Forked from r3code/htaccess-php-malware-protection.txt
Created
August 9, 2021 18:35
-
-
Save jerrydeakins/d6af1c74ca2a331377f48a303e63a208 to your computer and use it in GitHub Desktop.
.htaccess правила для предотвращения исполнения вредоносных PHP-скриптов
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Блокировка XSS | |
| RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR] | |
| # Блокируем выставление переменной PHP GLOBALS через URL | |
| RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] | |
| # Блокируем возможность изменять переменную _REQUEST через URL | |
| RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) | |
| # Блокировка MySQL инъекций, RFI, base64, и др. | |
| RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR] | |
| RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR] | |
| RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR] | |
| RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR] | |
| RewriteCond %{QUERY_STRING} ftp\: [NC,OR] | |
| RewriteCond %{QUERY_STRING} http\: [NC,OR] | |
| RewriteCond %{QUERY_STRING} https\: [NC,OR] | |
| RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR] | |
| RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR] | |
| RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [OR] | |
| RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR] | |
| RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR] | |
| RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR] | |
| RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR] | |
| RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR] | |
| RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR] | |
| RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR] | |
| RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR] | |
| RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR] | |
| RewriteCond %{QUERY_STRING} (sp_executesql) [NC] | |
| RewriteCond %{QUERY_STRING} (eval\() [NC,OR] | |
| RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR] | |
| RewriteCond %{QUERY_STRING} ([a-z0-9]{2000,}) [NC,OR] | |
| RewriteRule ^(.*)$ - [F,L] | |
| # Отклонение запросов TRACE|TRACK | |
| RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) | |
| RewriteRule .* - [F] | |
| # Фильтрация URL на служебные символы | |
| RewriteCond %{QUERY_STRING} (<|>|'|\+|%2B|%0A|%0D|%27|%3C|%3E|%00) [NC,OR] | |
| # Блокировка известных Shell | |
| RewriteEngine on | |
| RewriteCond %{REQUEST_URI} .*((php|my)?shell|remview.*|phpremoteview.*|sshphp.*|pcom|nstview.*|c99|r57|webadmin.*|phpget.*|phpwriter.*|fileditor.*|locus7.*|storm7.*).(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml) [NC,OR] | |
| RewriteCond %{REQUEST_METHOD} (GET|POST) [NC] | |
| RewriteCond %{QUERY_STRING} ^(.*)=(/|%2F)(h|%68|%48)(o|%6F|%4F)(m|%6D|%4D)(e|%65|%45)(.+)?(/|%2F)(.*)(/|%2F)(.*)$ [OR] | |
| RewriteCond %{QUERY_STRING} ^work_dir=.*$ [OR] | |
| RewriteCond %{QUERY_STRING} ^command=.*&output.*$ [OR] | |
| RewriteCond %{QUERY_STRING} ^nts_[a-z0-9_]{0,10}=.*$ [OR] | |
| RewriteCond %{QUERY_STRING} ^c=(t|setup|codes)$ [OR] | |
| RewriteCond %{QUERY_STRING} ^act=((about|cmd|selfremove|chbd|trojan|backc|massbrowsersploit|exploits|grablogins|upload.*)|((chmod|f)&f=.*))$ [OR] | |
| RewriteCond %{QUERY_STRING} ^act=(ls|search|fsbuff|encoder|tools|processes|ftpquickbrute|security|sql|eval|update|feedback|cmd|gofile|mkfile)&d=.*$ [OR] | |
| RewriteCond %{QUERY_STRING} ^&?c=(l?v?i?&d=|v&fnot=|setup&ref=|l&r=|d&d=|tree&d|t&d=|e&d=|i&d=|codes|md5crack).*$ [OR] | |
| RewriteCond %{QUERY_STRING} ^(.*)([-_a-z]{1,15})=(chmod|chdir|mkdir|rmdir|clear|whoami|uname|unzip|gzip|gunzip|grep|more|umask|telnet|ssh|ftp|head|tail|which|mkmode|touch|logname|edit_file|search_text|find_text|php_eval|download_file|ftp_file_down|ftp_file_up|ftp_brute|mail_file|mysql|mysql_dump|db_query)([^a-zA-Z0-9].+)*$ [OR] | |
| # Удалите из слудующей строки слово "system" для нормальной работы информационных систем HostCMS | |
| RewriteCond %{QUERY_STRING} ^(.*)(wget|shell_exec|passthru|system|exec|popen|proc_open)(.*)$ | |
| RewriteRule .* - [F] | |
| # Отклонение плохо сформированных запросов HTTP | |
| RewriteEngine on | |
| RewriteCond %{THE_REQUEST} !^[A-Z]{3,9} .+ HTTP/(0.9|1.0|1.1) [NC] | |
| RewriteRule .* - [F,NS,L] | |
| # Запрет любых запросов кроме GET,PROPFIND,POST,OPTIONS,PUT,HEAD | |
| RewriteEngine on | |
| RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|PROPFIND|OPTIONS|PUT)$ [NC] | |
| RewriteRule .* - [F,NS,L] | |
| # Блокировка от LFi-атак (экспериментальное, см. комментарии) | |
| RewriteCond %{REQUEST_METHOD} GET | |
| RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR] | |
| RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [OR] | |
| RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(..//?)+ [OR] | |
| RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC] | |
| RewriteRule .* - [F] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment