.htaccess | Tom Oliver CV

2012 User-Agent Blacklist

Below is my reworked version of Perishable Press’ 2010 User-Agent Blacklist. I’ve also added many more bad user agents to the list. It’s compressed, optimized, syntax corrected, and alphabetized. You should notice some speed improvement over the original.

You can check out the original Perishable Press’ 2010 User-Agent Blacklist here:
http://perishablepress.com/press/2010/08/09/2010-user-agent-blacklist/
I’d like to thank them for their work, for without it, I’d probably would have not created my version.

Here’s my compressed, optimized, syntax corrected, and alphabetized version:

# Deny domain access to spammers and other scumbags
RewriteCond %{HTTP_HOST} !^(127\.0\.0\.0|localhost) [NC]
RewriteCond %{HTTP_USER_AGENT} (\$x0e|\%0[ad]|@\$x|_irc|_works|\+select\+|\+union\+|&lt;\?|1,1,1,|\!susie|0d\ 0a|0wn|3gse|4all|4anything|5\.1;\ xv6875|59\.64\.153\.|72\.171\.0\.138|85\.17\.|88\.0\.106\.|98|a_browser|a1\ site|ab(ac|ach|by|erja|ilon|on?t)|acc(ept|ess|oo)|ac(eftp|me|tive|unetix)|add?ress|ad(opt|SARobot|visor)|agent|ah-ha|aihit|aipbot|aktuelles|al(_viewer|arm|bert|ek|exa\ toolbar;\ \(r1\ 1\.5\)|ltop|ma|ot|pha)|am(erica\ online\ browser\ 1\.1|fi(bi)?|zn_assoc)|an(al|archie|dit|on|search|swer|tivirx)|Ap(acheBench|ollo|pie)|ar(ach|chive|ian|oMATIZED)|aboutoil|as(ps|SORT|ter)|at(ari|HENS|local|om|rax|rop|tach|trib)|autoh|av\ fetch|avsearch|axo[dn]|ba(boom|by|ck|id|li|rry|sichttp|tch)|beau?t|be(come|e|ij|nder)|bi(glotron|lgi|son|tacle|tly)|blaiz|blitz|blo(g(l|scope|zice)|ob|w)|bmclient|boi|bond|bord|boris|bost|bot(\.ara|je|w)|bpimage|br(and|ok|oth|owse(abit|x)|uin)|bsalsa|bsdseek|bu(ilt|lls|mble|nny|sca|si|y)|bwh3|ca(fek|fi|mel|nd|ptu|sper|tch)|ccbot|cd34|ceg|cfnetwork|cgichk|cha(0s|ng|os|r|se\ x)|check(_http|er|only)|ch(ek|erryPicker|ill)|ci(CC|pinet|sco|ta|teseer)|cla(m|ria|w)|Cloak|cl?shttp|clush|cmsworldmap|co(ast|de\.com|gent|ldfusion|ll|m(b|mentreader|mon|pan|patible-)|n(c|duc|tact|trol|type|v)|ol|p[iy]|r(al|e-project|n)|s(mos|ta)|wbot)|cr4nk|cra(ft|lwer|nk|p|wler0|zy)|cres|cs-cz|cuill|CUR(I|l|ry)|custo|cute|cyber|cz(3|x)|da(ily|lvik|S|obot|rk|rwin|ta|ten)|dcbot|dcs|dds\ explorer|de(ep|mon|ps|tect|web|x)|dia(gem|m|vol)|Di(gger|gimarc|ibot|llo|ng|s[cp]|tto)|dlc|do(co|tbot|wnloader)|dr(ag|ec|one)|ds(dl|ok)|DSurf15a|dts|duck|dumb|ea(g|rn|rthcom|sydl)|ebin|echo|edco|efp@gmx|egoto|elnsb5|em(ail|er|pas)|en(cyclo|fi|han|terprise_search|volk)|erck|erocr|ev(entax|ere|il)|ewh|ex(ac|ploit|pre|tra)|eyen|fa(ng|st|vOrg|xo)|fdse|feed(24|hub)|fetch|fi(lan|le(boo|Hound)|map|nd|rs)|fire(bat|download/1\.2pre\ firefox/3\.6|fox/(0|2))|fl(am|ash|exum|ickBot|icky|ip|uffy|y)|fo(cus|oky|rum|rv|st|to|un|xy/1;)|fr(ee|iend|ontpage)|fu(ck|er|tile)|fyber|gais|gal(axy)?bot|gbpl|gecko/200(1|2|6|9042316)|gen(er|i)|geo|get(h|left|r|Smart|w)|ggl|gigabaz|gira|gluc|gnome|go(\!?zilla|forit|ldfire|nzo|rnKer|search)|googl[^.]e|goog[^.]le|goo[^.]gle|go[^.]ogle|g[^.]oogle|google(\ wireless|-image)|got(-it|it)|gra[bf]|greg|gru[bp]|gsa-cra|gsearch|gt::www|guidebot|guruji|gyps|h4x|h4x0r|ha(ha|ilo|rv|sh|tena|x)|he(ad|lm|rit)|hgre|hhjhj@yahoo|hippo|hloader|hmse|ho(lm|ly|mePageSearch|sTalking|tbar\ 4\.4\.5\.0)|hpprint|htt(rack|pclient|pconnect|pdown|plib)|human|huron|hybrid|hyper|iaskspi|ibm\ evv|iccra|ichiro|ICS|ida|ie(/5\.0|auto|mpt|xplore\.exe)|il(ium|se|trov)|in(cyWincy|dy|eturl|fonav|kman|nerpr|spect|suran|tellig|terget)|internet(_explorer|\x|Linkagent|Seer)|intraf|ip(2|sel|tcbot)|Iri(a|lbot|vine)|is(c_sys|ilo|rccrawler|spi)|ja(dy|ka|m|va)|JBH|jenn|jet|jiro|jobo|joc|J-SRD|jupit|just|jyx|kash|kazo|kenjin|kernel|keywo|kfsw|kkma|kmc|know|kosmix|krae|krug|ksibot|ktxn|kum|KWebGet|la(bs|chesis|nshan|po|rbin)|le(ech|ts|xi|xxe)|lftp|lib(by|crawl|web|www)|light|likse|lin(c|gue|kcheck)|li[ns]t|litefeeds|live(door|journal|up)|lmq|lo(ader|cu|ndon|ne|op|rk)|lth_|LWP|lynx|ma(c_f|g-?Net|g[ip]|il\.ru|in|jest|m|na|rketwire|s[cs]|ta)|mvi|mcbot|me(cha|diapartners|mo|talogger|tauri|te)|mi(b/2\.2|crosoft(\.url|_internet_explorer)|do|ggi|ix|ndman|ner|ps|r[ae]|rror|s[st]|zz)|mj12|mlbot|mlm|mo(bilerunner|ge|je|oz|re|rfeus|sill|use)) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (mozilla/(0|1|2|3|4\.61\ \[en\]|firefox|mpf|msie\ (1|2|3|4|5|6\.0-|6\.0b|6\.0;\ Windows\ NT;\ DigExt)|7\.0a1;|7\.0b;|6xpv1|crawler)|ms(nbot-(media|products)|nptc|rbot)|mu(ieblackcat|ltithreaddb|sc)|mvac|mwm|my(_age|app|dog|eng|ie2|search|url)|na(g|me|tionaldirectory|ve?r)|near|net(ants|cach|Carta|craft|crawl|front|info|mech|prospector|Seer|sp|x|z)|neu(ral|t)|new(sbreak|sgatorinbox|srob|t)|next|ng-s|ng/2|ni(ce|kto|mb|nja|nte)|no(g|ko|mad|rb|te)|npbot|nu(se|tch|tex)|nwsp|obje|ocel|octo|odi3|oegp|off(by|line)|om(ea|g|http)|onfo|onyx|OpaL|open(f|ssl|TextSiteCrawler|u)|opera\ (2|3|4|5|6|7)|or(ac|angeBot|bit|eg)|osis|our|outf|owl|p3p_|Pa(ckRat|ge(2rss|fet)|nsci|pa|rser|tw|vu)|pb2pb|pcbrow|pe([ae]r|pe|rfect|rl|rsonaPilot|tit)|phoenix/0\.|php|phras|pi(calo|ff|g|ng|pe|rs|X)|pla(g|ne?t|tform|ystation)|pl(esk|uck|ukkie)|Po(ckey|e-com|irot|mp|st|werset)|pre(load|ss)|privoxy|pro(be|gram_shareware|tect|tocol|wl|xie|xy)|psbot|pt-BR;\ rv:1\.9\.0\.(3|18)\ Firefox/3\.0|pu(bsub|f|lse|nit|rebot|rity)|py(q|th)|que(ry|st)|qweer|ra(dian|mbler|mp|pid|w(dog|grunt))|re(ap|eder|fresh|get|levare|po|qu|se|trieve|volt)|rix|rma|roboz|rocket|rogue|rpt-http|rsscache|ruby|ruff|rufus|rv:0\.9\.7|sa(lt|mple|uger|vvy)|sb(cyds|ide|log|p)|sc(agent|an|ej_)|sch(ed|izo|long|mo)|scorp|sco[tu]t|scrawl|screenshot|se(amonkey/1\.5a|arch(17|bot|me)|eker|ga|mto|nsis|op|pt|tup\.php|zn)|Sha(i|re|rp|z)|sh(el[lo]|erl|im|opwiki)|si(lurian|mple|ph)|site(check|kiosk|scan|vigil|x)|skam|skimp|skygrid|sl(edink|eip|euth|ide|y)|sm(ag|artDownload|urf)|snake|snap(bot|shot)|sni[fp]|snoop|soc(k|sci)|so(gou|hu|lr|me|so)|sp(a[dn]|bot|eed|egla|here|icon|[iy]der|in|roose|url|utnik)|sq(lmap|ui|wid|worm)|ssm_ag|st(ack|amp|ate|eel|ilo|rateg|ress|yle)|su(bot|c[hk]|me|nos\ 5\.7|nrise|per(bot|bro|HTTP|vi)|r(f4me|fbot|vey)|si|z[au])|sweep|sy(gol|hunt|napse|nc2it|stems)|szukacz|ta(g(ger|oo|yu)|ke|lkro|mu|ndem|rantula)|tbot|tcf|tcs/1|te(amsoft|comi|esoft|le(port|soft)|mpleton|ncent|rrawiz|st|xnut)|thomas|ti(ehttp|me(bot|ly)|pp|scali|tan)|tmcrawler|tmhtload|to(crawl|dobr|ngco|olbar;\ r1|olpak|pic|pyx|rrent)|tr(ack|anslate|aveler|eeview|icus|ue)|tu(nnel|ring|rnitin|torgig)|TV33_Mercator|tw(at|eak|ice)|tygo|uchoo|UIowaCrawler|ultraseek|un(avail|f|iversal)|upg1|uptime|url(base|lib|y)|user-?agent:?|usyd|UtilMind|va(cuum|gabo|let|mp|yala)|vci|ver(i~li|if|sus)|vi(a|rtual|sibilitygap|sual)|void|voyager|vsyn|w000?0?t|w3(af|mir|search)|wa(lhello|lk|nd|ol|tch|vefire)|wbdbot|weather|web(\.ima|\.by\.mail|2mal|Auto|bot|cat|collage|cor|crawl|dat|dup|go|Hook|is|itpr|lea|min|mole|money|p|ql|robot|ster|surf|tre|vac|Washer|weasel|zip)|wells|wep_s|wget|Wha(cker|tWeb)|whiz|wi(dow|SEbot|sh|zz)|win(67|dows-rss|dows\ 3|dows\ 95|dows\ me|dows\ NT\ 6\.1;\ tr;\ rv:1\.9\.2\.6|ht|odws)|Wonder|wor(dp|io|ks|ld|th)|Wweb|WWW(-Mechanize|c|o|ster)|WUMPUS|x-Tractor|xaldon|xbot|xenu|XGET|xirq|xpymep|yacy|yahoo(-mmaudvid|yseeker|ysmcm)|yamm|yan[dg]|yo(ono|ri|tta)|yplus\ |ytunnel|zade|zagre|ze(al|bot|rx|us|W)|zhuaxia|zipcode|zixy|zmao|ZmEu) [NC]
RewriteRule .* - [G]

2-2-12 Updated to allow Firefox 10.0 through.
3-12-12 Updated. Removed ‘rip’, false positive with iPhone.

