8G-SetEnvIf

# 8G FIREWALL v1.3 20240908
# https://perishablepress.com/8g-firewall/
# SetEnvIf version by Tonkünstler-on-the-Bund

# 8G:[QUERY STRING]

	SetEnvIfExpr "%{QUERY_STRING} =~ m#^(?:%2d|-)[^=]+$#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:/|%2f)(?::|%3a)(?:/|%2f)#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#etc/(?:hosts|motd|shadow)#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#order(?:\s|%20)by(?:\s|%20)1--#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:/|%2f)(?:\*|%2a)(?:\*|%2a)(?:/|%2f)#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#`|<|>|\^|\|\\\\|0x00|%00|%0d%0a#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#f?ckfinder|f?ckeditor|fullclick#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#header:|set-cookie:.*=#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#localhost|127(?:\.|%2e)0(?:\.|%2e)0(?:\.|%2e)1#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:cmd|command)(?:=|%3d)(?:chdir|mkdir).*x20#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:globals|mosconfig[a-z_]{1,22}|request)(?:=|\[)#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:/|%2f)(?:wp-)?config(?:(?:\.|%2e)inc)?(?:\.|%2e)php#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:thumbs?(?:_editor|open)?|tim(?:thumbs?)?)(?:\.|%2e)php#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:absolute_|base|root_)(?:dir|path)(?:=|%3d)(?:ftp|https?)#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:s)?(?:ftp|inurl|php)(?:s)?:(?:/|%2f|%u2215)(?:/|%2f|%u2215)#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:\.|20)(?:get|the)(?:_|%5f)(?:permalink|posts_page_url)(?:\(|%28)#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:boot|win)(?:\.|%2e)ini|etc(?:/|%2f)passwd|self(?:/|%2f)environ#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:/|%2f){3,3}|(?:\.|%2e){3,3}|(?:\.|%2e){2,2}(?:/|%2f|%u2215)#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:benchmark|char|exec|fopen|function|html).*(?:\(|%28)#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#php[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#eval.*(?:\(|%28)#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:/|%2f)(?:=|%3d|$&|_mm|cgi(?:\.|-)|inurl(?::|%3a)(?:/|%2f)|(?:mod|path)(?:=|%3d)(?:\.|%2e))#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:<|%3c).*embed#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:<|%3c).*iframe#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:<|%3c).*object#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:<|%3c).*script#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:\+|%2b|%20)delete(?:\+|%2b|%20)#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:\+|%2b|%20)insert(?:\+|%2b|%20)#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:\+|%2b|%20)select(?:\+|%2b|%20)#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:\+|%2b|%20)update(?:\+|%2b|%20)#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#\\\\x00|(?:\"|%22|\'|%27)?0(?:\"|%22|\'|%27)?(?:=|%3d)(?:\"|%22|\'|%27)?0|cast(?:\(|%28)0x|or%201(?:=|%3d)1#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#globals(?:=|\[|%[0-9A-Z]{0,2})#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#_request(?:=|\[|%[0-9A-Z]{2,})#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#javascript(?::|%3a).*(?:;|%3b|\)|%29)#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#base64_(?:en|de)code.*\)#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#@copy|\$_(?:files|get|post)|allow_url_(?:fopen|include)|auto_prepend_file|blexbot|browsersploit|call_user_func_array|(?:php|web)shell|curl(?:_exec|test)|disable_functions?|document_root#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#elastix|encodeuricom|exploit|fclose|fgets|file_put_contents|fputs|fsbuff|fsockopen|gethostbyname|ghost|grablogin|hmei7|hubs_post-cta|input_file|invokefunction|\bload_file|open_basedir|outfile|p3dlite#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#pass(?:=|%3d)shell|passthru|phpshells|popen|proc_open|quickbrute|remoteview|root_path|safe_mode|shell_exec|site.{0,2}copier|sp_executesql|sux0r|trojan|udtudt|user_func_array|wget|wp_insert_user|xertive#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:\+|%2b)(?:concat|delete|get|select|union)(?:\+|%2b)#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#union.*select#i" bot
	SetEnvIfExpr "%{QUERY_STRING} =~ m#(?:concat|eval).*(?:\(|%28)#i" bot


