Some rules on website security

The following configs are obtained from iThemes Security, a WordPress plugin. I believe this is a suitable configuration for nearly all websites.

Nginx has become increasingly widely used in recent years, so the filter rules below are written for nginx.

The following rules are derived from HackRepair.com and generated by iThemes Security:

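# Block known scrapers, downloaders and address harvesters by User-Agent
# (list derived from HackRepair.com via iThemes Security).
# Intended for the server context. The User-Agent header is chosen by the
# client, so this only stops tools that announce themselves: it is nuisance
# reduction, not access control, and is no substitute for authentication,
# rate limiting or upload hardening.
# "~*" matches case-insensitively; the two "~" lines (Bolt, Default) are
# case-sensitive, as in the upstream list.
# Short anchored prefixes ("^Java", "^Link", "^Wget") and bare substrings
# ("urllib", "User-Agent") also match any legitimate client whose UA happens
# to start with or contain them — review each before enabling.
if ($http_user_agent ~* "^[Ww]eb[Bb]andit"){ return 403; }
if ($http_user_agent ~* "^binlar"){ return 403; }
if ($http_user_agent ~* "^BlackWidow"){ return 403; }
if ($http_user_agent ~ "^Bolt"){ return 403; }
if ($http_user_agent ~* "^casper"){ return 403; }
if ($http_user_agent ~* "^ChinaClaw"){ return 403; }
if ($http_user_agent ~* "^cmsworldmap"){ return 403; }
if ($http_user_agent ~* "^comodo"){ return 403; }
if ($http_user_agent ~* "^Custo"){ return 403; }
if ($http_user_agent ~ "^Default"){ return 403; }
if ($http_user_agent ~* "^diavol"){ return 403; }
if ($http_user_agent ~* "^DIIbot"){ return 403; }
if ($http_user_agent ~* "^DISCo"){ return 403; }
if ($http_user_agent ~* "^dotbot"){ return 403; }
if ($http_user_agent ~* "^eCatch"){ return 403; }
if ($http_user_agent ~* "^EirGrabber"){ return 403; }
if ($http_user_agent ~* "^EmailCollector"){ return 403; }
if ($http_user_agent ~* "^EmailSiphon"){ return 403; }
if ($http_user_agent ~* "^EmailWolf"){ return 403; }
if ($http_user_agent ~* "^ExtractorPro"){ return 403; }
if ($http_user_agent ~* "^EyeNetIE"){ return 403; }
if ($http_user_agent ~* "^feedfinder"){ return 403; }
if ($http_user_agent ~* "^FlashGet"){ return 403; }
if ($http_user_agent ~* "^flicky"){ return 403; }
if ($http_user_agent ~* "^GetRight"){ return 403; }
if ($http_user_agent ~* "^GetWeb!"){ return 403; }
if ($http_user_agent ~* "^Go-Ahead-Got-It"){ return 403; }
if ($http_user_agent ~* "^Go!Zilla"){ return 403; }
if ($http_user_agent ~* "^GrabNet"){ return 403; }
if ($http_user_agent ~* "^Grafula"){ return 403; }
if ($http_user_agent ~* "^HMView"){ return 403; }
# "^ia_archiver" removed: the unanchored "ia_archiver" check further down
# already covers it.
if ($http_user_agent ~* "^InterGET"){ return 403; }
if ($http_user_agent ~* "^InternetSeer.com"){ return 403; }
if ($http_user_agent ~* "^jakarta"){ return 403; }
if ($http_user_agent ~* "^Java"){ return 403; }
if ($http_user_agent ~* "^JetCar"){ return 403; }
if ($http_user_agent ~* "^kmccrew"){ return 403; }
if ($http_user_agent ~* "^larbin"){ return 403; }
if ($http_user_agent ~* "^LeechFTP"){ return 403; }
if ($http_user_agent ~* "^Link"){ return 403; }
if ($http_user_agent ~* "^Maxthon$"){ return 403; }
if ($http_user_agent ~* "^microsoft.url"){ return 403; }
if ($http_user_agent ~* "^Mozilla.*Indy"){ return 403; }
if ($http_user_agent ~* "^Mozilla.*NEWT"){ return 403; }
if ($http_user_agent ~* "^MSFrontPage"){ return 403; }
if ($http_user_agent ~* "^Navroad"){ return 403; }
if ($http_user_agent ~* "^NearSite"){ return 403; }
if ($http_user_agent ~* "^NetAnts"){ return 403; }
if ($http_user_agent ~* "^NetSpider"){ return 403; }
if ($http_user_agent ~* "^NetZIP"){ return 403; }
if ($http_user_agent ~* "^nutch"){ return 403; }
if ($http_user_agent ~* "^Octopus"){ return 403; }
if ($http_user_agent ~* "^PageGrabber"){ return 403; }
if ($http_user_agent ~* "^pavuk"){ return 403; }
if ($http_user_agent ~* "^pcBrowser"){ return 403; }
if ($http_user_agent ~* "^PeoplePal"){ return 403; }
if ($http_user_agent ~* "^planetwork"){ return 403; }
if ($http_user_agent ~* "^psbot"){ return 403; }
if ($http_user_agent ~* "^purebot"){ return 403; }
if ($http_user_agent ~* "^pycurl"){ return 403; }
if ($http_user_agent ~* "^RealDownload"){ return 403; }
if ($http_user_agent ~* "^ReGet"){ return 403; }
if ($http_user_agent ~* "^Rippers"){ return 403; }
if ($http_user_agent ~* "^SeaMonkey$"){ return 403; }
if ($http_user_agent ~* "^sitecheck.internetseer.com"){ return 403; }
if ($http_user_agent ~* "^SiteSnagger"){ return 403; }
if ($http_user_agent ~* "^skygrid"){ return 403; }
if ($http_user_agent ~* "^SmartDownload"){ return 403; }
if ($http_user_agent ~* "^sucker"){ return 403; }
if ($http_user_agent ~* "^SuperBot"){ return 403; }
if ($http_user_agent ~* "^SuperHTTP"){ return 403; }
if ($http_user_agent ~* "^Surfbot"){ return 403; }
if ($http_user_agent ~* "^tAkeOut"){ return 403; }
if ($http_user_agent ~* "^Teleport"){ return 403; }
if ($http_user_agent ~* "^Toata"){ return 403; }
if ($http_user_agent ~* "^turnit"){ return 403; }
if ($http_user_agent ~* "^vikspider"){ return 403; }
if ($http_user_agent ~* "^VoidEYE"){ return 403; }
if ($http_user_agent ~* "^WebAuto"){ return 403; }
if ($http_user_agent ~* "^WebCopier"){ return 403; }
if ($http_user_agent ~* "^WebFetch"){ return 403; }
if ($http_user_agent ~* "^WebLeacher"){ return 403; }
if ($http_user_agent ~* "^WebReaper"){ return 403; }
if ($http_user_agent ~* "^WebSauger"){ return 403; }
if ($http_user_agent ~* "^WebStripper"){ return 403; }
if ($http_user_agent ~* "^WebWhacker"){ return 403; }
if ($http_user_agent ~* "^WebZIP"){ return 403; }
if ($http_user_agent ~* "^Wget"){ return 403; }
if ($http_user_agent ~* "^Widow"){ return 403; }
if ($http_user_agent ~* "^WWW-Mechanize"){ return 403; }
if ($http_user_agent ~* "^WWWOFFLE"){ return 403; }
if ($http_user_agent ~* "^Zeus"){ return 403; }
if ($http_user_agent ~* "^zmeu"){ return 403; }
# Unanchored substring matches from here on.
if ($http_user_agent ~* "CazoodleBot"){ return 403; }
if ($http_user_agent ~* "discobot"){ return 403; }
if ($http_user_agent ~* "ecxi"){ return 403; }
if ($http_user_agent ~* "GT::WWW"){ return 403; }
if ($http_user_agent ~* "heritrix"){ return 403; }
if ($http_user_agent ~* "HTTP::Lite"){ return 403; }
if ($http_user_agent ~* "HTTrack"){ return 403; }
if ($http_user_agent ~* "ia_archiver"){ return 403; }
# "id-search" also covers the former "id-search.org" check, which was removed.
if ($http_user_agent ~* "id-search"){ return 403; }
if ($http_user_agent ~* "IDBot"){ return 403; }
if ($http_user_agent ~* "IRLbot"){ return 403; }
if ($http_user_agent ~* "LinksManager.com_bot"){ return 403; }
if ($http_user_agent ~* "linkwalker"){ return 403; }
if ($http_user_agent ~* "lwp-trivial"){ return 403; }
if ($http_user_agent ~* "MFC_Tear_Sample"){ return 403; }
if ($http_user_agent ~* "panscient.com"){ return 403; }
if ($http_user_agent ~* "PECL::HTTP"){ return 403; }
if ($http_user_agent ~* "PHPCrawl"){ return 403; }
if ($http_user_agent ~* "PleaseCrawl"){ return 403; }
if ($http_user_agent ~* "SBIder"){ return 403; }
if ($http_user_agent ~* "Snoopy"){ return 403; }
if ($http_user_agent ~* "Steeler"){ return 403; }
if ($http_user_agent ~* "URI::Fetch"){ return 403; }
if ($http_user_agent ~* "urllib"){ return 403; }
if ($http_user_agent ~* "User-Agent"){ return 403; }
if ($http_user_agent ~* "webalta"){ return 403; }
if ($http_user_agent ~* "WebCollage"){ return 403; }
if ($http_user_agent ~* "zermelo"){ return 403; }
if ($http_user_agent ~* "ZyBorg"){ return 403; }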

I didn't use all of these; some may be genuine browser user agents, such as Maxthon.

The following rules block WordPress-specific locations and files. For other web applications, change the directories to whatever suits you.

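# Rules to block access to WordPress specific files and wp-includes.
# Regex locations are tried in the order they appear and the first match wins,
# so these must be placed before the generic PHP handler (e.g.
# "location ~ \.php$"); otherwise the handler matches first and the deny is
# never reached.
# Dots are escaped so that "readme\.html" matches only a literal dot.
location ~ /\.ht { deny all; }
location ~ wp-config\.php { deny all; }
location ~ readme\.html { deny all; }
location ~ readme\.txt { deny all; }
location ~ /install\.php { deny all; }
# The original two rules below had no "~" modifier, so nginx treated the
# leading "^" as a literal prefix string and they never matched anything.
# Some WordPress admin features load scripts from wp-includes — verify the
# admin editor still works after enabling this.
location ~ ^/wp-includes/.*\.php$ { deny all; }
location ~ ^/wp-admin/includes(.*)$ { deny all; }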

Block execution of user-uploaded .php files.

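# Rules to prevent PHP execution in the uploads directory.
# Must be placed before the generic PHP handler location (the first matching
# regex location wins).
# The original rule had no "~" modifier, so nginx read "^(.*)/uploads/..." as
# a literal prefix string and it never matched. The pattern is deliberately
# not anchored at the end so that "…/uploads/x.php/anything" (path-info
# style URIs) is denied as well, and "~*" also catches ".PHP" variants.
location ~* /uploads/.*\.php { deny all; }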

Block suspicious URLs:

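# Rules to block suspicious query strings.
# Each check raises $susquery; the final test returns 403. All patterns are
# case-insensitive substring matches on $args, so short words also hit
# ordinary parameter names — see the notes on the last few checks and watch
# the access log for 403s on legitimate requests after enabling.
set $susquery 0;
if ($args ~* "\.\./") { set $susquery 1; }
if ($args ~* "\.(bash|git|hg|log|svn|swp|cvs)") { set $susquery 1; }
if ($args ~* "etc/passwd") { set $susquery 1; }
if ($args ~* "boot\.ini") { set $susquery 1; }
# These three reject any parameter carrying an absolute URL (redirect
# targets, share links, embeds), not only injection attempts.
if ($args ~* "ftp:") { set $susquery 1; }
if ($args ~* "http:") { set $susquery 1; }
if ($args ~* "https:") { set $susquery 1; }
if ($args ~* "(<|%3C).*script.*(>|%3E)") { set $susquery 1; }
if ($args ~* "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") { set $susquery 1; }
if ($args ~* "base64_encode") { set $susquery 1; }
if ($args ~* "(%24&x)") { set $susquery 1; }
# The original form of this line contained an unescaped double quote inside
# a double-quoted string and an empty alternative ("||"), which matches every
# non-empty query string. Quote, pipe and brace are now escaped for PCRE.
if ($args ~* "(\"|'|<|>|\||\{|%24&x)") { set $susquery 1; }
if ($args ~* "(127\.0)") { set $susquery 1; }
# "encode" and "globals" occur in ordinary parameter names as well.
if ($args ~* "(globals|encode|localhost|loopback)") { set $susquery 1; }
# Note: this will cause some problems, such as WordPress plugin/theme updates
# (.../update.php?action=update-selected...). It also matches inside longer
# words ("selected", "reunion", "requested").
if ($args ~* "(request|select|insert|concat|union|declare)") { set $susquery 1; }
if ($susquery = 1) { return 403; }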

Rules to help reduce comment spam

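# Reject comment POSTs that arrive with an invalid (or missing) Referer and an
# empty User-Agent, a combination typical of automated spam bots.
# An exact-match location ("=") is used because a regex PHP handler such as
# "location ~ \.php$" takes precedence over the original prefix location, in
# which case these checks would never run. Since this block now wins, the
# fastcgi/proxy directives that hand the request to PHP must be present here
# (or included), otherwise legitimate comments are no longer processed.
location = /wp-comments-post.php {
    # Referers accepted as legitimate comment sources; replace *.luxing.im
    # with your own domain(s) — "server_names" may be added to cover them.
    # Without "none" in the list, a missing Referer is also treated as invalid.
    valid_referers jetpack.wordpress.com/jetpack-comment/ *.luxing.im;
    # Each condition prepends a digit; $rule_0 reads "3210" only when all
    # three fire, so a browser with a Referer or a User-Agent passes.
    set $rule_0 0;
    if ($request_method ~ "POST"){ set $rule_0 1$rule_0; }
    if ($invalid_referer) { set $rule_0 2$rule_0; }
    if ($http_user_agent ~ "^$"){ set $rule_0 3$rule_0; }
    if ($rule_0 = "3210") { return 403; }
}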
