lewisje

some helpful .htaccess rules for securing buttcoin.org

May 23rd, 2014
  1. ## Obviously this would all be part of a defense-in-depth strategy, and I don't know which of these you already use.
  2.  
  3. ## Near the top of .htaccess, set X-Powered-By to any dummy value you want; I know it's security by obscurity but every little bit helps.
  4. Header set X-Powered-By "Ingenuity"
  5. ServerSignature Off
  6.  
  7. ## This beats putting a dummy index.html file in every single directory.
  8. <IfModule mod_autoindex.c>
  9. Options -Indexes
  10. </IfModule>
  11. IndexIgnore *
  12.  
  13. ## You can also set Content-Security Policy to a list of particular domains you use scripts from, but in my experience it caused crashes.
  14. Header set X-Frame-Options DENY
  15. Header set X-XSS-Protection "1; mode=block"
  16. Header set X-Content-Type-Options "nosniff"
  17.  
  18. ## Only allow GET and POST to your site.
  19. <Limit GET POST>
  20. order deny,allow
  21. deny from all
  22. allow from all
  23. </Limit>
  24. <Limit PUT DELETE>
  25. order deny,allow
  26. deny from all
  27. </Limit>
  28.  
## About halfway through .htaccess, a bevy of blocking rules; HTTP 100 should not be used as a redirect status.
# NOTE(review): REDIRECT_STATUS is set on an internal redirect to the status of the original request (typically 200);
# 100 is not a value I would expect Apache to put there, so this [L] short-circuit probably never fires. The common
# loop-guard form tests for 200 -- confirm which was meant before relying on it.
# The REQUEST_URI condition keeps robots.txt / favicon.ico / sitemap.xml out of the short-circuit.
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/(robots\.txt|favicon\.ico|sitemap\.xml)$
RewriteCond %{ENV:REDIRECT_STATUS} 100
RewriteRule .* - [L]

## Here's a huge list of malicious and potentially malicious Web crawler user-agents; add as necessary.
# How the chain reads: the REQUEST_URI condition is ANDed with the whole [OR] group that follows it, so
# robots.txt / favicon.ico / sitemap.xml are always served and any single UA match blocks everything else.
# The User-Agent header is chosen by the client, so treat this as noise reduction, not an access control.
RewriteBase /
# RewriteBase only affects relative substitutions; every rule in this file substitutes "-" or an absolute path,
# so it is harmless here.
RewriteCond %{REQUEST_URI} !^/(robots\.txt|favicon\.ico|sitemap\.xml)$
# IF THE UA STARTS WITH THESE
# Each alternative is anchored at the start only, with no terminator, so the short ones match any UA that merely
# BEGINS with those letters: "da" also catches "Dalvik/..." (stock Android HTTP clients), and "memo", "papa",
# "pump", "rma", "vci", "joc" behave the same way -- confirm that is intended.
# curl, wget, lwp, libwww-perl, httplib, python-urllib and pycurl also cover legitimate scripts and uptime checks.
RewriteCond %{HTTP_USER_AGENT} ^(aesop_com_spiderman|alexibot|backweb|bandit|batchftp|bigfoot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(black.?hole|blackwidow|blowfish|botalot|buddy|builtbottough|bullseye) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(cheesebot|cherrypicker|chinaclaw|collector|copier|copyrightcheck) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(cosmos|crescent|curl|custo|da|diibot|disco|dittospyder|dragonfly) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(drip|easydl|ebingbong|ecatch|eirgrabber|emailcollector|emailsiphon) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(emailwolf|erocrawler|exabot|eyenetie|filehound|flashget|flunky) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(frontpage|getright|getweb|go.?zilla|go-ahead-got-it|gotit|grabnet) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(grafula|harvest|hloader|hmview|httplib|httrack|humanlinks|ilsebot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(infonavirobot|infotekies|intelliseek|interget|iria|jennybot|jetcar) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(joc|justview|jyxobot|kenjin|keyword|larbin|leechftp|lexibot|lftp|libweb) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(likse|linkscan|linkwalker|lnspiderguy|lwp|magnet|mag-net|markwatch) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(mata.?hari|memo|microsoft.?url|midown.?tool|miixpc|mirror|missigua) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(mister.?pix|moget|mozilla.?newt|nameprotect|navroad|backdoorbot|nearsite) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(net.?vampire|netants|netcraft|netmechanic|netspider|nextgensearchbot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(attach|nicerspro|nimblecrawler|npbot|octopus|offline.?explorer) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(offline.?navigator|openfind|outfoxbot|pagegrabber|papa|pavuk) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(pcbrowser|php.?version.?tracker|pockey|propowerbot|prowebwalker) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(psbot|pump|queryn|recorder|realdownload|reaper|reget|true_robot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(repomonkey|rma|internetseer|sitesnagger|siphon|slysearch|smartdownload) [NC,OR]