3-12-12 Added a more reorganized version by grouping.
If you use this version and you’re on Apach 2.2 or higher, I recommend using non-capturing groups. Done using ‘?:’

# Deny domain access to spammers and other scumbags
RewriteCond %{HTTP_HOST} !^(127\.0\.0\.0|localhost) [NC]
RewriteCond %{HTTP_USER_AGENT} (\$x0e|\%0[ad]|@\$x|_irc|_works|\+select\+|\+union\+|&lt;\?|1,1,1,|\!susie|0d\ 0a|0wn|3gse|4all|4anything|5\.1;\ xv6875|59\.64\.153\.|72\.171\.0\.138|85\.17\.|88\.0\.106\.|98) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (a_browser|a1\ site|ab(ac|ach|by|erja|ilon|on?t)|acc(ept|ess|oo)|ac(eftp|me|tive|unetix)|add?ress|ad(opt|SARobot|visor)|agent|ah-ha|aihit|aipbot|aktuelles|al(_viewer|arm|bert|ek|exa\ toolbar;\ \(r1\ 1\.5\)|ltop|ma|ot|pha)|am(erica\ online\ browser\ 1\.1|fi(bi)?|zn_assoc)|an(al|archie|dit|on|search|swer|tivirx)|Ap(acheBench|ollo|pie)|ar(ach|chive|ian|oMATIZED)|aboutoil|as(ps|SORT|ter)|at(ari|HENS|local|om|rax|rop|tach|trib)|autoh|av\ fetch|avsearch|axo[dn]) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (ba(boom|by|ck|id|li|rry|sichttp|tch)|beau?t|be(come|e|ij|nder)|bi(glotron|lgi|son|tacle|tly)|blaiz|blitz|blo(g(l|scope|zice)|ob|w)|bmclient|boi|bond|bord|boris|bost|bot(\.ara|je|w)|bpimage|br(and|ok|oth|owse(abit|x)|uin)|bsalsa|bsdseek|bu(ilt|lls|mble|nny|sca|y)|bwh3) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (ca(fek|fi|mel|nd|ptu|sper|tch)|ccbot|cd34|ceg|cfnetwork|cgichk|cha(0s|ng|os|r|se\ x)|check(_http|er|only)|ch(ek|erryPicker|ill)|ci(CC|pinet|sco|ta|teseer)|cla(m|ria|w)|Cloak|cl?shttp|clush|cmsworldmap|co(ast|de\.com|gent|ldfusion|ll|m(b|mentreader|mon|pan|patible-)|n(c|duc|tact|trol|type|v)|ol|p[iy]|r(al|e-project|n)|s(mos|ta)|wbot)|cr4nk|cra(ft|lwer|nk|p|wler0|zy)|cres|cs-cz|cuill|CUR(I|l|ry)|custo|cute|cyber|cz(3|x)) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (da(ily|lvik|S|obot|rk|rwin|ta|ten)|dcbot|dcs|dds\ explorer|de(ep|mon|ps|tect|web|x)|dia(gem|m|vol)|Di(gger|gimarc|ibot|llo|ng|s[cp]|tto)|dlc|do(co|tbot|wnloader)|dr(ag|ec|one)|ds(dl|ok)|DSurf15a|dts|duck|dumb) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (ea(g|rn|rthcom|sydl)|ebin|echo|edco|efp@gmx|egoto|elnsb5|em(ail|er|pas)|en(cyclo|fi|han|terprise_search|volk)|erck|erocr|ev(entax|ere|il)|ewh|ex(ac|ploit|pre|tra)|eyen) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (fa(ng|st|vOrg|xo)|fdse|feed(24|hub)|fetch|fi(lan|le(boo|Hound)|map|nd|rs)|fire(bat|download/1\.2pre\ firefox/3\.6|fox/(0|1\.|2))|fl(am|ash|exum|ickBot|icky|ip|uffy|y)|fo(cus|oky|rum|rv|st|to|un|xy/1;)|fr(ee|iend|ontpage)|fu(ck|er|tile)|fyber) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (gais|gal(axy)?bot|gbpl|gecko/200(1|2|6|9042316)|gen(er|i)|geo|get(h|left|r|Smart|w)|ggl|gigabaz|gira|gluc|gnome|go(\!?zilla|forit|ldfire|nzo|rnKer|search)|googl[^.]e|goog[^.]le|goo[^.]gle|go[^.]ogle|g[^.]oogle|google(\ wireless|-image)|got(-it|it)|gra[bf]|greg|gru[bp]|gsa-cra|gsearch|gt::www|guidebot|guruji|gyps) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (h4x|h4x0r|ha(ha|ilo|rv|sh|tena|x)|he(ad|lm|rit)|hgre|hhjhj@yahoo|hippo|hloader|hmse|ho(lm|ly|mePageSearch|sTalking|tbar\ 4\.4\.5\.0)|hpprint|htt(rack|pclient|pconnect|pdown|plib)|human|huron|hybrid|hyper) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (iaskspi|ibm\ evv|iccra|ichiro|ICS|ida|ie(/5\.0|auto|mpt|xplore\.exe)|il(ium|se|trov)|in(cyWincy|dy|eturl|fonav|kman|nerpr|spect|suran|tellig|terget)|internet(_explorer|\x|Linkagent|Seer)|intraf|ip(2|sel|tcbot)|Iri(a|lbot|vine)|is(c_sys|ilo|rccrawler|spi) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (ja(dy|ka|m|va)|JBH|jenn|jet|jiro|jobo|jo(c|rgee)|J-SRD|jupit|just|jyx|kash|kazo|kenjin|kernel|keywo|kfsw|kkma|kmc|know|kosmix|krae|krug|ksibot|ktxn|kum|KWebGet|la(bs|chesis|nshan|po|rbin)|le(ech|ts|xi|xxe)|lftp|lib(by|crawl|web|www)|light|likse|lin(c|gue|kcheck)|li[ns]t|litefeeds|live(door|journal|up)|lmq|lo(ader|cu|ndon|ne|op|rk)|lth_|LWP|lynx) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (ma(c_f|g-?Net|g[ip]|il\.ru|in|jest|m|na|rketwire|s[cs]|ta)|mvi|mcbot|me(cha|diapartners|mo|talogger|tauri|te)|mi(b/2\.2|crosoft(\.url|_internet_explorer)|do|ggi|ix|ndman|ner|ps|r[ae]|rror|s[st]|zz)|mj12|mlbot|mlm|mo(bilerunner|ge|je|oz|re|rfeus|sill|use)|mozilla/(0|1|2|3|4\.61\ \[en\]|firefox|mpf|msie\ (1|2|3|4|5|6\.0-|6\.0b|6\.0;\ Windows\ NT;\ DigExt)|7\.0a1;|7\.0b;|6xpv1|crawler)|mra|ms(nbot-(media|products)|nptc|rbot)|mu(ieblackcat|ltithreaddb|sc)|mvac|mwm|my(_age|app|dog|eng|ie2|search|url) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (na(g|me|tionaldirectory|ve?r)|near|net(ants|cach|Carta|craft|crawl|front|info|mech|prospector|Seer|sp|x|z)|neu(ral|t)|new(sbreak|sgatorinbox|srob|t)|next|ng-s|ng/2|ni(ce|kto|mb|nja|nte)|no(g|ko|mad|rb|te)|npbot|nu(se|tch|tex)|nwsp|obje|ocel|octo|odi3|oegp|off(by|line)|om(ea|g|http)|onfo|onyx|OpaL|open(f|ssl|TextSiteCrawler|u)|opera\ (2|3|4|5|6|7)|or(ac|angeBot|bit|eg)|osis|our|outf|owl) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (p3p_|Pa(ckRat|ge(2rss|fet)|nsci|pa|rser|tw|vu)|pb2pb|pcbrow|pe([ae]r|pe|rfect|rl|rsonaPilot|tit)|phoenix/0\.|php|phras|pi(calo|ff|g|ng|pe|rs|X)|pla(g|ne?t|tform|ystation)|pl(esk|uck|ukkie)|Po(ckey|e-com|irot|mp|st|werset)|pre(load|ss)|privoxy|pro(be|gram_shareware|tect|tocol|wl|xie|xy)|psbot|pt-BR;\ rv:1\.9\.0\.(3|18)\ Firefox/3\.0|pu(bsub|f|lse|nit|rebot|rity)|py(q|th)|que(ry|st)|qweer|ra(dian|mbler|mp|pid|w(dog|grunt))|re(ap|eder|fresh|get|levare|po|qu|se|trieve|volt)|rix|rma|roboz|rocket|rogue|rpt-http|rsscache|ruby|ruff|rufus|rv:0\.9\.7) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (sa(lt|mple|uger|vvy)|sb(cyds|ide|log|p)|sc(agent|an|ej_)|sch(ed|izo|long|mo)|scorp|sco[tu]t|scrawl|screenshot|se(amonkey/1\.5a|arch(17|bot|me)|eker|ga|mrush|mto|nsis|op|pt|tup\.php|zn)|Sha(i|re|rp|z)|sh(el[lo]|erl|im|opwiki)|si(lurian|mple|ph)|site(check|kiosk|scan|vigil|x)|skam|skimp|skygrid|sl(edink|eip|euth|ide|y)|sm(ag|artDownload|urf)|snake|snap(bot|shot)|sni[fp]|snoop|soc(k|sci)|so(gou|hu|lr|me|so)|sp(a[dn]|bot|eed|egla|here|icon|[iy]der|in|roose|url|utnik)|sq(lmap|ui|wid|worm)|ssm_ag|st(ack|amp|ate|eel|ilo|rateg|ress|yle)|su(bot|c[hk]|me|nos\ 5\.7|nrise|per(bot|bro|HTTP|vi)|r(f4me|fbot|vey)|si|z[au])|swe(bot|ep)|sy(gol|hunt|napse|nc2it|stems)|szukacz) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (ta(g(ger|oo|yu)|ke|lkro|mu|ndem|rantula)|tbot|tcf|tcs/1|te(amsoft|comi|esoft|le(port|soft)|mpleton|ncent|rrawiz|st|xnut)|thomas|ti(ehttp|me(bot|ly)|pp|scali|tan)|tmcrawler|tmhtload|to(crawl|dobr|ngco|olbar;\ r1|olpak|pic|pyx|rrent)|tr(ack|anslate|aveler|eeview|icus|ue)|tu(nnel|ring|rnitin|torgig)|TV33_Mercator|tw(at|eak|ice)|tygo) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (uchoo|UIowaCrawler|ultraseek|un(avail|f|iversal)|upg1|uptime|url(base|lib|y)|user-?agent:?|usyd|UtilMind|va(cuum|gabo|let|mp|yala)|vci|ver(i~li|if|sus)|vi(a|rtual|sibilitygap|sual)|void|voyager|vsyn) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (w000?0?t|w3(af|mir|search)|wa(lhello|lk|nd|ol|tch|vefire)|wbdbot|weather|web(\.ima|\.by\.mail|2mal|Auto|bot|cat|collage|cor|crawl|dat|dup|go|Hook|is|itpr|lea|min|mole|money|p|ql|robot|ster|surf|tre|vac|Washer|weasel|zip)|wells|wep_s|wget|Wha(cker|tWeb)|whiz|wi(dow|SEbot|sh|zz)|win(67|dows-rss|dows\ (3|9[58]|me|NT\ 6\.1;\ tr;\ rv:1\.9\.2\.6)|ht|odws)|Wonder|wor(dp|io|ks|ld|th)|Wweb|WWW(-Mechanize|c|o|ster)|WUMPUS) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (x-Tractor|xaldon|xbot|xenu|XGET|xirq|xpymep|yacy|yahoo(-mmaudvid|yseeker|ysmcm)|yamm|yan[dg]|yo(ono|ri|tta)|yplus\ |ytunnel|zade|zagre|ze(al|bot|rx|us|W)|zhuaxia|zipcode|zixy|zmao|ZmEu) [NC]

RewriteRule .* - [G]

Reorganized version with non-capturing groups (use of ?:) Apache 2.x and up only!

