Uploads Anti-Exploit Guard UAEG – Read Me First

Home Forums BulletProof Security Pro Uploads Anti-Exploit Guard UAEG – Read Me First

This topic contains 27 replies, has 4 voices, and was last updated by  AITpro Admin 1 year, 9 months ago.

Viewing 15 posts - 1 through 15 (of 28 total)
  • Author
    Posts
  • #13280

    AITpro Admin
    Keymaster

    Uploads Anti-Exploit GuardUploads Anti-Exploit Guard (UAEG)
    The Uploads Anti-Exploit Guard (UAEG) protects the WordPress uploads folder from being exploited with an .htaccess file that blocks remote access or execution of file types in your uploads folder that could be used to hack your website.  UAEG is automatically activated on BPS Pro installation.  UAEG can be manually deactivated on the B-Core >>> Security Modes page.

    NOTE: LiteSpeed Servers do not support the Apache SetEnvIf directive. The SetEnvIf directive is ignored on LiteSpeed servers.  See the LiteSpeed UAEG htaccess Whitelisting Code help section for how to whitelist folders and files if your server is a LiteSpeed server.

    NOTE:  BPS Pro Custom Code has a CUSTOM CODE UAEG text box that is used for copying the UAEG .htaccess file code from the htaccess File Editor page > “Your Current Uploads htaccess File tab” so that you can edit and customize your UAEG htaccess file to add whitelist rules (allow certain files to be accessed remotely or executed) or other customizations.  See the CUSTOM CODE UAEG Whitelisting Method section below.

    CUSTOM CODE UAEG Whitelisting Method

    To edit/customize your Uploads Anti-Exploit Guard (UAEG) .htaccess file go to the B-Core > htaccess File Editor tab page > “Your Current Uploads htaccess File” tab and do the steps below.
    1. Copy and paste your entire Uploads .htaccess file code from the “Your Current Uploads htaccess File” tab on the htaccess File Editor page into the CUSTOM CODE UAEG text box.
    2. Edit/modify/customize your UAEG htaccess code in the CUSTOM CODE UAEG text box.
    3. Click the Save UAEG Custom Code button to save your UAEG custom code.
    4. Go to the Security Modes page and click the UAEG BulletProof Mode Activate button.

    The edit that you want to do in step #2 is this below (see other examples for whitelisting files or folders for Apache and LiteSpeed servers below):

    If you have an Apache server:
    To whitelist a folder: Remove/delete the # sign from infront of this line of code in your UAEG htaccess code and change the folder name to your actual folder name that you want to whitelist.
    To whitelist a file: Remove/delete the # sign from infront of this line of code in your UAEG htaccess code and change the file name to your actual file name that you want to whitelist.

    #SetEnvIf Request_URI "example-folder/.*$" whitelist
    #SetEnvIf Request_URI "example-file.js$" whitelist

    If you have a LiteSpeed server:
    To whitelist a folder: Remove/delete the # sign from infront of this line of code in your UAEG htaccess code and change the folder name to your actual folder name that you want to whitelist.
    To whitelist a file: Remove/delete the # sign from infront of this line of code in your UAEG htaccess code and change the file name to your actual file name that you want to whitelist.

    #RewriteRule ^example-folder/.*$ - [L]
    #RewriteRule ^example-file.js$ - [L]

    If you have an Apache server (this step is not required if you have a LiteSpeed server):
    Delete the # signs in front of #Require env whitelist and #Allow from env=whitelist shown highlighted in yellow below in your UAEG code that you copied to CUSTOM CODE UAEG.

    # FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
    <FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
    <IfModule mod_authz_core.c>
    #Require env whitelist
    Require all denied
    </IfModule>
    
    <IfModule !mod_authz_core.c>
    <IfModule mod_access_compat.c>
    Order Allow,Deny
    #Allow from env=whitelist
    Deny from all
    </IfModule>
    </IfModule>
    </FilesMatch>

    Example:  Apache UAEG htaccess Whitelisting Code using SetEnvIf for specific files or folders

    How to whitelist a specific file and an entire folder:  The whitelisting code below shows how to whitelist a specific example.js file in the uploads folder and how to whitelist an entire subfolder in the uploads folder:  /uploads/example-folder/.  Notes:  Copy your entire UAEG htaccess file to BPS UAEG Custom Code and then edit your UAEG htaccess code.  For complete steps see the CUSTOM CODE UAEG Whitelisting Method help section above.  Don’t forget to remove/delete the # sign in front of #Require env whitelist and #Allow from env=whitelist.