# exabot and sogou are search-engine crawlers; keep them here only if you really do not want to be indexed by them.
RewriteCond %{HTTP_USER_AGENT} ^(snake|snapbot|snoopy|sogou|spacebison|spankbot|spanner|sqworm|superbot) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(superhttp|surfbot|asterias|suzuran|szukacz|takeout|teleport) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(telesoft|the.?intraformant|thenomad|tighttwatbot|titan|urldispatcher) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(turingos|turnitinbot|urly.?warning|vacuum|vci|voideye|whacker) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(libwww-perl|widow|wisenutbot|wwwoffle|xaldon|xenu|zeus|zyborg|anonymouse) [NC,OR]
# STARTS WITH WEB
RewriteCond %{HTTP_USER_AGENT} ^web(zip|emaile|enhancer|fetch|go.?is|auto|bandit|clip|copier|master|reaper|sauger|site.?quester|whack) [NC,OR]
# OTHERS
RewriteCond %{HTTP_USER_AGENT} ^(atraxbot|azureus|geohasher|pycurl|python-urllib|research-scan-bot|sosospider|wget) [NC,OR]
# ANYWHERE IN UA -- GREEDY REGEX
# Unanchored in effect: "download", "extract", "collector", "grabber", "ninja" anywhere in the string match,
# including inside an otherwise ordinary browser UA. Last condition of the group, hence no [OR].
RewriteCond %{HTTP_USER_AGENT} ^.*(casper|craftbot|download|extract|goblox|stripper|sucker|sun4u|ninja|clshttp|webspider|leacher|collector|grabber|webpictures|twiceler).*$ [NC]
RewriteRule ^(.*)$ - [F]

  71. ## Block requests for which both user-agent and referrer are empty, because they're usually shady.
  72. RewriteCond %{REQUEST_URI} !^/(robots\.txt|favicon\.ico|sitemap\.xml)$
  73. RewriteCond %{HTTP_REFERER} ^$ [NC]
  74. RewriteCond %{HTTP_USER_AGENT} ^$ [NC]
  75. RewriteRule ^(.*)$ - [F,L]
  76.  
## Now here's a big list of suspicious requests to be blocked, based on filename or method;
## tweak as necessary, because what I started out with caused parts of the CMS to break.
# Chain shape: the REQUEST_URI exemption is ANDed with the [OR] group below it; any single match gives a 403.
# Referer, Cookie, User-Agent and the query string are all client-controlled, so this is hygiene, not a control.
RewriteCond %{REQUEST_URI} !^/(robots\.txt|favicon\.ico|sitemap\.xml)$
# HEAD is an ordinary method (link checkers, CDNs and monitors use it); rejecting it buys little. TRACE is handled
# by the core and TraceEnable off in the server config is the reliable switch for it -- it is not certain a
# per-directory rewrite rule ever sees a TRACE request.
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
# The \\r and \\n alternatives are inert either way (the request line cannot contain a raw CR/LF);
# the %0A / %0D encodings are what this line really checks.
RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC,OR]
# Any request line naming .htpasswd / .htaccess anywhere in the path.
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(htpasswd|htaccess|aahtpasswd).*\ HTTP/ [NC,OR]
# Rejects every request line that is not HTTP/0.9, 1.0 or 1.1. If this server ever speaks HTTP/2, THE_REQUEST
# ends in "HTTP/2.0" and this line alone would reject all such requests -- add 2\.0 to the group then.
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ .+\ HTTP/(0\.9|1\.0|1\.1) [NC,OR]