# Deny domain access to spammers and other scumbags
RewriteCond %{HTTP_HOST} !^(?:127\.0\.0\.0|localhost) [NC]
RewriteCond %{HTTP_USER_AGENT} (?:\$x0e|\%0[ad]|@\$x|_irc|_works|\+select\+|\+union\+|&lt;\?|1,1,1,|\!susie|0d\ 0a|0wn|3gse|4all|4anything|5\.1;\ xv6875|59\.64\.153\.|72\.171\.0\.138|85\.17\.|88\.0\.106\.|98) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (?:a_browser|a1\ site|ab(?:ac|ach|by|erja|ilon|on?t)|acc(?:ept|ess|oo)|ac(?:eftp|me|tive|unetix)|add?ress|ad(?:opt|SARobot|visor)|agent|ah-ha|aihit|aipbot|aktuelles|al(?:_viewer|arm|bert|ek|exa\ toolbar;\ \(?:r1\ 1\.5\)|ltop|ma|ot|pha)|am(?:erica\ online\ browser\ 1\.1|fi(?:bi)?|zn_assoc)|an(?:al|archie|dit|on|search|swer|tivirx)|Ap(?:acheBench|ollo|pie)|ar(?:ach|chive|ian|oMATIZED)|aboutoil|as(?:ps|SORT|ter)|at(?:ari|HENS|local|om|rax|rop|tach|trib)|autoh|av\ fetch|avsearch|axo[dn]) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (?:ba(?:boom|by|ck|id|li|rry|sichttp|tch)|beau?t|be(?:come|e|ij|nder)|bi(?:glotron|lgi|son|tacle|tly)|blaiz|blitz|blo(?:g(?:l|scope|zice)|ob|w)|bmclient|boi|bond|bord|boris|bost|bot(?:\.ara|je|w)|bpimage|br(?:and|ok|oth|owse(?:abit|x)|uin)|bsalsa|bsdseek|bu(?:ilt|lls|mble|nny|sca|y)|bwh3) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (?:ca(?:fek|fi|mel|nd|ptu|sper|tch)|ccbot|cd34|ceg|cfnetwork|cgichk|cha(?:0s|ng|os|r|se\ x)|check(?:_http|er|only)|ch(?:ek|erryPicker|ill)|ci(?:CC|pinet|sco|ta|teseer)|cla(?:m|ria|w)|Cloak|cl?shttp|clush|cmsworldmap|co(?:ast|de\.com|gent|ldfusion|ll|m(?:b|mentreader|mon|pan|patible-)|n(?:c|duc|tact|trol|type|v)|ol|p[iy]|r(?:al|e-project|n)|s(?:mos|ta)|wbot)|cr4nk|cra(?:ft|lwer|nk|p|wler0|zy)|cres|cs-cz|cuill|CUR(?:I|l|ry)|custo|cute|cyber|cz(?:3|x)) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (?:da(?:ily|lvik|S|obot|rk|rwin|ta|ten)|dcbot|dcs|dds\ explorer|de(?:ep|mon|ps|tect|web|x)|dia(?:gem|m|vol)|Di(?:gger|gimarc|ibot|llo|ng|s[cp]|tto)|dlc|do(?:co|tbot|wnloader)|dr(?:ag|ec|one)|ds(?:dl|ok)|DSurf15a|dts|duck|dumb) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (?:ea(?:g|rn|rthcom|sydl)|ebin|echo|edco|efp@gmx|egoto|elnsb5|em(?:ail|er|pas)|en(?:cyclo|fi|han|terprise_search|volk)|erck|erocr|ev(?:entax|ere|il)|ewh|ex(?:ac|ploit|pre|tra)|eyen) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (?:fa(?:ng|st|vOrg|xo)|fdse|feed(?:24|hub)|fetch|fi(?:lan|le(?:boo|Hound)|map|nd|rs)|fire(?:bat|download/1\.2pre\ firefox/3\.6|fox/(?:0|1\.|2))|fl(?:am|ash|exum|ickBot|icky|ip|uffy|y)|fo(?:cus|oky|rum|rv|st|to|un|xy/1;)|fr(?:ee|iend|ontpage)|fu(?:ck|er|tile)|fyber) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (?:gais|gal(?:axy)?bot|gbpl|gecko/200(?:1|2|6|9042316)|gen(?:er|i)|geo|get(?:h|left|r|Smart|w)|ggl|gigabaz|gira|gluc|gnome|go(?:\!?zilla|forit|ldfire|nzo|rnKer|search)|googl[^.]e|goog[^.]le|goo[^.]gle|go[^.]ogle|g[^.]oogle|google(?:\ wireless|-image)|got(-?:it|it)|gra[bf]|greg|gru[bp]|gsa-cra|gsearch|gt::www|guidebot|guruji|gyps) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (?:h4x|h4x0r|ha(?:ha|ilo|rv|sh|tena|x)|he(?:ad|lm|rit)|hgre|hhjhj@yahoo|hippo|hloader|hmse|ho(?:lm|ly|mePageSearch|sTalking|tbar\ 4\.4\.5\.0)|hpprint|htt(?:rack|pclient|pconnect|pdown|plib)|human|huron|hybrid|hyper) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (?:iaskspi|ibm\ evv|iccra|ichiro|ICS|ida|ie(?:/5\.0|auto|mpt|xplore\.exe)|il(?:ium|se|trov)|in(?:cyWincy|dy|eturl|fonav|kman|nerpr|spect|suran|tellig|terget)|internet(?:_explorer|\x|Linkagent|Seer)|intraf|ip(?:2|sel|tcbot)|Iri(?:a|lbot|vine)|is(?:c_sys|ilo|rccrawler|spi) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (?:ja(?:dy|ka|m|va)|JBH|jenn|jet|jiro|jobo|jo(?:c|rgee)|J-SRD|jupit|just|jyx|kash|kazo|kenjin|kernel|keywo|kfsw|kkma|kmc|know|kosmix|krae|krug|ksibot|ktxn|kum|KWebGet|la(?:bs|chesis|nshan|po|rbin)|le(?:ech|ts|xi|xxe)|lftp|lib(?:by|crawl|web|www)|light|likse|lin(?:c|gue|kcheck)|li[ns]t|litefeeds|live(?:door|journal|up)|lmq|lo(?:ader|cu|ndon|ne|op|rk)|lth_|LWP|lynx) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (?:ma(?:c_f|g-?Net|g[ip]|il\.ru|in|jest|m|na|rketwire|s[cs]|ta)|mvi|mcbot|me(?:cha|diapartners|mo|talogger|tauri|te)|mi(?:b/2\.2|crosoft(?:\.url|_internet_explorer)|do|ggi|ix|ndman|ner|ps|r[ae]|rror|s[st]|zz)|mj12|mlbot|mlm|mo(?:bilerunner|ge|je|oz|re|rfeus|sill|use)|mozilla/(?:0|1|2|3|4\.61\ \[en\]|firefox|mpf|msie\ (?:1|2|3|4|5|6\.0-|6\.0b|6\.0;\ Windows\ NT;\ DigExt)|7\.0a1;|7\.0b;|6xpv1|crawler)|mra|ms(?:nbot-(?:media|products)|nptc|rbot)|mu(?:ieblackcat|ltithreaddb|sc)|mvac|mwm|my(?:_age|app|dog|eng|ie2|search|url) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (?:na(?:g|me|tionaldirectory|ve?r)|near|net(?:ants|cach|Carta|craft|crawl|front|info|mech|prospector|Seer|sp|x|z)|neu(?:ral|t)|new(?:sbreak|sgatorinbox|srob|t)|next|ng-s|ng/2|ni(?:ce|kto|mb|nja|nte)|no(?:g|ko|mad|rb|te)|npbot|nu(?:se|tch|tex)|nwsp|obje|ocel|octo|odi3|oegp|off(?:by|line)|om(?:ea|g|http)|onfo|onyx|OpaL|open(?:f|ssl|TextSiteCrawler|u)|opera\ (?:2|3|4|5|6|7)|or(?:ac|angeBot|bit|eg)|osis|our|outf|owl) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (?:p3p_|Pa(?:ckRat|ge(?:2rss|fet)|nsci|pa|rser|tw|vu)|pb2pb|pcbrow|pe(?:[ae]r|pe|rfect|rl|rsonaPilot|tit)|phoenix/0\.|php|phras|pi(?:calo|ff|g|ng|pe|rs|X)|pla(?:g|ne?t|tform|ystation)|pl(?:esk|uck|ukkie)|Po(?:ckey|e-com|irot|mp|st|werset)|pre(?:load|ss)|privoxy|pro(?:be|gram_shareware|tect|tocol|wl|xie|xy)|psbot|pt-BR;\ rv:1\.9\.0\.(?:3|18)\ Firefox/3\.0|pu(?:bsub|f|lse|nit|rebot|rity)|py(?:q|th)|que(?:ry|st)|qweer|ra(?:dian|mbler|mp|pid|w(?:dog|grunt))|re(?:ap|eder|fresh|get|levare|po|qu|se|trieve|volt)|rix|rma|roboz|rocket|rogue|rpt-http|rsscache|ruby|ruff|rufus|rv:0\.9\.7) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (?:sa(?:lt|mple|uger|vvy)|sb(?:cyds|ide|log|p)|sc(?:agent|an|ej_)|sch(?:ed|izo|long|mo)|scorp|sco[tu]t|scrawl|screenshot|se(?:amonkey/1\.5a|arch(?:17|bot|me)|eker|ga|mrush|mto|nsis|op|pt|tup\.php|zn)|Sha(?:i|re|rp|z)|sh(?:el[lo]|erl|im|opwiki)|si(?:lurian|mple|ph)|site(?:check|kiosk|scan|vigil|x)|skam|skimp|skygrid|sl(?:edink|eip|euth|ide|y)|sm(?:ag|artDownload|urf)|snake|snap(?:bot|shot)|sni[fp]|snoop|soc(?:k|sci)|so(?:gou|hu|lr|me|so)|sp(?:a[dn]|bot|eed|egla|here|icon|[iy]der|in|roose|url|utnik)|sq(?:lmap|ui|wid|worm)|ssm_ag|st(?:ack|amp|ate|eel|ilo|rateg|ress|yle)|su(?:bot|c[hk]|me|nos\ 5\.7|nrise|per(?:bot|bro|HTTP|vi)|r(?:f4me|fbot|vey)|si|z[au])|swe(?:bot|ep)|sy(?:gol|hunt|napse|nc2it|stems)|szukacz) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (?:ta(?:g(?:ger|oo|yu)|ke|lkro|mu|ndem|rantula)|tbot|tcf|tcs/1|te(?:amsoft|comi|esoft|le(?:port|soft)|mpleton|ncent|rrawiz|st|xnut)|thomas|ti(?:ehttp|me(?:bot|ly)|pp|scali|tan)|tmcrawler|tmhtload|to(?:crawl|dobr|ngco|olbar;\ r1|olpak|pic|pyx|rrent)|tr(?:ack|anslate|aveler|eeview|icus|ue)|tu(?:nnel|ring|rnitin|torgig)|TV33_Mercator|tw(?:at|eak|ice)|tygo) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (?:uchoo|UIowaCrawler|ultraseek|un(?:avail|f|iversal)|upg1|uptime|url(?:base|lib|y)|user-?agent:?|usyd|UtilMind|va(?:cuum|gabo|let|mp|yala)|vci|ver(?:i~li|if|sus)|vi(?:a|rtual|sibilitygap|sual)|void|voyager|vsyn) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (?:w000?0?t|w3(?:af|mir|search)|wa(?:lhello|lk|nd|ol|tch|vefire)|wbdbot|weather|web(?:\.ima|\.by\.mail|2mal|Auto|bot|cat|collage|cor|crawl|dat|dup|go|Hook|is|itpr|lea|min|mole|money|p|ql|robot|ster|surf|tre|vac|Washer|weasel|zip)|wells|wep_s|wget|Wha(?:cker|tWeb)|whiz|wi(?:dow|SEbot|sh|zz)|win(?:67|dows-rss|dows\ (?:3|9[58]|me|NT\ 6\.1;\ tr;\ rv:1\.9\.2\.6)|ht|odws)|Wonder|wor(?:dp|io|ks|ld|th)|Wweb|WWW(?:-Mechanize|c|o|ster)|WUMPUS) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (?:x-Tractor|xaldon|xbot|xenu|XGET|xirq|xpymep|yacy|yahoo(?:-mmaudvid|yseeker|ysmcm)|yamm|yan[dg]|yo(?:ono|ri|tta)|yplus\ |ytunnel|zade|zagre|ze(?:al|bot|rx|us|W)|zhuaxia|zipcode|zixy|zmao|ZmEu) [NC]

