Global httpd.conf rules

Discussion in 'Security' started by brandshouter, Aug 3, 2018.

  1. brandshouter

    brandshouter New Member

    I've compiled a list of static security rules for all of the sites on my server from hours of web research and searching. I'm currently using .htaccess to serve these rules.

    I'm wanting to serve these rules globally from my server. As a pretty novice .htaccess user, I was hoping someone here (much smarter than me) could help me clean up these rules so I could add them globally via httpd.conf rather than having to remember to manually add them to each of my client's sites via .htaccess.

    Is this a good idea? If not, why would you recommend against it? My ultimate goal is to secure my server specifically for WordPress and eliminate the need for plugins. (This all started from this thread and has evolved).

    I only host WordPress sites on my server (hence the focus of these rules).

    Thanks in advance!

    ================

    # Protect error_log, .htaccess, php.ini, and wp-config.php
    <FilesMatch "^.*(error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$">
    Order deny,allow
    Deny from all
    </FilesMatch>

    # Protect /wp-includes/
    # Note: these patterns assume per-directory context (.htaccess or <Directory>),
    # where the matched path has no leading slash and RewriteBase is permitted.
    # In server or <VirtualHost> context the URL-path being matched starts with "/".
    <ifmodule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </ifmodule>

    # Block PHP execution in uploads folder
    # (<Directory> is only valid in the server config, not inside a .htaccess file)
    <Directory "/var/www/wp-content/uploads/">
    <Files "*.php">
    Order Deny,Allow
    Deny from All
    </Files>
    </Directory>

    # Protect from SQL Script Injection
    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]

    # Restrict Direct Access to Plugin and Theme PHP files
    RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
    RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
    RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
    RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
    RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
    RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

    # Disable directory browsing
    Options All -Indexes

    # BEGIN block author scans
    RewriteEngine On
    RewriteBase /
    RewriteCond %{QUERY_STRING} (author=\d+) [NC]
    RewriteRule .* - [F]

    # Block WordPress xmlrpc.php requests
    <files xmlrpc.php>
    order deny,allow
    deny from all
    </files>

    # 6G FIREWALL/BLACKLIST
    # @ https://perishablepress.com/6g/

    # 6G:[QUERY STRINGS]
    <ifmodule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
    RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} ([a-z0-9]{2000,}) [NC,OR]
    RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
    RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
    RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
    RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
    RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
    RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
    RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
    RewriteRule .* - [F]
    </ifmodule>

    # 6G:[REQUEST METHOD]
    <ifmodule mod_rewrite.c>
    RewriteCond %{REQUEST_METHOD} ^(connect|debug|move|put|trace|track) [NC]
    RewriteRule .* - [F]
    </ifmodule>

    # 6G:[REFERRERS]
    <ifmodule mod_rewrite.c>
    RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000,}) [NC,OR]
    RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
    RewriteRule .* - [F]
    </ifmodule>

    # 6G:[REQUEST STRINGS]
    <ifmodule mod_alias.c>
    RedirectMatch 403 (?i)([a-z0-9]{2000,})
    RedirectMatch 403 (?i)(https?|ftp|php):/
    RedirectMatch 403 (?i)(base64_encode)(.*)(\()
    RedirectMatch 403 (?i)(=\\\'|=\\%27|/\\\'/?)\.
    RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$
    RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")
    RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)
    RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)
    RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
    RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
    RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
    </ifmodule>

    # 6G:[USER AGENTS]
    <ifmodule mod_setenvif.c>
    SetEnvIfNoCase User-Agent ([a-z0-9]{2000,}) bad_bot
    SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot

    # Apache < 2.3
    <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Allow from all
    Deny from env=bad_bot
    </ifmodule>

    # Apache >= 2.3
    <ifmodule mod_authz_core.c>
    <requireall>
    Require all Granted
    Require not env bad_bot
    </requireall>
    </ifmodule>

    # 6G:[BAD IPS]
    <limit GET HEAD OPTIONS POST PUT>
    Order Allow,Deny
    Allow from All
    # uncomment/edit/repeat next line to block IPs
    # Deny from 123.456.789
    </limit>
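Before a regex blocklist like the 6G query-string block is pushed out server-wide, it is worth replaying it against known-good and known-bad requests to see what it would actually reject. The following Python checker is an added example, not code from the post or from the 6G project: it reuses the post's own patterns (plus the author-scan rule) on constructed sample query strings and reports which legitimate requests would be caught, such as a plain-permalink author archive or a wp-login redirect URL containing a tilde.

```python
"""Replays the post's 6G:[QUERY STRINGS] regexes (plus the author-scan rule)
against constructed query strings. Added example, not part of the post or 6G.
RewriteCond does an unanchored PCRE search on the raw %{QUERY_STRING};
[NC] means case-insensitive, so re.IGNORECASE reproduces it here."""
import re

# Patterns copied from the post's 6G:[QUERY STRINGS] block, with a short label each.
QUERY_STRING_RULES = [
    ("eval",      r"(eval\()"),
    ("localhost", r"(127\.0\.0\.1)"),
    ("overlong",  r"([a-z0-9]{2000,})"),
    ("js-uri",    r"(javascript:)(.*)(;)"),
    ("base64",    r"(base64_encode)(.*)(\()"),
    ("globals",   r"(GLOBALS|REQUEST)(=|\[|%)"),
    ("script",    r"(<|%3C)(.*)script(.*)(>|%3)"),
    ("metachar",  r"(\\|\.\.\.|\.\./|~|`|<|>|\|)"),
    ("paths",     r"(boot\.ini|etc/passwd|self/environ)"),
    ("timthumb",  r"(thumbs?(_editor|open)?|tim(thumb)?)\.php"),
    ("sql",       r"(\'|\")(.*)(drop|insert|md5|select|union)"),
    ("author",    r"(author=\d+)"),   # the post's separate "block author scans" rule
]
COMPILED = [(label, re.compile(p, re.IGNORECASE)) for label, p in QUERY_STRING_RULES]

def matching_rules(query_string):
    """Labels of every rule that would fire (403) on this raw query string."""
    return [label for label, rx in COMPILED if rx.search(query_string)]

# Constructed samples; True means the site owner wants this request served.
SAMPLES = [
    (True,  "p=123"),                                    # plain permalink
    (True,  "s=how+to+select+a+theme"),                  # search: keyword without quotes
    (True,  "author=1"),                                 # author archive under plain permalinks
    (True,  "redirect_to=https://example.com/~alice/"),  # wp-login redirect containing a tilde
    (False, "cmd=eval(base64_decode(...))"),
    (False, "file=../../../../etc/passwd"),
    (False, "id=1'+union+select+1,2,3--"),
    (False, "src=http://evil.example/timthumb.php"),
]

def audit(samples=SAMPLES):
    """Return (false_positives, misses): wanted requests blocked, unwanted ones passed."""
    false_positives = [q for ok, q in samples if ok and matching_rules(q)]
    misses = [q for ok, q in samples if not ok and not matching_rules(q)]
    return false_positives, misses

if __name__ == "__main__":
    for ok, q in SAMPLES:
        print(f"{'serve' if ok else 'block':5} {q!r:48} -> {matching_rules(q) or 'passes'}")
    fp, miss = audit()
    print("\nfalse positives:", fp, "\nmisses:", miss)
```

Extend SAMPLES with query strings taken from a site's own access logs to find out which rules need an exclusion before the file goes global.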
     
  2. Dan

    Dan Moderator

    Hi brandshouter!

    I am definitely not a .htaccess professional; however, I can say that if you take your .htaccess and drop it into /home (owned by root, of course), it will work for all of your domains. No need to worry about modifying each user's files :p

    Looking forward to hearing from some others about your file!
     
  3. brandshouter

    brandshouter New Member

    Dan, I was just looking at that file an hour ago. Thanks for the response!

    I imagine the code on a couple of these rules would have to be altered because I would be back two directories (/home/ rather than /home/<username>/public_html/). Is that correct? If so, since each client has a different user folder, I'm not certain how to adjust it. Any pointers?
     
  4. Dan

    Dan Moderator

    brandshouter,

    I don't think it should be an issue as Apache treats it as though the .htaccess were running for each user. The only time I'd see that being an issue would be if you used direct paths.

    Looking again I do see an issue with some of your rules:

    Code:
    RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
    RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
    RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
    RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
    RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
    You need to replace the "file/to/exclude" and/or "directory/to/exclude/" parts with files or directories you want to exclude. Personally I'd think if direct access were blocked to the plugins and themes folders that would address the issue but, again, no expert here lol
     
