Internet, Web Site, Security with .htaccess

October 27, 2012

The most reliable place for access controls is the main server configuration (/etc/httpd/conf/httpd.conf on Red Hat-style systems) when you administer the whole server. On shared hosting you only get .htaccess files, which Apache reads on every request and honours only where the host’s AllowOverride setting permits. Read the post “Unix-Apache .htaccess” for basic information first if you are not familiar with this.

It is best to keep a duplicate of your site on your home PC, where you can test any change to httpd.conf or .htaccess before committing it to the live server; a syntax error in an .htaccess file takes every page under that directory down with a 500 error.


Web Site Security

One line of defence is file permissions (chmod).
Give .php files mode 600 where PHP runs as your own user, and mode 400 to files that nobody else should ever read.
NEVER chmod 777. If something genuinely needs write access, make the Apache user the owner of that one file or directory, or, as a last resort, use 666. Only directories need a 7 or a 5, and they should be 755; PHP files need no more than 644, or 600 if PHP runs as your account.
Which of 600 and 644 works depends on the user PHP runs as. Under mod_php the interpreter runs as the Apache user, so a 600 file owned by you is unreadable to it and the page fails; use 644 there. Under suPHP, CGI with suEXEC, or a PHP-FPM pool running as your account, 600 is fine. On a shared host the real danger is the last digit: anything with a 6 or 7 there can be rewritten by any other customer’s process on the same machine.
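The two rules above (nothing world-writable, secret files unreadable by anyone but the owner) are easy to check mechanically. The script below is an added example written for this page, not code from the original post; it assumes a Unix filesystem, treats .ini, .inc and .htpasswd as the secret-bearing files, and uses 644 rather than 600 as the default for scripts because that is what works under mod_php.

```python
import os
import stat

# Files whose contents should never be readable by other accounts on a shared host.
# Assumption (not from the original post): .ini/.inc/.htpasswd are the secret-bearing files.
SENSITIVE_SUFFIXES = (".ini", ".inc", ".htpasswd")


def audit_permissions(root):
    """Walk a site tree and return (path, octal_mode, problem) tuples.

    Two rules from the post: nothing may be world-writable (no 6 or 7 as the
    last digit), and secret-bearing files must not be readable by group or
    others. Symlinks are skipped because lstat() reports 0777 for them.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            is_dir = stat.S_ISDIR(st.st_mode)
            if mode & stat.S_IWOTH:
                kind = "directory" if is_dir else "file"
                findings.append((path, oct(mode), "world-writable " + kind))
            elif (not is_dir and name.endswith(SENSITIVE_SUFFIXES)
                  and mode & (stat.S_IRGRP | stat.S_IROTH)):
                findings.append((path, oct(mode), "secret file readable by others"))
    return findings


def recommended_mode(path):
    """The post's target modes: 755 for directories, 600 for secret files, 644 otherwise.

    Assumption (not from the post): 644 is the default for scripts because under
    mod_php the Apache user, not you, has to be able to read them.
    """
    if os.path.isdir(path):
        return 0o755
    if path.endswith(SENSITIVE_SUFFIXES):
        return 0o600
    return 0o644


def fix_permissions(root, apply=False):
    """Return (path, old_mode, new_mode) for every finding; chmod only when apply=True."""
    changes = []
    for path, old, _problem in audit_permissions(root):
        new = recommended_mode(path)
        changes.append((path, old, oct(new)))
        if apply:
            os.chmod(path, new)
    return changes


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, mode, problem in audit_permissions(target):
        print(f"{mode} {path}: {problem}")
```

Run it against the document root first without applying anything; the report is short enough to read by hand, and the one legitimate exception (a cache or upload directory the Apache user owns) is exactly the kind of thing a blanket chmod would get wrong.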

A config.ini file containing passwords must not be served to the web. Create an .htaccess file (or, better, a section in httpd.conf) telling Apache not to serve that or any other .ini file, any include file (*.inc), any log file, and any .txt file.

The .htaccess file (or better yet, httpd.conf) should contain:

<FilesMatch "\.(ini|inc|log|txt)$">
Deny from all
# Allow from env=REDIRECT_STATUS
</FilesMatch>


<Files "robots.txt">
Allow from all
</Files>

Generally, /robots.txt is the only .txt file that has to be readable by visitors (Google, Yahoo and the other crawlers), if you have one. The <Files> block is given the literal name “robots.txt” rather than a FilesMatch regex so it cannot accidentally match other names. On Apache 2.4 the same thing is written with Require all denied and Require all granted from mod_authz_core; the Order/Allow/Deny form shown here is understood by 2.4 only if mod_access_compat is loaded.

Some guides add a line allowing requests that carry the REDIRECT_STATUS environment variable to reach the .ini and .inc files. On my two web sites it is not needed and is commented out; I display it here in case you need it in some other situation.
It is rarely needed because PHP’s include() and parse_ini_file() read files straight from the filesystem, not through Apache, so a FilesMatch deny never sees those reads and cannot break them. REDIRECT_STATUS is set only on Apache internal redirects (an ErrorDocument, a mod_rewrite rule, or a PHP-as-CGI dispatch), so the allow line matters only when a denied file is genuinely fetched through such a redirect.

restrict or deny access to folders

A typical example is an “includes/” folder (or cache/, libraries/, components/). Your site’s pages can include these scripts all they like, since PHP reads them from disk, but you do not want visitors requesting them directly over the web. Add an .htaccess file to the includes folder with content like this:

# no one gets direct access here!
Deny from All

This denies all direct access to every file in that folder and in the folders under it. Do not add “AllowOverride None” to the .htaccess file to stop a deeper .htaccess from undoing the deny: Apache accepts AllowOverride only in httpd.conf (inside a <Directory> block) and answers every request under an .htaccess that contains it with a 500 error. If you control httpd.conf, set AllowOverride None for that directory there; on shared hosting you cannot, so watch what gets written into subfolders instead.

Often an /admin/ folder has an index.php and other scripts that must stay reachable by an administrator. Limiting access to particular IP addresses is a good way to handle that.

# allow direct access to this folder only from these 2 IP addresses:
Order Deny,Allow
Deny from all
Allow from 123.123.1.10 123.123.255.88

Don’t use the example numbers; use your own IP and, if someone else helps you with the site, theirs. See “Control access” below.

The .htaccess file itself is protected by a directive that every stock httpd.conf carries (recent versions use a FilesMatch on the “.ht” prefix so that .htpasswd is covered too):
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
To confirm it is in place, open a browser tab and request http://www.YourWebSite.com/.htaccess. Even if you have no .htaccess file, Apache answers with a 403 “Forbidden”; a 404, or worse the file’s contents, means your host’s configuration lacks this block and you should add it to your own root .htaccess.

Control access …

by IP address

If you are the only person who logs in to admin and your home connection has a fixed IP address, put an .htaccess in the admin folder that admits only that address. Everyone else is refused before they can even offer a password, so a stolen id and password, or a remote probe against anything real or imagined in the admin folder, gets a 403 and nothing more. It does not stop an attack that rides in your own browser (cross-site request forgery, or a script injected into an admin page), because those requests come from your IP.

If a site keeps getting hacked and you have not yet found a better way to keep the attacker out, you should be the only one going in.

To keep everyone but you out of admin, make sure nobody else knows your FTP password. Change it before you set this up and again afterwards. Once inside, an intruder can create several extra FTP accounts, so check in cPanel (or whatever control panel your host provides) that there are none you did not create; there should be none, period. An attacker who can get in with FTP can simply delete or rewrite your .htaccess file. Plain FTP also sends the password in clear text over the wire, so use SFTP or FTPS if your host offers either.


Order Deny,Allow
Deny from all
Allow from 123.123.1.10

Where 123.123.1.10 is your IP. Note that Order takes exactly one argument: write Deny,Allow with no space after the comma, or Apache rejects the file and every request in the folder fails with a 500 error.
or
Allow from 123.123.1.10 123.123.1.205
or
Allow from 123.123.1.10
Allow from 123.123.1.205
if you have 2 IPs you want allowed.

To allow a specific IP range:
Allow from 123.123.1
to allow all IPs starting with 123.123.1 (a partial address is matched octet by octet, so this is the same as 123.123.1.0/24).

Apache does not accept a hyphenated range such as 123.123.1.1-123.123.1.20; it treats that argument as a host name, and it never matches a client by IP. Use network/CIDR or network/netmask instead:
Allow from 123.123.1.0/28
Allow from 123.123.1.0/255.255.255.240
Both allow 123.123.1.0 through 123.123.1.15. A range that is not a whole power-of-two block, such as .1 through .20, has to be split across several CIDR lines.
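To see exactly which clients a given set of Allow lines admits, and to turn an arbitrary range into lines Apache will accept, here is an added example for this page (not code from the original post or from Apache). It emulates the matching done by an Order Deny,Allow / Deny from all / Allow from … block for IPv4 only, using the four address forms Apache documents; the function and variable names are this example’s own.

```python
import ipaddress
import re

# A bare dotted prefix: one to four octets (123, 123.123, 123.123.1, 123.123.1.10).
PARTIAL_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}$")


def parse_allow_spec(spec):
    """Turn one argument of an Apache 'Allow from' line into an ip_network.

    The four address forms Apache (mod_authz_host / mod_access_compat) accepts:
      full address        123.123.1.10
      partial address     123.123.1          (leading octets: a /8, /16 or /24)
      network/CIDR        123.123.1.0/28
      network/netmask     123.123.1.0/255.255.255.240
    Anything else (a host name, or a hyphenated range) raises ValueError here;
    Apache itself would treat it as a host-name pattern, which never matches by IP.
    """
    spec = spec.strip()
    if "/" in spec:
        # ipaddress accepts both a prefix length and a dotted netmask after the slash
        return ipaddress.ip_network(spec, strict=False)
    if PARTIAL_IPV4.match(spec):
        octets = spec.split(".")
        prefix = 8 * len(octets)
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{prefix}", strict=False)
    raise ValueError(f"not an address form Apache accepts: {spec!r}")


def is_allowed(client_ip, allow_specs):
    """Emulate  Order Deny,Allow / Deny from all / Allow from <specs>  for one client."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in parse_allow_spec(s) for s in allow_specs)


def cidr_for_range(first, last):
    """Split an inclusive address range into the CIDR blocks Apache can take."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(b) for b in blocks]


def allow_lines_for_range(first, last):
    """The 'Allow from' lines equivalent to a hyphenated range like 123.123.1.1-123.123.1.20."""
    return [f"Allow from {b}" for b in cidr_for_range(first, last)]


if __name__ == "__main__":
    for line in allow_lines_for_range("123.123.1.1", "123.123.1.20"):
        print(line)
```

The .1 through .20 range the post wanted comes out as six lines (/32, /31, /30, /29, /30, /32), which is why a single hyphenated argument looks so tempting and why it is worth knowing Apache silently ignores it.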

If you think you have identified the attacker’s IP address, one site where you can look it up for more information is http://whois.domaintools.com/, or do a Google search for “who is 123.123.1.205”, for example.

If the lookup points to a network you have no business with (a hosting provider, or a country none of your visitors come from), block it outright. Keep in mind, though, that attackers work from many addresses, so blocking one buys little. The scanning bot they use may announce itself in the User-Agent header and be blockable by name. Best of all, if you can deny direct access to nearly everything except the pages that are there for the public, you no longer depend on knowing the attacker’s address at all.

Total, complete, protection

This involves two .htaccess files: one at the root of your blog, the other in your admin folder and in any other folder whose programs are for your eyes only.

It does not stop bandwidth theft or spam, but it does refuse any direct request for anything except images, style sheets and JavaScript, which takes the direct-request probing of the previous sections off the table. (Add any image extensions you use that I left out; if you have a file or folder of files you let people download, add it to the exceptions below.) Everything else should be reached only by your programs, never directly by visitors, outsiders or attackers. A plug-in or extension that this breaks can be replaced with one that does not need direct access, or, if it has a single file that visitors must call directly, that one file can be added to the exceptions, but only if you trust it (search for reports on it first).

here is an example for WordPress (the rules go in the root .htaccess, after WordPress’s own rewrite block, so that pretty-permalink URLs, which are not files on disk, are routed to index.php before these conditions see them):

RewriteEngine On
# the only things a visitor may request directly; every RewriteCond is negated,
# so the RewriteRule fires when none of them matches
RewriteCond %{REQUEST_FILENAME} !^.*\.(css|jpg|jpeg|gif|png|ico|mp4|swf|js)$
RewriteCond %{REQUEST_FILENAME} !/403\.php
RewriteCond %{REQUEST_FILENAME} !wp-admin/$
RewriteCond %{REQUEST_FILENAME} !wp-login\.php$
RewriteCond %{REQUEST_FILENAME} !wp-comments-post\.php
RewriteCond %{REQUEST_FILENAME} !index\.php$
RewriteCond %{REQUEST_FILENAME} !robots\.txt
# answer 403 directly; the ErrorDocument line makes Apache show /403.php for it
RewriteRule . - [F,L]
ErrorDocument 403 /403.php

A common variant ends in RewriteRule . /403.php [R=301,L]. That works, but a 301 is a permanent redirect that browsers cache and search engines record as “this URL moved to /403.php”; the F flag returns a real 403 status and the ErrorDocument still shows your page. Test every public URL after adding this: anything WordPress serves that is not in the list, such as feeds, xmlrpc.php, web fonts, PDFs in wp-content/uploads and wp-admin/admin-ajax.php (which themes call from public pages), is blocked too.

Now, for the admin folder (for WordPress, wp-admin) and any other folder that is only for your use, put this .htaccess file in it, allowing your own IP address (not 123…). Add the folder to the exceptions above first, otherwise even you cannot get in, and note that !wp-admin/$ matches only the folder URL itself: the pages inside it (wp-admin/edit.php and so on) need the wider exception !wp-admin/ to pass.

Order deny,allow
Deny from all
Allow from 123.123.123.123
Allow from 127.0.0.1

The last line, “Allow from 127.0.0.1” is optional. You may only need it if you have a copy on your own pc where you develop and test, or keep a backup.
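Because every RewriteCond in the WordPress block is negated, it is easy to misjudge what it blocks. The script below is an added example for this page (not code from the original post or from WordPress): it applies the same seven patterns with Python’s regex engine to a list of constructed request paths and reports the verdict for each. It assumes a document root of /var/www/html with no aliases, so that REQUEST_FILENAME is simply the root plus the URL path; the names are this example’s own.

```python
import re

# The RewriteCond patterns from the WordPress block (dots escaped). Each one is
# negated in the .htaccess, so a request is blocked when NONE of them matches.
EXCEPTIONS = [
    r"^.*\.(css|jpg|jpeg|gif|png|ico|mp4|swf|js)$",
    r"/403\.php",
    r"wp-admin/$",
    r"wp-login\.php$",
    r"wp-comments-post\.php",
    r"index\.php$",
    r"robots\.txt",
]

DOCROOT = "/var/www/html"  # assumed document root, used only to build REQUEST_FILENAME


def request_filename(url_path):
    """Approximate %{REQUEST_FILENAME}: document root + URL path (assumes no Alias rules)."""
    return DOCROOT + url_path


def is_blocked(url_path):
    """True when no exception matches, i.e. the RewriteRule would answer 403.

    RewriteCond patterns are unanchored unless they start with ^, which is why
    re.search (not re.match) is the faithful emulation.
    """
    target = request_filename(url_path)
    return not any(re.search(p, target) for p in EXCEPTIONS)


def classify(url_paths):
    """Return {path: 'blocked' | 'allowed'} for a list of requests."""
    return {p: ("blocked" if is_blocked(p) else "allowed") for p in url_paths}


# Constructed sample requests a WordPress site normally has to serve.
SAMPLE_REQUESTS = [
    "/index.php", "/robots.txt", "/wp-login.php", "/wp-admin/",
    "/wp-content/themes/t/style.css", "/wp-content/themes/t/font.woff",
    "/wp-admin/edit.php", "/wp-admin/admin-ajax.php", "/xmlrpc.php",
    "/feed/", "/wp-content/uploads/2012/10/report.pdf",
]

if __name__ == "__main__":
    for path, verdict in classify(SAMPLE_REQUESTS).items():
        print(f"{verdict:8} {path}")
```

The run shows the trade-off in one screen: the entry points survive, but admin-ajax.php, the feed, xmlrpc.php, fonts and uploaded documents all come back 403, each of which needs either a deliberate exception or a deliberate decision to live without it.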


Fail2ban
A daemon that watches log files for repeated failed logins and bans the offending IP address, for a set time, with a firewall rule.
fail2ban should be in your distribution’s list of available software (System -> Administration -> “Add/Remove Software”, or apt/yum on the command line).
fail2ban can be configured to monitor any service that writes login attempts to a log file
(for example: the SSH server, the ProFTPD server, failed attempts against .htaccess/.htpasswd-protected pages as recorded in Apache’s error log, Courier POP3 and Courier IMAP, and SASL, for sending mail). Each service is a “jail” with three knobs: how many failures (maxretry) within how many seconds (findtime) earn a ban of how long (bantime).

Also see “denyhosts”, which does the same job for SSH only.
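The maxretry/findtime logic is small enough to show in full. The script below is an added example for this page, not fail2ban’s own code: it runs a sliding-window detector over a handful of constructed Apache access-log lines (TEST-NET addresses, invented timestamps) and emits the Deny lines you could paste into an .htaccess. The status-code test stands in for the error-log pattern the real apache-auth jail uses, so that the sample stays self-contained; function names and the sample log are this example’s own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache combined-format log lines (TEST-NET addresses, not real traffic).
# A 401 stands for a failed attempt against an .htpasswd-protected area.
SAMPLE_LOG = """\
192.0.2.9 - - [27/Oct/2012:10:00:00 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Oct/2012:10:00:01 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/7.21"
203.0.113.7 - - [27/Oct/2012:10:00:05 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/7.21"
203.0.113.7 - - [27/Oct/2012:10:00:09 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/7.21"
203.0.113.7 - - [27/Oct/2012:10:00:14 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/7.21"
198.51.100.2 - - [27/Oct/2012:10:01:00 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.2 - - [27/Oct/2012:10:01:30 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [27/Oct/2012:10:11:00 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.9 - - [27/Oct/2012:10:22:00 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')


def parse_line(line):
    """Return (ip, datetime, status) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(m["status"])


def find_bans(lines, maxretry=3, findtime=600, failure_statuses=(401, 403)):
    """Sliding-window detector in the style of a fail2ban jail.

    An IP is banned at the moment its maxretry-th failure falls within findtime
    seconds of the oldest failure still in its window. Returns {ip: ban_time}.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    bans = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        if status not in failure_statuses or ip in bans:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()          # drop failures that have aged out
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


def deny_lines(bans):
    """The .htaccess lines that would shut the banned addresses out of a folder."""
    return [f"Deny from {ip}" for ip in sorted(bans)]


if __name__ == "__main__":
    for line in deny_lines(find_bans(SAMPLE_LOG.splitlines())):
        print(line)
```

With the defaults (3 failures in 10 minutes) only 203.0.113.7 is banned: 198.51.100.2 mistyped once and then logged in, and 192.0.2.9’s three failures are eleven minutes apart, so each has aged out before the next arrives. Widen findtime to 25 minutes and the slow one is caught too, which is the knob a patient attacker is counting on you to leave alone.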


Neither the best passwords, nor .htaccess, nor php.ini settings, nor a super-helpful hosting company will protect your web site if your PC is infected with a keystroke logger sending crooks every id and password, every time you use or change one of them.

There are many kinds of malicious software: viruses, spyware, Trojan horses, worms, bots and rootkits, the great majority of which, at the time of writing, target Microsoft Windows. Attackers know the common broadband and dial-up IP ranges and scan them regularly; numerous worms circulate continuously looking for new (Windows) computers to exploit, identities to steal and web sites to take over. As a result, the average time to exploitation of an unprotected (Windows) computer connected to the internet is measured in minutes, especially in the ranges used by cable, DSL and dial-up providers. Use caution when opening email attachments, visiting unfamiliar web sites, downloading “free” software (it may cost you dearly) or using peer-to-peer file sharing. If you share files on your home network, require authentication and set hard-to-crack passwords. Never open email attachments from untrusted sources (you know your friend, but do you know where they got the attachment?), however tempting and attractive they seem; the “tempting and attractive” ones are exactly the ones to distrust. Likewise, never click links in email to unknown sites, especially if you read mail in a browser rather than downloading it and deleting it from the server (see the Gmail example below). Keep mail deleted from the server, above all mail containing anything that could compromise you.

More complete information is at
http://www.encinojon.com/comintsec/ : Computer Internet Security class and web site, L.A., Calif.
http://www.us-cert.gov/reading_room/before_you_plug_in.html : US-CERT tips (United States Computer Emergency Readiness Team, National Cyber Alert System, Carnegie Mellon University)
http://www.pcmag.com/article2/0,2817,2311934,00.asp : PC Magazine
http://www.techsupportalert.com/how-to-secure-your-pc.php : Gizmo’s Tech Support Alert
http://www.firewallguide.com/overview.htm : an extensive list of sites and articles, including those above.

Very Scary:
“On December 24th, 2007 there was a Google security infection that can affect every Gmail user on the planet.” See “WARNING: Google’s Gmail security failure leaves my business sabotaged”.

Feb. 4, 2010
(CNET) Google is finalizing an agreement with the National Security Agency to help the search giant ward off cyberattacks, according to the Washington Post. The NSA is to help analyze a cyberattack on Google that the company said originated in China and defend it from future attacks. …

July 10, 2009; By Michael Horowitz

Just that morning I had installed a new router on my LAN, so I checked its activity log. After only 1 day of operation, my router had blocked five unsolicited inbound connection attempts, from three different IP addresses, and they were all in China!

A router protects a computer from just these types of attacks. Everyone should do their computing behind a router. You can test how well the firewall in your router is protecting you with Steve Gibson’s Shields Up!: [https://www.grc.com/x/ne.dll?bh0bkyd2]

see Michael’s full article “Help! Chinese Hackers are Attacking my PC” at
http://itmanagement.earthweb.com/secu/article.php/3829211/

April 18, 2010; Greg

I went to www.grc.com, above, again, and found that my home router is still doing a great job operating in stealth mode. I have left Windows permanently, and use Linux now. However, I have 2 web sites, www.pwsdb.com, and www.fuel-efficient-vehicles.org

I had learned how to suppress comment spam on my sites some months ago, with and without a “captcha” question, and also read how to lock out spammers and hackers with some programming and use of the .htaccess file. I bookmarked the information then and recently began implementing it. The end result is above.

The first thing that happened was, I discovered that attempts were being made to hack this (and every) web site – and most were from China! (read up on Indy Library) The above information is what you need to stay safe.

One Response to Internet, Web Site, Security with .htaccess

  1. rob on August 16, 2013 at 4:29 pm

    Thx for article.

    http://www.ddnss.de