RewriteRule .* - [G]

Published in:

.htaccess

on October 16, 2011 at 10:59 am Leave a Comment

Protect Your Uploads Folder with .htaccess

If you’re like me you may have sites that allow users to upload images. This could easily be a potential backdoor for hackers. I came up with these sets of rules that have worked for me. I will continue to update these rules as I discover other vulnerabilities and methods of attack. For those copy and paste junkies, the code is directly below. For those more interested in what the rules actually do, continuing reading below the first box of code.

For you copy and paste junkies here is the entire code (copy and paste into notepad, save as .htaccess, and place it in your uploads folder):

[There is an updated version of this that is lighter and more secure at my self hosted website: http://thomasoliver.info/protect-your-uploads-folder-with-htaccess/ ]

# Don't list directory contents
IndexIgnore *
# Disable script execution
AddHandler cgi-script .php .php2 .php3 .php4 .php5 .php6 .php7 .php8 .pl .py .js .jsp .asp .htm .html .shtml .sh .cgi
Options -ExecCGI -Indexes

# Only allow access to this directory if they are coming from your domain; excluding you, your server, Google and any other IPs
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^(xxx\.xxx\.xxx\.xxx|xxx\.xxx\xxx\.xxx|66\.249\.)
RewriteCond %{HTTP_HOST} !^(127\.0\.0\.0|localhost) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?yourdomain\.com/ [NC]
RewriteRule .* http://yourdomain.com/ [L]

# Secure php.ini and .htaccess
RewriteRule ^(php\.ini|\.htaccess) - [NC,F]

# Block shell uploaders, htshells, and other baddies
RewriteCond %{REQUEST_URI} ((php|my|bypass)?shell|remview.*|phpremoteview.*|sshphp.*|pcom|nstview.*|c99|c100|r57|webadmin.*|phpget.*|phpwriter.*|fileditor.*|locus7.*|storm7.*)\.(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml) [NC,OR]
RewriteCond %{REQUEST_URI} (\.exe|\.php\?act=|\.tar|_vti|afilter=|algeria\.php|chbd|chmod|cmd|command|db_query|download_file|echo|edit_file|eval|evil_root|exploit|find_text|fopen|fsbuff|fwrite|friends_links\.|ftp|gofile|grab|grep|htshell|\ -dump|logname|lynx|mail_file|md5|mkdir|mkfile|mkmode|MSOffice|muieblackcat|mysql|owssvr\.dll|passthru|popen|proc_open|processes|pwd|rmdir|root|safe0ver|search_text|selfremove|setup\.php|shell|ShellAdresi\.TXT|spicon|sql|ssh|system|telnet|trojan|typo3|uname|unzip|w00tw00t|whoami|xampp) [NC,OR]
RewriteCond %{QUERY_STRING} (\.exe|\.tar|act=|afilter=|alter|benchmark|chbd|chmod|cmd|command|cast|char|concat|convert|create|db_query|declare|delete|download_file|drop|edit_file|encode|environ|eval|exec|exploit|find_text|fsbuff|ftp|friends_links\.|globals|gofile|grab|insert|localhost|logname|loopback|mail_file|md5|meta|mkdir|mkfile|mkmode|mosconfig|muieblackcat|mysql|order|passthru|popen|proc_open|processes|pwd|request|rmdir|root|scanner|script|search_text|select|selfremove|set|shell|sql|sp_executesql|spicon|ssh|system|telnet|trojan|truncate|uname|union|unzip|whoami) [NC]
RewriteRule .* - [F]

# Disable hotlinking of images
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(jpe?g?|png|gif|ico|pdf|flv|swf|gz)$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?yourdomain\. [NC]
RewriteRule \.(jpe?g?|png|gif|ico|pdf|flv|swf|gz)$ - [NC,F]

# Only the following file extensions are allowed
Order Allow,Deny
Deny from all
<FilesMatch "\.([Jj][Pp][Ee]?[Gg]?|[Pp][Nn][Gg]|[Gg][Ii][Ff]|[Gg][Zz]|[Pp][Dd][Ff])$">
Allow from all
</FilesMatch>

# Block double extensions from being uploaded or accessed, including htshells
<FilesMatch ".*\.([^.]+)\.([^.]+)$">
Order Deny,Allow
Deny from all
</FilesMatch>

# Only allow GET and POST HTTP methods
<LimitExcept GET POST>
Deny from all
</LimitExcept>

__________________________________________________________

The first part of the rules:

# Don't list directory contents
IndexIgnore *
# Disable script execution
AddHandler cgi-script .php .php2 .php3 .php4 .php5 .php6 .php7 .php8 .pl .py .js .jsp .asp .htm .html .shtml .sh .cgi
Options -ExecCGI -Indexes

Index Ignore *
Options -Indexes

They first disable directory viewing, listing, etc.

