
HTACCESS WHITEHAT SECURITY 2021

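# WHITEHAT SECURITY ADDITIONS BY The Chameleon 2021
#
# How the chains below are evaluated:
# - Every RewriteCond attaches to the NEXT RewriteRule. Commenting out a rule
#   while leaving its conditions active does not disable them; they are merged
#   into the following section's rule.
# - Conditions are AND-ed unless flagged [OR], and a run of [OR] conditions is
#   evaluated as one group. A missing [OR] at a section boundary therefore makes
#   the honeypot rule fire only when ALL sections match at once.
# Each section is therefore self-contained: its own honeypot exclusion, its own
# condition group, its own RewriteRule.
#
# Scope: these are coarse request filters. The User-Agent header is chosen by the
# client, and only the raw query string is inspected (not POST bodies, cookies or
# other headers). They complement, and do not replace, parameterized queries and
# input validation in the application.
RewriteEngine On

##### Deny Scanner User Agents -- START
# Answers 403 Forbidden when the User-Agent contains "Nuclei" (case-insensitive).
# To block more than one user agent, replace the condition with an alternation:
# RewriteCond %{HTTP_USER_AGENT} (SCspider|Textbot|s2bot) [NC]
RewriteCond %{HTTP_USER_AGENT} Nuclei [NC]
RewriteRule .* - [F,L]
##### Deny Scanner User Agents -- END

##### Redirect Linux Programs/Commands Used By Hackers and Spammers To Honeypot -- START
# Case-insensitive substring match on the User-Agent. Written as plain words:
# a trailing "*" (as in "curl*") only makes the last letter optional, so it
# would also match "cur".
# Legitimate wget/curl/Apache-client callers (uptime monitors, cron jobs,
# webhooks) match as well; exempt them before enabling this on a live site.
RewriteCond %{REQUEST_URI} !honeypot\.php/
RewriteCond %{HTTP_USER_AGENT} (wget|curl|apache) [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### Redirect Linux Programs/Commands Used By Hackers and Spammers To Honeypot -- END

##### Redirect If QUERY_STRING Has SQL Injection To Honeypot -- START
# QUERY_STRING contains everything in the URL after the "?" ex.) mydomain.com/test.php?test=test
# Excluded commands like version, update, insert, and set because they are common words and have caused false positives
# Keywords are matched as case-insensitive substrings, so ordinary values such as
# "download" (load), "process" (proc) or "nullable" (null) also match; check the
# list against the site's own parameter values. "unhex" is covered by "hex".
# The REQUEST_URI exclusion keeps the honeypot itself from being rewritten again,
# since the query string is carried over to /honeypot.php/.
RewriteCond %{REQUEST_URI} !honeypot\.php/
RewriteCond %{QUERY_STRING} (union|select|cast|declare|drop|md5|benchmark|table|column|distinct) [NC,OR]
RewriteCond %{QUERY_STRING} (substr|concat|schema|hex|truncate|convert|between|null|delay|char|sleep|load) [NC,OR]
RewriteCond %{QUERY_STRING} (exec|passthru|system|popen|proc) [NC]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### Redirect If QUERY_STRING Has SQL Injection To Honeypot -- END

##### Redirect If QUERY_STRING Has Encoded Injection Characters To Honeypot -- START
# QUERY_STRING contains everything in the URL after the "?" ex.) mydomain.com/test.php?test=test
# Excluded "%20", "%2F", "%26", "%3A", "%3D" due to use in site URL variables
# "%7E" is not blocked.
# Several of these are common in legitimate encoded values, e.g. %40 (@ in an
# e-mail address), %2B, %2C, %2D and %5F; trim the list if the site passes such
# values in its URLs.
RewriteCond %{REQUEST_URI} !honeypot\.php/
RewriteCond %{QUERY_STRING} %(00|0A|0D|21|22|23|24|25|27|28|29|2A|2B|2C|2D) [NC,OR]
RewriteCond %{QUERY_STRING} %(3B|3C|3E|40|5B|5C|5D|5E|5F|60|7B|7C|7D) [NC,OR]
# Literal "<", ">" and ";" as a character class, so that a leading "<" or ">" is
# never read as mod_rewrite's string-comparison prefix.
RewriteCond %{QUERY_STRING} [<>;]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### Redirect If QUERY_STRING Has Encoded Injection Characters To Honeypot -- END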
