Securing apache with a custom application firewall
Written by Mario   
Thursday, 11 December 2008 10:23
There are many spiders and bots on the Internet looking for insecurities in web servers. They try to inject code (XSS) and mostly use User-Agents like libwww-perl or other known user agents. They send HEAD or TRACE requests to the server, or send words like union or drop in their QUERY_STRING. That makes it easy to identify them by a signature or pattern.

It is not easy to use mod_security with all web applications, and most users don't read every rule ;-)

So here is an easy blacklist usable in httpd.conf or .htaccess.

This is only a basic security package which blocks about 85% of the most common attacks. It is still recommended to write or use safe web applications and to use mod_security. But this is easy to set up and gives some security instead of NO security.
You have to edit the last line to point to your own custom 404 error page.

# Enable mod_rewrite (FollowSymLinks is required for rewriting in .htaccess) and hide the server version banner.
RewriteEngine On
Options +FollowSymLinks
ServerSignature Off
# All conditions below are chained with [OR]: a single match is enough to fire the RewriteRule at the end.
# Request methods that normal browsers do not use (note: HEAD is also sent by some monitoring tools).
RewriteCond %{REQUEST_METHOD}  ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
# Line breaks or HTML/quote meta characters in the request line, Referer or Cookie header.
RewriteCond %{THE_REQUEST}     ^.*(\\r|\\n|%0A|%0D).* [NC,OR]
RewriteCond %{HTTP_REFERER}    ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{HTTP_COOKIE}     ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
# Suspicious characters at the start of the request path.
RewriteCond %{REQUEST_URI}     ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]
# Empty user agent, common client libraries, and known scanner/downloader names.
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget|libwww|python).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|httrack|clshttp|archiver|loader|email|harvest|extract|grab|miner|collector|magnet|reaper|siphon|sweeper|collect|wolf|nikto|scan|express|extractor|fake|fashget|sucker|leech|offine|snagger|snoop|bandit|copier|devil|hook|mole|reaper|sauger|sucker|snake|stripper|weasel|leach|wwwofe|whack|dirbuster|paros|scarab).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
# SQL keywords following a quote or other meta character anywhere in the query string.
RewriteCond %{QUERY_STRING}    ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
# References to the local host, a dot followed by a letter or digit (this also catches legitimate
# values such as file names or IP addresses in parameters), and HTML/quote meta characters.
RewriteCond %{QUERY_STRING}    ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
RewriteCond %{QUERY_STRING}    ^.*\.[A-Za-z0-9].* [NC,OR]
RewriteCond %{QUERY_STRING}    ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
# Everything that matched is sent to the custom 404 page; change this path for your own site.
RewriteRule ^(.*)$ 404.php
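To check which condition in the chain fires for a given request, and which legitimate requests it also catches, here is a small offline simulator of the rule set. It is an added example, not part of the original post and not mod_rewrite itself: the rule labels, the make_request helper and the sample requests are constructed for illustration, while the regexes are transcribed from the config above.

```python
import re

# Constructed transcription of the page's [OR]-chained RewriteCond lines as
# (label, server variable, regex). The "^.*X.*" wrappers are dropped because
# re.search already scans the whole value; [NC] becomes re.IGNORECASE.
RULES = [
    ("method", "REQUEST_METHOD", r"^(HEAD|TRACE|DELETE|TRACK)"),
    ("request-line-crlf", "THE_REQUEST", r"(\\r|\\n|%0A|%0D)"),
    ("referer-meta", "HTTP_REFERER", r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)"),
    ("cookie-meta", "HTTP_COOKIE", r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)"),
    ("uri-prefix", "REQUEST_URI", r'^/(,|;|:|<|>|">|"<|/|\\\.\.\\)'),
    ("ua-empty", "HTTP_USER_AGENT", r"^$"),
    ("ua-tool", "HTTP_USER_AGENT", r"^(java|curl|wget|libwww|python)"),
    ("ua-scanner", "HTTP_USER_AGENT", r"(winhttp|httrack|clshttp|archiver|loader|email|harvest|extract|grab|miner|collector|magnet|reaper|siphon|sweeper|collect|wolf|nikto|scan|express|extractor|fake|fashget|sucker|leech|offine|snagger|snoop|bandit|copier|devil|hook|mole|sauger|snake|stripper|weasel|leach|wwwofe|whack|dirbuster|paros|scarab)"),
    ("ua-meta", "HTTP_USER_AGENT", r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)"),
    ("qs-sqli", "QUERY_STRING", r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark)"),
    ("qs-localhost", "QUERY_STRING", r"(localhost|loopback|127\.0\.0\.1)"),
    ("qs-dot", "QUERY_STRING", r"\.[A-Za-z0-9]"),
    ("qs-meta", "QUERY_STRING", r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)"),
]

def first_matching_rule(request):
    """Return the label of the first condition that fires, or None if the request
    passes. One hit is enough because every condition is joined with [OR]."""
    for label, var, pattern in RULES:
        if re.search(pattern, request.get(var, ""), re.IGNORECASE):
            return label
    return None

def make_request(method="GET", uri="/index.php", qs="", referer="", cookie="",
                 ua="Mozilla/5.0 (X11; Linux) Firefox/3.0"):
    """Build only the server variables the rules read (constructed sample values)."""
    target = uri + ("?" + qs if qs else "")
    return {"REQUEST_METHOD": method, "REQUEST_URI": uri, "QUERY_STRING": qs,
            "THE_REQUEST": f"{method} {target} HTTP/1.1", "HTTP_REFERER": referer,
            "HTTP_COOKIE": cookie, "HTTP_USER_AGENT": ua}

if __name__ == "__main__":
    samples = {  # constructed requests: three probes, one legitimate, two false positives
        "TRACE probe": make_request(method="TRACE"),
        "scanner UA": make_request(ua="Mozilla/5.00 (Nikto/2.1.5)"),
        "SQLi probe": make_request(qs="id=1'%20union%20select%201,2"),
        "normal page": make_request(qs="page=about"),
        "file parameter": make_request(qs="file=report.pdf"),
        "quote + offset": make_request(qs="name=O'Brien&offset=10"),
    }
    for name, req in samples.items():
        print(f"{name:15} -> {first_matching_rule(req) or 'allowed'}")
```

The last two samples show why the qs-dot rule and the `set` keyword deserve a look before deployment: a plain file name or an apostrophe in a name followed by an `offset` parameter is sent to the 404 page just like a real probe.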
Last Updated on Wednesday, 17 December 2008 20:36