-
Notifications
You must be signed in to change notification settings - Fork 5
/
8G-SetEnvIf
162 lines (136 loc) · 14 KB
/
8G-SetEnvIf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
# 8G FIREWALL v1.3 20240908
# https://perishablepress.com/8g-firewall/
# SetEnvIf version by Tonkünstler-on-the-Bund
# 8G:[QUERY STRING]
SetEnvIfExpr "%{QUERY_STRING} =~ m#^(?:%2d|-)[^=]+$#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:/|%2f)(?::|%3a)(?:/|%2f)#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#etc/(?:hosts|motd|shadow)#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#order(?:\s|%20)by(?:\s|%20)1--#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:/|%2f)(?:\*|%2a)(?:\*|%2a)(?:/|%2f)#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#`|<|>|\^|\|\\\\|0x00|%00|%0d%0a#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#f?ckfinder|f?ckeditor|fullclick#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#header:|set-cookie:.*=#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#localhost|127(?:\.|%2e)0(?:\.|%2e)0(?:\.|%2e)1#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:cmd|command)(?:=|%3d)(?:chdir|mkdir).*x20#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:globals|mosconfig[a-z_]{1,22}|request)(?:=|\[)#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:/|%2f)(?:wp-)?config(?:(?:\.|%2e)inc)?(?:\.|%2e)php#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:thumbs?(?:_editor|open)?|tim(?:thumbs?)?)(?:\.|%2e)php#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:absolute_|base|root_)(?:dir|path)(?:=|%3d)(?:ftp|https?)#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:s)?(?:ftp|inurl|php)(?:s)?:(?:/|%2f|%u2215)(?:/|%2f|%u2215)#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:\.|20)(?:get|the)(?:_|%5f)(?:permalink|posts_page_url)(?:\(|%28)#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:boot|win)(?:\.|%2e)ini|etc(?:/|%2f)passwd|self(?:/|%2f)environ#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:/|%2f){3,3}|(?:\.|%2e){3,3}|(?:\.|%2e){2,2}(?:/|%2f|%u2215)#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:benchmark|char|exec|fopen|function|html).*(?:\(|%28)#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#php[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#eval.*(?:\(|%28)#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:/|%2f)(?:=|%3d|$&|_mm|cgi(?:\.|-)|inurl(?::|%3a)(?:/|%2f)|(?:mod|path)(?:=|%3d)(?:\.|%2e))#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:<|%3c).*embed#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:<|%3c).*iframe#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:<|%3c).*object#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:<|%3c).*script#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:\+|%2b|%20)delete(?:\+|%2b|%20)#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:\+|%2b|%20)insert(?:\+|%2b|%20)#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:\+|%2b|%20)select(?:\+|%2b|%20)#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:\+|%2b|%20)update(?:\+|%2b|%20)#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#\\\\x00|(?:\"|%22|\'|%27)?0(?:\"|%22|\'|%27)?