    # BEGIN WHITELIST
    # Examples of whitelisting are commented out below. To create whitelist rules you would delete the # sign in front
    # of the whitelist rule you want to use, add the actual filename or folder name you want to whitelist and also 
    # delete the # sign in front of #Require env whitelist and #Allow from env=whitelist.
    # Whitelist a specific js file in the uploads folder: example.js
    SetEnvIf Request_URI "example-file.js$" whitelist
    # Whitelist an entire folder in the uploads folder: /uploads/example-folder/
    SetEnvIf Request_URI "example-folder/.*$" whitelist
    # END WHITELIST

    Example:  LiteSpeed UAEG htaccess Whitelisting Code for specific files or folders

    How to whitelist a specific file and an entire folder:  The whitelisting code below shows how to whitelist a specific example.js file in the uploads folder and how to whitelist an entire folder in the uploads folder:  /uploads/example-folder/.  Note:  Copy your entire UAEG htaccess file to BPS UAEG Custom Code and then edit your UAEG htaccess code.  For complete steps see the CUSTOM CODE UAEG Whitelisting Method help section above.

    # BEGIN WHITELIST
    # Examples of whitelisting are commented out below. To create whitelist rules you would delete the # sign in front
    # of the whitelist rule you want to use and add the actual filename or folder name you want to whitelist.
    # Whitelist a specific js file in the uploads folder: example.js
    RewriteRule ^example-file.js$ - [L]
    # Whitelist an entire folder in the uploads folder: /uploads/example-folder/
    RewriteRule ^example-folder/.*$ - [L]
    # END WHITELIST

    Alternative Method: Whitelist all .js files by removing js from the security filter

    Delete the file extension that you want to allow and click the Update File button to save your changes. In this case delete js as shown below.

    # FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
    <FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
    Order Deny,Allow
    Deny from all
    </FilesMatch>

    Alternative Method: RewriteEngine Off .htaccess File Method (if you have several files in a subfolder in the uploads folder. Example:  /wp-content/uploads/my-subfolder/)

    All files in the /my-subfolder/ folder will no longer be checked or blocked by UAEG.
    1. Open Notepad or Notepad++ (NOT Word or WordPad) on your computer.
    2. Add this one line of text in your new Notepad text file: RewriteEngine Off.
    3. Save the text file with this name: securityoff.htaccess.
    4. Upload the securityoff.htaccess file to the folder/directory where you want to turn security Off/prevent the parent .htaccess file from applying its security rules/directives in this folder. In this example case the folder would be: /wp-content/uploads/my-subfolder/.
    5. Rename the securityoff.htaccess file to .htaccess (removing securityoff from the file name).  /wp-content/uploads/my-subfolder/.htaccess

    Uploads Anti-Exploit Guard (UAEG) Blue Read Me button help text

    Forum Help Links:
    UAEG Forum Help Link
    BPS Pro Troubleshooting Steps

    General Help Info
    The Setup Wizard automatically sets up and activates all BulletProof Modes and all other BPS settings with default settings. The Setup Wizard can be re-run at any time. If you change any BPS default settings, your custom settings will not be changed/reset by re-running the Setup Wizard. The manual Security Modes option settings are for doing things like changing default settings, adding custom htaccess code to BPS Custom Code, testing and troubleshooting by deactivating (turning Off) BulletProof Modes.

    Uploads Anti-Exploit Guard (UAEG) is activated automatically. If your Server type does not allow the /uploads/.htaccess file to be created automatically then use these manual controls to activate BulletProof Mode for your WordPress uploads folder.

    Reset UAEG htaccess File:
    Clicking the Reset UAEG htaccess File button will reset your UAEG htaccess file back to the default BPS Pro UAEG htaccess file and also delete UAEG htaccess code that has been saved to BPS UAEG Custom Code. If you have made any customizations to your UAEG file either directly or in BPS UAEG Custom Code then save your UAEG htaccess code/file before clicking the Reset button. You can then add any of your saved UAEG customizations into your new default UAEG htaccess file that is created after clicking the Reset button. If UAEG is currently deactivated then the default UAEG files will be replaced, but UAEG will not be activated until you Activate UAEG BulletProof Mode again.

