This is the seventh installment in a blog series describing how to build a Web Application Firewall (WAF) using the Apache .htaccess configuration file and Project Honey Pot. The goal of the series is to reduce the volume of spam and malicious internet traffic reaching small and medium-sized websites.
The Blue Plate WAF is an experimental cybersecurity tool for small websites on basic web hosting plans that lack access to more sophisticated web security tools. Basic web hosting plans often host content management systems (CMS) such as WordPress, Joomla, Drupal, or Typo3 for small organizations.
This edition focuses on redirecting traffic that originates from specific countries without using the visitor's IP address to trigger the redirect. Mapping an IP address to a country needs a geolocation database that is updated continuously as address blocks are reassigned, which in practice means a subscription or a regularly refreshed download. Geo-blocking subscriptions and tools can be costly or too complex for a small website, so we focus on alternative signals that are already present in the request.
Built on the Blue Plate WAF Framework
We will start with the experimental .htaccess file we created in the previous Detect Content Management System (CMS) Hacking Attempts blog. The new code we create is built on top of all the previous blog posts.
New Framework Use Case, Countries Involved in Conflicts or U.S. Sanctions
The new code is based on a use case where the website owner wants to limit website traffic from U.S. Treasury sanctioned countries and countries involved in conflicts. The use case website does not conduct business in any of these regions, countries, or languages and seeks to limit any spillover from cyber warfare originating in the specific conflict zones. The countries included in this use case are:
- Russian-led Collective Security Treaty Organization (CSTO) member states
  - Russia
  - Armenia
  - Belarus
  - Kazakhstan
  - Kyrgyzstan
  - Tajikistan
- Serbia
- Cuba
- Venezuela
- North Korea
- Iran
- Syria
- Yemen
New Framework Enhancements, Configuration Directives for Non-IP Based Geo Blocking
We will explore how to use the following Apache variables and request headers with RewriteCond to detect and filter country-specific traffic. Keep in mind that every one of these values is supplied by the client or by an intermediary proxy and can be forged, omitted, or simply unavailable on a given hosting plan, so these rules are a low-cost nuisance filter rather than an access control.
- REMOTE_HOST
  - Match the visitor's reverse-DNS name against country code top-level domains (ccTLDs)
- HTTP:Accept-Language
  - Detect country-specific languages
- HTTP:X-Forwarded-Host
  - Match the originally requested host name against ccTLDs when the request arrives through a proxy
- HTTP_REFERER
  - Match the referring website's host name against ccTLDs
- USER_AGENT (%{HTTP_USER_AGENT})
  - Detect country-specific web browsers
  - Detect country-specific mobile phone hardware
  - Detect country-specific bots
- HTTP:From
  - Detect bot contact email addresses under ccTLDs
- SSL:SSL_CLIENT_I_DN_O
  - Read the Organization (O) attribute of the Issuer (I) Distinguished Name (DN) in a client certificate, i.e. the certificate authority that issued it
Remote Host Detection to Send Users from Specific Countries to Your Honeypot
Remote host detection through the .htaccess file can be used as an alternative or a supplement to IP address country identification. Apache populates REMOTE_HOST with the fully qualified domain name (FQDN) found in the reverse DNS (PTR) record for the visitor's IP address. If no name can be resolved, or if the server runs with HostnameLookups Off (the default, and common on shared hosting because every lookup adds latency), REMOTE_HOST simply contains the IP address, the same value as REMOTE_ADDR, and none of the patterns below will match. HostnameLookups cannot be turned on from .htaccess, so check with your hosting provider. Note also that the PTR record is published by whoever controls the IP block, so a reverse name is a hint about the network the visitor is using, not proof of location.
The code below reads the REMOTE_HOST variable with the RewriteCond directive. If a resolved remote host matches, the RewriteRule directive internally rewrites the request to your honeypot. To determine the originating country of the traffic, each RewriteCond checks whether the visitor's FQDN ends in a country code top-level domain belonging to one of the countries the website owner wants to limit. The conditions are chained with the OR flag, so any single match is enough, and the first condition excludes requests for the honeypot itself so the rewrite cannot loop. Apache does not allow a comment on the same line as a directive, so the per-country notes are placed on their own lines.
```apache
##### Start -- Redirect Geo Conflict Hotspots by Remote Host to The Honeypot -- Start #####
# Assumes RewriteEngine On is already set earlier in this .htaccess (from the earlier posts).
# Requires HostnameLookups On in the server configuration; with it Off, REMOTE_HOST holds the bare IP.
# Never rewrite requests for the honeypot itself, or the rule would loop.
RewriteCond %{REQUEST_URI} !honeypot.php/
# Russia
RewriteCond %{REMOTE_HOST} \.ru$ [NC,OR]
# Armenia
RewriteCond %{REMOTE_HOST} \.am$ [NC,OR]
# Belarus
RewriteCond %{REMOTE_HOST} \.by$ [NC,OR]
# Kazakhstan
RewriteCond %{REMOTE_HOST} \.kz$ [NC,OR]
# Kyrgyzstan
RewriteCond %{REMOTE_HOST} \.kg$ [NC,OR]
# Tajikistan
RewriteCond %{REMOTE_HOST} \.tj$ [NC,OR]
# Serbia
RewriteCond %{REMOTE_HOST} \.rs$ [NC,OR]
# Cuba
RewriteCond %{REMOTE_HOST} \.cu$ [NC,OR]
# Venezuela
RewriteCond %{REMOTE_HOST} \.ve$ [NC,OR]
# North Korea
RewriteCond %{REMOTE_HOST} \.kp$ [NC,OR]
# Iran
RewriteCond %{REMOTE_HOST} \.ir$ [NC,OR]
# Syria
RewriteCond %{REMOTE_HOST} \.sy$ [NC,OR]
# Yemen
RewriteCond %{REMOTE_HOST} \.ye$ [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### End -- Redirect Geo Conflict Hotspots by Remote Host to The Honeypot -- End #####
```
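To see how a block like this classifies a request before it goes live (and why a trailing comment breaks the whole file), here is a small Python evaluator added for this post; it is not part of the Blue Plate WAF download. It models only the subset of mod_rewrite these blocks use (%{VAR} lookups, regex conditions, the ! negation prefix and the NC and OR flags), the rule text inside it is a trimmed copy of the block above, and the host names and request paths are constructed. The same evaluator can be pointed at the other header-based blocks in this post by swapping the block text and the request variables.

```python
"""Offline check of a honeypot rule block against sample requests.

Added example for this post, not Blue Plate WAF code. Models the subset of
mod_rewrite the blocks use: %{VAR} expansion (unknown names expand to "" as
in Apache), regex conditions searched rather than anchored, ! negation, NC, OR.
"""
import re

# Constructed copy of the post's REMOTE_HOST block, trimmed to three countries.
# Comments sit on their own lines: Apache rejects a comment after a directive.
REMOTE_HOST_BLOCK = r"""
RewriteCond %{REQUEST_URI} !honeypot.php/
# Russia
RewriteCond %{REMOTE_HOST} \.ru$ [NC,OR]
# Iran
RewriteCond %{REMOTE_HOST} \.ir$ [NC,OR]
# Yemen
RewriteCond %{REMOTE_HOST} \.ye$ [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
"""

# Constructed sample requests: mod_rewrite variable name -> value.
SAMPLE_REQUESTS = {
    # HostnameLookups On and a PTR record under .ru
    "ru_host": {"REQUEST_URI": "/index.php", "REMOTE_HOST": "client-7.dialup.example.ru"},
    # the same visitor on a server with HostnameLookups Off: only the IP is available
    "bare_ip": {"REQUEST_URI": "/index.php", "REMOTE_HOST": "203.0.113.7"},
    # ".ru" in the middle of a name does not count; the $ anchor keeps it out
    "lookalike": {"REQUEST_URI": "/index.php", "REMOTE_HOST": "mail.ru.example.com"},
    # the honeypot itself is excluded by the first condition, so the rewrite cannot loop
    "honeypot": {"REQUEST_URI": "/honeypot.php/", "REMOTE_HOST": "client.example.ru"},
}

_VAR = re.compile(r"%\{([^}]+)\}")


def _flags(token):
    """Parse a flag list such as [NC,OR] into a set of upper-case names."""
    if not (token.startswith("[") and token.endswith("]")):
        raise ValueError(f"bad flag syntax: {token}")
    return {f.strip().upper() for f in token[1:-1].split(",") if f.strip()}


def parse_block(text):
    """Return (conditions, (rule_regex, substitution)); a condition is
    (test_string, negate, regex, or_flag). Both directives take 2 or 3
    arguments, so a trailing "#comment" is a 4th argument and an error."""
    conds, rule = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        directive, *args = line.split()
        if len(args) not in (2, 3):
            raise ValueError(f"{directive} takes 2 or 3 arguments: {line}")
        flags = _flags(args[2]) if len(args) == 3 else set()
        nocase = re.IGNORECASE if flags & {"NC", "NOCASE"} else 0
        if directive == "RewriteCond":
            negate = args[1].startswith("!")          # "!" prefix inverts the test
            conds.append((args[0], negate, re.compile(args[1].lstrip("!"), nocase),
                          bool(flags & {"OR", "ORNEXT"})))
        elif directive == "RewriteRule":
            rule = (re.compile(args[0], nocase), args[1])
        else:
            raise ValueError(f"unsupported directive: {directive}")
    if rule is None:
        raise ValueError("block has no RewriteRule")
    return conds, rule


def block_is_valid(text):
    """True if the block parses; False for the errors Apache would reject."""
    try:
        parse_block(text)
    except ValueError:
        return False
    return True


def _conditions_pass(conds, request):
    """Walk the chain with Apache's implicit-AND / [OR] semantics."""
    i = 0
    while i < len(conds):
        test_string, negate, regex, or_flag = conds[i]
        value = _VAR.sub(lambda m: request.get(m.group(1), ""), test_string)
        ok = (regex.search(value) is not None) != negate
        if or_flag:
            if ok:
                # one hit satisfies the whole OR group: skip its remaining members
                while i < len(conds) and conds[i][3]:
                    i += 1
            i += 1
            continue
        if not ok:
            return False  # an ANDed condition failed
        i += 1
    return True


def rewrite_target(block_text, request):
    """Substitution the block applies to the request, or None. Apache tests the
    RewriteRule pattern first (per-directory context strips the leading slash)."""
    conds, (rule_re, target) = parse_block(block_text)
    if rule_re.search(request.get("REQUEST_URI", "").lstrip("/")) is None:
        return None
    return target if _conditions_pass(conds, request) else None
```

Running `rewrite_target(REMOTE_HOST_BLOCK, req)` over the samples sends only `ru_host` to `/honeypot.php/`; the bare IP, the look-alike name and the honeypot request itself all return None, and `block_is_valid` is False for a block that keeps a comment on the directive line.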
Proxied Host Detection to Send Users from Specific Countries to Your Honeypot
Forwarded host detection through the .htaccess file can be used as an alternative or a supplement to IP address country identification. X-Forwarded-Host is not a value Apache computes; it is a request header added by a proxy between the client and your server that records the host name the client originally asked for in its Host header. When a visitor reaches your site through a proxy or mirror that answers to a name under a foreign ccTLD, that name is what arrives in the header. Because any client can also send the header itself, treat a match as a weak signal.
The code below reads the HTTP:X-Forwarded-Host header with the RewriteCond directive. If the forwarded host name ends in one of the listed country code top-level domains (an optional port number, which some proxies append, is tolerated), the RewriteRule directive rewrites the request to your honeypot.
```apache
##### Start -- Redirect Geo Conflict Hotspots by Forwarded Host to The Honeypot -- Start #####
# X-Forwarded-Host is proxy- or client-supplied; an optional :port after the ccTLD is tolerated.
RewriteCond %{REQUEST_URI} !honeypot.php/
# Russia
RewriteCond %{HTTP:X-Forwarded-Host} \.ru(:[0-9]+)?$ [NC,OR]
# Armenia
RewriteCond %{HTTP:X-Forwarded-Host} \.am(:[0-9]+)?$ [NC,OR]
# Belarus
RewriteCond %{HTTP:X-Forwarded-Host} \.by(:[0-9]+)?$ [NC,OR]
# Kazakhstan
RewriteCond %{HTTP:X-Forwarded-Host} \.kz(:[0-9]+)?$ [NC,OR]
# Kyrgyzstan
RewriteCond %{HTTP:X-Forwarded-Host} \.kg(:[0-9]+)?$ [NC,OR]
# Tajikistan
RewriteCond %{HTTP:X-Forwarded-Host} \.tj(:[0-9]+)?$ [NC,OR]
# Serbia
RewriteCond %{HTTP:X-Forwarded-Host} \.rs(:[0-9]+)?$ [NC,OR]
# Cuba
RewriteCond %{HTTP:X-Forwarded-Host} \.cu(:[0-9]+)?$ [NC,OR]
# Venezuela
RewriteCond %{HTTP:X-Forwarded-Host} \.ve(:[0-9]+)?$ [NC,OR]
# North Korea
RewriteCond %{HTTP:X-Forwarded-Host} \.kp(:[0-9]+)?$ [NC,OR]
# Iran
RewriteCond %{HTTP:X-Forwarded-Host} \.ir(:[0-9]+)?$ [NC,OR]
# Syria
RewriteCond %{HTTP:X-Forwarded-Host} \.sy(:[0-9]+)?$ [NC,OR]
# Yemen
RewriteCond %{HTTP:X-Forwarded-Host} \.ye(:[0-9]+)?$ [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### End -- Redirect Geo Conflict Hotspots by Forwarded Host to The Honeypot -- End #####
```
Language Detection to Send Users from Specific Countries to Your Honeypot
Language detection through the .htaccess file can be used as an alternative or a supplement to IP address country identification. The Accept-Language request header is sent by the user's web browser to state the languages, and optionally regions, the user prefers, in order of preference.
The code below reads the HTTP:Accept-Language header with the RewriteCond directive. If a language match is detected, the RewriteRule directive rewrites the request to your honeypot.
Accept-Language values are language tags (BCP 47, as used by HTTP in RFC 7231): a primary language subtag from ISO 639 (ru, fa) optionally followed by a region subtag from ISO 3166-1 (ru-RU, es-VE), each with an optional quality value such as ;q=0.8. Because the patterns below are anchored with ^, they test only the first, most preferred tag; a visitor who lists English first and Russian second is not matched.
```apache
##### Start -- Redirect Geo Conflict Hotspots by Language to The Honeypot -- Start #####
# ^ anchors each pattern on the first (most preferred) language tag in the header.
RewriteCond %{REQUEST_URI} !honeypot.php/
# Russia: Russian
RewriteCond %{HTTP:Accept-Language} ^ru [NC,OR]
# Armenia: Armenian
RewriteCond %{HTTP:Accept-Language} ^hy [NC,OR]
# Belarus: Belarusian
RewriteCond %{HTTP:Accept-Language} ^be [NC,OR]
# Kazakhstan: Kazakh
RewriteCond %{HTTP:Accept-Language} ^kk [NC,OR]
# Kyrgyzstan: Kyrgyz
RewriteCond %{HTTP:Accept-Language} ^ky [NC,OR]
# Serbia: Serbian
RewriteCond %{HTTP:Accept-Language} ^sr [NC,OR]
# Tajikistan: Tajik
RewriteCond %{HTTP:Accept-Language} ^tg [NC,OR]
# Cuba: Spanish (not sure if in use)
RewriteCond %{HTTP:Accept-Language} ^es\-cu [NC,OR]
# Venezuela: Spanish
RewriteCond %{HTTP:Accept-Language} ^es\-ve [NC,OR]
# North Korea: Korean (not sure if in use)
RewriteCond %{HTTP:Accept-Language} ^ko\-kp [NC,OR]
# Iran: Persian (Farsi)
RewriteCond %{HTTP:Accept-Language} ^fa [NC,OR]
# Syria: Arabic
RewriteCond %{HTTP:Accept-Language} ^ar\-sy [NC,OR]
# Yemen: Arabic
RewriteCond %{HTTP:Accept-Language} ^ar\-ye [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### End -- Redirect Geo Conflict Hotspots by Language to The Honeypot -- End #####
```
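Because the rules above are anchored on the start of the header, it is worth seeing exactly which visitors they catch. The following Python, added for this post and not part of the Blue Plate WAF files, parses Accept-Language with its quality values as RFC 7231 defines them, reproduces the anchored check the rules perform, and shows a broader check that looks at every listed language above a quality threshold. The header strings in it are constructed examples.

```python
"""Accept-Language parsing versus the anchored RewriteCond checks.

Added example for this post (not Blue Plate WAF code). Shows which headers
the post's ^-anchored patterns match and what a broader, q-value aware
check would match instead.
"""
import re

# The language-range prefixes from the post's Accept-Language block.
LANGUAGE_COUNTRY = {
    "ru": "Russia", "hy": "Armenia", "be": "Belarus", "kk": "Kazakhstan",
    "ky": "Kyrgyzstan", "sr": "Serbia", "tg": "Tajikistan", "es-cu": "Cuba",
    "es-ve": "Venezuela", "ko-kp": "North Korea", "fa": "Iran",
    "ar-sy": "Syria", "ar-ye": "Yemen",
}

# RFC 7231 qvalue: 0 to 1 with at most three decimals.
_QVALUE = re.compile(r"^\s*q\s*=\s*(0(\.\d{0,3})?|1(\.0{0,3})?)\s*$", re.IGNORECASE)


def parse_accept_language(header):
    """Return [(language_range, q)] ordered by descending q (RFC 7231 5.3.5).

    Ranges without ;q= default to 1.0; elements with a malformed q are
    dropped. Ties keep the client's order, which is what browsers rely on.
    """
    ranges = []
    for position, element in enumerate(header.split(",")):
        tag, _, params = element.strip().partition(";")
        tag = tag.strip().lower()
        if not tag:
            continue
        q = 1.0
        if params:
            match = _QVALUE.match(params)
            if match is None:
                continue
            q = float(match.group(1))
        ranges.append((tag, q, position))
    ranges.sort(key=lambda item: (-item[1], item[2]))
    return [(tag, q) for tag, q, _ in ranges]


def anchored_match(header):
    """What the post's RewriteCond lines do: ^prefix [NC] against the raw
    header, so only the first-listed language range can match."""
    for prefix, country in LANGUAGE_COUNTRY.items():
        if re.match(re.escape(prefix), header, re.IGNORECASE):
            return country
    return None


def any_range_match(header, min_q=0.5):
    """Broader check: any listed range at or above min_q that equals a
    prefix or is a region variant of it (ru-RU, fa-IR, ...)."""
    for tag, q in parse_accept_language(header):
        if q < min_q:
            continue
        for prefix, country in LANGUAGE_COUNTRY.items():
            if tag == prefix or tag.startswith(prefix + "-"):
                return country
    return None
```

`anchored_match("en-US,en;q=0.9,ru;q=0.8")` returns None while `any_range_match` on the same header returns "Russia". If the broader behaviour is what you want in .htaccess, the equivalent is a pattern that matches a tag anywhere in the list, for example `(^|,)\s*ru(-|;|,|$)` with [NC] in place of `^ru`; a RewriteCond still cannot weigh q-values, so it will also catch users who list Russian only as a low-priority fallback.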
Web Site Referral Detection to Send Users from Specific Countries to Your Honeypot
Website referral detection through the .htaccess file can be used as an alternative or a supplement to IP address country identification. The Referer header (exposed to mod_rewrite as HTTP_REFERER) is sent by the user's web browser when the user follows a link to your website; it carries the URL of the page the link was on, and browsers omit it, or trim it to the origin, according to the linking site's Referrer-Policy.
The code below reads the HTTP_REFERER variable with the RewriteCond directive. If a country-specific referral match is detected, the RewriteRule directive rewrites the request to your honeypot.
Because the value is a complete URL such as https://news.example.ru/story rather than a bare host name, a pattern that only tests for a ccTLD at the very end of the string would almost never match; the conditions below anchor on the scheme and host and require the ccTLD to be followed by a port, a path, or the end of the value. The match only occurs on the first request after the click, since later navigation within your site carries your own domain as the referrer.
```apache
##### Start -- Redirect Geo Conflict Hotspots by Referral Website to The Honeypot -- Start #####
# The Referer is a full URL, so each pattern anchors on the host and requires the ccTLD
# to be followed by a port, a path, or the end of the value.
RewriteCond %{REQUEST_URI} !honeypot.php/
# Russia
RewriteCond %{HTTP_REFERER} ^https?://[^/]+\.ru([:/]|$) [NC,OR]
# Armenia
RewriteCond %{HTTP_REFERER} ^https?://[^/]+\.am([:/]|$) [NC,OR]
# Belarus
RewriteCond %{HTTP_REFERER} ^https?://[^/]+\.by([:/]|$) [NC,OR]
# Kazakhstan
RewriteCond %{HTTP_REFERER} ^https?://[^/]+\.kz([:/]|$) [NC,OR]
# Kyrgyzstan
RewriteCond %{HTTP_REFERER} ^https?://[^/]+\.kg([:/]|$) [NC,OR]
# Tajikistan
RewriteCond %{HTTP_REFERER} ^https?://[^/]+\.tj([:/]|$) [NC,OR]
# Serbia
RewriteCond %{HTTP_REFERER} ^https?://[^/]+\.rs([:/]|$) [NC,OR]
# Cuba
RewriteCond %{HTTP_REFERER} ^https?://[^/]+\.cu([:/]|$) [NC,OR]
# Venezuela
RewriteCond %{HTTP_REFERER} ^https?://[^/]+\.ve([:/]|$) [NC,OR]
# North Korea
RewriteCond %{HTTP_REFERER} ^https?://[^/]+\.kp([:/]|$) [NC,OR]
# Iran
RewriteCond %{HTTP_REFERER} ^https?://[^/]+\.ir([:/]|$) [NC,OR]
# Syria
RewriteCond %{HTTP_REFERER} ^https?://[^/]+\.sy([:/]|$) [NC,OR]
# Yemen
RewriteCond %{HTTP_REFERER} ^https?://[^/]+\.ye([:/]|$) [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### End -- Redirect Geo Conflict Hotspots by Referral Website to The Honeypot -- End #####
```
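The difference between testing a bare host name and testing a full URL is easy to get wrong, so the following Python, added for this post and not part of the Blue Plate WAF files, extracts the referring host with a URL parser and maps its top-level label to a country. It also decodes punycode so that Russia's Cyrillic .рф zone, which appears in a host name as the label xn--p1ai and which a `\.ru` test never sees, is recognised, and it reproduces the host-anchored pattern from the block above for comparison. All URLs in it are constructed.

```python
"""Country from a Referer URL's ccTLD.

Added example for this post (not Blue Plate WAF code). Parses the Referer as
the URL it is, instead of pattern-matching the raw string, and decodes a
punycode top-level label so internationalised ccTLDs are covered.
"""
import re
from urllib.parse import urlsplit

# ccTLDs from the post's referer block, plus Russia's Cyrillic .рф, which a
# browser sends as the punycode label "xn--p1ai".
CCTLD_COUNTRY = {
    "ru": "Russia", "рф": "Russia", "am": "Armenia", "by": "Belarus",
    "kz": "Kazakhstan", "kg": "Kyrgyzstan", "tj": "Tajikistan", "rs": "Serbia",
    "cu": "Cuba", "ve": "Venezuela", "kp": "North Korea", "ir": "Iran",
    "sy": "Syria", "ye": "Yemen",
}

# The host-anchored form used in the .htaccess block: scheme, host, ccTLD,
# then a port, a path or the end of the value. ASCII ccTLDs only.
APACHE_REFERER_RE = re.compile(
    r"^https?://[^/]+\.(ru|am|by|kz|kg|tj|rs|cu|ve|kp|ir|sy|ye)([:/]|$)",
    re.IGNORECASE,
)


def referer_cctld(url):
    """Return the Referer host's top-level label, punycode decoded, or None.

    urlsplit().hostname lowercases the name and strips userinfo and port, so
    "https://user@Example.RU:8443/x?y" yields "ru". A trailing dot on a fully
    qualified name is tolerated; IP literals yield a numeric label and so
    match nothing in CCTLD_COUNTRY.
    """
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:          # e.g. unbalanced IPv6 brackets
        return None
    if not host:
        return None
    label = host.rsplit(".", 1)[-1]
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:    # not valid punycode
            return None
    return label


def referer_country(url):
    """Country name for the Referer's ccTLD, or None when not in the list."""
    label = referer_cctld(url)
    return CCTLD_COUNTRY.get(label) if label else None


def apache_rule_hits(url):
    """Whether the block's RewriteCond pattern would match this Referer."""
    return APACHE_REFERER_RE.search(url) is not None
```

For plain .ru, .ir and similar referrers `referer_country` and `apache_rule_hits` agree; they diverge on a host under .рф, which only the parser-based function recognises. To close that gap in the .htaccess block, add a condition for the punycode label (`\.xn--p1ai([:/]|$)`) alongside the `\.ru` one.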
Web Browser Version Detection to Send Users from Specific Countries to Your Honeypot
Web browser version detection through the .htaccess file can be used as an alternative or a supplement to IP address country identification. The User-Agent header (HTTP_USER_AGENT) is sent by the user's web browser when the user accesses your website and self-identifies the type and version of the web browser being used; a few browsers are distributed almost exclusively in one country.
The code below reads the HTTP_USER_AGENT variable sent by the user's browser with the RewriteCond directive. If a browser match is detected, the RewriteRule directive rewrites the request to your honeypot.
```apache
##### Start -- Redirect Geo Conflict Hotspot Web Browsers to The Honeypot -- Start #####
RewriteCond %{REQUEST_URI} !honeypot.php/
# Russia: Yandex Browser
RewriteCond %{HTTP_USER_AGENT} YaBrowser [NC,OR]
# Russia: Yandex Browser token
RewriteCond %{HTTP_USER_AGENT} Yowser [NC,OR]
# Russia: Yandex app
RewriteCond %{HTTP_USER_AGENT} YaApp [NC,OR]
# North Korea: Naenara browser
RewriteCond %{HTTP_USER_AGENT} naenara [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### End -- Redirect Geo Conflict Hotspot Web Browsers to The Honeypot -- End #####
```
Country Specific Mobile Phone Hardware Detection to Send Specific Users to Your Honeypot
Mobile phone hardware detection through the .htaccess file can be used as an alternative or a supplement to IP address country identification. The User-Agent header is sent by a user's mobile browser when the user accesses your website and, on Android in particular, often includes the device model string, which identifies the manufacturer of the phone; some manufacturers sell almost entirely in one country.
The code below reads the HTTP_USER_AGENT variable sent by the user's device browser with the RewriteCond directive. If a mobile phone hardware match is detected, the RewriteRule directive rewrites the request to your honeypot.
```apache
##### Start -- Redirect Geo Conflict Hotspot Mobile Phone Hardware to The Honeypot -- Start #####
RewriteCond %{REQUEST_URI} !honeypot.php/
# Russia: Ayya T1 phone
RewriteCond %{HTTP_USER_AGENT} AYYA\sT1 [NC,OR]
# Russia: Highscreen phone
RewriteCond %{HTTP_USER_AGENT} highscreen [NC,OR]
# Russia: Texet phone
RewriteCond %{HTTP_USER_AGENT} teXet [NC,OR]
# Russia: Yota phone
RewriteCond %{HTTP_USER_AGENT} YOTA [NC,OR]
# Russia: Yota Phone 2 model string
RewriteCond %{HTTP_USER_AGENT} YD201 [NC,OR]
# Russia: Yota Phone 3
RewriteCond %{HTTP_USER_AGENT} YOTA\s3\+ [NC,OR]
# Russia: Yota Devices
RewriteCond %{HTTP_USER_AGENT} YotaDevices [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### End -- Redirect Geo Conflict Hotspot Mobile Phone Hardware to The Honeypot -- End #####
```
Country Specific Mobile Phone Carrier Detection to Send Specific Users to Your Honeypot
Mobile phone carrier detection through the .htaccess file can be used as an alternative or a supplement to IP address country identification. The User-Agent header is sent by a user's mobile browser when the user accesses your website and sometimes carries a token identifying the mobile carrier, typically on carrier-branded devices.
The code below reads the HTTP_USER_AGENT variable sent by the user's device browser with the RewriteCond directive. If a mobile carrier match is detected, the RewriteRule directive rewrites the request to your honeypot.
```apache
##### Start -- Redirect Geo Conflict Hotspot Mobile Phone Carriers to The Honeypot -- Start #####
RewriteCond %{REQUEST_URI} !honeypot.php/
# Russia: MegaFon mobile carrier
RewriteCond %{HTTP_USER_AGENT} MegaFon [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### End -- Redirect Geo Conflict Hotspot Mobile Phone Carriers to The Honeypot -- End #####
```
Country Specific Bot Detection to Send Specific Bots to Your Honeypot
Bot detection through the .htaccess file can be used as an alternative or a supplement to IP address country identification. The User-Agent header sent by a bot is the string it chooses to self-identify with; well-behaved search engine crawlers use a stable token, while abusive bots often copy a browser's string, so this catches the former rather than the latter.
The code below reads the HTTP_USER_AGENT variable transmitted by the bot with the RewriteCond directive. If a bot match is detected, the RewriteRule directive rewrites the request to your honeypot.
```apache
##### Start -- Redirect Geo Conflict Hotspot Bots to The Honeypot -- Start #####
RewriteCond %{REQUEST_URI} !honeypot.php/
# Russia: Yandex search engine bot
RewriteCond %{HTTP_USER_AGENT} YandexBot [NC,OR]
# Russia: Yandex Direct fetcher
RewriteCond %{HTTP_USER_AGENT} YaDirectFetcher [NC,OR]
# Russia: Rambler search engine bot
RewriteCond %{HTTP_USER_AGENT} rambler [NC,OR]
# Russia: Mail.Ru search engine bot
RewriteCond %{HTTP_USER_AGENT} Mail\.Ru [NC,OR]
# Russia: Aport search engine bot
RewriteCond %{HTTP_USER_AGENT} aport [NC,OR]
# Iran: Yooz search engine bot
RewriteCond %{HTTP_USER_AGENT} yooz [NC,OR]
# Iran: hivaBot (Yooz)
RewriteCond %{HTTP_USER_AGENT} hivaBot [NC,OR]
# Iran: Parsijoo search engine bot
RewriteCond %{HTTP_USER_AGENT} Parsijoo [NC,OR]
# Iran: Rismoon search engine bot
RewriteCond %{HTTP_USER_AGENT} Rismoon [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### End -- Redirect Geo Conflict Hotspot Bots to The Honeypot -- End #####
```
Bot Email Address Detection to Send Users from Specific Countries to Your Honeypot
Bot email address detection through the .htaccess file can be used as an alternative or a supplement to IP address country identification. The From request header carries a contact email address for the person or organization operating an automated client; it dates from the earliest HTTP specifications, is still defined in RFC 7231, and is sent mainly by crawlers rather than browsers.
The code below reads the HTTP:From header sent by the bot with the RewriteCond directive. If the contact address ends in a country code top-level domain belonging to one of the countries the website owner wants to limit, the RewriteRule directive rewrites the request to your honeypot.
```apache
##### Start -- Redirect Geo Conflict Hotspot Bot Email Addresses to The Honeypot -- Start #####
RewriteCond %{REQUEST_URI} !honeypot.php/
# Russia
RewriteCond %{HTTP:From} \.ru$ [NC,OR]
# Armenia
RewriteCond %{HTTP:From} \.am$ [NC,OR]
# Belarus
RewriteCond %{HTTP:From} \.by$ [NC,OR]
# Kazakhstan
RewriteCond %{HTTP:From} \.kz$ [NC,OR]
# Kyrgyzstan
RewriteCond %{HTTP:From} \.kg$ [NC,OR]
# Tajikistan
RewriteCond %{HTTP:From} \.tj$ [NC,OR]
# Serbia
RewriteCond %{HTTP:From} \.rs$ [NC,OR]
# Cuba
RewriteCond %{HTTP:From} \.cu$ [NC,OR]
# Venezuela
RewriteCond %{HTTP:From} \.ve$ [NC,OR]
# North Korea
RewriteCond %{HTTP:From} \.kp$ [NC,OR]
# Iran
RewriteCond %{HTTP:From} \.ir$ [NC,OR]
# Syria
RewriteCond %{HTTP:From} \.sy$ [NC,OR]
# Yemen
RewriteCond %{HTTP:From} \.ye$ [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### End -- Redirect Geo Conflict Hotspot Bot Email Addresses to The Honeypot -- End #####
```
Client Certificate Detection to Send Users Providing Country Specific Certificate Authorities to Your Honey Pot
Client certificate detection through the .htaccess file can be used as an alternative or a supplement to IP address country identification. SSL_CLIENT_I_DN_O is one of the mod_ssl variables filled in when a client presents its own X.509 certificate during the TLS handshake; it holds the Organization (O) attribute of the certificate's Issuer (I) Distinguished Name (DN), that is, the name of the certificate authority (CA) that issued the client's certificate. The variable is empty unless the server actually asked for a client certificate, which only happens when SSLVerifyClient is set to optional, optional_no_ca or require; an ordinary browser visit presents no client certificate at all.
Recent news reports describe Russia creating its own root certificate authority, operated by the Ministry of Digital Development and Communications, and directing Russian users and products to trust it after foreign CAs stopped serving Russian sites. Where a client authenticates with a certificate chained to that CA, the issuer organization name can be matched with the method described here.
- EFF: You Should Not Trust Russia's New "Trusted Root CA"
- Bleeping Computer: Russia creates its own TLS certificate authority to bypass sanctions
For the SSL:SSL_CLIENT_I_DN_O variable to carry a value, the virtual host must have TLS enabled and must request a client certificate. The following directives are needed in httpd.conf or the virtual host configuration; you may need to check with your hosting provider to determine whether this functionality is available to you:
- SSLEngine On
- SSLVerifyClient optional (or require, if every visitor is expected to present a certificate)
- SSLOptions +StdEnvVars (needed for the SSL_* variables to reach CGI and PHP; mod_rewrite's %{SSL:...} lookup reads them directly from mod_ssl and works without it)
The code below reads the SSL:SSL_CLIENT_I_DN_O variable from the visitor's client certificate with the RewriteCond directive. If the issuing certificate authority's organization name matches one the website owner wants to limit, the RewriteRule directive rewrites the request to your honeypot. Clients that present no certificate leave the variable empty and are not affected by this rule.
```apache
##### Start -- Redirect Geo Conflict Hotspot Certificate Authorities To The Honeypot -- Start #####
RewriteCond %{REQUEST_URI} !honeypot.php/
# Russian Trusted Root CA: match on the issuer Organization of the client certificate
RewriteCond %{SSL:SSL_CLIENT_I_DN_O} Russian [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### End -- Redirect Geo Conflict Hotspot Certificate Authorities To The Honeypot -- End #####
```
The working file is available for download here. We welcome questions, comments, and thoughts on these techniques; reach out to the PCCS Labs Team by email.