(?:=|%3d)(?:\"|%22|\'|%27)?0|cast(?:\(|%28)0x|or%201(?:=|%3d)1#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#globals(?:=|\[|%[0-9A-Z]{0,2})#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#_request(?:=|\[|%[0-9A-Z]{2,})#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#javascript(?::|%3a).*(?:;|%3b|\)|%29)#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#base64_(?:en|de)code.*\)#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#@copy|\$_(?:files|get|post)|allow_url_(?:fopen|include)|auto_prepend_file|blexbot|browsersploit|call_user_func_array|(?:php|web)shell|curl(?:_exec|test)|disable_functions?|document_root#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#elastix|encodeuricom|exploit|fclose|fgets|file_put_contents|fputs|fsbuff|fsockopen|gethostbyname|ghost|grablogin|hmei7|hubs_post-cta|input_file|invokefunction|\bload_file|open_basedir|outfile|p3dlite#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#pass(?:=|%3d)shell|passthru|phpshells|popen|proc_open|quickbrute|remoteview|root_path|safe_mode|shell_exec|site.{0,2}copier|sp_executesql|sux0r|trojan|udtudt|user_func_array|wget|wp_insert_user|xertive#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:\+|%2b)(?:concat|delete|get|select|union)(?:\+|%2b)#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#union.*select#i" bot
SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:concat|eval).*(?:\(|%28)#i" bot
# 8G:[REQUEST URI]
SetEnvIfNoCase Request_URI ,,, bot
SetEnvIfNoCase Request_URI ------- bot
SetEnvIfNoCase Request_URI \^|`|<|>|\\\\|\| bot
SetEnvIfNoCase Request_URI =?\\\(?:\'|%27)/?\. bot
SetEnvIfNoCase Request_URI /(?:\*|\"|\'|\.|,|&|&?)/?$ bot
SetEnvIfNoCase Request_URI \.php(\()?[0-9]+\)?/?$ bot
SetEnvIfNoCase Request_URI (?:header:|set-cookie:.*=) bot
SetEnvIfNoCase Request_URI \.s?ftp-?config|s?ftp-?config\. bot
SetEnvIfNoCase Request_URI /(?:f?ckfinder|fck/|f?ckeditor|fullclick) bot
SetEnvIfNoCase Request_URI /(?:(?:force-)?download|framework/main)\.php bot
SetEnvIfNoCase Request_URI \{0\}|\"?0\"?=\"?0|\(/\(|\.\.\.|\+\+\+|\\\\\" bot
SetEnvIfNoCase Request_URI /(?:vbull(?:etin)?|boards|vbforum|vbweb|webvb)/? bot
SetEnvIfNoCase Request_URI (?:\.|20)(?:get|the)_(?:permalink|posts_page_url)\( bot
SetEnvIfNoCase Request_URI ///|\?\?|/&&|/\*.*\*/|/:/|\\\\\\\\|0x00|%00|%0d%0a bot
SetEnvIfNoCase Request_URI /(?:cgi_?)?alfa(?:_?cgiapi|_?data|_?v[0-9]+)?\.php bot
SetEnvIfNoCase Request_URI (?:thumbs?(?:_editor|open)?|tim(?:thumbs?)?)(?:\.|%2e)php bot
SetEnvIfNoCase Request_URI /(?:boot)?_?admin(?:er|istrator|s)(?:_events)?\.php bot
SetEnvIfNoCase Request_URI /%7e(?:root|ftp|bin|nobody|named|guest|logs|sshd)/ bot
SetEnvIfNoCase Request_URI (?:archive|backup|db|master|sql|wp|www|wwwroot)\.(?:gz|zip) bot
