7G Firewall
The 7G Firewall is a powerful, well-optimized set of LiteSpeed-compatible rewrite rules. Add these rules to your root .htaccess for performance-friendly server-level protection. 7G Firewall works by verifying all URI requests against a set of carefully constructed .htaccess directives without the need to invoke PHP or MySQL.
Install
- Download the ZIP file from Perishable Press
- Copy the contents of 7G_Firewall.txt into your site's document root .htaccess
- Restart OpenLiteSpeed: systemctl restart lsws
Verify it's Working
Visit ?fullclick or 0day.php on your domain (for example, https://example.com/?fullclick). The server should return a 403 Permission Denied error.
Log Blocked Requests
7G Firewall includes built-in logging directives. Once logging is enabled, mod_rewrite will send request data to the 7G_log.php script. The logging script then parses the data and writes it to the 7G_log.txt file. The result is a log file that looks very similar to Apache defaults.
- Download the ZIP file from Perishable Press
- Copy 7G_log.txt to your site's document root, or touch a file with that name there
- Copy 7G_log.php to your site's document root
- Update the rewrite rules in .htaccess so that it performs 7G logging, as described in Modify .htaccess below
- Restart OpenLiteSpeed: systemctl restart lsws
Modify .htaccess
You should see this line in several places in .htaccess:
RewriteRule .* - [F,L]
Directly under that line will be commented-out rules similar to this one:
# RewriteRule .* /7G_log.php?log [END,NE,E=7G_QUERY_STRING:%1___%2___%3]
In order to initiate logging, comment out the first rule, and uncomment the second, like so:
# RewriteRule .* - [F,L]
RewriteRule .* /7G_log.php?log [END,NE,E=7G_QUERY_STRING:%1___%2___%3]
Additionally, all of the newly enabled rules will need to be modified in order to work with OpenLiteSpeed.
This is because OLS passes [REDIRECT_QUERY_STRING] => fullclick instead of [REDIRECT_QUERY_STRING] => log, so the statement return ($check === 'log') ? true : false; in 7G_log.php returns false and the script exits.
To avoid this, modify all of the logging rewrite rules so that they assign the variable in the rewrite itself. Add E=REDIRECT_QUERY_STRING:log to each of these rules, before the closing ], like so:
RewriteRule .* /7G_log.php?log [END,NE,E=7G_QUERY_STRING:%1___%2___%3,E=REDIRECT_QUERY_STRING:log]
Note
Even though the 7G variable name changes in each of these logging rewrite rules, you should always add the same OLS variable (E=REDIRECT_QUERY_STRING) to the rule.
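The edits described under Modify .htaccess can be applied to every rule pair in one pass. The script below is an added example, not part of 7G Firewall or OpenLiteSpeed; the function names are hypothetical, and the sample rules are constructed (the second variable name, 7G_REQUEST_URI, is an assumption).

```python
import re

# Active blocking rule shipped by 7G, and the commented-out logging rule below it.
BLOCK_RE = re.compile(r'^(\s*)RewriteRule \.\* - \[F,L\]\s*$')
LOG_RE = re.compile(r'^(\s*)#\s*(RewriteRule \.\* /7G_log\.php\?log \[)([^\]]*)\]\s*$')
OLS_FLAG = 'E=REDIRECT_QUERY_STRING:log'  # the same flag for every logging rule

# Constructed sample, not the real 7G rule set; 7G_REQUEST_URI is an assumed name.
SAMPLE = """\
<IfModule mod_rewrite.c>
    RewriteCond %{QUERY_STRING} (fullclick) [NC]
    RewriteRule .* - [F,L]
    # RewriteRule .* /7G_log.php?log [END,NE,E=7G_QUERY_STRING:%1___%2___%3]
    RewriteCond %{REQUEST_URI} (0day) [NC]
    RewriteRule .* - [F,L]
    # RewriteRule .* /7G_log.php?log [END,NE,E=7G_REQUEST_URI:%1___%2___%3]
</IfModule>
"""

def enable_7g_logging(htaccess_text):
    """Return (new_text, pairs_changed); a second run changes nothing."""
    lines = htaccess_text.splitlines()
    out, changed, i = [], 0, 0
    while i < len(lines):
        block = BLOCK_RE.match(lines[i])
        log = LOG_RE.match(lines[i + 1]) if block and i + 1 < len(lines) else None
        if block and log:
            flags = log.group(3).split(',')
            if OLS_FLAG not in flags:
                flags.append(OLS_FLAG)
            out.append(f"{block.group(1)}# RewriteRule .* - [F,L]")
            out.append(f"{log.group(1)}{log.group(2)}{','.join(flags)}]")
            changed += 1
            i += 2
        else:
            out.append(lines[i])
            i += 1
    return '\n'.join(out) + '\n', changed

def rules_missing_ols_flag(htaccess_text):
    """Line numbers of active logging rules that lack the OLS variable."""
    return [n for n, line in enumerate(htaccess_text.splitlines(), 1)
            if '/7G_log.php?log' in line and not line.lstrip().startswith('#')
            and OLS_FLAG not in line]

if __name__ == '__main__':
    text, count = enable_7g_logging(SAMPLE)
    print(f'{count} rule pair(s) switched to logging')
    print(text, end='')
```

Run it against a copy of .htaccess and diff the result before replacing the live file; rules_missing_ols_flag also catches rules that were uncommented by hand without the OLS variable.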
Verify it's Working
Visit ?fullclick or 0day.php on your domain (for example, https://example.com/?fullclick). The server should return a 403 Permission Denied error, and you should see a corresponding entry in 7G_log.txt, like so:
1.2.3.4 - 2021/10/08 01:06:38 - GET - HTTP/1.1 - / - fullclick - - - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36