# 8G:[REQUEST URI]

	SetEnvIfNoCase Request_URI ,,, bot
	SetEnvIfNoCase Request_URI ------- bot
	SetEnvIfNoCase Request_URI \^|`|<|>|\\\\|\| bot
	SetEnvIfNoCase Request_URI =?\\\(?:\'|%27)/?\. bot
	SetEnvIfNoCase Request_URI /(?:\*|\"|\'|\.|,|&|&amp;?)/?$ bot
	SetEnvIfNoCase Request_URI \.php(\()?[0-9]+\)?/?$ bot
	SetEnvIfNoCase Request_URI (?:header:|set-cookie:.*=) bot
	SetEnvIfNoCase Request_URI \.s?ftp-?config|s?ftp-?config\. bot
	SetEnvIfNoCase Request_URI /(?:f?ckfinder|fck/|f?ckeditor|fullclick) bot
	SetEnvIfNoCase Request_URI /(?:(?:force-)?download|framework/main)\.php bot
	SetEnvIfNoCase Request_URI \{0\}|\"?0\"?=\"?0|\(/\(|\.\.\.|\+\+\+|\\\\\" bot
	SetEnvIfNoCase Request_URI /(?:vbull(?:etin)?|boards|vbforum|vbweb|webvb)/? bot
	SetEnvIfNoCase Request_URI (?:\.|20)(?:get|the)_(?:permalink|posts_page_url)\( bot
	SetEnvIfNoCase Request_URI ///|\?\?|/&&|/\*.*\*/|/:/|\\\\\\\\|0x00|%00|%0d%0a bot
	SetEnvIfNoCase Request_URI /(?:cgi_?)?alfa(?:_?cgiapi|_?data|_?v[0-9]+)?\.php bot
	SetEnvIfNoCase Request_URI (?:thumbs?(?:_editor|open)?|tim(?:thumbs?)?)(?:\.|%2e)php bot
	SetEnvIfNoCase Request_URI /(?:boot)?_?admin(?:er|istrator|s)(?:_events)?\.php bot
	SetEnvIfNoCase Request_URI /%7e(?:root|ftp|bin|nobody|named|guest|logs|sshd)/ bot
	SetEnvIfNoCase Request_URI (?:archive|backup|db|master|sql|wp|www|wwwroot)\.(?:gz|zip) bot
	SetEnvIfNoCase Request_URI /(?:\.?mad|alpha|c99|php|web)?sh(?:3|e)ll(?:[0-9]+|\w)\.php bot
	SetEnvIfNoCase Request_URI /(?:admin-?|file-?)upload(?:bg|_?file|ify|svu|ye)?\.php bot
	SetEnvIfNoCase Request_URI /(?:etc|var)/(?:hidden|secret|shadow|ninja|passwd|tmp)/?$ bot
	SetEnvIfNoCase Request_URI s?(?:ftp|http|inurl|php)s?:(?:/|%2f|%u2215)(?:/|%2f|%u2215) bot
	SetEnvIfNoCase Request_URI /(?:=|\$&?|&?(?:pws|rk)=0|_mm|_vti_|cgi(?:\.|-)?|(?:=|/|;|,)nt\.) bot
	SetEnvIfNoCase Request_URI \.(?:ds_store|htaccess|htpasswd|init?|mysql-select-db)/?$ bot
	SetEnvIfNoCase Request_URI /bin/(?:cc|chmod|chsh|cpp|echo|id|kill|mail|nasm|perl|ping|ps|python|tclsh)/?$ bot
	SetEnvIfNoCase Request_URI /(?:::[0-9999]|%3a%3a[0-9999]|127\.0\.0\.1|ccx|localhost|makefile|pingserver|wwwroot)/? bot
	SetEnvIfNoCase Request_URI ^/(?:123|backup|bak|beta|bkp|default|demo|dev(?:new|old)?|home|new-?site|null|old|old_files|old1)/?$ bot
	SetEnvIfNoCase Request_URI j\s*a\s*v\s*a bot
	SetEnvIfNoCase Request_URI ^/(?:old-?site(?:back)?|old(?:web)?site(?:here)?|sites?|staging|undefined|wordpress[0-9]+|wordpress-old)/?$ bot