SetEnvIfNoCase Request_URI /(?:\.?mad|alpha|c99|php|web)?sh(?:3|e)ll(?:[0-9]+|\w)\.php bot
SetEnvIfNoCase Request_URI /(?:admin-?|file-?)upload(?:bg|_?file|ify|svu|ye)?\.php bot
SetEnvIfNoCase Request_URI /(?:etc|var)/(?:hidden|secret|shadow|ninja|passwd|tmp)/?$ bot
SetEnvIfNoCase Request_URI s?(?:ftp|http|inurl|php)s?:(?:/|%2f|%u2215)(?:/|%2f|%u2215) bot
SetEnvIfNoCase Request_URI /(?:=|\$&?|&?(?:pws|rk)=0|_mm|_vti_|cgi(?:\.|-)?|(?:=|/|;|,)nt\.) bot
SetEnvIfNoCase Request_URI \.(?:ds_store|htaccess|htpasswd|init?|mysql-select-db)/?$ bot
SetEnvIfNoCase Request_URI /bin/(?:cc|chmod|chsh|cpp|echo|id|kill|mail|nasm|perl|ping|ps|python|tclsh)/?$ bot
SetEnvIfNoCase Request_URI /(?:::[0-9999]|%3a%3a[0-9999]|127\.0\.0\.1|ccx|localhost|makefile|pingserver|wwwroot)/? bot
SetEnvIfNoCase Request_URI ^/(?:123|backup|bak|beta|bkp|default|demo|dev(?:new|old)?|home|new-?site|null|old|old_files|old1)/?$ bot
SetEnvIfNoCase Request_URI j\s*a\s*v\s*a bot
SetEnvIfNoCase Request_URI ^/(?:old-?site(?:back)?|old(?:web)?site(?:here)?|sites?|staging|undefined|wordpress[0-9]+|wordpress-old)/?$ bot
SetEnvIfNoCase Request_URI /(?:filemanager|htdocs|httpdocs|https?|login|mailman|mailto|msoffice|undefined|usage|var|vhosts|webmaster|www)/ bot
SetEnvIfNoCase Request_URI \(null\)|\{\$itemURL\}|cast\(0x|echo.*kae|etc/passwd|eval\(|null.*null|open_basedir|self/environ|\+union\+all\+select bot
SetEnvIfNoCase Request_URI (?:conf\b|conf(?:ig)?)(?:uration)?(?:\.?bak|\.inc|\.old|\.php|\.txt) bot
SetEnvIfNoCase Request_URI /(?:.*crlf-?injection|.*xss-?protection|__(?:inc|jsc)|administrator|author-panel|cgi-bin|database|downloader|(?:db|mysql)-?admin)/ bot
SetEnvIfNoCase Request_URI /(?:haders|head|hello|helpear|incahe|includes?|indo(?:sec)?|infos?|ioptimizes?|jmail|js|king|kiss|kodox|kro|legion|libsoft)\.php bot
SetEnvIfNoCase Request_URI /(?:awstats|document_root|dologin\.action|error.log|extension/ext|htaccess\.|lib/php|listinfo|phpunit/php|remoteview|server/php|www\.root\.) bot
SetEnvIfNoCase Request_URI (?:base64_(?:en|de)code|benchmark|curl_exec|e?chr|eval|function|fwrite|(?:f|p)open|html|leak|passthru|p?fsockopen|phpinfo).*(?:\)|%29) bot
SetEnvIfNoCase Request_URI (?:posix_(?:kill|mkfifo|setpgid|setsid|setuid)|(?:child|proc)_(?:close|get_status|nice|open|terminate)|(?:shell_)?exec|system).*(?:\)|%29) bot
SetEnvIfNoCase Request_URI /(?:(?:c99|php|web)?shell|crossdomain|fileditor|locus7|nstview|php(?:get|remoteview|writer)|r57|remview|sshphp|storm7|webadmin).*(?:\.|%2e|\(|%28) bot
SetEnvIfNoCase Request_URI /wp-(?:201\d|202\d|[0-9]{2}|ad|admin(?:fx|rss|setup)|booking|confirm|crons|data|file|mail|one|plugins?|readindex|reset|setups?|story)\.php bot
SetEnvIfNoCase Request_URI /(?:^$|-|\!|\w|\..*|100|123|[^iI]?ndex|index\.php/index|3xp|777|7yn|90sec|99|active|aill|ajs\.delivery|al277|alexuse?|ali|allwrite)\.php bot
SetEnvIfNoCase Request_URI /(?:analyser|apache|apikey|apismtp|authenticat(?:e|ing)|autoload_classmap|backup(?:_index)?|bakup|bkht|black|bogel|bookmark|bypass|cachee?)\.php bot
