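## Obviously this would all be part of a defense-in-depth strategy, and I don't know which of these you already use.
## Near the top of .htaccess, set X-Powered-By to any dummy value you want; I know it's security by obscurity but every little bit helps.
## The X-Powered-By header is normally emitted by PHP (expose_php); switching that off in php.ini removes it
## at the source, and "Header unset X-Powered-By" is the alternative if you prefer no header to a decoy.
## "Header" belongs to mod_headers, so it is guarded: an unguarded Header line on a server without the
## module makes Apache reject the whole .htaccess (HTTP 500 for every request).
## ServerSignature only affects server-generated pages (error pages, listings); the Server header itself
## is controlled by ServerTokens, which can only be set in the main server configuration.
<IfModule mod_headers.c>
    Header set X-Powered-By "Ingenuity"
</IfModule>
ServerSignature Off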
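## This beats putting a dummy index.html file in every single directory.
## IndexIgnore is a mod_autoindex directive, so it must sit inside the IfModule guard as well;
## left outside it, a server without mod_autoindex rejects the whole .htaccess (HTTP 500).
## "Options" is a core directive and needs "AllowOverride Options" to be honoured from .htaccess;
## keeping it inside the guard is harmless, because without mod_autoindex no listing can be produced.
<IfModule mod_autoindex.c>
    Options -Indexes
    IndexIgnore *
</IfModule>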
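## You can also set Content-Security-Policy to a list of particular domains you use scripts from, but in my experience it caused crashes.
## (Content-Security-Policy-Report-Only lets you trial a policy without blocking anything; CSP "frame-ancestors"
## is also the modern replacement for X-Frame-Options, which is kept here because it still works everywhere.)
## "always" makes mod_headers add these to error responses too, not only to successful ones. If your
## application already sets one of these headers itself, drop "always" for that line to avoid duplicates.
## X-XSS-Protection is set to "0": the browser XSS auditor it switched on has been removed from current
## browsers and was itself a source of information leaks, so explicitly disabling it is the current
## recommendation; "1; mode=block" is no longer advised.
<IfModule mod_headers.c>
    Header always set X-Frame-Options DENY
    Header always set X-XSS-Protection "0"
    Header always set X-Content-Type-Options "nosniff"
</IfModule>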
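## Only allow GET and POST to your site (HEAD is handled together with GET by Apache).
## <Limit> restricts only the methods it names, so the original pair of blocks left every other
## method (OPTIONS, PATCH, PROPFIND, unknown verbs, ...) unrestricted, and its first block
## ("deny from all" followed by "allow from all" under Order deny,allow) allowed everything anyway.
## <LimitExcept> inverts the logic: everything not listed is denied. Note that OPTIONS is now denied
## too, which breaks CORS preflight if this site serves cross-origin requests; add it to the list if so.
## TRACE cannot be controlled by <Limit>/<LimitExcept>; use "TraceEnable off" in the server config.
## Apache 2.4 uses "Require"; Order/Deny only work there when mod_access_compat is loaded, so both
## forms are provided. (.htaccess needs AllowOverride Limit and/or AuthConfig for these to apply.)
<LimitExcept GET POST>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</LimitExcept>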
## About halfway through .htaccess, a bevy of blocking rules; HTTP 100 should not be used as a redirect status.
## REDIRECT_STATUS is set by Apache on requests that result from an internal redirect (ErrorDocument
## included). The condition is an unanchored substring match ("100" anywhere in the value). When it
## matches, "-" leaves the URL untouched and [L] ends rule processing for this pass, so none of the
## blocking rules that follow are applied to such requests.
## RewriteCond lines apply only to the RewriteRule directly after them, which is why the
## robots.txt/favicon.ico/sitemap.xml exclusion is repeated in front of every rule in this file.
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/(robots\.txt|favicon\.ico|sitemap\.xml)$
RewriteCond %{ENV:REDIRECT_STATUS} 100
RewriteRule ^ - [L]
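## Here's a huge list of malicious and potentially malicious Web crawler user-agents; add as necessary.
## Treat this as nuisance filtering, not access control: the User-Agent is whatever the client chooses
## to send. Watch the "starts with" group for collateral damage from short prefixes; "da" on its own
## matched Android's "Dalvik/..." user agent (every app using the platform HTTP client), hence the
## word boundary added below. Other short prefixes worth checking against your logs: joc, memo, papa,
## pump, rma, vci. curl, wget, lwp, libwww-perl, python-urllib, pycurl and httplib also block your own
## uptime monitors and API clients unless they send a custom agent string.
## [F] implies [L], so the final rule ends processing for matched requests.
RewriteBase /
RewriteCond %{REQUEST_URI} !^/(robots\.txt|favicon\.ico|sitemap\.xml)$
# IF THE UA STARTS WITH THESE
RewriteCond %{HTTP_USER_AGENT} ^(aesop_com_spiderman|alexibot|backweb|bandit|batchftp|bigfoot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(black.?hole|blackwidow|blowfish|botalot|buddy|builtbottough|bullseye) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(cheesebot|cherrypicker|chinaclaw|collector|copier|copyrightcheck) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(cosmos|crescent|curl|custo|da\b|diibot|disco|dittospyder|dragonfly) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(drip|easydl|ebingbong|ecatch|eirgrabber|emailcollector|emailsiphon) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(emailwolf|erocrawler|exabot|eyenetie|filehound|flashget|flunky) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(frontpage|getright|getweb|go.?zilla|go-ahead-got-it|gotit|grabnet) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(grafula|harvest|hloader|hmview|httplib|httrack|humanlinks|ilsebot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(infonavirobot|infotekies|intelliseek|interget|iria|jennybot|jetcar) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(joc|justview|jyxobot|kenjin|keyword|larbin|leechftp|lexibot|lftp|libweb) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(likse|linkscan|linkwalker|lnspiderguy|lwp|magnet|mag-net|markwatch) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(mata.?hari|memo|microsoft.?url|midown.?tool|miixpc|mirror|missigua) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(mister.?pix|moget|mozilla.?newt|nameprotect|navroad|backdoorbot|nearsite) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(net.?vampire|netants|netcraft|netmechanic|netspider|nextgensearchbot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(attach|nicerspro|nimblecrawler|npbot|octopus|offline.?explorer) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(offline.?navigator|openfind|outfoxbot|pagegrabber|papa|pavuk) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(pcbrowser|php.?version.?tracker|pockey|propowerbot|prowebwalker) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(psbot|pump|queryn|recorder|realdownload|reaper|reget|true_robot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(repomonkey|rma|internetseer|sitesnagger|siphon|slysearch|smartdownload) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(snake|snapbot|snoopy|sogou|spacebison|spankbot|spanner|sqworm|superbot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(superhttp|surfbot|asterias|suzuran|szukacz|takeout|teleport) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(telesoft|the.?intraformant|thenomad|tighttwatbot|titan|urldispatcher) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(turingos|turnitinbot|urly.?warning|vacuum|vci|voideye|whacker) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(libwww-perl|widow|wisenutbot|wwwoffle|xaldon|xenu|zeus|zyborg|anonymouse) [NC,OR]
# STARTS WITH WEB
RewriteCond %{HTTP_USER_AGENT} ^web(zip|emaile|enhancer|fetch|go.?is|auto|bandit|clip|copier|master|reaper|sauger|site.?quester|whack) [NC,OR]
# OTHERS
RewriteCond %{HTTP_USER_AGENT} ^(atraxbot|azureus|geohasher|pycurl|python-urllib|research-scan-bot|sosospider|wget) [NC,OR]
# ANYWHERE IN UA -- GREEDY REGEX (substring match: "download" also hits e.g. "Download Manager" style agents)
RewriteCond %{HTTP_USER_AGENT} ^.*(casper|craftbot|download|extract|goblox|stripper|sucker|sun4u|ninja|clshttp|webspider|leacher|collector|grabber|webpictures|twiceler).*$ [NC]
RewriteRule ^(.*)$ - [F]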
## Block requests for which both user-agent and referrer are empty, because they're usually shady.
## The two header conditions are AND-ed (no [OR]), so a normal visit typed into the address bar
## (empty referrer, but a user agent) is unaffected. [NC] is meaningless on an empty-string match
## and has been dropped; the rule itself is unchanged.
RewriteCond %{REQUEST_URI} !^/(robots\.txt|favicon\.ico|sitemap\.xml)$
RewriteCond %{HTTP_REFERER} ^$
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule ^ - [F,L]
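## Now here's a big list of suspicious requests to be blocked, based on filename or method;
## tweak as necessary, because what I started out with caused parts of the CMS to break.
## Structure: the first condition (no [OR]) is AND-ed with the whole [OR] chain that follows it.
## Tuning notes:
##  - HEAD is no longer blocked. It is a legitimate, spec-required method (caches, link checkers,
##    monitoring) and blocking it here contradicted the GET/POST method restriction above.
##  - TRACE/TRACK are best disabled with "TraceEnable off" in the server config; this is a fallback.
##  - The protocol check now accepts HTTP/2, which appears as "HTTP/2.0" in THE_REQUEST; the original
##    list returned 403 for every request on an h2-enabled server.
##  - %{QUERY_STRING} is NOT URL-decoded by mod_rewrite, so raw and %-encoded forms must both be
##    listed, as is done here. POST bodies are not inspected at all.
##  - The SQL keyword check uses word boundaries so values such as "broadcast", "selection" or
##    "dropdown" are no longer blocked; the underscore-prefixed tokens keep their original form.
##  - The referrer/cookie/query character checks still reject legitimate values containing
##    apostrophes, quotes, semicolons or parentheses; relax them if your CMS needs those.
##  - In the referrer-spam checks "(-|.)" contains an unescaped dot that matches any character, so
##    "adult", "poker" and "drugs" are blocked wherever they occur in the referring URL.
##  - "\\r"/"\\n" in the THE_REQUEST check match a literal backslash followed by r/n, not a real
##    CR/LF (which cannot occur in THE_REQUEST); only the %0A/%0D alternatives do useful work.
RewriteCond %{REQUEST_URI} !^/(robots\.txt|favicon\.ico|sitemap\.xml)$
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(htpasswd|htaccess|aahtpasswd).*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ .+\ HTTP/(0\.9|1\.0|1\.1|2(\.0)?) [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?.*(-|.)?adult(-|.).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?.*(-|.)?poker(-|.).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?.*(-|.)?drugs(-|.).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^(.*)(<|>|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\b(md5|benchmark|union|select|cast|declare|drop)\b|_insert|_set_|_update).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1|::1).* [NC]
RewriteRule ^(.*)$ - [F,L]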
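## Block GET requests whose query string carries remote-inclusion or traversal style values.
## [NC] has been added to the two "=http" checks so that "HTTP://" and lower-case percent-encoding
## (%3a%2f%2f) are caught like the other conditions; the plain-text form only covers http://, not
## https://, so extend it deliberately if you want that. Be aware that "=http://" blocks ANY parameter
## whose value is a URL (redirect targets, share links, OAuth redirect_uri), which may be legitimate
## for your CMS. The last pattern only matches path values built from single-character segments
## ("/a/b/"); that looks like a transcription error and is kept as-is -- confirm the intended pattern.
## The method check is unanchored and simply selects GET requests; bodies are never inspected.
RewriteCond %{REQUEST_URI} !^/(robots\.txt|favicon\.ico|sitemap\.xml)$
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} proc\/self\/environ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule ^(.*)$ - [F]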
## Reject requests that announce a .php filename in Content-Disposition while claiming an image
## Content-Type. Both values come from the request headers (%{HTTP:...}); browser form uploads carry
## Content-Disposition inside the multipart body parts rather than as a request header, so this
## presumably only fires for clients that send it at the top level -- confirm it triggers for your CMS.
RewriteCond %{REQUEST_URI} !^/(robots\.txt|favicon\.ico|sitemap\.xml)$
RewriteCond %{HTTP:Content-Disposition} \.php [NC]
RewriteCond %{HTTP:Content-Type} image/.+ [NC]
RewriteRule ^ - [F]
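# Block access to hidden files and directories.
# This includes directories used by version control systems such as Git and SVN.
# Exception: /.well-known/ must stay reachable -- ACME (Let's Encrypt) challenges, security.txt and
# other RFC 8615 well-known URIs live there, and the original rule answered 403 for all of them.
# The exclusion (no [OR]) is AND-ed with the -d/-f pair, so it applies to both branches.
RewriteCond %{REQUEST_URI} !^/\.well-known/
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]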
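## If you want to ban hotlinking, here's how! (Place a suitably nasty image if you like instead of blank.gif,
## making sure to replace the name in the top and bottom of this ruleset, and be sure to fill in the list
## with all domains you allow to hotlink, like domain.example for example; also that last RewriteCond is for
## a scheme in which I made all HTTP errors send you to an image like /404.jpg)
## "php" has been removed from the extension list: with it, every visitor arriving at a .php page from
## a third-party link (forum, social network, mail client) was redirected to blank.gif. css/js/es are
## kept because they were protected deliberately, but they break any legitimate embedding of your
## scripts or styles elsewhere; drop them if that matters. An empty Referer passes, which is right:
## privacy settings and Referrer-Policy commonly strip it. The Referer is client-supplied, so this is
## bandwidth control, not a security boundary. blank.gif is excluded up front to avoid a redirect
## loop; keep that name in sync with the target on the last line.
RewriteCond %{REQUEST_URI} !^/(blank\.gif|robots\.txt|favicon\.ico|sitemap\.xml)$
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://([^.]+\.)?buttcoin\.org/ [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://([^.]+\.)?domain\.example/ [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://([^.]+\.)?(bing|yahoo|ask|google)\.[a-z0-9-]+/ [NC]
RewriteCond %{REQUEST_URI} !^/[4-5][0-2][0-9]\.jpg$
RewriteRule \.(gif|jpe?g|png|tiff?|pdf|bmp|webp|swf|css|js|es)$ /blank.gif [NC,R=302,L]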
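## Put in multiple FilesMatch blocks if you have more diagnostic files you don't want the public to run.
# Block access to backup and source files.
# These files may be left by some text editors and can pose a great security
# danger when anyone has access to them.
# Apache 2.4 uses "Require"; Order/Deny/Satisfy are the 2.2 form and only work on 2.4 when
# mod_access_compat is loaded, so both are provided behind IfModule guards.
# This is a denylist of extensions: extend it for other leftovers you deploy (e.g. .orig, .old,
# .tmp); the stricter approach is to deploy only the files that belong in the web root at all.
<FilesMatch "(^#.*#|\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|sw[op])|~)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        Satisfy All
    </IfModule>
</FilesMatch>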
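## info.php is one of the diagnostic files mentioned above (typically a phpinfo() page, which discloses
## paths, versions and settings). Deleting it from the web root is better than hiding it; this block is
## for the case where it has to stay. Uncomment the address line and fill in a real address to let
## yourself in. 2.4 "Require" and 2.2 Order/Deny forms are both provided behind IfModule guards.
<Files info.php>
    <IfModule mod_authz_core.c>
        Require all denied
        #Require ip <your-ip-address>
    </IfModule>
    <IfModule !mod_authz_core.c>
        order deny,allow
        deny from all
        #allow from <your-ip-address>
    </IfModule>
</Files>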
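## Finally, a swift IP-bannination for evildoers and troublemakers; I think this is an outdated list of some bot IPs
## and a particular malicious domain. Review the list before reusing it.
## IMPORTANT: the original used "order deny,allow" followed by "allow from all". Under Deny,Allow the
## Allow directives are evaluated last and any client matching an Allow directive is admitted, so
## "allow from all" re-admitted every banned address: the original list banned nobody. The ban idiom
## is "order allow,deny": everyone is allowed, then the listed addresses are denied. "allow from all"
## is still required with allow,deny (the default there is deny), or nobody can visit the site.
## On Apache 2.4 the same policy is expressed with Require inside <RequireAll>; the 2.2 form is kept
## behind an IfModule guard for servers without mod_authz_core.
## Hostname entries (cuill.com) force a double reverse-DNS lookup on every request and depend on the
## client's DNS, which is not a reliable identifier; prefer address entries where possible.
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        Require not ip 76.73.0.0/17
        Require not ip 211.154.211.209
        Require not ip 66.94.35.20
        Require not ip 38.99.13.121
        Require not ip 38.99.13.122
        Require not ip 38.99.13.123
        Require not ip 38.99.13.124
        Require not ip 38.99.13.125
        Require not ip 38.99.13.126
        Require not ip 38.99.44.101
        Require not ip 38.99.44.102
        Require not ip 38.99.44.103
        Require not ip 38.99.44.104
        Require not ip 38.99.44.105
        Require not ip 38.99.44.106
        Require not ip 64.1.215.162
        Require not ip 64.1.215.163
        Require not ip 64.1.215.164
        Require not ip 64.1.215.165
        Require not ip 64.1.215.166
        Require not ip 67.218.116.130
        Require not ip 67.218.116.131
        Require not ip 67.218.116.132
        Require not ip 67.218.116.133
        Require not ip 67.218.116.134
        Require not ip 67.218.116.162
        Require not ip 67.218.116.164
        Require not ip 67.218.116.165
        Require not ip 67.218.116.166
        Require not ip 67.222.30.85
        Require not ip 208.36.144.6
        Require not ip 208.36.144.7
        Require not ip 208.36.144.8
        Require not ip 208.36.144.9
        Require not ip 208.36.144.10
        Require not ip 216.82.71.253
        Require not ip 216.129.119.10
        Require not ip 216.129.119.11
        Require not ip 216.129.119.12
        Require not ip 216.129.119.13
        Require not ip 216.129.119.40
        Require not ip 216.129.119.41
        Require not ip 216.129.119.42
        Require not ip 216.129.119.43
        Require not ip 216.129.119.44
        Require not host cuill.com
    </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
    order allow,deny
    allow from all
    deny from 76.73.0.0/17
    deny from 211.154.211.209
    deny from 66.94.35.20
    deny from 38.99.13.121
    deny from 38.99.13.122
    deny from 38.99.13.123
    deny from 38.99.13.124
    deny from 38.99.13.125
    deny from 38.99.13.126
    deny from 38.99.44.101
    deny from 38.99.44.102
    deny from 38.99.44.103
    deny from 38.99.44.104
    deny from 38.99.44.105
    deny from 38.99.44.106
    deny from 64.1.215.162
    deny from 64.1.215.163
    deny from 64.1.215.164
    deny from 64.1.215.165
    deny from 64.1.215.166
    deny from 67.218.116.130
    deny from 67.218.116.131
    deny from 67.218.116.132
    deny from 67.218.116.133
    deny from 67.218.116.134
    deny from 67.218.116.162
    deny from 67.218.116.164
    deny from 67.218.116.165
    deny from 67.218.116.166
    deny from 67.222.30.85
    deny from 208.36.144.6
    deny from 208.36.144.7
    deny from 208.36.144.8
    deny from 208.36.144.9
    deny from 208.36.144.10
    deny from 216.82.71.253
    deny from 216.129.119.10
    deny from 216.129.119.11
    deny from 216.129.119.12
    deny from 216.129.119.13
    deny from 216.129.119.40
    deny from 216.129.119.41
    deny from 216.129.119.42
    deny from 216.129.119.43
    deny from 216.129.119.44
    deny from cuill.com
</IfModule>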