Uploads Anti-Exploit Guard whitelist domain or website

[AITpro Admin]

Email Question:

I can’t seem to get it any versions of files from the uploads + other folders to work.

I have removed js/htm/html/swf

I put an allow on the cdn for longtailvideo’s swf file with the allow on the domain

# FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
<FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htx|idc|ini|ins|isp|jar|jav|java|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
Order Deny,Allow
Deny from all
Allow from p.jwpcdn.com

[AITpro Admin]

Update:  A new Uploads Anti-Exploit Guard (UAEG) Read Me First Sticky Topic has been created in the link below.

http://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/

The Uploads Anti-Exploit Guard (UAEG) htaccess file works differently than the Plugin Firewall .htaccess file and adding Allow from example.com will not work in the UAEG .htaccess file.  By default it looks at the IP address and not the Referer.  To whitelist a Referer / domain name/website name use this method below.

SetEnvIf Referer "^http://www.example.com/" whitelist
# FORBID ALL image files by file extension from being viewed from any other domain except mine
<FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htx|idc|ini|ins|isp|jar|jav|java|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
Order Deny,Allow
Allow from env=whitelist
Deny from all

Or you may need to add an addtional FilesMatch block of code instead of adding a whitelist rule in the existing FilesMatch block of code above in the UAEG .htaccess file.

SetEnvIf Referer "^http://www.example.com/" whitelist
# FORBID ALL image files by file extension from being viewed from any other domain except mine
<FilesMatch "\.(swf|mp4)$">
Order Deny,Allow
Allow from env=whitelist
Deny from all

[AITpro Admin]

Also if the way the file is being called simulates a hacking attempt then it will be blocked.  Please post the URL or the 403 error in your Security Log so I can see if it simulates a hacking attempt.

[AITpro Admin]

Since Long Tail Video is the same as the JW Player plugin then actually what is probably happening is the Plugin Firewall is blocking the plugin script.  You will see errors in your Security Log file for this.  I believe the JW Player plugin has 1 or 2 plugin scripts that need to be whitelisted in the Plugin Firewall.

[J Garner]

So I have put this code in (and checked it is OK at /wp-content/uploads/)

SetEnvIf Referer "^http: //p.jwpcdn.com/" whitelist
SetEnvIf Referer "^http: //sub.my_domain_name.com/" whitelist
# FORBID ALL image files by file extension from being viewed from any other domain except mine
Order Deny,Allow
Allow from env=whitelist
Deny from all

And I’m getting these 403 errors:

If I type http: //sub.my_domain_name.com/wp-content/uploads/2013/03/filename.mp4 then I get a 403 error :

HTTP_REFERER: http: //p.jwpcdn.com/6/2/jwplayer.flash.swf
REQUEST_URI: /wp-content/uploads/2013/03/filename.mp4
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0

and If I type http: //sub.my_domain_name.com/wp-content/uploads/foldername/filename.zip then I get a 403 error :

REQUEST_URI: /wp-content/uploads/foldername/filename.zip
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0

The JWplayer is whitelisted by the following (wasn’t sure if folders below were covered so did each):

SetEnvIf Request_URI "/jw-player-plugin-for-wordpress/jwp6/(.*).js$" whitelist
SetEnvIf Request_URI "/jw-player-plugin-for-wordpress/jwp6/js/(.*).js$" whitelist
SetEnvIf Request_URI "/jw-player-plugin-for-wordpress/js/(.*).js$" whitelist
SetEnvIf Request_URI "/jw-player-plugin-for-wordpress/media/js/(.*).js$" whitelist
SetEnvIf Request_URI "/jw-player-plugin-for-wordpress/media/msdropdown/js/(.*).js$" whitelist

[AITpro Admin]

Ok if you are getting errors trying to open these files with the direct URL to the file and you have removed the file extension from the filter then something is not right.  You should be able to open the files.  At this point I need to log into this site to see what is wrong.  I will be sending you an email in a minute,

[Kouichi Sugawara]

Hi AIPpro

Uploads Anti-Exploit Guard

I understand UAEG will protects WordPress uploads folder from being exploited with an .htaccess file.
Is UAEG also protects some one access to the Post/Page with server based such as Feed Attackers.
It is great, My Security Log have 403 Forbidde on some cases.

[AITpro Admin]

The Uploads Anti-Exploit Guard (UAEG) protects the WordPress uploads folder from being exploited with an .htaccess file that blocks remote access or execution of file types in your uploads folder that could be used to hack your website.  It would depend on the file type.  All file types that should NOT be allowed to be opened, accessed, processed or executed in your /uploads folder are protected by default.  You can of course whitelist individual files or file types.

http://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/

[Kouichi Sugawara]

[Topic moved to this relevant topic]

I understand UAEG will protects WordPress uploads folder from being exploited with an .htaccess file.
It is great, My Security Log have 403 Forbidde on some cases. Is UAEG also protects some one access to the Post/Page with server based such as Feed Attackers ?

[AITpro Admin]

“UAEG also protects some one access to the Post/Page with server based such as Feed Attackers”

Please describe in detail what this means. I do not understand the question.

[Kouichi Sugawara]

Hi AITpro

It is greate that “UAEG also protects some one access to the Post/Page with server based such as Feed Attackers”.
I would like to confirm only this protections.

Reason is follows:
It is protected by root .htaccess IP blocking until Oct 30/2014.
On this case Apache logging is 403 Forbidden for above IPs.
Root .htaccess IP blocking is cleared soon by attackers every times.
After Activate BPS PRO,  Apache loggings are HTTP 500 during two days.
It seems to be  HTTP 500 on UAEG protections.
Is this right ?
On this Morning, No Apache Loggins are shown as HTTP 500. Fine, Maybe stopped attacks.
It was continued almost three months.
During these perod, I have got Folloing attacks/UK Attacker.
1. Comment SPAM.
2. Server Based Mailform Access Evely Days/http 301 – Maybe Attackers Main Purpose
3.  Malware with WP Super Cache, wp-config.php was modified.
・Maybe overrides .httaccess by cache.
4. RSS Feed Attack by Own Server IP/Maybe own DoS.
5. Apache Logs many of xmlrpc.php attacks.
6. Apache Logs Attacks on phpMyAdmin/it seems to be Brute Force Attack
・No Damege on Database because of BPS PRO was Activated soon.

By the way, I have 200 rows of Attackers IP, IP adrress is up to 235,000 counts dynamic address.
Most of IPs are China and ukraine, by Japanese Laguage Spam and Feed Attack with server based.
How do you think, these IP Adress to be written on Secure.htaccess  by Costom Code to protect HTTP attackings ?
What % of protections will be estimated. About Value 1% ?

[AITpro Admin]

500 HTTP Status Response Code is an error or problem.  403 HTTP Status Response Code means blocked/forbidden.

We get on average 500,000 blocked and logged attacks per month

[Author]

Posts