# "." is unescaped inside (-|.), so these three amount to "adult" / "poker" / "drugs" followed by any character,
# anywhere in the Referer.
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?.*(-|.)?adult(-|.).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?.*(-|.)?poker(-|.).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?.*(-|.)?drugs(-|.).*$ [NC,OR]
# Angle brackets, quotes, NUL and CR/LF (raw or encoded) in Referer, Cookie and User-Agent.
RewriteCond %{HTTP_REFERER} ^(.*)(<|>|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
# Only the leading-character group does any work here; the trailing .{0,9999}.* always matches.
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
# Rejects ' " ) ; < > anywhere in the query string -- the line most likely to break a CMS.
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).* [NC,OR]
# Substring matches: "select" also hits "selection", "cast" hits "podcast", "drop" hits "dropdown", "union" hits
# "reunion". Consider \b word boundaries if ordinary query values start getting 403s.
RewriteCond %{QUERY_STRING} ^.*(md5|benchmark|union|select|_insert|cast|_set_|declare|drop|_update).* [NC,OR]
# Last condition of the group, so no [OR].
RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1|::1).* [NC]
RewriteRule ^(.*)$ - [F,L]
# Query-string probes (LFI / RFI / traversal). Chain shape: exemption AND method=GET AND (any of the five patterns).
RewriteCond %{REQUEST_URI} !^/(robots\.txt|favicon\.ico|sitemap\.xml)$
# Unanchored, but the method is the whole value, so this is effectively "GET only": the same query string on a
# POST or HEAD request passes -- presumably deliberate, since the target is probing via GET; confirm.
RewriteCond %{REQUEST_METHOD} GET
# /proc/self/environ is the classic local-file-inclusion target.
RewriteCond %{QUERY_STRING} proc\/self\/environ [NC,OR]
# Any parameter whose value starts with a URL (plain or %-encoded) is rejected, which includes legitimate
# redirect/share parameters such as ?url=http://... -- check the CMS does not use any. These two lines have
# no [NC] and only cover http://, so HTTP:// and https:// values pass; add https?:// with [NC] if you want them covered.
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [OR]
# Values that are a run of "../" (or "..//") traversal sequences.
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
# NOTE(review): as written this matches values that begin with "/" followed by one-character path segments
# (e.g. /a/b/) and nothing else -- a plain /etc/passwd does not match. Looks like [a-z0-9_.]+ was meant; confirm.
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule ^(.*)$ - [F]
# Upload sanity check: a request header pair claiming an image Content-Type but a .php Content-Disposition.
# %{HTTP:...} reads REQUEST headers. A browser multipart upload carries the per-file Content-Disposition and
# its filename inside the body, not in the request headers, so this only catches clients that put ".php" into
# a top-level Content-Disposition header -- presumably rare; verify it ever fires before counting on it.
# Upload validation (extension, content, storage location) belongs in the application.
RewriteCond %{REQUEST_URI} !^/(robots\.txt|favicon\.ico|sitemap\.xml)$
RewriteCond %{HTTP:Content-Disposition} \.php [NC]
RewriteCond %{HTTP:Content-Type} image/.+ [NC]
RewriteRule ^(.*)$ - [F]
  107. # Block access to hidden files and directories.
  108. # This includes directories used by version control systems such as Git and SVN.
  109. RewriteCond %{SCRIPT_FILENAME} -d [OR]
  110. RewriteCond %{SCRIPT_FILENAME} -f
  111. RewriteRule "(^|/)\." - [F]
  112.  
## If you want to ban hotlinking, here's how! (Place a suitably nasty image if you like instead of blank.gif,
## making sure to replace the name in the top and bottom of this ruleset, and be sure to fill in the list
## with all domains you allow to hotlink, like domain.example for example; also that last RewriteCond is for
## a scheme in which I made all HTTP errors send you to an image like /404.jpg)
# Chain: every condition is ANDed. The first keeps blank.gif itself (plus the robots/favicon/sitemap trio) out of
# the rule, which is what prevents a redirect loop on the substitute image.
RewriteCond %{REQUEST_URI} !^/(blank\.gif|robots\.txt|favicon\.ico|sitemap\.xml)$
