BulletProof Security Pro forum: Uploads Anti-Exploit Guard whitelist domain or website
This topic has 11 replies, 3 voices, and was last updated 10 years, 1 month ago by AITpro Admin.
AITpro Admin (Keymaster):
Email Question:
I can’t seem to get any versions of files from the uploads + other folders to work.
I have removed js/htm/html/swf.
I put an allow on the CDN for longtailvideo’s swf file with the allow on the domain:
# FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
<FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htx|idc|ini|ins|isp|jar|jav|java|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
  Order Deny,Allow
  Deny from all
  Allow from p.jwpcdn.com
</FilesMatch>
AITpro Admin (Keymaster):
Update: A new Uploads Anti-Exploit Guard (UAEG) Read Me First Sticky Topic has been created in the link below.
http://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/
The Uploads Anti-Exploit Guard (UAEG) htaccess file works differently than the Plugin Firewall .htaccess file, and adding Allow from example.com will not work in the UAEG .htaccess file. By default it looks at the IP address and not the Referer. To whitelist a Referer / domain name / website name, use the method below.
SetEnvIf Referer "^http://www.example.com/" whitelist
# FORBID ALL image files by file extension from being viewed from any other domain except mine
<FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htx|idc|ini|ins|isp|jar|jav|java|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
  Order Deny,Allow
  Allow from env=whitelist
  Deny from all
</FilesMatch>
Or you may need to add an additional FilesMatch block of code instead of adding a whitelist rule in the existing FilesMatch block of code above in the UAEG .htaccess file.
SetEnvIf Referer "^http://www.example.com/" whitelist
# FORBID ALL image files by file extension from being viewed from any other domain except mine
<FilesMatch "\.(swf|mp4)$">
  Order Deny,Allow
  Allow from env=whitelist
  Deny from all
</FilesMatch>
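As an added illustration (not code from this post or from BPS Pro), the Python model below shows how the rules above decide a request to the uploads folder: the FilesMatch extension filter, the env var set by SetEnvIf Referer, and Order Deny,Allow; it also models why the earlier "Allow from p.jwpcdn.com" attempt does not help. The trimmed extension list, the example.com referer rule, and the sample URIs are assumed/constructed.

```python
import re
from typing import Optional, Tuple

# Constructed, simplified simulation of the UAEG-style rules; this is not Apache itself.
# Extension list trimmed to a few of the file types the thread discusses (assumption).
BLOCKED_EXT = re.compile(r"\.(swf|mp4|zip|php)$")
# SetEnvIf Referer "^http://www.example.com/" whitelist   (regex as in the post)
REFERER_WHITELIST = [re.compile(r"^http://www\.example\.com/")]


def uaeg_decide(request_uri: str, referer: Optional[str]) -> Tuple[int, str]:
    """Return (HTTP status, reason) for a request inside the uploads folder."""
    path = request_uri.split("?", 1)[0]  # FilesMatch tests the filename, not the query string
    if not BLOCKED_EXT.search(path):
        return 200, "extension not in FilesMatch; block does not apply"
    # SetEnvIf sets 'whitelist' only when the Referer header matches a listed regex.
    # A URL typed directly into the browser carries no Referer, so the env var is never set.
    whitelisted = referer is not None and any(p.match(referer) for p in REFERER_WHITELIST)
    # Order Deny,Allow: Deny directives are evaluated first, then Allow; a matching
    # "Allow from env=whitelist" overrides "Deny from all", otherwise the deny stands.
    # Note: the Referer is supplied by the client, so this gate stops direct and
    # hotlinked access, not a client that deliberately sends a matching header.
    if whitelisted:
        return 200, "Allow from env=whitelist matched"
    return 403, "Deny from all; whitelist env not set"


def allow_from_hostname(client_rdns: Optional[str], referer: Optional[str]) -> bool:
    """Model of the original 'Allow from p.jwpcdn.com' attempt. A host-based Allow is
    compared with the connecting client's reverse-DNS hostname (exact or as a
    domain suffix), never with the Referer, so it cannot whitelist a site that
    merely embeds the player."""
    del referer  # deliberately unused: Apache's "Allow from <host>" never reads Referer
    if client_rdns is None:
        return False
    return client_rdns == "p.jwpcdn.com" or client_rdns.endswith(".p.jwpcdn.com")
```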
AITpro Admin (Keymaster):
Also, if the way the file is being called simulates a hacking attempt then it will be blocked. Please post the URL or the 403 error in your Security Log so I can see if it simulates a hacking attempt.
AITpro Admin (Keymaster):
Since Long Tail Video is the same as the JW Player plugin, then actually what is probably happening is the Plugin Firewall is blocking the plugin script. You will see errors in your Security Log file for this. I believe the JW Player plugin has 1 or 2 plugin scripts that need to be whitelisted in the Plugin Firewall.
J Garner (Participant):
So I have put this code in (and checked it is OK at /wp-content/uploads/):
SetEnvIf Referer "^http://p.jwpcdn.com/" whitelist
SetEnvIf Referer "^http://sub.my_domain_name.com/" whitelist
# FORBID ALL image files by file extension from being viewed from any other domain except mine
Order Deny,Allow
Allow from env=whitelist
Deny from all
And I’m getting these 403 errors:
If I type http://sub.my_domain_name.com/wp-content/uploads/2013/03/filename.mp4 then I get a 403 error:
HTTP_REFERER: http://p.jwpcdn.com/6/2/jwplayer.flash.swf
REQUEST_URI: /wp-content/uploads/2013/03/filename.mp4
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
and if I type http://sub.my_domain_name.com/wp-content/uploads/foldername/filename.zip then I get a 403 error:
REQUEST_URI: /wp-content/uploads/foldername/filename.zip
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
The JW Player is whitelisted by the following (wasn’t sure if the folders below were covered, so I did each):
SetEnvIf Request_URI "/jw-player-plugin-for-wordpress/jwp6/(.*).js$" whitelist
SetEnvIf Request_URI "/jw-player-plugin-for-wordpress/jwp6/js/(.*).js$" whitelist
SetEnvIf Request_URI "/jw-player-plugin-for-wordpress/js/(.*).js$" whitelist
SetEnvIf Request_URI "/jw-player-plugin-for-wordpress/media/js/(.*).js$" whitelist
SetEnvIf Request_URI "/jw-player-plugin-for-wordpress/media/msdropdown/js/(.*).js$" whitelist
AITpro Admin (Keymaster):
Ok, if you are getting errors trying to open these files with the direct URL to the file and you have removed the file extension from the filter, then something is not right. You should be able to open the files. At this point I need to log into this site to see what is wrong. I will be sending you an email in a minute.
Kouichi Sugawara (Participant):
Hi AITpro
Uploads Anti-Exploit Guard
I understand UAEG protects the WordPress uploads folder from being exploited with an .htaccess file.
Does UAEG also protect against someone accessing the Post/Page server-based, such as Feed Attackers?
It is great; my Security Log has 403 Forbidden in some cases.
AITpro Admin (Keymaster):
The Uploads Anti-Exploit Guard (UAEG) protects the WordPress uploads folder from being exploited with an .htaccess file that blocks remote access or execution of file types in your uploads folder that could be used to hack your website. It would depend on the file type. All file types that should NOT be allowed to be opened, accessed, processed or executed in your /uploads folder are protected by default. You can of course whitelist individual files or file types.
http://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/
Kouichi Sugawara (Participant):
[Topic moved to this relevant topic]
I understand UAEG protects the WordPress uploads folder from being exploited with an .htaccess file.
It is great; my Security Log has 403 Forbidden in some cases. Does UAEG also protect against someone accessing the Post/Page server-based, such as Feed Attackers?
AITpro Admin (Keymaster):
“UAEG also protects some one access to the Post/Page with server based such as Feed Attackers”
Please describe in detail what this means. I do not understand the question.
Kouichi Sugawara (Participant):
Hi AITpro
It is great that “UAEG also protects some one access to the Post/Page with server based such as Feed Attackers”.
I would like to confirm only this protection. The reason is as follows:
It was protected by root .htaccess IP blocking until Oct 30/2014.
In this case the Apache logging is 403 Forbidden for the above IPs.
The root .htaccess IP blocking is cleared soon by the attackers every time.
After activating BPS PRO, the Apache logs show HTTP 500 for two days.
It seems to be HTTP 500 from the UAEG protection.
Is this right?
This morning, no Apache logs are shown as HTTP 500. Fine, maybe the attacks stopped.
It continued for almost three months.
During this period, I have got the following attacks from a UK attacker.
1. Comment SPAM.
2. Server-based mailform access every day / HTTP 301 – maybe the attacker’s main purpose.
3. Malware with WP Super Cache; wp-config.php was modified.
・Maybe overrides .htaccess by cache.
4. RSS feed attack by own server IP / maybe own DoS.
5. Apache logs many xmlrpc.php attacks.
6. Apache logs attacks on phpMyAdmin / it seems to be a brute force attack.
・No damage to the database because BPS PRO was activated soon.
By the way, I have 200 rows of attacker IPs; the IP addresses are up to 235,000 counts of dynamic addresses.
Most of the IPs are China and Ukraine, by Japanese language spam and server-based feed attack.
What do you think: should these IP addresses be written in secure.htaccess by Custom Code to protect against HTTP attacks?
What % of protection would be estimated? About 1%?
AITpro Admin (Keymaster):
500 HTTP Status Response Code is an error or problem. 403 HTTP Status Response Code means blocked/forbidden.
We get on average 500,000 blocked and logged attacks per month