Validate & Block Invalid Operating System Versions Using Apache .htaccess


This is the fifth post in a blog series describing how to build a Web Application Firewall (WAF) using the Apache .htaccess file and Project Honey Pot to help reduce spam traffic hitting your website. 

The Blue Plate WAF is for small websites on basic hosting plans that lack access to more sophisticated web security tools.  These basic plans are often used to host content management systems such as WordPress, Joomla, or Drupal which are ideal for small organizational websites.

Web browsers such as Chrome, Firefox, Internet Explorer, and Safari identify the operating system they are running on by including its version in the User-Agent request header, which the Apache HTTP Server exposes to mod_rewrite as the HTTP_USER_AGENT variable.  By examining HTTP_USER_AGENT, we can determine whether a valid operating system version was submitted.

PCCS Labs has observed that spam bots often identify themselves with invalid or very out-of-date operating system versions, even though this information is easy to spoof correctly. Validating the operating system version passed in HTTP_USER_AGENT helps to filter out spam and spam bot traffic.


Getting Started with Operating System Version Validation Using .htaccess

We start from the .htaccess file created in the previous post.  The new rules use the framework introduced in the earlier posts to send suspicious traffic to our honeypot webpage using the Project Honey Pot system.


Legacy Operating System Versions

The code below uses the RewriteCond command to scan the HTTP_USER_AGENT variable for operating system versions that are very out of date.  These versions are so out of date that an actual person would not be browsing with them.  If a real human were actually using this operating system version, you would not want them visiting your website because these OS versions have significant security vulnerabilities.

Wikipedia maintains a history of Windows versions which can be used to determine which operating system version to block based on the version age or improper version string. The code below scans for legacy Windows NT release version numbers NT 1.0 through NT 4.0 and sends traffic identifying as those versions to the honeypot:

##### Redirect Really Old and Therefore Probably Fake or Compromised Windows NT Versions In The USER_AGENT String To The Honeypot -- START
# Do not rewrite requests that are already headed for the honeypot (avoids a rewrite loop)
RewriteCond %{REQUEST_URI} !honeypot.php/
# "Windows NT 1.x" through "Windows NT 4.x"; the \b word boundary stops "NT 1" from also matching "NT 10.0"
RewriteCond %{HTTP_USER_AGENT} Windows\sNT\s[0-4]\b [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### Redirect Really Old and Therefore Probably Fake or Compromised Windows NT Versions In The USER_AGENT String To The Honeypot -- END

Invalid Operating System Versions

The code below scans for non-existent Windows release version numbers and sends traffic identifying as those versions to the honeypot:

##### Redirect Non-Existent and Therefore Probably Fake Windows Versions In USER_AGENT String To The Honeypot -- START
RewriteCond %{REQUEST_URI} !honeypot.php/
# The guard below is ANDed with the [OR] group that follows it
RewriteCond %{HTTP_USER_AGENT} Windows\sNT [NC]
# Minor versions 5.3-5.9 and 6.4-6.9 never shipped; without the trailing "*" the
# patterns no longer match the real 5.0-5.2 and 6.0-6.3 releases by accident
RewriteCond %{HTTP_USER_AGENT} Windows\sNT\s5\.[3-9] [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Windows\sNT\s6\.[4-9] [NC,OR]
# Major versions 7, 8 and 9 never shipped (\b keeps the digit from matching a longer number)
RewriteCond %{HTTP_USER_AGENT} Windows\sNT\s7\b [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Windows\sNT\s8\b [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Windows\sNT\s9\b [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### Redirect Non-Existent and Therefore Probably Fake Windows Versions In USER_AGENT String To The Honeypot -- END

The code below scans for non-existent Windows release version numbers of two or more digits and sends traffic identifying as those versions to the honeypot:

##### Redirect Non-Existent and Therefore Probably Fake Windows Versions In USER_AGENT String To The Honeypot -- START
RewriteCond %{REQUEST_URI} !honeypot.php/
# A major version of two or more digits ...
RewriteCond %{HTTP_USER_AGENT} Windows\sNT\s[1-9][0-9]+ [NC]
# ... except NT 10 (Windows 10), the only real two-digit version; \b stops "10" from matching "100"
RewriteCond %{HTTP_USER_AGENT} !Windows\sNT\s10\b [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### Redirect Non-Existent and Therefore Probably Fake Windows Versions In USER_AGENT String To The Honeypot -- END
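Before editing a live .htaccess file it is worth dry-running the checks against known user agent strings. The Python harness below is an added example, not part of the original post: it mirrors the intended rule sets (NT 1.x-4.x, NT 5.3-5.9, NT 6.4-6.9, NT 7/8/9, and any two-or-more-digit major version other than NT 10) with the same PCRE-compatible patterns and mod_rewrite's AND/[OR] chaining, and runs them over constructed sample user agents.

```python
import re

# Added test harness (not from the original post): the patterns mirror the
# intended .htaccess checks, and Apache also uses PCRE, so they behave the
# same in Python's re module. IGNORECASE stands in for the [NC] flag.
NC = re.IGNORECASE
LEGACY = re.compile(r"Windows\sNT\s[0-4]\b", NC)        # NT 1.x - 4.x (\b: "NT 1" must not hit "NT 10.0")
HAS_NT = re.compile(r"Windows\sNT", NC)                 # AND guard shared by the [OR] group
BOGUS_SINGLE_DIGIT = [                                  # ORed together, as mod_rewrite's [OR] does
    re.compile(r"Windows\sNT\s5\.[3-9]", NC),           # NT 5.3 - 5.9 never shipped
    re.compile(r"Windows\sNT\s6\.[4-9]", NC),           # NT 6.4 - 6.9 never shipped
    re.compile(r"Windows\sNT\s[7-9]\b", NC),            # NT 7, 8, 9 never shipped
]
MULTI_DIGIT = re.compile(r"Windows\sNT\s[1-9][0-9]+", NC)  # two or more digits ...
NT_10 = re.compile(r"Windows\sNT\s10\b", NC)               # ... except NT 10 (Windows 10)

def to_honeypot(user_agent: str, request_uri: str = "/") -> bool:
    """True when the rules would rewrite this request to /honeypot.php/."""
    if "honeypot.php" in request_uri:   # RewriteCond %{REQUEST_URI} !honeypot.php/ (no loop)
        return False
    if LEGACY.search(user_agent):
        return True
    if HAS_NT.search(user_agent) and any(p.search(user_agent) for p in BOGUS_SINGLE_DIGIT):
        return True
    if MULTI_DIGIT.search(user_agent) and not NT_10.search(user_agent):
        return True
    return False

# Constructed sample user agents and the verdict each should get.
SAMPLE_AGENTS = {
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/40.0": False,
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/44.0": False,
    "Mozilla/5.0 (Windows NT 5.1; rv:38.0) Gecko/20100101 Firefox/38.0": False,
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) Safari/600.8.9": False,
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0)": True,       # legacy NT 4.0
    "Mozilla/5.0 (Windows NT 5.7; WOW64) Chrome/40.0": True,          # NT 5.7 never existed
    "Mozilla/5.0 (Windows NT 7.0; Win64) Firefox/30.0": True,         # NT 7 never existed
    "Mozilla/5.0 (Windows NT 12.0; Win64) Chrome/30.0": True,         # bogus two-digit version
}

def classify(agents=SAMPLE_AGENTS):
    """Map each user agent string to whether it would be sent to the honeypot."""
    return {ua: to_honeypot(ua) for ua in agents}

if __name__ == "__main__":
    for ua, verdict in classify().items():
        print(f"{'HONEYPOT' if verdict else 'allow   '}  {ua}")
```

Add your own site's real visitor user agents to SAMPLE_AGENTS with the verdict you expect; any mismatch points at a pattern that needs tightening before it goes live.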

The working file is available for download here.  We welcome questions, comments, and thoughts on these techniques; reach out to the PCCS Labs Team by email.

About Private Client Cyber Security

Former U.S. defense industry cybersecurity executives founded PCCS after struggling to convince large cybersecurity companies to address the cyber risks of public persons and small businesses.

PCCS provides enterprise-grade cybersecurity consulting and services to professional practices, executives, athletes, and high net worth families.

We strive to provide a personal, professional and a next-generation technology level of cyber protection to our clients. 

© 2015 Private Client Cyber Security. All Rights Reserved.