SetEnvIfNoCase Request_URI /(?:clean|cm(?:d|s)|con|connector\.minimal|contexmini|contral|curl(?:test)?|data(?:base)?|db|db-cache|db-safe-mode|defau11|defau1t|dompdf|dst)\.php bot
SetEnvIfNoCase Request_URI /(?:elements|emails?|error.log|ecscache|edit-form|eval-stdin|evil|fbrrchive|filemga|filenetworks?|f0x|gank(?:\.php)?|gass|gel|guide)\.php bot
SetEnvIfNoCase Request_URI /(?:logo_img|lufix|mage|marg|mass|mide|moon|mssqli|mybak|myshe|mysql|mytag_js?|nasgor|newfile|news|nf_?tracking|nginx|ngoi|ohayo|old-?index)\.php bot
SetEnvIfNoCase Request_URI /(?:olux|owl|pekok|petx|php-?info|phpping|popup-pomo|priv|r3x|radio|rahma|randominit|readindex|readmy|reads|repair-?bak|robot(?:s\.txt)?|root)\.php bot
SetEnvIfNoCase Request_URI /(?:router|savepng|semayan|shell|shootme|sky|socket(?:c|i|iasrgasf)ontrol|sql(?:bak|_?dump)?|support|sym403|sys|system_log|test|tmp-?(?:uploads)?)\.php bot
SetEnvIfNoCase Request_URI /(?:traffic-advice|u2p|udd|ukauka|up__uzegp|up14|upa?|upxx?|vega|vip|vu(?:ln)?\w?|webroot|weki|wikindex|wordpress|wp_logns?|wp_wrong_datlib)\.php bot
SetEnvIfNoCase Request_URI /(?:wp-?install|installation|wp(?:3|4|5|6)|wpfootes|wpzip|ws0|wsdl|wso\w?|www|(?:uploads|wp-admin)?xleet(?:-shell)?|xmlsrpc|xup|xxu|xxx|zibi|zipy)\.php bot
SetEnvIfNoCase Request_URI bkv74|cachedsimilar|core-stab|crgrvnkb|ctivrc|deadcode|deathshop|dkiz|e7xue|eqxafaj90zir|exploits|ffmkpcal|filellli7|(?:fox|sid)wso|gel4y|goog1es|gvqqpinc bot
SetEnvIfNoCase Request_URI @md5|00.temp00|0byte|0d4y|0day|0xor|wso1337|1h6j5|3xp|40dd1d|4price|70bex?|a57bze893|abbrevsprl|abruzi|adminer|aqbmkwwx|archivarix|backdoor|beez5|bgvzc29 bot
SetEnvIfNoCase Request_URI handler_to_code|hax(?:0|o)r|hmei7|hnap1|home_url=|ibqyiove|icxbsx|indoxploi|jahat|jijle3|kcrew|keywordspy|laobiao|lock360|longdog|marijuan|mod_(?:aratic|ariimag) bot
SetEnvIfNoCase Request_URI mobiquo|muiebl|nessus|osbxamip|phpunit|priv8|qcmpecgy|r3vn330|racrew|raiz0|reportserver|r00t|respectmus|rom2823|roseleif|sh3ll|site.{0,2}copier|sqlpatch|sux0r bot
SetEnvIfNoCase Request_URI sym403|telerik|uddatasql|utchiha|visualfrontend|w0rm|wangdafa|wpyii2|wsoyanzo|x5cv|xattack|xbaner|xertive|xiaolei|xltavrat|xorz|xsamxad|xsvip|xxxs?s?|zabbix|zebda bot
SetEnvIfNoCase Request_URI \.(?:7z|ab4|ace|afm|alfa|as(?:h|m)x?|aspx?|aws|axd|bash|ba?k?|bat|bin|bz2|cfg|cfml?|cgi|cms|conf\b|config|ctl|dat|db|dist|dll|eml|eng(?:ine)?|env|et2|exe|fec|fla|git(?:ignore)?)$ bot
SetEnvIfNoCase Request_URI \.(?:hg|idea|inc|index|ini|inv|jar|jspa?|lib|local|log|lqd|make|mbf|mdb|mmw|mny|mod(?:ule)?|msi|old|one|orig|out|passwd|pdb|php\.(?:php|suspect(?:ed)?)|php[^\/]|phtml?|pl|profiles?)$ bot
SetEnvIfNoCase Request_URI \.(?:psd|pst|ptdb|production|pwd|py|qbb|qdf|rar|rdf|remote|save|sdb|sql|sh|soa|svn|swf|swl|swo|swp|stx|tar|tax|tgz?|theme|tls|tmb|tmd|wok|wow|xsd|xtmpl|xz|ya?ml|za|zlib)$ bot
# 8G:[USER AGENT]
SetEnvIfNoCase User-Agent ^[a-z0-9]$ bot