# An empty Referer passes: direct hits, privacy-mode browsers and most bots would otherwise be blocked.
RewriteCond %{HTTP_REFERER} !^$
# ([^.]+\.)? allows exactly one subdomain label (www.buttcoin.org yes, a.b.buttcoin.org no).
RewriteCond %{HTTP_REFERER} !^http(s)?://([^.]+\.)?buttcoin\.org/ [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://([^.]+\.)?domain\.example/ [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://([^.]+\.)?(bing|yahoo|ask|google)\.[a-z0-9-]+/ [NC]
# Exempts the error images: /400.jpg ... /429.jpg and /500.jpg ... /529.jpg, to be exact.
RewriteCond %{REQUEST_URI} !^/[4-5][0-2][0-9]\.jpg$
# NOTE(review): css, js, es and php are in the extension list, so a visitor arriving from any site not listed
# above at a URL ending in .php gets the blank image instead of the page; confirm no public page URL ends in
# .php before keeping that entry. Referer is client-supplied, so this deters, it does not enforce.
# The 302 costs the hotlinker a round trip; [F] would simply refuse the request instead.
RewriteRule \.(gif|jpe?g|png|tiff?|pdf|bmp|webp|swf|css|js|es|php)$ /blank.gif [NC,R=302,L]

## Put in multiple FilesMatch blocks if you have more diagnostic files you don't want the public to run.
# Block access to backup and source files.
# These files may be left by some text editors and can pose a great security
# danger when anyone has access to them.
# Matches names wrapped in # (#name#), the listed extensions (sw[op] covers .swo/.swp swap files) and trailing ~.
# Note the list says "config", not "conf", and .old / .orig / .tmp are not covered -- extend as needed.
# 2.2-style access control: on 2.4 this needs mod_access_compat, or "Require all denied" in its place.
<FilesMatch "(^#.*#|\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|sw[op])|~)$">
Order allow,deny
Deny from all
# Satisfy All: host-based access AND any Require-based auth must both pass (the default, stated explicitly).
Satisfy All
</FilesMatch>
# info.php is closed to everyone. To reach it yourself, uncomment the allow line with your own address
# (0.0.0.0 is a placeholder); under "order deny,allow" a matching allow line wins over the deny.
<Files info.php>
order deny,allow
deny from all
#allow from 0.0.0.0
</Files>

## Finally, a swift IP-bannination for evildoers and troublemakers; I think this is an outdated list of some bot IPs
## and a particular malicious domain, and if you truncate this, remember to keep the "allow from all" at the end,
## or else nobody will be able to visit the site!
# 2.2-style host access control (needs mod_access_compat on 2.4). With "order deny,allow" the deny list is checked
# first and the closing "allow from all" then re-admits everyone else, so the tree ends up allow-by-default;
# drop that last line and every request in this tree gets a 403. Note this allow also applies to any
# <Limit> section in the same file, so method restrictions cannot rely on deny lines alone.
order deny,allow
# A /17 is roughly 32k addresses -- a large range to keep without a record of what it was for.
deny from 76.73.0.0/17
deny from 211.154.211.209
deny from 66.94.35.20
deny from 38.99.13.121
deny from 38.99.13.122
deny from 38.99.13.123
deny from 38.99.13.124
deny from 38.99.13.125
deny from 38.99.13.126
deny from 38.99.44.101
deny from 38.99.44.102
deny from 38.99.44.103
deny from 38.99.44.104
deny from 38.99.44.105
deny from 38.99.44.106
deny from 64.1.215.162
deny from 64.1.215.163
deny from 64.1.215.164
deny from 64.1.215.165
deny from 64.1.215.166
deny from 67.218.116.130
deny from 67.218.116.131
deny from 67.218.116.132
deny from 67.218.116.133
deny from 67.218.116.134
deny from 67.218.116.162
deny from 67.218.116.164
deny from 67.218.116.165
deny from 67.218.116.166
deny from 67.222.30.85
deny from 208.36.144.6
deny from 208.36.144.7
deny from 208.36.144.8
deny from 208.36.144.9
deny from 208.36.144.10
deny from 216.82.71.253
deny from 216.129.119.10
deny from 216.129.119.11
deny from 216.129.119.12
deny from 216.129.119.13
deny from 216.129.119.40
deny from 216.129.119.41
deny from 216.129.119.42
deny from 216.129.119.43
deny from 216.129.119.44
# Denying by hostname makes Apache do a double reverse DNS lookup on every client address, whatever
# HostnameLookups is set to: it slows every request and depends on someone else's DNS. Prefer the IP range.
deny from cuill.com
allow from all