	SetEnvIfNoCase Request_URI /(?:filemanager|htdocs|httpdocs|https?|login|mailman|mailto|msoffice|undefined|usage|var|vhosts|webmaster|www)/ bot
	SetEnvIfNoCase Request_URI \(null\)|\{\$itemURL\}|cast\(0x|echo.*kae|etc/passwd|eval\(|null.*null|open_basedir|self/environ|\+union\+all\+select bot
	SetEnvIfNoCase Request_URI (?:conf\b|conf(?:ig)?)(?:uration)?(?:\.?bak|\.inc|\.old|\.php|\.txt) bot
	SetEnvIfNoCase Request_URI /(?:.*crlf-?injection|.*xss-?protection|__(?:inc|jsc)|administrator|author-panel|cgi-bin|database|downloader|(?:db|mysql)-?admin)/ bot
	SetEnvIfNoCase Request_URI /(?:haders|head|hello|helpear|incahe|includes?|indo(?:sec)?|infos?|ioptimizes?|jmail|js|king|kiss|kodox|kro|legion|libsoft)\.php bot
	SetEnvIfNoCase Request_URI /(?:awstats|document_root|dologin\.action|error.log|extension/ext|htaccess\.|lib/php|listinfo|phpunit/php|remoteview|server/php|www\.root\.) bot
	SetEnvIfNoCase Request_URI (?:base64_(?:en|de)code|benchmark|curl_exec|e?chr|eval|function|fwrite|(?:f|p)open|html|leak|passthru|p?fsockopen|phpinfo).*(?:\)|%29) bot
	SetEnvIfNoCase Request_URI (?:posix_(?:kill|mkfifo|setpgid|setsid|setuid)|(?:child|proc)_(?:close|get_status|nice|open|terminate)|(?:shell_)?exec|system).*(?:\)|%29) bot
	SetEnvIfNoCase Request_URI /(?:(?:c99|php|web)?shell|crossdomain|fileditor|locus7|nstview|php(?:get|remoteview|writer)|r57|remview|sshphp|storm7|webadmin).*(?:\.|%2e|\(|%28) bot
	SetEnvIfNoCase Request_URI /wp-(?:201\d|202\d|[0-9]{2}|ad|admin(?:fx|rss|setup)|booking|confirm|crons|data|file|mail|one|plugins?|readindex|reset|setups?|story)\.php bot
	SetEnvIfNoCase Request_URI /(?:^$|-|\!|\w|\..*|100|123|[^iI]?ndex|index\.php/index|3xp|777|7yn|90sec|99|active|aill|ajs\.delivery|al277|alexuse?|ali|allwrite)\.php bot
	SetEnvIfNoCase Request_URI /(?:analyser|apache|apikey|apismtp|authenticat(?:e|ing)|autoload_classmap|backup(?:_index)?|bakup|bkht|black|bogel|bookmark|bypass|cachee?)\.php bot
	SetEnvIfNoCase Request_URI /(?:clean|cm(?:d|s)|con|connector\.minimal|contexmini|contral|curl(?:test)?|data(?:base)?|db|db-cache|db-safe-mode|defau11|defau1t|dompdf|dst)\.php bot
	SetEnvIfNoCase Request_URI /(?:elements|emails?|error.log|ecscache|edit-form|eval-stdin|evil|fbrrchive|filemga|filenetworks?|f0x|gank(?:\.php)?|gass|gel|guide)\.php bot
	SetEnvIfNoCase Request_URI /(?:logo_img|lufix|mage|marg|mass|mide|moon|mssqli|mybak|myshe|mysql|mytag_js?|nasgor|newfile|news|nf_?tracking|nginx|ngoi|ohayo|old-?index)\.php bot
	SetEnvIfNoCase Request_URI /(?:olux|owl|pekok|petx|php-?info|phpping|popup-pomo|priv|r3x|radio|rahma|randominit|readindex|readmy|reads|repair-?bak|robot(?:s\.txt)?|root)\.php bot
	SetEnvIfNoCase Request_URI /(?:router|savepng|semayan|shell|shootme|sky|socket(?:c|i|iasrgasf)ontrol|sql(?:bak|_?dump)?|support|sym403|sys|system_log|test|tmp-?(?:uploads)?)\.php bot
	SetEnvIfNoCase Request_URI /(?:traffic-advice|u2p|udd|ukauka|up__uzegp|up14|upa?|upxx?|vega|vip|vu(?:ln)?\w?|webroot|weki|wikindex|wordpress|wp_logns?|wp_wrong_datlib)\.php bot
	SetEnvIfNoCase Request_URI /(?:wp-?install|installation|wp(?:3|4|5|6)|wpfootes|wpzip|ws0|wsdl|wso\w?|www|(?:uploads|wp-admin)?xleet(?:-shell)?|xmlsrpc|xup|xxu|xxx|zibi|zipy)\.php bot
	SetEnvIfNoCase Request_URI bkv74|cachedsimilar|core-stab|crgrvnkb|ctivrc|deadcode|deathshop|dkiz|e7xue|eqxafaj90zir|exploits|ffmkpcal|filellli7|(?:fox|sid)wso|gel4y|goog1es|gvqqpinc bot
	SetEnvIfNoCase Request_URI @md5|00.temp00|0byte|0d4y|0day|0xor|wso1337|1h6j5|3xp|40dd1d|4price|70bex?|a57bze893|abbrevsprl|abruzi|adminer|aqbmkwwx|archivarix|backdoor|beez5|bgvzc29 bot
	SetEnvIfNoCase Request_URI handler_to_code|hax(?:0|o)r|hmei7|hnap1|home_url=|ibqyiove|icxbsx|indoxploi|jahat|jijle3|kcrew|keywordspy|laobiao|lock360|longdog|marijuan|mod_(?:aratic|ariimag) bot
	SetEnvIfNoCase Request_URI mobiquo|muiebl|nessus|osbxamip|phpunit|priv8|qcmpecgy|r3vn330|racrew|raiz0|reportserver|r00t|respectmus|rom2823|roseleif|sh3ll|site.{0,2}copier|sqlpatch|sux0r bot
	SetEnvIfNoCase Request_URI sym403|telerik|uddatasql|utchiha|visualfrontend|w0rm|wangdafa|wpyii2|wsoyanzo|x5cv|xattack|xbaner|xertive|xiaolei|xltavrat|xorz|xsamxad|xsvip|xxxs?s?|zabbix|zebda bot
	SetEnvIfNoCase Request_URI \.(?:7z|ab4|ace|afm|alfa|as(?:h|m)x?|aspx?|aws|axd|bash|ba?k?|bat|bin|bz2|cfg|cfml?|cgi|cms|conf\b|config|ctl|dat|db|dist|dll|eml|eng(?:ine)?|env|et2|exe|fec|fla|git(?:ignore)?)$ bot
	SetEnvIfNoCase Request_URI \.(?:hg|idea|inc|index|ini|inv|jar|jspa?|lib|local|log|lqd|make|mbf|mdb|mmw|mny|mod(?:ule)?|msi|old|one|orig|out|passwd|pdb|php\.(?:php|suspect(?:ed)?)|php[^\/]|phtml?|pl|profiles?)$ bot
	SetEnvIfNoCase Request_URI \.(?:psd|pst|ptdb|production|pwd|py|qbb|qdf|rar|rdf|remote|save|sdb|sql|sh|soa|svn|swf|swl|swo|swp|stx|tar|tax|tgz?|theme|tls|tmb|tmd|wok|wow|xsd|xtmpl|xz|ya?ml|za|zlib)$ bot


# 8G:[USER AGENT]

	SetEnvIfNoCase User-Agent ^[a-z0-9]$ bot
	SetEnvIfNoCase User-Agent &lt;|%0a|%0d|%27|%3c|%3e|%00|0x00|\\\\\x22 bot
	SetEnvIfNoCase User-Agent ahrefs|archiver|curl|libwww-perl|pycurl|scan bot
	SetEnvIfNoCase User-Agent oppo\sa33|(?:c99|php|web)shell|site.{0,2}copier bot
	SetEnvIfNoCase User-Agent base64_decode|bin/bash|disconnect|eval|unserializ bot
	SetEnvIfNoCase User-Agent acapbot|acoonbot|alexibot|asterias|attackbot|awario|backdor|becomebot|binlar|blackwidow|blekkobot|blex|blowfish|bullseye|bunnys|butterfly|careerbot|casper bot
	SetEnvIfNoCase User-Agent checkpriv|cheesebot|cherrypick|chinaclaw|choppy|clshttp|cmsworld|copernic|copyrightcheck|cosmos|crescent|datacha|\bdemon\b|diavol|discobot|dittospyder bot
	SetEnvIfNoCase User-Agent dotbot|dotnetdotcom|dumbot|econtext|emailcollector|emailsiphon|emailwolf|eolasbot|eventures|extract|eyenetie|feedfinder|flaming|flashget|flicky|foobot|fuck bot
	SetEnvIfNoCase User-Agent g00g1e|getright|gigabot|go-ahead-got|gozilla|grabnet|grafula|harvest|heritrix|httracks?|icarus6j|jetbot|jetcar|jikespider|kmccrew|leechftp|libweb|liebaofast bot
	SetEnvIfNoCase User-Agent linkscan|linkwalker|loader|lwp-download|majestic|masscan|miner|mechanize|mj12bot|morfeus|moveoverbot|netmechanic|netspider|nicerspro|nikto|ninja|nominet|nutch bot
	SetEnvIfNoCase User-Agent octopus|pagegrabber|planetwork|postrank|proximic|purebot|queryn|queryseeker|radian6|radiation|realdownload|remoteview|rogerbot|scan|scooter|seekerspid bot
	SetEnvIfNoCase User-Agent semalt|siclab|sindice|sistrix|sitebot|siteexplorer|sitesnagger|skygrid|smartdownload|snoopy|sosospider|spankbot|spbot|sqlmap|stackrambler|stripper|sucker|surftbot bot
	SetEnvIfNoCase User-Agent sux0r|suzukacz|suzuran|takeout|teleport|telesoft|true_robots|turingos|turnit|vampire|vikspider|voideye|webleacher|webreaper|webstripper|webvac|webviewer|webwhacker bot
	SetEnvIfNoCase User-Agent winhttp|wwwoffle|woxbot|xaldon|xxxyy|yamanalab|yioopbot|youda|zeus|zmeu|zune|zyborg bot


# 8G:[REMOTE HOST]

	SetEnvIfNoCase Remote_Host 163data|amazonaws|colocrossing|crimea|g00g1e|justhost|kanagawa|loopia|masterhost|onlinehome|poneytel|sprintdatacenter|reverse.softlayer|safenet|ttnet|woodpecker|wowrack bot


# 8G:[HTTP REFERRER]

	SetEnvIfNoCase Referer order(?:\s|%20)by(?:\s|%20)1-- bot
	SetEnvIfNoCase Referer @unlink|assert\(|print_r\(|x00|xbshell bot
	SetEnvIfNoCase Referer 100dollars|best-seo|blue\spill|cocaine|ejaculat|erectile|erections|hoodia|huronriveracres|impotence|levitra|libido|lipitor|mopub\.com|phentermin bot
	SetEnvIfNoCase Referer pornhelm|pro[sz]ac|sandyauer|semalt\.com|social-buttions|todaperfeita|tramadol|troyhamby|ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo bot


# 8G:[HTTP COOKIE]

	SetEnvIfNoCase Cookie <|>|\'|%0A|%0D|%27|%3C|%3E|%00 bot


# 8G:[REQUEST METHOD]

	SetEnvIfNoCase Request_Method ^(?:connect|debug|move|trace|track) bot


# Extra:[HTTP HOST]

	SetEnvIfNoCase Host ^\d|^$ bot


# Controls who can get stuff from this server.

    	<RequireAll>
            Require all granted
            Require not env bot
    	</RequireAll>