UAEG – Uploads Anti-Exploit Guard, Uploads BulletProof Mode

Home Forums BulletProof Security Pro UAEG – Uploads Anti-Exploit Guard, Uploads BulletProof Mode

Viewing 15 posts - 1 through 15 (of 15 total)
  • Author
    Posts
  • #1014
    Benny Maisa
    Participant

    Hi. I just wanna ask one question. How to activate UAEG? I feel unsafe when see “off” notification in BPS. Thanks. ūüôā

    #1021
    AITpro Admin
    Keymaster

    Update:  A new Uploads Anti-Exploit Guard (UAEG) Read Me First Sticky Topic has been created in the link below.

    http://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/

    The Uploads Anti-Exploit Guard can be turned on by going to the B-Core Security Modes page and scrolling down too…

    Activate Uploads Folder htaccess Security Mode

    Click the Uploads Anti-Exploit Guard Activate button.

    #27137
    impart
    Participant

    Second is the problem we last had with the UAEG and caching in uploads folder which completely broke my site.
    I did this with setEnvIF on Apache and got it working then. ¬†On LiteSpeed we discussed a few days ago to use .htaccess files with just RewriteEngineOff in it in the directories. ¬†Again my site is broken now because this did not work out , I have the htaccess everywhere in /uploads/xxx, /uploads/xxx/cache, /uploads/yyy, /uploads/yyy/cache. Does also not work. without them in the cache dirs it√Ąs also not workin at all This is really a pity, please help me, thanks!

    REQUEST_URI: /wp-content/uploads/xxx/cache/responsive-grid-js-abdeff879689.js
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
    etc
    etc
    etc
    

    ________________________________
    As I told you last time / sadly you deleted it, you have a big bug in your custom UAEG handling. This time I DID first copy all of the standard UAEG htaccess in the custom code field. Everything ok, but if you want to revert to standard and delete the Custom UAEG field then nothing happens. After activating/deactvating, if you want 20 times, still the one you entried manually stays in htaccess. You told me it will be my server or anything else. I am on a completely new server with different infrastructure, litespeed instad apache and fresh bps pro and this is still the same, the only thing that remains me now is to delete this thing and start from scratch. I hope you can give me a solution that works on litespeed for whitelisting dirs in UAEG, otherwise this is lost.
    Thanks
    Thomas

    #27155
    AITpro Admin
    Keymaster

    BPS only creates 1 UAEG htaccess file in the root /uploads folder.  If other htaccess files are being created in other /uploads folders then either something else you have installed is doing that or there is some kind of specific server problem or setting problem occurring on your server/website that is causing that problem.  If you would like for me to figure out what that server or setting problem could be then send a WordPress Administrator login to this website to:  info at ait-pro dot com.

    For a LiteSpeed Server you will need to use this alternative UAEG htaccess code instead of the standard UAEG htaccess code. We will probably create a separate UAEG htaccess file for LiteSpeed Servers in BPS Pro 11.6.  A Reset button has been added in BPS Pro 11.6 to restore the default UAEG htaccess file, which handles/resolves the other issues with UAEG.

    # BULLETPROOF PRO UPLOADS FOLDER .HTACCESS
    #
    # BPS LiteSpeed
    #
    # FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
    # Example: whitelist all js files in a particular folder.
    RewriteRule ^folder-name/(.*).js - [L]
    # Example: whitelist an individual file anywhere in the /uploads folder.
    RewriteRule ^file-name.js - [L]
    RewriteCond %{REQUEST_URI} ^.*\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$ [NC]
    RewriteRule ^(.*)$ - [F]
    
    # FORBID PHP FILES DISGUISED AS AN IMAGE FILE - example.php.jpg - example.PHP.jpg
    <FilesMatch "\.(php|PHP|\.+(php)|\.+(PHP)).*$">
    Order Allow,Deny
    Deny from all
    </FilesMatch>
    #27156
    impart
    Participant