SetEnvIfNoCase User-Agent <|%0a|%0d|%27|%3c|%3e|%00|0x00|\\\\\x22 bot
SetEnvIfNoCase User-Agent ahrefs|archiver|curl|libwww-perl|pycurl|scan bot
SetEnvIfNoCase User-Agent oppo\sa33|(?:c99|php|web)shell|site.{0,2}copier bot
SetEnvIfNoCase User-Agent base64_decode|bin/bash|disconnect|eval|unserializ bot
SetEnvIfNoCase User-Agent acapbot|acoonbot|alexibot|asterias|attackbot|awario|backdor|becomebot|binlar|blackwidow|blekkobot|blex|blowfish|bullseye|bunnys|butterfly|careerbot|casper bot
SetEnvIfNoCase User-Agent checkpriv|cheesebot|cherrypick|chinaclaw|choppy|clshttp|cmsworld|copernic|copyrightcheck|cosmos|crescent|datacha|\bdemon\b|diavol|discobot|dittospyder bot
SetEnvIfNoCase User-Agent dotbot|dotnetdotcom|dumbot|econtext|emailcollector|emailsiphon|emailwolf|eolasbot|eventures|extract|eyenetie|feedfinder|flaming|flashget|flicky|foobot|fuck bot
SetEnvIfNoCase User-Agent g00g1e|getright|gigabot|go-ahead-got|gozilla|grabnet|grafula|harvest|heritrix|httracks?|icarus6j|jetbot|jetcar|jikespider|kmccrew|leechftp|libweb|liebaofast bot
SetEnvIfNoCase User-Agent linkscan|linkwalker|loader|lwp-download|majestic|masscan|miner|mechanize|mj12bot|morfeus|moveoverbot|netmechanic|netspider|nicerspro|nikto|ninja|nominet|nutch bot
SetEnvIfNoCase User-Agent octopus|pagegrabber|planetwork|postrank|proximic|purebot|queryn|queryseeker|radian6|radiation|realdownload|remoteview|rogerbot|scan|scooter|seekerspid bot
SetEnvIfNoCase User-Agent semalt|siclab|sindice|sistrix|sitebot|siteexplorer|sitesnagger|skygrid|smartdownload|snoopy|sosospider|spankbot|spbot|sqlmap|stackrambler|stripper|sucker|surftbot bot
SetEnvIfNoCase User-Agent sux0r|suzukacz|suzuran|takeout|teleport|telesoft|true_robots|turingos|turnit|vampire|vikspider|voideye|webleacher|webreaper|webstripper|webvac|webviewer|webwhacker bot
SetEnvIfNoCase User-Agent winhttp|wwwoffle|woxbot|xaldon|xxxyy|yamanalab|yioopbot|youda|zeus|zmeu|zune|zyborg bot
# 8G:[REMOTE HOST]
SetEnvIfNoCase Remote_Host 163data|amazonaws|colocrossing|crimea|g00g1e|justhost|kanagawa|loopia|masterhost|onlinehome|poneytel|sprintdatacenter|reverse.softlayer|safenet|ttnet|woodpecker|wowrack bot
# 8G:[HTTP REFERRER]
SetEnvIfNoCase Referer order(?:\s|%20)by(?:\s|%20)1-- bot
SetEnvIfNoCase Referer @unlink|assert\(|print_r\(|x00|xbshell bot
SetEnvIfNoCase Referer 100dollars|best-seo|blue\spill|cocaine|ejaculat|erectile|erections|hoodia|huronriveracres|impotence|levitra|libido|lipitor|mopub\.com|phentermin bot
SetEnvIfNoCase Referer pornhelm|pro[sz]ac|sandyauer|semalt\.com|social-buttions|todaperfeita|tramadol|troyhamby|ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo bot
# 8G:[HTTP COOKIE]
SetEnvIfNoCase Cookie <|>|\'|%0A|%0D|%27|%3C|%3E|%00 bot
# 8G:[REQUEST METHOD]
SetEnvIfNoCase Request_Method ^(?:connect|debug|move|trace|track) bot
# Extra:[HTTP HOST]
SetEnvIfNoCase Host ^\d|^$ bot
# Controls who can get stuff from this server.
<RequireAll>
Require all granted
Require not env bot
</RequireAll>