Forked from r3code/htaccess-php-malware-protection.txt
Created
January 27, 2022 14:45
-
-
Save krlabs/a5cd07f79477dc0d69a9b5b512c3e805 to your computer and use it in GitHub Desktop.
.htaccess правила для предотвращения исполнения вредоносных PHP-скриптов
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Блокировка XSS | |
| RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR] | |
| # Блокируем выставление переменной PHP GLOBALS через URL | |
| RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] | |
| # Блокируем возможность изменять переменную _REQUEST через URL | |
| RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) | |
| # Блокировка MySQL инъекций, RFI, base64, и др. | |
| RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR] | |
| RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR] | |
| RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR] | |
| RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR] | |
| RewriteCond %{QUERY_STRING} ftp\: [NC,OR] | |
| RewriteCond %{QUERY_STRING} http\: [NC,OR] | |
| RewriteCond %{QUERY_STRING} https\: [NC,OR] | |
| RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR] | |
| RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR] | |
| RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [OR] | |
| RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR] | |
| RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR] | |
| RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR] | |
| RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR] | |
| RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR] | |
| RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR] | |
| RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR] | |
| RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR] | |
| RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR] | |
| RewriteCond %{QUERY_STRING} (sp_executesql) [NC] | |
| RewriteCond %{QUERY_STRING} (eval\() [NC,OR] | |
| RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR] | |
| RewriteCond %{QUERY_STRING} ([a-z0-9]{2000,}) [NC,OR] | |
| RewriteRule ^(.*)$ - [F,L] | |
| # Отклонение запросов TRACE|TRACK | |
| RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) | |
| RewriteRule .* - [F] | |
| # Фильтрация URL на служебные символы | |
| RewriteCond %{QUERY_STRING} (<|>|'|\+|%2B|%0A|%0D|%27|%3C|%3E|%00) [NC,OR] | |
| # Блокировка известных Shell | |
| RewriteEngine on | |
| RewriteCond %{REQUEST_URI} .*((php|my)?shell|remview.*|phpremoteview.*|sshphp.*|pcom|nstview.*|c99|r57|webadmin.*|phpget.*|phpwriter.*|fileditor.*|locus7.*|storm7.*).(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml) [NC,OR] | |
| RewriteCond %{REQUEST_METHOD} (GET|POST) [NC] | |
| RewriteCond %{QUERY_STRING} ^(.*)=(/|%2F)(h|%68|%48)(o|%6F|%4F)(m|%6D|%4D)(e|%65|%45)(.+)?(/|%2F)(.*)(/|%2F)(.*)$ [OR] | |
| RewriteCond %{QUERY_STRING} ^work_dir=.*$ [OR] | |
| RewriteCond %{QUERY_STRING} ^command=.*&output.*$ [OR] | |
| RewriteCond %{QUERY_STRING} ^nts_[a-z0-9_]{0,10}=.*$ [OR] | |
| RewriteCond %{QUERY_STRING} ^c=(t|setup|codes)$ [OR] | |
| RewriteCond %{QUERY_STRING} ^act=((about|cmd|selfremove|chbd|trojan|backc|massbrowsersploit|exploits|grablogins|upload.*)|((chmod|f)&f=.*))$ [OR] | |
| RewriteCond %{QUERY_STRING} ^act=(ls|search|fsbuff|encoder|tools|processes|ftpquickbrute|security|sql|eval|update|feedback|cmd|gofile|mkfile)&d=.*$ [OR] | |
| RewriteCond %{QUERY_STRING} ^&?c=(l?v?i?&d=|v&fnot=|setup&ref=|l&r=|d&d=|tree&d|t&d=|e&d=|i&d=|codes|md5crack).*$ [OR] | |
| RewriteCond %{QUERY_STRING} ^(.*)([-_a-z]{1,15})=(chmod|chdir|mkdir|rmdir|clear|whoami|uname|unzip|gzip|gunzip|grep|more|umask|telnet|ssh|ftp|head|tail|which|mkmode|touch|logname|edit_file|search_text|find_text|php_eval|download_file|ftp_file_down|ftp_file_up|ftp_brute|mail_file|mysql|mysql_dump|db_query)([^a-zA-Z0-9].+)*$ [OR] | |
| # Удалите из слудующей строки слово "system" для нормальной работы информационных систем HostCMS | |
| RewriteCond %{QUERY_STRING} ^(.*)(wget|shell_exec|passthru|system|exec|popen|proc_open)(.*)$ | |
| RewriteRule .* - [F] | |
| # Отклонение плохо сформированных запросов HTTP | |
| RewriteEngine on | |
| RewriteCond %{THE_REQUEST} !^[A-Z]{3,9} .+ HTTP/(0.9|1.0|1.1) [NC] | |
| RewriteRule .* - [F,NS,L] | |
| # Запрет любых запросов кроме GET,PROPFIND,POST,OPTIONS,PUT,HEAD | |
| RewriteEngine on | |
| RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|PROPFIND|OPTIONS|PUT)$ [NC] | |
| RewriteRule .* - [F,NS,L] | |
| # Блокировка от LFi-атак (экспериментальное, см. комментарии) | |
| RewriteCond %{REQUEST_METHOD} GET | |
| RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR] | |
| RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [OR] | |
| RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(..//?)+ [OR] | |
| RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC] | |
| RewriteRule .* - [F] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment