Monday, February 23, 2015

My Ultimate .htaccess Recipe

About a year ago, I got really tired of seeing infinite "script not found or unable to stat (that's how you spell start, apache?) : xmlrpc.php" in my error logs. This file does not, did not, and will never exist on my server, yet bots from too many IP addresses to block would request it anyway, over and over... and over... 24/7.

So I turned to Google for a solution and discovered that .htaccess files can be pretty damn handy. Here is the .htaccess file of one of the servers I maintain, and explanations of what each directive does:

First, it's good to use custom error pages. Except for 404s, I like to send bogus error messages back to the user, because it throws attackers off. So, I have a friendly 404 page that explains the page the visitor is looking for does not exist, and that it's totally my fault, with a link back home and my (the webmaster's) email address. All other common errors are sent to a generic "Error 696" page that explains an undeclared error has occurred, and redirects them back home.
# Banned visitors must still be able to fetch the error pages (see the note further down)
<Files *errorpage.php>
Allow from all
</Files>

ErrorDocument 400 /errorpage.php
ErrorDocument 401 /errorpage.php
ErrorDocument 403 /errorpage.php
ErrorDocument 404 /404_errorpage.php
ErrorDocument 500 /errorpage.php
ErrorDocument 501 /errorpage.php


Next, we have mod rewrite directives. Mod rewrite kicks ass, and as you can see, I can use it to send requests of questionable nature to 'mytrap.php' (a script I found online, credit to author 'Inque187' for writing it! I wish I could find his page to link you to.) Mytrap.php grabs the attacker's IP address and adds a Deny from x.x.x.x to the end of the .htaccess file. This permanently bans the IP address, and with the custom error page, they get a bogus '696' error page forever after being greeted by mytrap.php's harsh "F*** You, Don't Come Again" page.

RewriteEngine On
# Anything that looks like a scanner probe goes to the trap. [NC] = case-insensitive,
# [L] = stop at the first rule that matches.
RewriteRule ^cgi-bin /mytrap.php [NC,L]
RewriteRule ^cgi-bin/(.*)$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?cgi(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?chat(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?db(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?pma(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?rpc(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?xmlrpc(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?wp-login(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?ssh(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^xmlrpc\.php /mytrap.php [NC,L]
RewriteRule ^(/*.*)?admin(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?config(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?manager(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?webdav(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?wp-content(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?cgibin(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?phppath(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?xbxb(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?phpMyAdmin(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?myadmin(.*/*)?$ /mytrap.php [NC,L]
# The dot is escaped so this only matches a literal ".git", not "legit", "digit" etc.
RewriteRule ^(/*.*)?\.git(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?phpmyadmin(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?Admin(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?webmin(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?cpanel(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?panel(.*/*)?$ /mytrap.php [NC,L]
RewriteRule ^(/*.*)?restricted(.*/*)?$ /mytrap.php [NC,L]


Note: for all this to work properly, you need to make sure that the <Files> directive above allows access to the error pages. Otherwise, once an attacker is banned, he gets a double 403: he is denied access to the error page as well. That's not only ugly, it's counterproductive. The code for mytrap can be found here, if you're interested. To be fair, I have modified it somewhat; the original code was slightly kinder to the attacker.
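Here is how I would write the "append a Deny line" step that mytrap.php performs, as an added Python illustration of the mechanism described above; it is not Inque187's script, whose code is not reproduced on this page. It validates the client address before anything is written into .htaccess, normalises it, and skips addresses that are already listed, so the file does not accumulate duplicate entries. It assumes the Apache 2.2-style `Deny from` access control the post relies on (on Apache 2.4 those directives need mod_access_compat), and the .htaccess content and the 192.0.2.x / 2001:db8:: addresses used in the demo are constructed example values.

```python
import ipaddress
import os
import re
import tempfile

try:
    import fcntl  # POSIX advisory locking; used when available
except ImportError:  # pragma: no cover
    fcntl = None

DENY_LINE = re.compile(r"^\s*Deny\s+from\s+(\S+)\s*$", re.IGNORECASE)


def parse_denied(text):
    """Return the set of plain IP addresses already listed in 'Deny from' lines,
    normalised via ipaddress so different spellings (IPv6 especially) compare equal."""
    denied = set()
    for line in text.splitlines():
        m = DENY_LINE.match(line)
        if not m:
            continue
        try:
            denied.add(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            pass  # CIDR ranges, hostnames etc.: not our concern here
    return denied


def is_bannable(value):
    """True only for a syntactically valid IP literal that is not loopback.
    Anything else (a hostname, an injected string, garbage) is rejected, so the
    config file can only ever receive well-formed 'Deny from <ip>' lines."""
    try:
        return not ipaddress.ip_address(value.strip()).is_loopback
    except ValueError:
        return False


def ban_ip(htaccess_path, client_ip):
    """Append 'Deny from <ip>' unless the address is already banned.

    client_ip should be the server-provided peer address (REMOTE_ADDR), never a
    client-controlled header such as X-Forwarded-For.
    Returns True if a line was written, False if it was already present;
    raises ValueError for anything that is not bannable.
    """
    if not is_bannable(client_ip):
        raise ValueError(f"refusing to ban {client_ip!r}")
    normalised = str(ipaddress.ip_address(client_ip.strip()))

    # 'a+' lets us read the current content while every write still lands at the end.
    with open(htaccess_path, "a+", encoding="utf-8") as fh:
        if fcntl is not None:
            fcntl.flock(fh, fcntl.LOCK_EX)  # serialise concurrent trap hits
        fh.seek(0)
        current = fh.read()
        if normalised in parse_denied(current):
            return False
        fh.seek(0, os.SEEK_END)
        prefix = "" if current == "" or current.endswith("\n") else "\n"
        fh.write(f"{prefix}Deny from {normalised}\n")
        return True


def demo():
    """Run the trap logic against a constructed .htaccess in a temp file.
    Returns (result_1, result_2, result_3, final_file_content)."""
    with tempfile.NamedTemporaryFile("w", suffix=".htaccess", delete=False) as tmp:
        # Constructed sample: one error page directive and one existing ban.
        tmp.write("ErrorDocument 403 /errorpage.php\nDeny from 192.0.2.10\n")
    try:
        r1 = ban_ip(tmp.name, "192.0.2.10")   # already listed -> False
        r2 = ban_ip(tmp.name, "192.0.2.55")   # new address   -> True
        r3 = ban_ip(tmp.name, "2001:db8::1")  # IPv6 works the same way
        with open(tmp.name, encoding="utf-8") as fh:
            final = fh.read()
    finally:
        os.unlink(tmp.name)
    return r1, r2, r3, final


if __name__ == "__main__":
    r1, r2, r3, final = demo()
    print(r1, r2, r3)
    print(final)
```

The de-duplication matters in practice: a scanner that hits several trapped paths in one sweep would otherwise produce one Deny line per hit, which is how a list like the one at the end of this post ends up carrying the same address more than once.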

And of course, it is desirable to stop image 'hot-linking', because it consumes bandwidth. This works with mod rewrite as well: if the HTTP Referer header points anywhere but my site, the request is answered with a 403 (or, "696" in this case) error.

# hotlink kill
# An empty/missing Referer is let through; a Referer from anywhere but our own site gets a 403.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?donotaccept\.tk/.*$ [NC]
RewriteRule \.(gif|jpg|jpeg|png|js|css)$ - [F]

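To see what the rule set above actually catches, here is an added Python script of my own (not part of the post) that replays the trap keywords and the hot-link conditions against constructed sample requests. It models the rules with Python's `re` module, which is close enough to Apache's regex engine for these patterns, treats every keyword as literal text, and applies the first-match-wins order that the [L] flag gives. Two things it makes visible: a path that merely contains a keyword is trapped, so an innocent `feedback.html` is banned by the `db` rule; and the hot-link referer pattern only accepts `http://`, so a same-site referer sent over HTTPS is refused. The site name `donotaccept.tk` is the one from the post; the sample paths and referers are constructed.

```python
import re

# Keywords from the post's RewriteRule list, in the order they appear. With [NC]
# matching is case-insensitive, so Admin/phpMyAdmin duplicate earlier entries.
TRAP_KEYWORDS = [
    "cgi", "chat", "db", "pma", "rpc", "xmlrpc", "wp-login", "ssh", "admin",
    "config", "manager", "webdav", "wp-content", "cgibin", "phppath", "xbxb",
    "phpMyAdmin", "myadmin", ".git", "phpmyadmin", "Admin", "webmin", "cpanel",
    "panel", "restricted",
]


def build_trap_rules(keywords=TRAP_KEYWORDS):
    """Compile the rule chain: the ^cgi-bin prefix rule first, then one
    'keyword anywhere in the path' rule per keyword, in the post's order."""
    rules = [("cgi-bin", re.compile(r"^cgi-bin", re.I))]
    for kw in keywords:
        # ^(/*.*)?KEYWORD(.*/*)?$ is equivalent to 'the path contains KEYWORD'
        rules.append((kw, re.compile(r"^(/*.*)?" + re.escape(kw) + r"(.*/*)?$", re.I)))
    return rules


TRAP_RULES = build_trap_rules()


def trap_rule(path, rules=TRAP_RULES):
    """Return the label of the first rule that would send this request to
    mytrap.php, or None if the request is served normally. In a per-directory
    .htaccess the pattern sees the path without its leading slash."""
    rel = path.lstrip("/")
    for label, pattern in rules:
        if pattern.search(rel):
            return label
    return None


OWN_SITE = re.compile(r"^http://(www\.)?donotaccept\.tk/.*$", re.I)
HOTLINK_TYPES = re.compile(r"\.(gif|jpg|jpeg|png|js|css)$", re.I)


def hotlink_blocked(path, referer):
    """Emulate the hot-link rule: 403 for static assets whose Referer is
    present (RewriteCond !^$) and does not match our own site."""
    if not HOTLINK_TYPES.search(path):
        return False
    if referer == "":  # missing or empty Referer is allowed through
        return False
    return OWN_SITE.match(referer) is None


def audit(paths, rules=TRAP_RULES):
    """Map each sample path to the rule that traps it (None = served)."""
    return {p: trap_rule(p, rules) for p in paths}


if __name__ == "__main__":
    # Constructed sample requests: scanner probes mixed with legitimate pages.
    samples = ["/xmlrpc.php", "/wp-login.php", "/cgi-bin/test.cgi",
               "/phpMyAdmin/index.php", "/index.html", "/feedback.html",
               "/images/logo.png"]
    for p, hit in audit(samples).items():
        print(f"{p:24} -> {hit or 'served'}")
    print(hotlink_blocked("/images/logo.png", "http://example.com/forum"))
    print(hotlink_blocked("/images/logo.png", "https://donotaccept.tk/page.html"))
```

Running it also shows that the dedicated `xmlrpc` rules never fire: `/xmlrpc.php` is already caught by the `rpc` rule that precedes them. Before copying a keyword list like this, it is worth running every URL your own site legitimately serves through such an audit, because one short keyword (`db`, `panel`, `chat`) is enough to ban a real visitor.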

To get you started, here is the list of IP addresses that have tried funny stuff on my server over the last year or so:

# Since Implementing mytrap.php:

Deny from 89.46.101.153
Deny from 50.7.139.156
Deny from 50.7.139.117
Deny from 50.7.139.116
Deny from 50.7.139.154
Deny from 50.7.139.158
Deny from 94.242.206.199
Deny from 187.33.2.88
Deny from 31.210.96.90
Deny from 209.126.74.118
Deny from 87.98.252.201
Deny from 176.31.72.184
Deny from 162.217.204.10
Deny from 94.102.63.56
Deny from 89.248.172.145
Deny from 94.102.63.54
Deny from 89.248.169.48
Deny from 93.174.95.125
Deny from 94.102.49.207
Deny from 162.213.155.182
Deny from 184.107.148.154
Deny from 58.137.44.212
Deny from 185.56.80.133
Deny from 80.82.78.112
Deny from 46.105.132.145
Deny from 94.100.17.134
Deny from 91.223.89.150
Deny from 91.223.89.141
Deny from 91.223.89.148
Deny from 94.102.52.144
Deny from 85.17.123.29
Deny from 203.195.212.30
Deny from 176.109.195.139
Deny from 94.102.49.168
Deny from 176.123.2.6
Deny from 176.102.37.84
Deny from 94.102.49.218
Deny from 94.102.63.55
Deny from 50.30.42.71
Deny from 202.201.1.248
Deny from 94.102.52.76
Deny from 89.46.101.196
Deny from 76.73.74.82
Deny from 162.253.224.5
Deny from 69.64.72.41
Deny from 125.24.141.182
Deny from 61.144.224.28
Deny from 178.32.92.98
Deny from 188.40.114.21
Deny from 173.193.120.242
Deny from 1.214.212.74
Deny from 220.177.198.41
Deny from 115.239.248.58
Deny from 31.7.63.210
Deny from 176.123.7.31
Deny from 108.175.157.140
Deny from 222.190.118.224
Deny from 91.208.16.3
Deny from 77.238.15.68
Deny from 212.59.30.101
Deny from 84.17.0.17
Deny from 176.31.215.59
Deny from 162.248.101.225
Deny from 187.45.241.242
Deny from 37.57.231.220
Deny from 80.82.78.57
Deny from 93.174.93.204
Deny from 81.200.30.230
Deny from 212.152.254.101
Deny from 67.23.228.70
Deny from 209.151.165.199
Deny from 54.218.56.220
Deny from 192.42.116.16
Deny from 149.154.67.29
Deny from 107.170.53.191
Deny from 116.213.70.52
Deny from 54.232.227.221
Deny from 2.229.27.202
Deny from 80.82.65.50
Deny from 119.18.109.10
Deny from 162.243.209.165
Deny from 115.239.248.112
Deny from 118.26.205.224
Deny from 91.209.192.252
Deny from 50.7.139.198
Deny from 50.7.139.197
Deny from 50.7.139.202
Deny from 50.7.139.203
Deny from 94.242.206.146
Deny from 94.242.206.244
Deny from 61.227.20.77
Deny from 193.108.160.213
Deny from 118.161.189.190
Deny from 74.81.91.130
Deny from 67.23.249.124
Deny from 187.207.85.34
Deny from 222.186.56.7
Deny from 110.78.155.33
Deny from 92.63.104.233
Deny from 116.74.1.158
Deny from 111.252.179.12
Deny from 104.36.83.104
Deny from 117.21.191.205
Deny from 162.248.101.236
Deny from 198.46.158.94
Deny from 162.248.98.68
Deny from 212.227.114.158
Deny from 180.210.204.141
Deny from 216.128.23.172
Deny from 189.51.133.144
Deny from 91.202.25.217
Deny from 162.248.98.154
Deny from 188.143.234.100
Deny from 130.211.104.110
Deny from 5.45.74.37
Deny from 120.192.174.170
Deny from 95.111.68.120
Deny from 197.162.105.201
Deny from 114.46.8.59
Deny from 188.26.174.234
Deny from 58.177.134.182
Deny from 188.226.3.77
Deny from 207.46.13.98
Deny from 85.17.141.182
Deny from 186.155.250.225
Deny from 61.191.62.7
Deny from 69.85.84.88
Deny from 107.167.176.110
Deny from 46.18.76.4
Deny from 82.146.38.254
Deny from 66.85.171.10
Deny from 182.18.23.26
Deny from 193.169.195.67
Deny from 146.0.72.182
Deny from 195.3.144.84

# since server transfer

Deny from 78.191.212.15
Deny from 91.232.21.238
Deny from 114.252.43.77
Deny from 157.55.39.203
Deny from 192.227.227.107
Deny from 107.178.219.218
Deny from 23.251.155.105
Deny from 162.243.197.28
Deny from 91.121.18.214
Deny from 123.110.225.234
Deny from 176.123.3.14
Deny from 111.207.253.234
Deny from 46.105.24.37
Deny from 69.28.85.57
Deny from 207.46.13.0
Deny from 159.224.160.42
Deny from 86.34.134.179
Deny from 157.55.39.139
Deny from 96.8.115.114
Deny from 115.239.248.56
Deny from 69.174.245.163
Deny from 157.55.39.140
Deny from 117.21.191.208
Deny from 184.171.255.59
Deny from 117.21.226.160
Deny from 218.188.39.201
Deny from 184.154.150.120
Deny from 208.70.160.45
Deny from 117.27.158.108
Deny from 222.76.242.219
Deny from 88.35.245.157
Deny from 23.250.11.26
Deny from 124.160.193.67
Deny from 207.46.13.63
Deny from 108.178.24.130
Deny from 104.131.231.235
Deny from 202.176.80.22
Deny from 207.46.13.65
Deny from 198.57.210.19
Deny from 182.52.60.66
Deny from 81.82.255.164
Deny from 130.211.101.147
Deny from 5.248.87.10
Deny from 82.107.207.117
Deny from 218.245.6.22
Deny from 117.21.225.176
Deny from 114.24.153.21
Deny from 188.226.216.40
Deny from 162.253.66.76
Deny from 8.18.225.37
Deny from 50.6.77.43
Deny from 74.208.16.123
Deny from 83.64.10.186
Deny from 183.91.14.219
Deny from 194.72.112.130
Deny from 207.12.89.139
Deny from 216.158.84.92
Deny from 208.89.211.195
Deny from 189.164.59.181
Deny from 95.211.188.230
Deny from 46.105.121.70
Deny from 125.25.203.57
Deny from 89.42.216.25
Deny from 64.34.169.249
Deny from 69.64.38.144
Deny from 184.168.200.12
Deny from 68.90.68.227
Deny from 184.168.200.33
Deny from 96.8.125.27
Deny from 114.45.29.212
Deny from 122.155.174.172
Deny from 103.253.73.170
Deny from 207.46.13.104
Deny from 216.158.84.79
Deny from 201.219.60.5
Deny from 95.211.188.234
Deny from 74.91.127.130
Deny from 123.204.159.141
Deny from 146.0.72.185
Deny from 114.35.47.170
Deny from 114.35.183.103
Deny from 117.21.191.211
Deny from 217.40.96.250
Deny from 212.126.101.3
Deny from 140.119.19.28
Deny from 211.22.8.125
Deny from 50.22.53.71
Deny from 77.38.197.67
Deny from 140.113.146.59
Deny from 115.84.107.150
Deny from 192.210.200.51
Deny from 23.94.13.28
Deny from 217.70.142.135
Deny from 110.168.5.86
Deny from 62.210.167.201
Deny from 114.40.49.196
Deny from 103.31.204.82
Deny from 23.94.13.30
Deny from 192.210.200.254
Deny from 192.210.200.253
Deny from 192.210.200.130
Deny from 46.28.206.150
Deny from 23.94.13.106
Deny from 192.210.200.115
Deny from 220.133.153.220
Deny from 211.149.187.150
Deny from 222.74.129.6
Deny from 117.21.173.155
Deny from 81.88.49.30
Deny from 79.170.44.113
Deny from 184.168.200.234
Deny from 123.240.235.46
Deny from 188.225.72.145
Deny from 114.35.8.11
Deny from 64.187.235.199
Deny from 192.99.144.140
Deny from 27.28.52.129
Deny from 125.230.145.168
Deny from 195.206.253.146
Deny from 189.222.228.125
Deny from 188.225.34.139
Deny from 69.26.171.195
Deny from 74.63.199.120
Deny from 113.107.235.80
Deny from 218.152.216.82
Deny from 123.157.150.56
Deny from 162.17.16.249
Deny from 82.104.65.14
Deny from 187.174.166.135
Deny from 23.94.13.43
Deny from 27.159.203.63
Deny from 213.136.75.23
Deny from 123.192.113.27
Deny from 46.165.244.13
Deny from 75.102.34.114
Deny from 218.248.232.24
Deny from 5.11.36.140
Deny from 188.120.253.137
Deny from 5.238.81.96
Deny from 209.54.40.31
Deny from 213.136.79.113
Deny from 179.182.55.179
Deny from 192.99.152.38
Deny from 201.155.192.248
Deny from 213.136.75.34
Deny from 202.129.28.14
Deny from 37.187.78.33
Deny from 219.139.115.221
Deny from 117.26.248.30
Deny from 187.210.68.89
Deny from 186.37.78.157
Deny from 91.232.21.1
Deny from 103.253.73.229
Deny from 23.250.37.218
Deny from 201.243.63.188
Deny from 188.54.6.140
Deny from 81.17.20.38
Deny from 117.21.191.206
Deny from 120.43.22.104
Deny from 213.136.84.220
Deny from 123.30.213.33
Deny from 117.26.253.251
Deny from 27.153.231.194
Deny from 27.159.210.3
Deny from 114.32.175.165
Deny from 118.244.201.4
Deny from 201.163.235.196
Deny from 219.84.201.20
Deny from 196.42.30.146
Deny from 37.57.200.107
Deny from 95.70.30.78
Deny from 220.161.168.201
Deny from 27.159.213.115
Deny from 192.99.47.125
Deny from 27.159.252.12
Deny from 123.192.250.35
Deny from 202.119.166.37
Deny from 178.205.85.192
Deny from 93.94.219.69
Deny from 120.37.235.107
Deny from 222.79.146.2
Deny from 190.215.113.83
Deny from 110.169.153.246
Deny from 116.0.23.222
Deny from 188.40.137.21
Deny from 198.101.223.246
Deny from 88.100.179.195
Deny from 213.108.208.111
Deny from 89.248.166.139
Deny from 198.12.87.153
Deny from 203.158.167.2
Deny from 173.54.103.58
Deny from 46.105.158.150
Deny from 192.228.107.187
Deny from 114.27.35.93
Deny from 205.186.157.200
Deny from 117.26.255.56
Deny from 202.29.178.12
Deny from 27.159.202.129
Deny from 219.77.242.61
Deny from 201.166.63.25
Deny from 207.46.13.18
Deny from 189.167.17.122
Deny from 96.8.117.98
Deny from 140.123.226.217
Deny from 198.12.87.152
Deny from 113.252.247.235
Deny from 39.118.12.172
Deny from 93.89.232.19
Deny from 207.46.13.49
Deny from 189.236.145.1
Deny from 89.207.135.125
Deny from 71.86.48.83
Deny from 59.124.2.157
Deny from 84.52.30.37
Deny from 23.95.113.232
Deny from 201.214.3.74
Deny from 121.40.134.116
Deny from 192.187.110.179
Deny from 204.11.35.6
Deny from 173.45.100.18
Deny from 218.30.21.144
Deny from 60.18.147.183
Deny from 5.39.90.148
Deny from 125.212.197.67
Deny from 94.102.49.82
Deny from 140.117.53.39
Deny from 178.18.250.4
Deny from 193.150.120.74
Deny from 116.113.96.171
Deny from 104.192.103.24
Deny from 94.242.58.132
Deny from 74.208.105.217
Deny from 209.190.11.26
Deny from 162.244.32.47
Deny from 176.10.100.226
Deny from 142.4.215.115
Deny from 207.46.13.44
Deny from 200.90.118.98
Deny from 5.39.222.250
Deny from 46.4.93.52
Deny from 198.8.90.61
Deny from 182.48.49.155
Deny from 79.170.40.232
Deny from 209.239.114.46
Deny from 174.136.50.43
Deny from 192.163.236.48
Deny from 69.162.74.146
Deny from 203.114.105.46
Deny from 104.192.103.3
Deny from 117.21.173.34
Deny from 94.102.52.84
Deny from 149.210.135.28
Deny from 192.3.140.202
Deny from 146.71.111.226
Deny from 85.25.199.119
Deny from 88.135.0.50
Deny from 80.82.78.87
Deny from 91.200.12.28
Deny from 192.161.174.151
Deny from 128.73.172.235
Deny from 123.196.124.103
Deny from 46.72.212.75
Deny from 59.126.171.82
Deny from 58.96.172.3
Deny from 107.182.136.203
Deny from 109.86.15.95
Deny from 198.46.154.202
Deny from 173.199.73.34
Deny from 140.113.68.233
Deny from 110.82.157.175
Deny from 200.85.205.25
Deny from 176.102.38.45
Deny from 124.121.248.39
Deny from 124.192.229.236
Deny from 60.164.173.49
Deny from 188.225.76.82
Deny from 86.57.189.220
Deny from 180.186.121.254
Deny from 182.92.11.194
Deny from 80.244.35.222
Deny from 188.225.76.102
Deny from 178.20.229.132
Deny from 200.93.183.56

# Since server upgrade

Deny from 89.163.227.192
Deny from 72.249.47.87
Deny from 184.154.202.243
Deny from 94.102.77.42
Deny from 207.240.10.33
Deny from 212.59.30.110
Deny from 37.57.231.123
Deny from 84.45.122.217
Deny from 159.226.170.29
Deny from 46.4.97.132
Deny from 174.142.192.166
Deny from 5.248.10.80
Deny from 213.175.205.68
Deny from 93.170.147.174
Deny from 177.224.62.184
Deny from 144.76.70.133
Deny from 89.248.171.2
Deny from 193.150.120.176
Deny from 198.23.149.154
Deny from 94.102.63.155
Deny from 64.95.98.210
Deny from 64.95.98.214
Deny from 23.229.20.17
Deny from 95.128.246.45
Deny from 200.98.200.144
Deny from 37.115.185.37
Deny from 208.97.71.66
Deny from 187.61.61.120
Deny from 95.172.83.162
Deny from 1.10.218.171
Deny from 62.133.183.223
Deny from 82.165.150.150
Deny from 23.95.82.42
Deny from 217.126.50.212
Deny from 5.39.222.252
Deny from 174.129.126.216
Deny from 37.57.231.110
Deny from 198.211.30.100
Deny from 46.118.159.153
Deny from 74.208.173.45
Deny from 5.102.190.148
Deny from 93.158.200.18
Deny from 94.247.40.140
Deny from 37.57.231.235
Deny from 189.1.161.210
Deny from 120.126.36.198
Deny from 24.97.237.154
Deny from 188.40.84.105
Deny from 198.154.60.143
Deny from 203.146.170.165
Deny from 61.147.103.173
Deny from 64.95.98.10
Deny from 176.209.215.188
Deny from 93.186.202.16
Deny from 176.67.25.127
Deny from 46.32.239.84
Deny from 201.2.79.42
Deny from 190.221.1.136
Deny from 93.158.200.40
Deny from 85.17.25.195
Deny from 208.52.149.222
Deny from 111.226.131.113
Deny from 176.102.38.151
Deny from 176.103.49.29
Deny from 194.126.139.13
Deny from 23.94.186.154
Deny from 217.114.212.26
Deny from 2.139.237.110
Deny from 37.187.169.132
Deny from 89.46.101.145
Deny from 175.102.9.100
Deny from 76.178.222.142
Deny from 65.196.87.161
Deny from 198.154.63.131
Deny from 192.3.182.186
Deny from 64.95.98.11
Deny from 108.166.85.126
Deny from 23.94.17.82
Deny from 62.210.189.161
Deny from 85.194.82.10
Deny from 37.220.35.142
Deny from 195.154.169.102
Deny from 82.213.78.2

# Since move to new server

Deny from 64.188.44.114
Deny from 220.132.34.57
Deny from 220.241.216.6
Deny from 189.170.162.100
Deny from 58.96.180.91
Deny from 59.124.165.52
Deny from 103.253.113.172
Deny from 59.148.184.220
Deny from 219.232.247.108
Deny from 189.222.209.244
Deny from 121.199.17.183
Deny from 211.67.208.79
Deny from 212.175.87.57
Deny from 103.240.220.164
Deny from 42.3.128.111
Deny from 110.78.141.125
Deny from 194.27.60.106
Deny from 77.223.129.145
Deny from 194.27.68.28
Deny from 199.217.115.37
Deny from 186.115.6.148
Deny from 113.53.250.75
Deny from 222.124.155.106

Enjoy.

1 comment:

  1. Here's the link to Inque that you may have started from: -

    http://www.lunarforums.com/lunarpages-security-center/auto-ip-ban-script-(stop-rogue-scanning-and-trap-bad-spidersbots)/?PHPSESSID=rdapu8bp030vvrjkir672stee1