    No one and nothing else what I have installed did that nor a server, I did exactly what you told me what we talked a few days ago.
    And this does not work. RewriteEngine Off .htaccess File Method (if you have several files in a subfolder in the uploads folder. Example: /wp-content/uploads/my-subfolder/) All files in the /my-subfolder/ folder will no longer be checked or blocked by UAEG.
    1. Open Notepad or Notepad++ (NOT Word or WordPad) on your computer.
    2. Add this one line of text in your new Notepad text file: RewriteEngine Off.
    3. Save the text file with this name: securityoff.htaccess.
    4. Upload the securityoff.htaccess file to the folder/directory where you want to turn security Off/prevent the parent .htaccess file from applying its security rules/directives in this folder. In this example case the folder would be: /wp-content/uploads/my-subfolder/.
    5. Rename the securityoff.htaccess file to .htaccess (removing securityoff from the file name). /wp-content/uploads/my-subfolder/.htaccess

    #27159
    AITpro Admin
    Keymaster

    Ok remove those htaccess files that you created, copy the LiteSpeed UAEG htaccess file I posted in my previous reply to UAEG Custom Code, add your whitelist rule (in your case I believe you need to whitelist an entire folder), save your changes and activate UAEG BulletProof Mode.

    #27160
    impart
    Participant

    Yes the problem for me is how do I whitelist an entire folder= Just all files in it like this?
    RewriteRule ^folder-name/(.*).(.*) – [L]

    #27161
    AITpro Admin
    Keymaster

    You would add the actual folder name you want to whitelist in the example code that is posted above after copying the LiteSpeed UAEG code to BPS Custom Code.

    # Example: whitelist all js files in a particular folder.
    RewriteRule ^folder-name/(.*).js - [L]
    #27162
    impart
    Participant

    Hmmm, we are not talking same language I am afraid. The code you posted above and now once again whitelists all js files, I need a whole folder whitelisted or I would have to make one line for every file type. Which one should I take then here?

    #27163
    AITpro Admin
    Keymaster

    In order for the whitelist rule to work you MUST have at least 1 file extension in the whitelist rule.  So if you need to whitelist all js files and any other file types then you would do something like this:

    # Example: whitelist all js,css, png, jpg and swf files in a particular folder.
    RewriteRule ^folder-name/(.*)\.(js|php|css|png|jpg|swf) - [L]
    #27164
    impart
    Participant

    Ok, and this mod_authz_core should also not be there anymore becasue that’s what’s now in it??!?
    [mod_authz_core code example deleted]

    #27166
    AITpro Admin
    Keymaster

    Correct do not use the mod_authz_core code.  Replace your entire UAEG htaccess code in BPS UAEG Custom Code with the LiteSpeed UAEG code I posted above, add your whitelist rule, etc.

    #27167
    impart
    Participant

    Finally this seemed to work now, thanks.

    #27168
    AITpro Admin
    Keymaster

    Great! ¬†And yeah I think LiteSpeed may also have an issue/problem with processing IfModule directive conditions code and/or¬†mod_authz_core code so I should have had you use mod_access_compat code ONLY from the very beginning. ¬†The whole¬†fModule directive conditional code and mod_authz_core code also has problems on a lot of different web hosts including 1 of the top 5 biggest web hosts in the world. ¬†It is a train wreck waiting to happen so hopefully we are ahead of that trainwreck. ¬†The big picture is that Apache is phasing out mod_access_compat and using the new¬†mod_authz_core directives, but a lot of hosts are going to have transitional problems with this Apache change. ¬†We are seeing the first signs of that train wreck now and I imagine it will become a real mess in the next 2 years. ūüėČ

    #27169
    impart
    Participant

    Yah, the future doesn’t look good generally, why not also in this world ūüėČ

Viewing 15 posts - 1 through 15 (of 15 total)
  • You must be logged in to reply to this topic.