    Troubleshooting the UAEG/uploads folder htaccess file
    Check your BPS Security Log file for any security log entries showing that something is being blocked in your WordPress uploads folder. If you think the /uploads/.htaccess file may be causing a problem then click the UAEG BulletProof Mode Deactivate button. This deletes the /uploads/.htaccess file. Test whatever was not working and see if the problem is still occurring. If the problem is still occurring then UAEG is not causing the problem. Activate UAEG BulletProof Mode again by clicking the UAEG BulletProof Mode Activate button.

    IMPORTANT NOTE:
    If you Deactivate UAEG BulletProof Mode using this manual control then this also turns Off automatic creation of the /uploads/.htaccess file and you will need to use this manual control to activate UAEG BulletProof Mode again to turn automatic creation of the /uploads/.htaccess file back On again.

    General Info
    Activating UAEG BulletProof Mode for your WordPress uploads folder copies and renames the uploads.htaccess file located in the /plugins/bulletproof-security/admin/htaccess/ folder to your /uploads folder and renames it to just .htaccess.

    UAEG htaccess File Custom Code Steps
    1. Copy and paste your entire Uploads .htaccess file code from the “Your Current Uploads htaccess File” tab on the htaccess File Editor page into the CUSTOM CODE UAEG text box.
    2. Edit/modify/customize your UAEG htaccess code in the CUSTOM CODE UAEG text box.
    3. Click the Save UAEG Custom Code button to save your UAEG custom code.
    4. Go to the Security Modes page and click the UAEG BulletProof Mode Activate button

    #26949

    impart
    Participant

    Hi,

    was this NOTE: LiteSpeed Servers do not support the Apache SetEnvIf directive. These whitelist rules will be ignored on LiteSpeed servers. at the time when you wrote this page?

    Because there should be SetEnvIf definitely with LiteSpeed. They even mention it in their own wiki. I am asking because I might switch to a LiteSpeed hoster and will crosscheck that I have no issues with BPS there.

    Cheers

    #26950

    AITpro Admin
    Keymaster

    https://www.litespeedtech.com/support/forum/threads/a-setenv-question.9846/#post-82814

    The first time I asked LiteSpeed about the Apache SetEnvIf directive was October 29, 2014 (13 months ago).  At that time the Apache SetEnvIf directive was not supported.  I checked again in August 2015 (4 months ago) and the Apache SetEnvIf directive was not supported.  So it may or may not be supported now.  Let me know what you find out.

    #26951

    impart
    Participant

    this is from an excerpt from their wiki on their own homepage
    https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:php:run-without-timeouts?s%5B%5D=setenvif
    Ah ok I read your post he told you that ‘Allow from env=whitelist’ does not work but you wrote that setEnvIf does not work. This seems to be some misunderstanding then

    #26957

    AITpro Admin
    Keymaster

    Nope, there was no misunderstanding.  The LiteSpeed Administrator knew exactly what I was talking about and I tested SetEnvIf on various LiteSpeed servers on different hosts – it did not work/was ignored.  I also saw that Wiki page, but what is not known is when and if that information is valid.  ie when you check the LiteSpeed Changelog there is no information about SetEnvIf.  So at this point you just need to try it and see if it works or not.  If the LiteSpeed server version is older on your host then SetEnvIf will only be supported on LiteSpeed server version X.  I have no idea what version that is since there is nothing in the LiteSpeed Changelog about SetEnvIf.

    The only reference to SetEnvIf in the LiteSpeed Server changelog is this: https://www.litespeedtech.com/products/litespeed-web-server/release-log and SetEnvIf has not worked for at least a few years now on LiteSpeed servers.

    LSWS 4.2.14 8-6-2014 Bug fix
    Improvement: Added support for Apache mod_env and mod_setenvif.

    #26959

    impart
    Participant

    I did not talk about you, I talked about that I misunderstood. But obviously this might also not be the case. Ok, we don’t know, I know that now 😉 No the only thing you can see there is that the entry is last modified on 28/07/2015 but that was before your try and in the changelog you can only find this which was even way before that all

    8-6-2014
    Improvement: Added support for Apache mod_env and mod_setenvif.

    Yes I found the same entry 😉

    #26965

    AITpro Admin
    Keymaster

    Yep, exactly.  It will either work or not work and you will have to use an alternative whitelisting method instead of SetEnvIf on LiteSpeed.

