Uploads Anti-Exploit Guard whitelist domain or website

This topic contains 11 replies, has 3 voices, and was last updated by  AITpro Admin 3 years, 8 months ago.

  • #4442

    AITpro Admin
    Keymaster

    Email Question:

    I can’t seem to get any versions of files from the uploads + other folders to work.

    I have removed js/htm/html/swf

    I put an allow on the cdn for longtailvideo’s swf file with the allow on the domain

    # FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
    <FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htx|idc|ini|ins|isp|jar|jav|java|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
    Order Deny,Allow
    Deny from all
    Allow from p.jwpcdn.com
    </FilesMatch>
    #4443

    AITpro Admin
    Keymaster

    Update:  A new Uploads Anti-Exploit Guard (UAEG) Read Me First Sticky Topic has been created in the link below.

    http://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/

    The Uploads Anti-Exploit Guard (UAEG) htaccess file works differently than the Plugin Firewall .htaccess file and adding Allow from example.com will not work in the UAEG .htaccess file.  By default it looks at the IP address and not the Referer.  To whitelist a Referer / domain name/website name use this method below.

    SetEnvIf Referer "^http://www.example.com/" whitelist
    # FORBID ALL image files by file extension from being viewed from any other domain except mine
    <FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htx|idc|ini|ins|isp|jar|jav|java|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
    Order Deny,Allow
    Allow from env=whitelist
    Deny from all
    </FilesMatch>


    Or you may need to add an additional FilesMatch block of code instead of adding a whitelist rule in the existing FilesMatch block of code above in the UAEG .htaccess file.

    SetEnvIf Referer "^http://www.example.com/" whitelist
    # FORBID ALL image files by file extension from being viewed from any other domain except mine
    <FilesMatch "\.(swf|mp4)$">
    Order Deny,Allow
    Allow from env=whitelist
    Deny from all
    </FilesMatch>

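How the two whitelist styles in the post above are evaluated, as an added example that is not part of the original post or of BPS: a small Python model of `Order Deny,Allow` with `Deny from all`, using the post's `example.com` Referer pattern and its `swf|mp4` FilesMatch. The visitor hostname, file paths and function names are constructed for illustration. Because the Referer header is supplied by the client, this whitelist controls which pages may embed a file and is not authentication.

```python
import re

# Extensions and Referer pattern taken from the post above.
FILES_MATCH = re.compile(r"\.(swf|mp4)$")
REFERER_WHITELIST = [re.compile(r"^http://www.example.com/")]

# Constructed sample requests: (path, visitor's reverse-DNS name, Referer header)
VISITOR = "host-203-0-113-7.isp.example.net"
EMBEDDED = ("/wp-content/uploads/2013/03/clip.mp4", VISITOR, "http://www.example.com/player.swf")
DIRECT = ("/wp-content/uploads/2013/03/clip.mp4", VISITOR, None)
IMAGE = ("/wp-content/uploads/2013/03/photo.jpg", VISITOR, None)


def host_matches(allow_host, client_host):
    """'Allow from <domain>' is compared with the connecting client's hostname."""
    return client_host == allow_host or client_host.endswith("." + allow_host)


def evaluate(path, client_host, referer, allow_hosts=(), allow_env=False):
    """Model 'Order Deny,Allow' + 'Deny from all' inside the FilesMatch block.

    Returns the status the block would produce for the request: 200 or 403.
    """
    if not FILES_MATCH.search(path):
        return 200  # the block does not apply to this file extension
    # SetEnvIf Referer "<regex>" whitelist: set when the header matches.
    env_whitelist = any(p.search(referer or "") for p in REFERER_WHITELIST)
    # Order Deny,Allow: Deny is checked first, a matching Allow overrides it.
    allowed = any(host_matches(h, client_host) for h in allow_hosts)
    if allow_env and env_whitelist:
        allowed = True
    return 200 if allowed else 403


def demo():
    return {
        # 'Allow from example.com' tests the visitor's host, not the Referer.
        "allow_from_domain": evaluate(*EMBEDDED, allow_hosts=("example.com",)),
        "allow_from_env": evaluate(*EMBEDDED, allow_env=True),
        "direct_url": evaluate(*DIRECT, allow_env=True),  # no Referer sent
        "unfiltered_ext": evaluate(*IMAGE, allow_env=True),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```
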
    #4476

    AITpro Admin
    Keymaster

    Also if the way the file is being called simulates a hacking attempt then it will be blocked.  Please post the URL or the 403 error in your Security Log so I can see if it simulates a hacking attempt.

    #4478

    AITpro Admin
    Keymaster

    Since Long Tail Video is the same as the JW Player plugin then actually what is probably happening is the Plugin Firewall is blocking the plugin script.  You will see errors in your Security Log file for this.  I believe the JW Player plugin has 1 or 2 plugin scripts that need to be whitelisted in the Plugin Firewall.

    #4480

    J Garner
    Participant

    So I have put this code in (and checked it is OK at /wp-content/uploads/)

    SetEnvIf Referer "^http: //p.jwpcdn.com/" whitelist
    SetEnvIf Referer "^http: //sub.my_domain_name.com/" whitelist
    # FORBID ALL image files by file extension from being viewed from any other domain except mine
    Order Deny,Allow
    Allow from env=whitelist
    Deny from all

    And I’m getting these 403 errors:

    If I type http: //sub.my_domain_name.com/wp-content/uploads/2013/03/filename.mp4 then I get a 403 error :

    HTTP_REFERER: http: //p.jwpcdn.com/6/2/jwplayer.flash.swf
    REQUEST_URI: /wp-content/uploads/2013/03/filename.mp4
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0

    and If I type http: //sub.my_domain_name.com/wp-content/uploads/foldername/filename.zip then I get a 403 error :

    REQUEST_URI: /wp-content/uploads/foldername/filename.zip
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0

    The JWplayer is whitelisted by the following (wasn’t sure if folders below were covered so did each):

    SetEnvIf Request_URI "/jw-player-plugin-for-wordpress/jwp6/(.*).js$" whitelist
    SetEnvIf Request_URI "/jw-player-plugin-for-wordpress/jwp6/js/(.*).js$" whitelist
    SetEnvIf Request_URI "/jw-player-plugin-for-wordpress/js/(.*).js$" whitelist
    SetEnvIf Request_URI "/jw-player-plugin-for-wordpress/media/js/(.*).js$" whitelist
    SetEnvIf Request_URI "/jw-player-plugin-for-wordpress/media/msdropdown/js/(.*).js$" whitelist
    #4484

    AITpro Admin
    Keymaster

    Ok if you are getting errors trying to open these files with the direct URL to the file and you have removed the file extension from the filter then something is not right.  You should be able to open the files.  At this point I need to log into this site to see what is wrong.  I will be sending you an email in a minute.

    #18827

    Kouichi Sugawara
    Participant

    Hi AITpro

    Uploads Anti-Exploit Guard

    I understand UAEG will protect WordPress uploads folder from being exploited with an .htaccess file.
    Is UAEG also protects some one access to the Post/Page with server based such as Feed Attackers?
    It is great, My Security Log have 403 Forbidden on some cases.

    #18828

    AITpro Admin
    Keymaster

    The Uploads Anti-Exploit Guard (UAEG) protects the WordPress uploads folder from being exploited with an .htaccess file that blocks remote access or execution of file types in your uploads folder that could be used to hack your website.  It would depend on the file type.  All file types that should NOT be allowed to be opened, accessed, processed or executed in your /uploads folder are protected by default.  You can of course whitelist individual files or file types.

    http://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/

    #18831

    Kouichi Sugawara
    Participant

    [Topic moved to this relevant topic]

    I understand UAEG will protect WordPress uploads folder from being exploited with an .htaccess file.
    It is great, My Security Log have 403 Forbidden on some cases. Is UAEG also protects some one access to the Post/Page with server based such as Feed Attackers?

    #18837

    AITpro Admin
    Keymaster

    “UAEG also protects some one access to the Post/Page with server based such as Feed Attackers”

    Please describe in detail what this means. I do not understand the question.

    #18844

    Kouichi Sugawara
    Participant

    Hi AITpro

    It is great that “UAEG also protects some one access to the Post/Page with server based such as Feed Attackers”.
    I would like to confirm only this protection.

    Reason is as follows:
    It is protected by root .htaccess IP blocking until Oct 30/2014.
    On this case Apache logging is 403 Forbidden for above IPs.
    Root .htaccess IP blocking is cleared soon by attackers every time.
    After Activate BPS PRO, Apache loggings are HTTP 500 during two days.
    It seems to be HTTP 500 on UAEG protections.
    Is this right?
    On this Morning, No Apache Loggings are shown as HTTP 500. Fine, Maybe stopped attacks.
    It was continued almost three months.
    During this period, I have got Following attacks/UK Attacker.
    1. Comment SPAM.
    2. Server Based Mailform Access Every Day/http 301 – Maybe Attackers Main Purpose
    3. Malware with WP Super Cache, wp-config.php was modified.
    ・Maybe overrides .htaccess by cache.
    4. RSS Feed Attack by Own Server IP/Maybe own DoS.
    5. Apache Logs many of xmlrpc.php attacks.
    6. Apache Logs Attacks on phpMyAdmin/it seems to be Brute Force Attack
    ・No Damage on Database because of BPS PRO was Activated soon.

    By the way, I have 200 rows of Attackers IP, IP address is up to 235,000 counts dynamic address.
    Most of IPs are China and Ukraine, by Japanese Language Spam and Feed Attack with server based.
    How do you think, these IP Address to be written on Secure.htaccess by Custom Code to protect HTTP attacks?
    What % of protections will be estimated. About Value 1%?

    #18845

    AITpro Admin
    Keymaster

    500 HTTP Status Response Code is an error or problem.  403 HTTP Status Response Code means blocked/forbidden.

    We get on average 500,000 blocked and logged attacks per month
