# enable rewrite engine
RewriteEngine on

# block trace and track methods
RewriteCond   %{REQUEST_METHOD}                   ^(TRACE|TRACK)
RewriteRule   .*                                  -                                     [F]

# block XSS attacks (attempted to hide query string)
RewriteCond   %{THE_REQUEST}                      \?.*\?(\ |$)
RewriteRule   .*                                  -                                     [F]

# block XSS attacks (http)
RewriteCond   %{THE_REQUEST}                      (\b|%\d\d)https?(:|%3A)(/|%\d\d){2}   [NC]
RewriteRule   .*                                  -                                     [F]

# block XSS attacks (ftp)
RewriteCond   %{THE_REQUEST}                      (\b|%\d\d)ftp(:|%3A)(/|%\d\d){2}      [NC]
RewriteRule   .*                                  -                                     [F]

# block hack attempts (/etc/passwd)
RewriteCond   %{THE_REQUEST}                      (/|%2F)etc(/|%2F)passwd               [NC]
RewriteRule   .*                                  -                                     [R=404,L]

# Block out some common exploits
# If the request query string contains /proc/self/environ (by SigSiu.net)
RewriteCond   %{QUERY_STRING}                     proc/self/environ                     [OR]

# Block out any script trying to base64_encode or base64_decode data within the URL
RewriteCond   %{QUERY_STRING}                     base64_(en|de)code[^(]*\([^)]*\)      [OR]

# Block out any script that includes a <script> tag in URL
RewriteCond   %{QUERY_STRING}                     (<|%3C)([^s]*s)+cript.*(>|%3E)        [NC,OR]

# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond   %{QUERY_STRING}                     GLOBALS(=|\[|\%[0-9A-Z]{0,2})         [OR]

# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond   %{QUERY_STRING}                     _REQUEST(=|\[|\%[0-9A-Z]{0,2})

# Return 403 Forbidden header and show the content of the root homepage
RewriteRule   .*                                  -                                     [F]

# File injection protection
RewriteCond   %{REQUEST_METHOD}                   GET
RewriteCond   %{QUERY_STRING}                     [a-zA-Z0-9_]=http://                  [OR]
RewriteCond   %{QUERY_STRING}                     [a-zA-Z0-9_]=(\.\.//?)+               [OR]
RewriteCond   %{QUERY_STRING}                     [a-zA-Z0-9_]=/([a-z0-9_.]//?)+        [NC]
RewriteRule   .*                                  -                                     [F]

# Basic antispam Filter
RewriteCond   %{QUERY_STRING}                     \b(ambien|blue\spill|cialis)\b        [NC,OR]
RewriteCond   %{QUERY_STRING}                     \b(cocaine|ejaculation|erectile)\b    [NC,OR]
RewriteCond   %{QUERY_STRING}                     \b(erections|hoodia)\b                [NC,OR]
RewriteCond   %{QUERY_STRING}                     \b(huronriveracres|impotence)\b       [NC,OR]
RewriteCond   %{QUERY_STRING}                     \b(levitra|libido|lipitor)\b          [NC,OR]
RewriteCond   %{QUERY_STRING}                     \b(phentermin|pro[sz]ac|sandyauer)\b  [NC,OR]
RewriteCond   %{QUERY_STRING}                     \b(tramadol|troyhamby|ultram)\b       [NC,OR]
RewriteCond   %{QUERY_STRING}                     \b(unicauca|valium|viagra|vicodin)\b  [NC,OR]
RewriteCond   %{QUERY_STRING}                     \b(xanax|ypxaieo)\b                   [NC]
RewriteRule   .*                                  -                                     [F]

## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine your PHP version
RewriteCond   %{QUERY_STRING}                     \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule   .*                                  -                                     [F]

# SQLi basic protection
RewriteCond   %{QUERY_STRING}                     concat[^\(]*\(                        [NC,OR]
RewriteCond   %{QUERY_STRING}                     union([^s]*s)+elect                   [NC,OR]
RewriteCond   %{QUERY_STRING}                     union([^a]*a)+ll([^s]*s)+elect        [NC]
RewriteRule   .*                                  -                                     [F]

# Block bad user agents
RewriteCond   %{HTTP_USER_AGENT}                  ^Google\ Desktop                      [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Baiduspider                          [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^BlackWidow                           [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Bot\ mailto:craftbot@yahoo.com       [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^ChinaClaw                            [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Custo                                [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^DISCo                                [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Download\ Demon                      [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^eCatch                               [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^EirGrabber                           [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^EmailSiphon                          [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^EmailWolf                            [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Express\ WebPictures                 [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^ExtractorPro                         [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^EyeNetIE                             [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^FlashGet                             [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^GetRight                             [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^GetWeb!                              [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Go!Zilla                             [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Go-Ahead-Got-It                      [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^GrabNet                              [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Grafula                              [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^HMView                               [OR]
RewriteCond   %{HTTP_USER_AGENT}                  HTTrack                               [NC,OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Image\ Stripper                      [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Image\ Sucker                        [OR]
RewriteCond   %{HTTP_USER_AGENT}                   Indy\ Library                        [NC,OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^InterGET                             [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Internet\ Ninja                      [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^JetCar                               [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^JOC\ Web\ Spider                     [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^larbin                               [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^LeechFTP                             [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Mass\ Downloader                     [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^MIDown\ tool                         [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Mister\ PiX                          [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Navroad                              [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^NearSite                             [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^NetAnts                              [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^NetSpider                            [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Net\ Vampire                         [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^NetZIP                               [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Octopus                              [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Offline\ Explorer                    [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Offline\ Navigator                   [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^PageGrabber                          [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Papa\ Foto                           [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^pavuk                                [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^pcBrowser                            [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^RealDownload                         [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^ReGet                                [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^SiteSnagger                          [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^SmartDownload                        [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^SuperBot                             [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^SuperHTTP                            [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Surfbot                              [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^tAkeOut                              [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Teleport\ Pro                        [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^VoidEYE                              [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Web\ Image\ Collector                [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Web\ Sucker                          [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^WebAuto                              [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^WebCopier                            [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^WebFetch                             [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^WebGo\ IS                            [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^WebLeacher                           [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^WebReaper                            [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^WebSauger                            [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Website\ eXtractor                   [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Website\ Quester                     [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^WebStripper                          [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^WebWhacker                           [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^WebZIP                               [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Widow                                [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^WWWOFFLE                             [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Xaldon\ WebSpider                    [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Typhoeus                             [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Zeus                                 [OR]
RewriteCond   %{HTTP_USER_AGENT}                  ^Mylyn/[\d\.]+\ BugzillaConnector\ Eclipse
RewriteRule   .*                                  -                                     [F]