The 6G Firewall in LiteSpeed?

#1
Hello

I am on a Version 5.1.13 Linux Enterprise virtual server and would like to integrate the so-called "6G Firewall" (see URL https://perishablepress.com/6g/) in LiteSpeed via .htaccess - am I able to do this directly with the following code?

Code:
# 6G FIREWALL/BLACKLIST
# @ https://perishablepress.com/6g/

# 6G:[QUERY STRINGS]
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
    RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} ([a-z0-9]{2000,}) [NC,OR]
    RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
    RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
    RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
    RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
    RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
    RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
    RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
    RewriteRule .* - [F]
</IfModule>

# 6G:[REQUEST METHOD]
<IfModule mod_rewrite.c>
    RewriteCond %{REQUEST_METHOD} ^(connect|debug|move|put|trace|track) [NC]
    RewriteRule .* - [F]
</IfModule>

# 6G:[REFERRERS]
<IfModule mod_rewrite.c>
    RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000,}) [NC,OR]
    RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
    RewriteRule .* - [F]
</IfModule>

# 6G:[REQUEST STRINGS]
<IfModule mod_alias.c>
    RedirectMatch 403 (?i)([a-z0-9]{2000,})
    RedirectMatch 403 (?i)(https?|ftp|php):/
    RedirectMatch 403 (?i)(base64_encode)(.*)(\()
    RedirectMatch 403 (?i)(=\\\'|=\\%27|/\\\'/?)\.
    RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$
    RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")
    RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)
    RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)
    RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
    RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
    RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
</IfModule>

# 6G:[USER AGENTS]
<IfModule mod_setenvif.c>
    SetEnvIfNoCase User-Agent ([a-z0-9]{2000,}) bad_bot
    SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
   
    # Apache < 2.3
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
        Deny from env=bad_bot
    </IfModule>

    # Apache >= 2.3
    <IfModule mod_authz_core.c>
        <RequireAll>
            Require all Granted
            Require not env bad_bot
        </RequireAll>
    </IfModule>
</IfModule>

# 6G:[BAD IPS]
<Limit GET HEAD OPTIONS POST PUT>
    Order Allow,Deny
    Allow from All
    # uncomment/edit/repeat next line to block IPs
    # Deny from 123.456.789
</Limit>
Any help is welcome!

Thanks in advance and ...

kind regards.

Norbert
 
#3
First, thank you!

Yes, I was not successful with this syntax on LiteSpeed! It's weird, on Apache it SEEMS nevertheless okay, because many people use it ... (I can't say anything about that; I have no Apache available).

However: I will TRY to "convert" those lines ...
 
#4
Ok, after some work I have a solution now.

BTW: The RedirectMatch syntax is okay as you can see below:

Code:
RedirectMatch 403 (?i)([a-z0-9]{2000,})
for example means:

Code:
RedirectMatch 403
Redirect to HTTP 403 Forbidden status
--> Was anyway clear probably.

Code:
(?i)
Explanation from a ruby doc:
The end delimiter for a regexp can be followed by one or more single-letter options which control how the pattern can match.

/pat/i - Ignore case

i, m, and x can also be applied on the subexpression level with the (?on-off) construct, which enables options on, and disables options off for the expression enclosed by the parentheses.
That was probably your question.

Code:
([a-z0-9]{2000,})
2000 times a-z0-9
--> Was anyway clear probably.


So, I was wrong with that. Instead I had a problem with the following part:
Code:
# 6G:[USER AGENTS]
<IfModule mod_setenvif.c>
    SetEnvIfNoCase User-Agent ([a-z0-9]{2000,}) bad_bot
    SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
   
    # Apache < 2.3
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
        Deny from env=bad_bot
    </IfModule>

    # Apache >= 2.3
    <IfModule mod_authz_core.c>
        <RequireAll>
            Require all Granted
            Require not env bad_bot
        </RequireAll>
    </IfModule>
</IfModule>
Maybe because "mod_setenvif.c" and/or "mod_authz_core.c" do not exist or are not activated ... However: I replaced it with the following:
Code:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) [NC]
RewriteRule .* - [F,L]
Now it runs.
Note: there is no longer a module check, because I know that THIS code is okay on MY virtual server anyway ...


If I remember correctly, I also had a problem with the following part (not tested again now):
Code:
# 6G:[BAD IPS]
<Limit GET HEAD OPTIONS POST PUT>
Order Allow,Deny
Allow from All
# uncomment/edit/repeat next line to block IPs
# Deny from 123.456.789
</Limit>
I had replaced this anyway with the following "structure":
Code:
<Files *>
order deny,allow
#deny from 123.456.789
</Files>
This runs.


Greetings!

Norbert
 

NiteWave

Administrator
#5
Maybe because "mod_setenvif.c" and/or "mod_authz_core.c" do not exist or are not activated ... However: I replaced it with the following:
Code:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) [NC]
RewriteRule .* - [F,L]
Now it runs.
Yes, the rewrite rule does the same trick.

If you comment out
# Apache >= 2.3 <IfModule mod_authz_core.c>
and leave only
# Apache < 2.3 <IfModule !mod_authz_core.c>
block, it should work too.
 
#7
Could someone please be so kind as to post a now fully functional working version of the 6G Firewall that works 100% for LiteSpeed? It would be greatly appreciated! And also, will this interfere in any way with mod_security being enabled in cPanel or be duplicating stuff unnecessarily? Thanks so much!
 
#8
Hi
The basics of 6G are OK anyway, but you must tweak it to suit your needs.
I have used it since 3G and helped on the 4G to suit Joomla compliance.

No problem with cPanel and mod_security.

But mod_security already handles pretty much all of those sections
# 6G:[QUERY STRINGS]
and
# 6G:[REQUEST STRINGS]

But I recommend activating the rules (I mean the most special ones) one by one, and seeing if all is fine after some time.
So start with the very specific rules commented with a "#" in front of each.

regards
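
An added example, not part of the thread and not code from the 6G project: one way to follow the advice in #8 offline is to run the 6G:[QUERY STRINGS] conditions from the first post over query strings taken from your own access log and see which condition would answer 403 to legitimate traffic. The sample query strings are constructed, and Python's `re` is assumed to treat these simple patterns the same way the server's regex engine does.

```python
import re

# The page's "6G:[QUERY STRINGS]" conditions, copied unchanged from post #1.
HTACCESS = r"""
RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} ([a-z0-9]{2000,}) [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
RewriteRule .* - [F]
"""

# Matches active QUERY_STRING conditions only; lines commented out with "#"
# do not match and are skipped, as the server would skip them.
COND = re.compile(
    r"^\s*RewriteCond\s+%\{QUERY_STRING\}\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$")

def load_rules(text):
    """Parse RewriteCond lines into (index, pattern_text, compiled_regex)."""
    rules = []
    for line in text.splitlines():
        m = COND.match(line)
        if not m:
            continue
        flags = [f.strip().upper() for f in (m.group(2) or "").split(",")]
        rx = re.compile(m.group(1), re.IGNORECASE if "NC" in flags else 0)
        rules.append((len(rules) + 1, m.group(1), rx))
    return rules

def first_hit(rules, query_string):
    """Return (index, pattern) of the first condition that matches, else None.
    The conditions are OR-ed, so any single match means the request gets 403."""
    for index, pattern, rx in rules:
        if rx.search(query_string):
            return index, pattern
    return None

RULES = load_rules(HTACCESS)

if __name__ == "__main__":
    # Constructed samples: ordinary-looking query strings, not real log data.
    for qs in ["q=hello+world", "request=42", "dir=~alice",
               "img=thumb.php", "q=don't+select+all"]:
        print(f"{qs!r:28} -> {first_hit(RULES, qs) or 'allowed'}")
```

Feeding it the query strings your site actually serves shows which conditions to leave commented out before enabling the block on the live server.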
 