    #26966

    impart
    Participant

    So what would be the best method for a directory on LiteSpeed then? The securityOff.htaccess mentioned above?
    Are there any other issues known with LiteSpeed or do we have full compatibility else?
    Can I just backup my wp directory and db and reinstall?

    #26968

    AITpro Admin
    Keymaster

    If you need to whitelist a folder under the /uploads folder then the RewriteEngine Off method is the best method to use.
    This below may or may not work. I do not think it will work, but I will be testing this sometime today.

    RewriteRule ^name-of-folder-or-name-of-file/(.*).js - [L]
    #26970

    impart
    Participant

    Ok great, thanks.
    Are there any other issues known with LiteSpeed or do we have full compatibility else?
    Can I just backup my wp directory and db and reinstall?

    #26971

    AITpro Admin
    Keymaster

    And nope there are no other LiteSpeed problems.  The Plugin Firewall code was completely changed to deal with the lack of LiteSpeed compatibility with some Apache directives. “Can I just backup my wp directory and db and reinstall?”  Are you asking how to migrate your website to another host server and what to do about BPS Pro?  If so, see this forum topic:   http://forum.ait-pro.com/forums/topic/migrating-moving-or-cloning-websites/#post-20407

    #26975

    impart
    Participant

    Yes, that was exactly what I needed, thanks. Why is that with the AutoRestore and the Firewall? Anything to do with paths?

    #26976

    AITpro Admin
    Keymaster

    Personally if it was me I would do a completely new installation of BPS Pro since the old server and the new server are obviously going to have a lot of differences, but the Setup Wizard will change everything to match the new server configuration.  Has to do with a lot of differences between servers since they are different servers and probably a path difference too.

    #26977

    impart
    Participant

    Ok, then I will already deactivate it completely on the old server and do a backup immediately afterwards. Seems to be the best solution without getting into trouble then. Then I can install a backup that is completely “BPS free”.

    #27342

    Samm
    Participant

    [Topic has been merged into this relevant Topic]
    I have tried, but I have not been able to solve it.  I am currently getting the following errors:

    BPS PRO SECURITY LOG
    =====================
    =====================
    
    [403 GET Request: December 14, 2015 - 4:54 pm]
    Event Code: UAEGWR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/
    REMOTE_ADDR: 98.103.79.2
    Host Name: rrcs-98-103-79-2.central.biz.rr.com
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 98.103.79.2
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://rhyno.co/payment/
    REQUEST_URI: /payment/wp-content/uploads/sites/8/freshframework/assetsmin/8957f310e1c16754f4eb149d8c889f3b.js
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
    
    [403 GET Request: December 14, 2015 - 4:54 pm]
    Event Code: UAEGWR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/
    REMOTE_ADDR: 98.103.79.2
    Host Name: rrcs-98-103-79-2.central.biz.rr.com
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 98.103.79.2
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://rhyno.co/payment/
    REQUEST_URI: /payment/wp-content/uploads/sites/8/freshframework/assetsmin/15bad5440d9f0b2462cc4bc19f6f628a.js
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
    
    [403 GET Request: December 14, 2015 - 4:54 pm]
    Event Code: UAEGWR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/
    REMOTE_ADDR: 98.103.79.2
    Host Name: rrcs-98-103-79-2.central.biz.rr.com
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 98.103.79.2
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://rhyno.co/payment/
    REQUEST_URI: /payment/wp-content/uploads/sites/8/freshframework/assetsmin/49759ebef28185425b43c1416540dc4d.js
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
    
    [403 GET Request: December 14, 2015 - 4:54 pm]
    Event Code: UAEGWR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/
    REMOTE_ADDR: 98.103.79.2
    Host Name: rrcs-98-103-79-2.central.biz.rr.com
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 98.103.79.2
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://rhyno.co/payment/
    REQUEST_URI: /payment/wp-content/uploads/sites/8/freshframework/assetsmin/15bad5440d9f0b2462cc4bc19f6f628a.js
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0

    I have tried to whitelist all js files in the upload folder with the following:

    # FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
    <FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
    Order Deny,Allow
    Deny from all
    </FilesMatch>

    This did not have any effect.  I am still getting the same errors.

Viewing 15 posts - 1 through 15 (of 28 total)

You must be logged in to reply to this topic.