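### =================== Blue-plate Special Firewall =================== ###
### !!!!!! Always Backup Your Previous Unmodified .htaccess File !!!!!! ###
### !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ###
### =================== Blue-plate Special Firewall =================== ###
#
# Scope and limits of this rule set:
#  - Only the User-Agent header and the query string are inspected. Request
#    bodies (POST data), cookies and other headers are not checked here.
#  - Matching is by keyword/substring, so it is a coarse filter. It does not
#    replace parameterized queries and input validation in the application.
#  - "Redirect" below means an internal rewrite to /honeypot.php/ (no [R] flag),
#    so the client is not sent a 3xx response. The original query string is
#    passed through to honeypot.php unchanged.
#  - These directives need the matching AllowOverride classes in the server
#    config (FileInfo for mod_rewrite, Options for "Options", Indexes for
#    "IndexIgnore"); otherwise Apache answers with a 500 error.

##### RewriteEngine enabled - BEGIN
RewriteEngine On
##### RewriteEngine enabled - END

##### RewriteBase set - BEGIN
RewriteBase /
##### RewriteBase set - END

##### Block directory browsing -- BEGIN
IndexIgnore *
Options -Indexes
##### Block directory browsing -- END

##### Redirect Linux Programs/Commands Used By Hackers and Spammers To Honeypot -- START
# The first condition excludes the honeypot itself; without it the rewritten
# request would match again when the rules are re-run and loop.
# Patterns are plain substrings: "Wget*" in a regex means "Wge" followed by any
# number of "t", which matched more than intended.
# The User-Agent header is chosen by the client, so this only catches tools
# that announce themselves.
RewriteCond %{REQUEST_URI} !honeypot\.php/
RewriteCond %{HTTP_USER_AGENT} wget [NC,OR]
RewriteCond %{HTTP_USER_AGENT} curl [NC,OR]
RewriteCond %{HTTP_USER_AGENT} apache [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### Redirect Linux Programs/Commands Used By Hackers and Spammers To Honeypot -- END

##### Redirect If QUERY_STRING Has SQL Injection To Honeypot -- START
# QUERY_STRING contains everything in the URL after the "?"
#   ex.) mydomain.com/test.php?test=test
# Excluded the commands like version, update, insert, and set because they are
# common words and have caused false positives.
# The remaining keywords are matched as case-insensitive substrings, so ordinary
# values can still trigger them (e.g. "select" in "selected", "char" in
# "charset", "load" in "download", "drop" in "dropdown"). Check the list against
# the site's real query strings before deploying.
RewriteCond %{QUERY_STRING} !^$
RewriteCond %{REQUEST_URI} !honeypot\.php/
RewriteCond %{QUERY_STRING} union [NC,OR]
RewriteCond %{QUERY_STRING} select [NC,OR]
RewriteCond %{QUERY_STRING} cast [NC,OR]
RewriteCond %{QUERY_STRING} declare [NC,OR]
RewriteCond %{QUERY_STRING} drop [NC,OR]
RewriteCond %{QUERY_STRING} md5 [NC,OR]
RewriteCond %{QUERY_STRING} benchmark [NC,OR]
RewriteCond %{QUERY_STRING} table [NC,OR]
RewriteCond %{QUERY_STRING} column [NC,OR]
RewriteCond %{QUERY_STRING} distinct [NC,OR]
RewriteCond %{QUERY_STRING} substr [NC,OR]
RewriteCond %{QUERY_STRING} concat [NC,OR]
RewriteCond %{QUERY_STRING} schema [NC,OR]
RewriteCond %{QUERY_STRING} hex [NC,OR]
RewriteCond %{QUERY_STRING} truncate [NC,OR]
RewriteCond %{QUERY_STRING} convert [NC,OR]
RewriteCond %{QUERY_STRING} exec [NC,OR]
RewriteCond %{QUERY_STRING} passthru [NC,OR]
RewriteCond %{QUERY_STRING} system [NC,OR]
RewriteCond %{QUERY_STRING} popen [NC,OR]
RewriteCond %{QUERY_STRING} proc [NC,OR]
RewriteCond %{QUERY_STRING} load [NC,OR]
RewriteCond %{QUERY_STRING} between [NC,OR]
RewriteCond %{QUERY_STRING} null [NC,OR]
RewriteCond %{QUERY_STRING} delay [NC,OR]
RewriteCond %{QUERY_STRING} char [NC,OR]
RewriteCond %{QUERY_STRING} sleep [NC,OR]
RewriteCond %{QUERY_STRING} unhex [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### Redirect If QUERY_STRING Has SQL Injection To Honeypot -- END

##### Redirect If QUERY_STRING Has Encoded Injection Characters To Honeypot -- START
# QUERY_STRING contains everything in the URL after the "?"
#   ex.) mydomain.com/test.php?test=test
# Excluded "%20", "%2F", "%26", "%3A", "%3D" due to use in site URL variables.
# The patterns match the percent-encoded text as the client sent it; [NC] is set
# where the hex digits include letters so that %0a and %0A both match.
# Several of these encode characters that appear in ordinary values (%25 "%",
# %40 "@", %2B "+", %2C ",", %2D "-", %5F "_"), so forms carrying e-mail
# addresses or free text in the query string will be sent to the honeypot.
RewriteCond %{QUERY_STRING} !^$
RewriteCond %{REQUEST_URI} !honeypot\.php/
RewriteCond %{QUERY_STRING} %00 [OR]
RewriteCond %{QUERY_STRING} %0A [NC,OR]
RewriteCond %{QUERY_STRING} %0D [NC,OR]
RewriteCond %{QUERY_STRING} %21 [OR]
RewriteCond %{QUERY_STRING} %22 [OR]
RewriteCond %{QUERY_STRING} %23 [OR]
RewriteCond %{QUERY_STRING} %24 [OR]
RewriteCond %{QUERY_STRING} %25 [OR]
RewriteCond %{QUERY_STRING} %27 [OR]
RewriteCond %{QUERY_STRING} %28 [OR]
RewriteCond %{QUERY_STRING} %29 [OR]
RewriteCond %{QUERY_STRING} %40 [OR]
RewriteCond %{QUERY_STRING} %60 [OR]
RewriteCond %{QUERY_STRING} %2A [NC,OR]
RewriteCond %{QUERY_STRING} %2B [NC,OR]
RewriteCond %{QUERY_STRING} %2C [NC,OR]
RewriteCond %{QUERY_STRING} %2D [NC,OR]
RewriteCond %{QUERY_STRING} %3B [NC,OR]
RewriteCond %{QUERY_STRING} %3C [NC,OR]
RewriteCond %{QUERY_STRING} %3E [NC,OR]
RewriteCond %{QUERY_STRING} %5B [NC,OR]
RewriteCond %{QUERY_STRING} %5C [NC,OR]
RewriteCond %{QUERY_STRING} %5D [NC,OR]
RewriteCond %{QUERY_STRING} %5E [NC,OR]
RewriteCond %{QUERY_STRING} %5F [NC,OR]
RewriteCond %{QUERY_STRING} %7B [NC,OR]
RewriteCond %{QUERY_STRING} %7C [NC,OR]
RewriteCond %{QUERY_STRING} %7D [NC,OR]
RewriteCond %{QUERY_STRING} %7E [NC,OR]
# Literal ">", "<" and ";" are written as one character class. A CondPattern
# that begins with ">" or "<" is parsed by mod_rewrite as a lexicographic
# comparison, not a regex, so a bare ">" compared the query string against the
# empty string and matched every non-empty query string.
RewriteCond %{QUERY_STRING} [<>;]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### Redirect If QUERY_STRING Has Encoded Injection Characters To Honeypot -- END

##### Redirect If QUERY_STRING Has Common Programmatic Commands Potentially Injected To Honeypot -- START
# NOTE(review): the original heading for this section named HTTP_USER_AGENT, but
# every condition below tests QUERY_STRING; the User-Agent header is not
# inspected for these keywords.
RewriteCond %{QUERY_STRING} !^$
RewriteCond %{REQUEST_URI} !honeypot\.php/
RewriteCond %{QUERY_STRING} sanitize [NC,OR]
RewriteCond %{QUERY_STRING} eval [NC,OR]
RewriteCond %{QUERY_STRING} base64 [NC,OR]
RewriteCond %{QUERY_STRING} echo [NC,OR]
RewriteCond %{QUERY_STRING} @set [NC,OR]
RewriteCond %{QUERY_STRING} @ini [NC,OR]
RewriteCond %{QUERY_STRING} dirname [NC,OR]
RewriteCond %{QUERY_STRING} decode [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### Redirect If QUERY_STRING Has Common Programmatic Commands Potentially Injected To Honeypot -- END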