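### =================== Blue-plate Special Firewall =================== ###
### !!!!!! Always Backup Your Previous Unmodified .htaccess File !!!!!! ###
### !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ###
### =================== Blue-plate Special Firewall =================== ###
#
# Scope and limits of this rule set:
#  - Requires mod_rewrite, plus AllowOverride covering FileInfo, Options and
#    Indexes, otherwise the directives below are rejected or ignored.
#  - "Redirect" in the section titles means an internal rewrite ([L] without
#    [R]); the client is served /honeypot.php/ without seeing a 3xx response.
#  - Only the query string and the User-Agent header are inspected. Request
#    bodies, cookies and other headers are not covered.
#  - The User-Agent header is chosen by the client, so every User-Agent rule
#    is a heuristic for sorting traffic, not an access control.
#  - Keyword matching does not make the application safe against injection;
#    parameterized queries and input validation in the application remain
#    the actual fix.
#  - Within each rule, the conditions without [OR] must all hold and the
#    [OR] chain is evaluated as one group: A AND B AND (C OR D OR ...).

##### RewriteEngine enabled - BEGIN
RewriteEngine On
##### RewriteEngine enabled - END

##### RewriteBase set - BEGIN
RewriteBase /
##### RewriteBase set - END

##### Block directory browsing -- BEGIN
IndexIgnore *
Options -Indexes
##### Block directory browsing -- END

##### Redirect Linux Programs/Commands Used By Hackers and Spammers To Honeypot -- START
# The honeypot exemption is anchored and the dot escaped so that only the
# honeypot script itself skips the rule (this also prevents a rewrite loop).
# Patterns are plain substrings: the former "Wget*" / "curl*" / "apache*"
# made the last letter optional and therefore also matched e.g. "Security".
# These names also appear in legitimate monitoring and API clients
# (e.g. Apache-HttpClient); allow-list those before enabling this rule.
RewriteCond %{REQUEST_URI} !^/honeypot\.php/
RewriteCond %{HTTP_USER_AGENT} wget [NC,OR]
RewriteCond %{HTTP_USER_AGENT} curl [NC,OR]
RewriteCond %{HTTP_USER_AGENT} apache [NC]
RewriteRule ^ /honeypot.php/ [L]
##### Redirect Linux Programs/Commands Used By Hackers and Spammers To Honeypot -- END

##### Redirect If QUERY_STRING Has SQL Injection To Honeypot -- START
#QUERY_STRING contains everything in the URL after the "?" ex.) mydomain.com/test.php?test=test
#Excluded the commands like, version, update, insert, and set because they are common words and have caused false positives
# The keywords match as substrings anywhere in the query string, so ordinary
# values such as "download" (load) or "dropdown" (drop) are rewritten too.
# Review the honeypot log for legitimate traffic after deployment.
RewriteCond %{QUERY_STRING} !^$
RewriteCond %{REQUEST_URI} !^/honeypot\.php/
RewriteCond %{QUERY_STRING} union [NC,OR]
RewriteCond %{QUERY_STRING} select [NC,OR]
RewriteCond %{QUERY_STRING} cast [NC,OR]
RewriteCond %{QUERY_STRING} declare [NC,OR]
RewriteCond %{QUERY_STRING} drop [NC,OR]
RewriteCond %{QUERY_STRING} md5 [NC,OR]
RewriteCond %{QUERY_STRING} benchmark [NC,OR]
RewriteCond %{QUERY_STRING} table [NC,OR]
RewriteCond %{QUERY_STRING} column [NC,OR]
RewriteCond %{QUERY_STRING} distinct [NC,OR]
RewriteCond %{QUERY_STRING} substr [NC,OR]
RewriteCond %{QUERY_STRING} concat [NC,OR]
RewriteCond %{QUERY_STRING} schema [NC,OR]
RewriteCond %{QUERY_STRING} hex [NC,OR]
RewriteCond %{QUERY_STRING} truncate [NC,OR]
RewriteCond %{QUERY_STRING} convert [NC,OR]
RewriteCond %{QUERY_STRING} exec [NC,OR]
RewriteCond %{QUERY_STRING} passthru [NC,OR]
RewriteCond %{QUERY_STRING} system [NC,OR]
RewriteCond %{QUERY_STRING} popen [NC,OR]
RewriteCond %{QUERY_STRING} proc [NC,OR]
RewriteCond %{QUERY_STRING} load [NC,OR]
RewriteCond %{QUERY_STRING} between [NC,OR]
RewriteCond %{QUERY_STRING} null [NC,OR]
RewriteCond %{QUERY_STRING} delay [NC,OR]
RewriteCond %{QUERY_STRING} char [NC,OR]
RewriteCond %{QUERY_STRING} sleep [NC,OR]
# The second "schema" condition was a duplicate written as "%{ QUERY_STRING }",
# which is not a valid variable reference; it has been dropped.
RewriteCond %{QUERY_STRING} unhex [NC]
RewriteRule ^ /honeypot.php/ [L]
##### Redirect If QUERY_STRING Has SQL Injection To Honeypot -- END

##### Redirect If QUERY_STRING Has Encoded Injection Characters To Honeypot -- START
#QUERY_STRING contains everything in the URL after the "?" ex.) mydomain.com/test.php?test=test
#Excluded "%20", "%2F", "%26", "%3A", "%3D" due to use in site URL variables
# QUERY_STRING is matched as sent by the client (not URL-decoded), which is
# why the percent-encoded forms are listed. [NC] is only needed where the hex
# code contains a letter. %25 (an encoded "%") catches double encoding but
# also any legitimately encoded percent sign.
RewriteCond %{QUERY_STRING} !^$
RewriteCond %{REQUEST_URI} !^/honeypot\.php/
RewriteCond %{QUERY_STRING} %00 [OR]
RewriteCond %{QUERY_STRING} %0A [NC,OR]
RewriteCond %{QUERY_STRING} %0D [NC,OR]
RewriteCond %{QUERY_STRING} %21 [OR]
RewriteCond %{QUERY_STRING} %22 [OR]
RewriteCond %{QUERY_STRING} %23 [OR]
RewriteCond %{QUERY_STRING} %24 [OR]
RewriteCond %{QUERY_STRING} %25 [OR]
RewriteCond %{QUERY_STRING} %27 [OR]
RewriteCond %{QUERY_STRING} %28 [OR]
RewriteCond %{QUERY_STRING} %29 [OR]
RewriteCond %{QUERY_STRING} %40 [OR]
RewriteCond %{QUERY_STRING} %60 [OR]
RewriteCond %{QUERY_STRING} %2A [NC,OR]
RewriteCond %{QUERY_STRING} %2B [NC,OR]
RewriteCond %{QUERY_STRING} %2C [NC,OR]
RewriteCond %{QUERY_STRING} %2D [NC,OR]
RewriteCond %{QUERY_STRING} %3B [NC,OR]
RewriteCond %{QUERY_STRING} %3C [NC,OR]
RewriteCond %{QUERY_STRING} %3E [NC,OR]
RewriteCond %{QUERY_STRING} %5B [NC,OR]
RewriteCond %{QUERY_STRING} %5C [NC,OR]
RewriteCond %{QUERY_STRING} %5D [NC,OR]
RewriteCond %{QUERY_STRING} %5E [NC,OR]
RewriteCond %{QUERY_STRING} %5F [NC,OR]
RewriteCond %{QUERY_STRING} %7B [NC,OR]
RewriteCond %{QUERY_STRING} %7C [NC,OR]
RewriteCond %{QUERY_STRING} %7D [NC,OR]
RewriteCond %{QUERY_STRING} %7E [NC,OR]
# Literal "<", ">" and ";" are written as one character class: a CondPattern
# that starts with "<" or ">" can be read as a string comparison rather than
# a regular expression, so the bare characters are avoided.
RewriteCond %{QUERY_STRING} [<>;]
RewriteRule ^ /honeypot.php/ [L]
##### Redirect If QUERY_STRING Has Encoded Injection Characters To Honeypot -- END

##### Redirect If QUERY_STRING Has Common Programmatic Commands Potentially Injected To Honeypot -- START
# The section title previously named HTTP_USER_AGENT, but every condition
# here tests QUERY_STRING; the User-Agent header is not examined by this rule.
RewriteCond %{QUERY_STRING} !^$
RewriteCond %{REQUEST_URI} !^/honeypot\.php/
RewriteCond %{QUERY_STRING} sanitize [NC,OR]
RewriteCond %{QUERY_STRING} eval [NC,OR]
RewriteCond %{QUERY_STRING} base64 [NC,OR]
RewriteCond %{QUERY_STRING} echo [NC,OR]
RewriteCond %{QUERY_STRING} @set [NC,OR]
RewriteCond %{QUERY_STRING} @ini [NC,OR]
RewriteCond %{QUERY_STRING} dirname [NC,OR]
RewriteCond %{QUERY_STRING} decode [NC]
RewriteRule ^ /honeypot.php/ [L]
##### Redirect If QUERY_STRING Has Common Programmatic Commands Potentially Injected To Honeypot -- END

##### Redirect Really Old Web Browser and Therefore Probably Fake USER_AGENT Strings To Honeypot -- START
# Each pattern requires the dot right after a single-digit major version.
# The former "[1-9]\\.*" made the dot optional, so "Chrome/1" also matched
# Chrome/100 and later, "Firefox/1" matched Firefox/100 and later, and
# "MSIE 1" matched MSIE 10, sending current browsers to the honeypot.
RewriteCond %{REQUEST_URI} !^/honeypot\.php/
RewriteCond %{HTTP_USER_AGENT} Mozilla\/[1-4]\. [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Chrome\/[1-9]\. [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Firefox\/[1-9]\. [NC,OR]
RewriteCond %{HTTP_USER_AGENT} MSIE\s[1-6]\. [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Opera [NC]
RewriteRule ^ /honeypot.php/ [L]
##### Redirect Really Old Web Browser and Therefore Probably Fake USER_AGENT Strings To Honeypot -- END

##### Redirect Fake Mozilla USER_AGENT Missing "/[1-9][0-9.]" To Honeypot -- START
# First condition: the token is present. Second: it is not followed by a
# plausible version ("/", a digit 1-9, then a digit or dot).
RewriteCond %{REQUEST_URI} !^/honeypot\.php/
RewriteCond %{HTTP_USER_AGENT} Mozilla [NC]
RewriteCond %{HTTP_USER_AGENT} !Mozilla\/[1-9][0-9.] [NC]
RewriteRule ^ /honeypot.php/ [L]
##### Redirect Fake Mozilla USER_AGENT Missing "/[1-9][0-9.]" To Honeypot -- END

##### Redirect Fake Chrome USER_AGENT Missing "/[1-9][0-9.]" To Honeypot -- START
RewriteCond %{REQUEST_URI} !^/honeypot\.php/
RewriteCond %{HTTP_USER_AGENT} Chrome [NC]
RewriteCond %{HTTP_USER_AGENT} !Chrome\/[1-9][0-9.] [NC]
RewriteRule ^ /honeypot.php/ [L]
##### Redirect Fake Chrome USER_AGENT Missing "/[1-9][0-9.]" To Honeypot -- END

##### Redirect Fake Firefox USER_AGENT Missing "/[1-9][0-9.]" To Honeypot -- START
RewriteCond %{REQUEST_URI} !^/honeypot\.php/
RewriteCond %{HTTP_USER_AGENT} Firefox [NC]
RewriteCond %{HTTP_USER_AGENT} !Firefox\/[1-9][0-9.] [NC]
RewriteRule ^ /honeypot.php/ [L]
##### Redirect Fake Firefox USER_AGENT Missing "/[1-9][0-9.]" To Honeypot -- END

##### Redirect Fake Internet Explorer USER_AGENT To Honeypot -- START
###MSIE Has a Different Format Than Other Browsers Eg. "MSIE VERSION"
RewriteCond %{REQUEST_URI} !^/honeypot\.php/
RewriteCond %{HTTP_USER_AGENT} MSIE [NC]
RewriteCond %{HTTP_USER_AGENT} !MSIE\s[1-9][0-9.] [NC]
RewriteRule ^ /honeypot.php/ [L]
##### Redirect Fake Internet Explorer USER_AGENT To Honeypot -- END

##### Redirect Really Old and Therefore Probably Fake or Compromised Windows NT Versions In The USER_AGENT String To The Honeypot -- START
# The dot after the major version is required. With the former optional dot,
# "Windows NT 1" also matched "Windows NT 10.0", i.e. current Windows clients.
RewriteCond %{REQUEST_URI} !^/honeypot\.php/
RewriteCond %{HTTP_USER_AGENT} Windows\sNT\s[0-4]\. [NC]
RewriteRule ^ /honeypot.php/ [L]
##### Redirect Really Old and Therefore Probably Fake or Compromised Windows NT Versions In The USER_AGENT String To The Honeypot -- END

##### Redirect Non-Existent and Therefore Probably Fake Windows Versions In USER_AGENT String To The Honeypot -- START
# Minor-version classes now require exactly one digit from the listed range.
# The former "5\\.[3-9]*" and "6\\.[4-9]*" allowed zero digits and therefore
# matched every "Windows NT 5." and "Windows NT 6." string, including 5.1,
# 6.1 and 6.3. The rewrite target is the same absolute path as in the other
# rules, and the honeypot exemption matches theirs.
RewriteCond %{REQUEST_URI} !^/honeypot\.php/
RewriteCond %{HTTP_USER_AGENT} Windows\sNT [NC]
RewriteCond %{HTTP_USER_AGENT} Windows\sNT\s5\.[3-9] [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Windows\sNT\s6\.[4-9] [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Windows\sNT\s[7-9]\. [NC]
RewriteRule ^ /honeypot.php/ [L]
##### Redirect Non-Existent and Therefore Probably Fake Windows Versions In USER_AGENT String To The Honeypot -- END

##### Redirect Malformed Windows NT Version (Missing "[1-9][0-9.]") In USER_AGENT String To The Honeypot -- START
# Catches a "Windows NT" token that is not followed by a digit 1-9 and then
# a digit or dot. "Windows NT 10.0" passes this check.
RewriteCond %{REQUEST_URI} !^/honeypot\.php/
RewriteCond %{HTTP_USER_AGENT} Windows\sNT [NC]
RewriteCond %{HTTP_USER_AGENT} !Windows\sNT\s[1-9][0-9.] [NC]
RewriteRule ^ /honeypot.php/ [L]
##### Redirect Malformed Windows NT Version (Missing "[1-9][0-9.]") In USER_AGENT String To The Honeypot -- END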