evil_host_trap_init.conf

#By Josef Meile <jmeile@hotmail.com> @ June, 2019

#This bot trap will catch all bots accessing the folder:
#/_private_
#This is a hidden url, so, in order to make this work, you need
#to add the following to your robots.txt file:
#User-agent: *
#Disallow: /_private_

#I'm also blocking typical vulnerability exploids like trying to access
#protected operating system files or folders, ie: /etc/ or passwd

#Make sure to include this file after your CustomLog directive; otherwise the
#request of the blocked host won't be registered into the apache's log file

#In order to use this, you have to include the file evil_host_trap_env.conf
#either in your global apache .conf file or put it in the configuration files
#folder, ie:
#/etc/apache2/conf-enabled -> In devian/ubuntu like distros
#/etc/httpd/conf.d	   -> In RedHad/CentOS like distros

#I opted to linking it into the configuration folder, ie:
#cd /etc/apache2/conf-enabled
#ln -s /usr/local/ApacheHostTrap/evil_host_trap_env.conf .

#This file sets an environment variable: EVIL_HOST_PATH, which will be used to
#indicate the location of the evil host trap configuration files. This variable
#will be used in the Include directives (continue reading).

#Then add the following includes in your VirtualHost:
#This file - initializes the RewriteMap and blocksalready logged hosts)
#Include ${EVIL_HOST_PATH}/evil_host_trap_init.conf 

#Either include:
#Blocking rules wp folders in non-wp sites
#Include ${EVIL_HOST_PATH}/evil_host_trap_no_wp.conf

#or
#Blocking rules to common wp vulnerabilities
#Include ${EVIL_HOST_PATH}/evil_host_trap_wp.conf
#
# Do not include both. Afterwards, include:
#Registers the catched bad hosts
#Include ${EVIL_HOST_PATH}/evil_host_trap_register.conf
#
# See VirtualHost_sample.conf for an example

#Finaly open the file: check_banned_host and setup this two variables according
#to your needs:
#* BANNED_HOSTS_PATH: Where the text file containing the whitelisted and banned
#  hosts is located
#* UNBAN_TIME: Time in seconds to ban the ip

#Only for debugging
#Old apache 2.2
#RewriteLogLevel 9
#RewriteLog "/var/log/httpd/rewrite_log"
#New apache 2.4
#LogLevel alert rewrite:trace3

#This directive will setup a script to check if a host accessing your site was
#whitelisted or banned into the blacklisted hosts text file. 
RewriteMap check_banned_host "prg:${EVIL_HOST_PATH}/check_banned_host"

#This is a dummy RewriteRule to setup the environment variable: allow, which
#will be either: 0=the host was banned, 1=the host hasn't been banned yet or
#the ban time already expired, or 2=the host was whitelisted
RewriteRule .* - [E=allow:${check_banned_host:%{REMOTE_ADDR}}]

#If the host was banned (allow=0), then deny the access
RewriteCond %{ENV:allow} 0
RewriteRule ^ - [L,F]

#If it is not whitelisted (allow=1) it should continue the checks; otherwise 
#(allow=2) it will exit here and continue with the web request
RewriteCond %{ENV:allow} 1

#Conditions for all websites
#Note: the last [OR] is needed to concatenate this conditions with the
#ones in the other files

#The requested resource contains the hidden file: _private_, so, it is a bad
#bot
RewriteCond %{REQUEST_URI} ^(.*)/_private_(.*)$ [NC,OR]

#The host is trying to access the linux /etc folder
RewriteCond %{REQUEST_URI} ^(.*)/etc/(.*)$ [NC,OR]
#or the passwd file
RewriteCond %{REQUEST_URI} ^(.*)/passwd(.*)$ [NC,OR]

#Multiple scannings in some cms/web services I don't use
#If you use some of them, ie: joomla, phpmyadmin, etc., then you will need to
#delete them from here
RewriteCond %{REQUEST_URI} ^(.*)jenkins(.*)$ [NC,OR]
RewriteCond %{REQUEST_URI} ^(.*)jmx-console(.*)$ [NC,OR]
RewriteCond %{REQUEST_URI} ^(.*)joomla(.*)$ [NC,OR]
RewriteCond %{REQUEST_URI} ^(.*)dumper(.*)$ [NC,OR]
RewriteCond %{REQUEST_URI} ^(.*)myadmin(.*)$ [NC,OR]
RewriteCond %{REQUEST_URI} ^(.*)xampp(.*)$ [NC,OR]
RewriteCond %{REQUEST_URI} ^(.*)typo3(.*)$ [NC,OR]
RewriteCond %{REQUEST_URI} ^(.*)webadmin(.*)$ [NC,OR]
RewriteCond %{REQUEST_URI} ^(.*)sqlite(.*)$ [NC,OR]
RewriteCond %{REQUEST_URI} ^(.*)msd(.*)$ [NC,OR]