AddHandler cgi-script .php .php2 .php3 .php4 .php5 .php6 .php7 .php8 .pl .py .js .jsp .asp .htm .html .shtml .sh .cgi
Options -ExecCGI

The AddHandler directive sets all the files ending in those extensions to be handled as cgi-script.

The next line uses the Options directive to disable cgi-script completely.

This is special so that they fall under the jurisdiction of the -ExecCGI command, which also means -FollowSymLinks

**NOTE** In some instances you may see the rules combined as in Options -ExecCGI -Indexes. I did this to make the rules more efficient.

__________________________________________________________

RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^(xxx\.xxx\.xxx\.xxx|xxx\.xxx\xxx\.xxx|66\.249\.)
RewriteCond %{HTTP_HOST} !^(127\.0\.0\.0|localhost) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?yourdomain\.com/ [NC]
RewriteRule .* http://yourdomain.com/ [L]

These set of rules declare that if anyone but the indicated IPs or hosts try to directly access this directory, they will be sent back to the home page.

You could put your server IP, your static IP, and any others like Google if you would like to allow them access.

__________________________________________________________

RewriteRule ^(php\.ini|\.htaccess) - [NC,F]

These rules denies access to php.ini and .htaccess. In my opinion, Rewrite seems the best way to deny access to these files.

**NOTE** There is no $ intentionally.

__________________________________________________________

RewriteCond %{REQUEST_URI} ((php|my|bypass)?shell|remview.*|phpremoteview.*|sshphp.*|pcom|nstview.*|c99|c100|r57|webadmin.*|phpget.*|phpwriter.*|fileditor.*|locus7.*|storm7.*)\.(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml) [NC,OR]
RewriteCond %{REQUEST_URI} (\.exe|\.php\?act=|\.tar|_vti|afilter=|algeria\.php|chbd|chmod|cmd|command|db_query|download_file|echo|edit_file|eval|evil_root|exploit|find_text|fopen|fsbuff|fwrite|friends_links\.|ftp|gofile|grab|grep|htshell|\ -dump|logname|lynx|mail_file|md5|mkdir|mkfile|mkmode|MSOffice|muieblackcat|mysql|owssvr\.dll|passthru|popen|proc_open|processes|pwd|rmdir|root|safe0ver|search_text|selfremove|setup\.php|shell|ShellAdresi\.TXT|spicon|sql|ssh|system|telnet|trojan|typo3|uname|unzip|w00tw00t|whoami|xampp) [NC,OR]
RewriteCond %{QUERY_STRING} (\.exe|\.tar|act=|afilter=|alter|benchmark|chbd|chmod|cmd|command|cast|char|concat|convert|create|db_query|declare|delete|download_file|drop|edit_file|encode|environ|eval|exec|exploit|find_text|fsbuff|ftp|friends_links\.|globals|gofile|grab|insert|localhost|logname|loopback|mail_file|md5|meta|mkdir|mkfile|mkmode|mosconfig|muieblackcat|mysql|order|passthru|popen|proc_open|processes|pwd|request|rmdir|root|scanner|script|search_text|select|selfremove|set|shell|sql|sp_executesql|spicon|ssh|system|telnet|trojan|truncate|uname|union|unzip|whoami) [NC]
RewriteRule .* - [F]

These are a work in progress and will definitely be updated as I encounter and discover other attacks directed towards this directory.

But for the meantime, this will block many shell uploads and other attacks.

__________________________________________________________

# Disable hotlinking of images
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(jpe?g?|png|gif|ico|pdf|flv|swf|gz)$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?yourdomain\. [NC]
RewriteRule \.(jpe?g?|png|gif|ico|pdf|flv|swf|gz)$ - [NC,F]

These disable hotlinking of all images/files from this directory. You may already have this in your root .htaccess. If so and it works fine for you there, they you’ll not need it here. But test to find out for yourself.

You can test if you’re hotlinking is disabled via the following sites:
http://altlab.com/htaccess_tutorial.html
http://techgyo.com/HTML-Editor.htm

__________________________________________________________

Order Allow,Deny
Deny from all
<FilesMatch "\.([Jj][Pp][Ee]?[Gg]?|[Pp][Nn][Gg]|[Gg][Ii][Ff]|[Gg][Zz]|[Pp][Dd][Ff])$">
Allow from all
</FilesMatch>

The next rules only allow certain file extensions, case insensitivity included.

__________________________________________________________

<FilesMatch ".*\.([^.]+)\.([^.]+)$">
Order Deny,Allow
Deny from all
</FilesMatch>

These last set of rules get interesting. Suppose someone does actually get a double extension uploaded? Even if you have php to assign an additional character to the end of the first extension, an attacker may be able to acknowledge that they were successful at uploading the file by adding that character when trying to execute it.

Example: I believe WordPress adds an underscore to the end of the second extension. So an attacker uploads a script.php.jpg. WordPress converts it to script.php_.jpg. If an attacker knows this, they may be able to account for it and still execute the attack.

What this does is block any extensions with character(s) represented by a ‘[^.]’ that are 1 or more characters in length with a double extension ‘\.’

This is because the characters could be anything besides a letter or number and if the attacker knew that you appended an underscore ‘_’ or any other character, they could continue with the attack. You can always change the number 10 to fit your needs. You could also change the second ‘.’ to this [a-zA-Z0-9] but it seems to be more efficient to just use ‘[^.]’.

**NOTE** I’ve had sites where I had to change the second ‘[^.]’ to [a-zA-Z0-9] to allow users to still upload files.

# Block double extensions from being uploaded or accessed
<FilesMatch ".*\.([^.]+)\.([a-zA-Z0-9]+)$">
Order Deny,Allow
Deny from all
</FilesMatch>

This last set of rules only allows the GET and POST HTTP methods.

</FilesMatch>
<LimitExcept GET POST>
Deny from all
</LimitExcept>

Back to Top

Published in:

on July 24, 2011 at 2:04 pm Comments (2)

Tom Oliver CV

Tom Oliver's Curriculum Vitae

2012 User-Agent Blacklist

Protect Your Uploads Folder with .htaccess