Uploads Anti-Exploit Guard UAEG – Read Me First


This topic contains 41 replies, has 5 voices, and was last updated by  Rami M 7 months ago.

  • #37255

    Rami M
    Participant

    Thanks for your reply.

    I am on a LiteSpeed server, and here is my code. Kindly advise on whitelisting REQUEST_URI: /wp-content/uploads/astra-addon/astra-addon-5cd15edc0462b9-78934553.js?

    Many thanks,

    Rami

    ——————————————————–

    # BULLETPROOF PRO UPLOADS FOLDER .HTACCESS
    #
    # BPS LiteSpeed mod_rewrite
    #
    # BEGIN WHITELIST
    # Examples of whitelisting are commented out below. To create whitelist rules you would delete the # sign in front
    # of the whitelist rule you want to use and add the actual filename or folder name you want to whitelist.
    # Whitelist a specific js file in the uploads folder: example.js
    #RewriteRule ^example.js$ - [L]
    # Whitelist an entire folder in the uploads folder: /uploads/example-folder/
    #RewriteRule ^example-folder/.*$ - [L]
    # END WHITELIST
    #
    # FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
    RewriteCond %{REQUEST_URI} ^.*\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$ [NC]
    RewriteRule ^(.*)$ - [F]
    
    # FORBID PHP FILES DISGUISED AS AN IMAGE FILE - example.php.jpg - example.PHP.jpg
    <FilesMatch "\.(php|PHP|\.+(php)|\.+(PHP)).*$">
    Order Allow,Deny
    Deny from all
    </FilesMatch>
    
    
    		
    	
    #37256

    AITpro Admin
    Keymaster

    @ Rami M –

    1. Copy and paste your entire Uploads .htaccess file code below into the CUSTOM CODE UAEG text box on the BPS Custom Code tab page under the UAEG htaccess File Custom Code accordion tab button.
    2. Click the Save UAEG Custom Code button to save your UAEG custom code.
    3. Go to the Security Modes page and click the UAEG BulletProof Mode Activate button.

    # BULLETPROOF PRO UPLOADS FOLDER .HTACCESS
    #
    # BPS LiteSpeed mod_rewrite
    #
    # BEGIN WHITELIST
    # Examples of whitelisting are commented out below. To create whitelist rules you would delete the # sign in front
    # of the whitelist rule you want to use and add the actual filename or folder name you want to whitelist.
    # Whitelist a specific js file in the uploads folder: example.js
    #RewriteRule ^example.js$ - [L]
    # Whitelist an entire folder in the uploads folder: /uploads/example-folder/
    RewriteRule ^astra-addon/.*$ - [L]
    # END WHITELIST
    #
    # FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
    RewriteCond %{REQUEST_URI} ^.*\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$ [NC]
    RewriteRule ^(.*)$ - [F]
    
    # FORBID PHP FILES DISGUISED AS AN IMAGE FILE - example.php.jpg - example.PHP.jpg
    <FilesMatch "\.(php|PHP|\.+(php)|\.+(PHP)).*$">
    Order Allow,Deny
    Deny from all
    </FilesMatch>
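
The whitelist-then-forbid ordering of the .htaccess posted above, modelled in Python as an added example (not part of the original post and not BPS code). It compares the folder-wide whitelist rule with a narrower one; the narrower pattern, the `decide` and `audit` helpers and the sample request paths are assumptions constructed for illustration.

```python
import re
from posixpath import basename

UPLOADS = "/wp-content/uploads/"  # folder holding the .htaccess; RewriteRule sees paths relative to it

# RewriteCond %{REQUEST_URI} pattern from the post, [NC] -> re.I
FORBID = re.compile(r"^.*\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$", re.I)
# <FilesMatch> pattern from the post, tested against the file name only
FILESMATCH = re.compile(r"\.(php|PHP|\.+(php)|\.+(PHP)).*$")

FOLDER_RULE = r"^astra-addon/.*$"  # whitelist rule from the post
# Hypothetical narrower rule (not from the thread), inferred from the file names quoted in it
NARROW_RULE = r"^astra-addon/astra-addon-[0-9a-f]+-[0-9]+\.(js|css)$"

# Constructed request paths for the comparison
SAMPLES = [
    "/wp-content/uploads/astra-addon/astra-addon-5cd15edc0462b9-78934553.js?ver=1.8.1",
    "/wp-content/uploads/astra-addon/example.html",
    "/wp-content/uploads/astra-addon/example.php.jpg",
    "/wp-content/uploads/2019/05/example.js",
    "/wp-content/uploads/2019/05/photo.jpg",
]

def decide(uri, whitelist):
    """Simplified model: return 'allow' or '403' for a request under uploads/."""
    path = uri.split("?", 1)[0]          # REQUEST_URI carries no query string
    if FILESMATCH.search(basename(path)):
        return "403"                     # Deny from all, independent of mod_rewrite
    if re.search(whitelist, path[len(UPLOADS):]):
        return "allow"                   # "- [L]": no substitution, later rules are skipped
    if FORBID.search(path):
        return "403"                     # RewriteRule ^(.*)$ - [F]
    return "allow"

def audit(whitelist):
    """Map each sample path to its decision under the given whitelist rule."""
    return {uri: decide(uri, whitelist) for uri in SAMPLES}

if __name__ == "__main__":
    for name, rule in (("folder", FOLDER_RULE), ("narrow", NARROW_RULE)):
        print(name, rule)
        for uri, verdict in audit(rule).items():
            print(f"  {verdict:5}  {uri}")
```

Under the folder rule every extension inside astra-addon/ skips the forbid list, while the narrower rule still lets the generated .js and .css files through.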
    #37257

    Rami M
    Participant

    This quality and response time is premium. Many thanks.

    One more thing, I see PHP Error Log Path Does Not Match error message. Couldn’t find a way to fix that using the link in the tooltip.

    #37258

    AITpro Admin
    Keymaster

    @ Rami M – What do you see for “Error Log Path Seen by Server” on the PHP Error Log page?

    #37259

    Rami M
    Participant

    ini_set PHP Error Log Location (Recommended): /home/…/public_html/wp-content/bps-backup/logs/bps_php_error.log

    PHP Error Log Location Set To:
    /home/…/public_html/wp-content/bps-backup/logs/bps_php_error.log

    Error Log Path Seen by Server: error_log

    Thanks again.

     

    #37260

    AITpro Admin
    Keymaster

    @ Rami M – Ok use your host server default PHP Error Log variable:  error_log. Copy: error_log into the PHP Error Log Location Set To text box and click the Set Error Log Location button.

    #37261

    Rami M
    Participant

    Brilliant!

    Now I’m seeing some PHP errors mentioning “bulletproof-security/includes…” on the log. Should I post them here or send them via support form?

    Thanks

    #37262

    AITpro Admin
    Keymaster

    @ Rami M – If they are “Notice” PHP errors you can ignore them.  Also on first time setup of BPS Pro there can be a couple of PHP errors.  If the PHP errors only happened once then ignore them.  If the PHP errors are occurring repeatedly then post them in your forum reply.

    Related Forum Topic:  https://forum.ait-pro.com/forums/topic/how-to-troubleshoot-php-errors-php-errors-in-your-php-error-log/

    #37263

    Rami M
    Participant

    Thanks a million!

    #37270

    Rami M
    Participant

    Hi,

    Not sure if this has to do with the custom codes or BPS Pro. Hope you can help.

    After applying the code above, I see no warnings related to Astra in the security log. But I noticed today when I inspect elements on front-end using Chrome, I got these in console:

    (index):1 Refused to apply style from 'https://....com/wp-content/uploads/astra-addon/astra-addon-5cd5bc506db0c8-78247854.css?ver=1.8.1' because its MIME type ('text/html') is not a supported stylesheet MIME type, and strict MIME checking is enabled.
    
    astra-addon-5cd5bc507019d0-53063167.js:1 Failed to load resource: the server responded with a status of 404 ()
    (index):1 Refused to apply style from 'https://....com/wp-content/uploads/astra-addon/astra-addon-5cd5bc506db0c8-78247854.css?ver=1.8.1' because its MIME type ('text/html') is not a supported stylesheet MIME type, and strict MIME checking is enabled.

    MIME sniffing|Drive-by Download Attack + with the External iFrame|Clickjacking Bonus Custom Codes added + LiteSpeed Cache server

    #37271

    AITpro Admin
    Keymaster

    Rami M – This problem is not being caused by BPS.  Do some Google searches for the error message – “because its MIME type (‘text/html’) is not a supported stylesheet MIME type, and strict MIME checking is enabled.” This StackOverflow topic has several things that could be causing the problem > https://stackoverflow.com/questions/48248832/stylesheet-not-loaded-because-of-mime-type

    #37274

    Rami M
    Participant

    Thanks a million. Your response time and quality are one of the best I have seen.
