.htaccess and 7g firewall

To begin with, I would like to say that my account got suspended (it is now working again) as I was replacing the .htaccess file (inside htdocs) because it was getting deleted.

The first step is to download the 7G Firewall (open it with 7zip; WinRAR will show it as a corrupted zip): 7G Firewall | Perishable Press

The second step is to create a .htaccess file including the 7G Firewall code and place it in the htdocs folder.

The code that results in the .htaccess file being deleted is the following:

```
# 7G:[USER AGENT]
<IfModule mod_rewrite.c>
	RewriteCond %{REQUEST_URI} !(7g_log.php) [NC]
	RewriteCond %{HTTP_USER_AGENT} ([a-z0-9]{2000,}) [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} (&lt;|%0a|%0d|%27|%3c|%3e|%00|0x00) [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} ((c99|php|web)shell|remoteview|site((.){0,2})copier) [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} (base64_decode|bin/bash|disconnect|eval|lwp-download|unserialize|\\\x22) [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} (360Spider|acapbot|acoonbot|ahrefs|alexibot|asterias|attackbot|backdorbot|becomebot|binlar|blackwidow|blekkobot|blexbot|blowfish|bullseye|bunnys|butterfly|careerbot|casper|checkpriv|cheesebot|cherrypick|chinaclaw|choppy|clshttp|cmsworld|copernic|copyrightcheck|cosmos|crescent|cy_cho|datacha|demon|diavol|discobot|dittospyder|dotbot|dotnetdotcom|dumbot|emailcollector|emailsiphon|emailwolf|exabot|extract|eyenetie|feedfinder|flaming|flashget|flicky|foobot|g00g1e|getright|gigabot|go-ahead-got|gozilla|grabnet|grafula|harvest|heritrix|httrack|icarus6j|jetbot|jetcar|jikespider|kmccrew|leechftp|libweb|linkextractor|linkscan|linkwalker|loader|miner|majestic|mechanize|mj12bot|morfeus|moveoverbot|netmechanic|netspider|nicerspro|nikto|ninja|nutch|octopus|pagegrabber|planetwork|postrank|proximic|purebot|pycurl|python|queryn|queryseeker|radian6|radiation|realdownload|rogerbot|scooter|seekerspider|semalt|seznambot|siclab|sindice|sistrix|sitebot|siteexplorer|sitesnagger|skygrid|smartdownload|snoopy|sosospider|spankbot|spbot|sqlmap|stackrambler|stripper|sucker|surftbot|sux0r|suzukacz|suzuran|takeout|teleport|telesoft|true_robots|turingos|turnit|vampire|vikspider|voideye|webleacher|webreaper|webstripper|webvac|webviewer|webwhacker|winhttp|wwwoffle|woxbot|xaldon|xxxyy|yamanalab|yioopbot|youda|zeus|zmeu|zune|zyborg) [NC]
	RewriteRule .* - [F,L]
</IfModule>
```

As I cannot test further (I don’t want my account to be suspended again), my question is which part of this code should be removed in order to still use the firewall.

Please forgive me for editing your message, I just wanted to add a code block around the .htaccess sample to make it a bit easier to read.

Your .htaccess code checks for known suspicious keywords in user agents, and will block those. Our abuse filters also check files for suspicious keywords, and will block those as well. So our system detects a .htaccess file being uploaded with lots of references to shells, exploits, bots and other hacking tools. So our abuse filter thinks that these lines are actually harmful.

I can’t tell you which keywords exactly triggered the suspension. In general, I would suggest ignoring this firewall entirely. Our hosting already has more sophisticated hacking protection than your .htaccess snippet adds. Your site will be just fine without these few rules.
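How the quoted `[USER AGENT]` block decides on a 403, as an added Python example that is not part of the original thread or of 7G itself. It assumes Python's `re` behaves like Apache's PCRE for these patterns, uses an abbreviated subset of the long bot-name list, and runs on constructed sample requests; the point is that the patterns are unanchored substring matches, so ordinary clients can be blocked too.

```python
import re

# Patterns copied from the 7G [USER AGENT] block quoted in the question.
# The last entry is an abbreviated subset of the long bot-name list.
EXCLUDE = re.compile(r"(7g_log.php)", re.I)          # first cond, negated with "!"
OR_GROUP = [re.compile(p, re.I) for p in (           # [NC] -> re.I
    r"([a-z0-9]{2000,})",
    r"(&lt;|%0a|%0d|%27|%3c|%3e|%00|0x00)",
    r"((c99|php|web)shell|remoteview|site((.){0,2})copier)",
    r"(base64_decode|bin/bash|disconnect|eval|lwp-download|unserialize|\\\x22)",
    r"(ahrefs|extract|harvest|httrack|loader|miner|nikto|python|sqlmap|winhttp)",
)]


def is_blocked(request_uri, user_agent):
    """Return the pattern that triggers the 403 ([F]), or None if allowed.

    mod_rewrite ANDs consecutive RewriteCond lines unless [OR] is set, so the
    block reads: URI is not 7g_log.php AND (cond2 OR cond3 OR ... OR cond6).
    RewriteCond patterns are unanchored, hence re.search and not re.match.
    """
    if EXCLUDE.search(request_uri):
        return None                      # "!" condition fails, rule is skipped
    for pattern in OR_GROUP:
        if pattern.search(user_agent):
            return pattern.pattern
    return None


# Constructed sample requests (not taken from any real log).
SAMPLES = [
    ("/", "Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0"),
    ("/health", "python-requests/2.31.0"),             # e.g. your own uptime check
    ("/", "ExampleCorp-Evaluation-Client/1.0"),        # contains "eval"
    ("/feed", "ExampleFeedLoader/3.2"),                # contains "loader"
    ("/7g_log.php", "python-requests/2.31.0"),         # excluded by first cond
]

if __name__ == "__main__":
    for uri, ua in SAMPLES:
        hit = is_blocked(uri, ua)
        verdict = "403 via " + hit[:40] if hit else "allowed"
        print(f"{uri:<12} {ua[:45]:<45} -> {verdict}")
```
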
