16 Feb – Adding Extra Security with the .htaccess file
Here are some tips to keep your website more secure using the .htaccess file. On Apache servers, the .htaccess file lets you secure your site and customise how the server handles requests on a per-directory basis. Its more common uses are URL redirects, URL rewriting and controlling access to files and folders. Most hosting companies allow you to override parts of the server configuration this way (the AllowOverride directive controls what you may change). If yours doesn't, then you really should find a better host.
Tip #1 – Block a malicious user's IP address
This is only really useful if you find that the same IP address is harassing you. Most of the time, people are hiding behind a proxy.
```apache
# Apache 2.2 access-control syntax; on Apache 2.4 this needs mod_access_compat,
# otherwise express the same rule with the 2.4 Require directives.
Order Allow,Deny
Allow from all
Deny from BAD IP ADDRESS
Deny from BAD WEBSITE
```
Tip #2 – Block malicious query requests
This can be very valuable to your website: it weeds out a lot of SQL injection attempts before they reach your application. Of course, the real security is input validation within your actual code.
```apache
RewriteEngine On
# Conditions are chained with [OR]: if any one matches, the rule answers 403 (F).
# %{QUERY_STRING} is the raw, still-percent-encoded query, hence the %xx entries.
RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127.0.0.1).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*('|"|%0A|%20|%0D|%22|%B7|%29|%D8|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{QUERY_STRING} proc/self/environ [NC,OR]
# Keywords are matched as substrings, so harmless values such as "reset" or "forecast" also trigger this.
RewriteCond %{QUERY_STRING} ^.*(md5|benchmark|union|echo|select|insert|substring|cast|set|declare|drop|update).* [NC]
RewriteRule ^(.*)$ - [F,L]
```
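As an added illustration that is not part of the original post, here is a Python re-implementation of the Tip #2 condition chain run over a few constructed query strings. It shows what the filter catches and that the substring keyword match also blocks harmless values such as reset or forecast; the word-boundary variant is my own suggestion, not something on the page.

```python
import re
from urllib.parse import unquote_plus, urlparse

# The four Tip #2 RewriteCond patterns, transcribed from the snippet above.
# [NC] is re.IGNORECASE; the conditions are chained with [OR], so the rule
# answers 403 as soon as any one matches. %{QUERY_STRING} is the raw,
# still-percent-encoded query, so the patterns run against that form.
QUERY_STRING_CONDS = [
    r"^.*(localhost|loopback|127.0.0.1).*",
    r"""^.*('|"|%0A|%20|%0D|%22|%B7|%29|%D8|%27|%3C|%3E|%00).*""",
    r"proc/self/environ",
    r"^.*(md5|benchmark|union|echo|select|insert|substring|cast|set|declare|drop|update).*",
]
COMPILED = [re.compile(p, re.IGNORECASE) for p in QUERY_STRING_CONDS]

# Word-boundary variant of the keyword condition (my addition, not on the
# page): keywords must stand alone, so 'reset' no longer matches 'set'.
STRICT_KEYWORDS = re.compile(
    r"\b(md5|benchmark|union|echo|select|insert|substring|cast|set|declare|drop|update)\b",
    re.IGNORECASE,
)

def is_blocked(query_string: str, strict: bool = False) -> bool:
    """True if the Tip #2 rule chain would return 403 for this query string."""
    if any(c.search(query_string) for c in COMPILED[:3]):
        return True
    if strict:
        # Decode first so an encoded separator still gives a word boundary:
        # '1%3Bdrop' becomes '1;drop' and \bdrop\b then matches.
        return STRICT_KEYWORDS.search(unquote_plus(query_string)) is not None
    return COMPILED[3].search(query_string) is not None

def evaluate(urls, strict: bool = False) -> dict:
    """Map each URL to the verdict the filter gives its query string."""
    return {u: is_blocked(urlparse(u).query, strict) for u in urls}

# Constructed sample requests, not real traffic: two the filter is meant to
# catch, one harmless, and two harmless ones the substring match also blocks
# ('reset' contains 'set', 'forecast' contains 'cast').
SAMPLE_URLS = [
    "https://example.test/item.php?id=1%27%20or%201=1",
    "https://example.test/show.php?file=../../proc/self/environ",
    "https://example.test/news.php?page=2",
    "https://example.test/account.php?action=reset",
    "https://example.test/weather.php?view=forecast",
]

if __name__ == "__main__":
    for url, blocked in evaluate(SAMPLE_URLS).items():
        print("403" if blocked else "200", "403" if is_blocked(urlparse(url).query, True) else "200", url)
```

Running it prints the verdict of the rule as written next to the word-boundary verdict for each URL, so you can see which legitimate requests the original substring match would reject.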
Tip #3 – Block malicious user agents
When you go through your security logs, you will see an evolution of dirty user agents. It's almost like a bad flu that spreads. I've recently encountered trouble with the HAVIJ tool, which allows for SQL injection 'testing'. Most of the time, hackers use these tools to find vulnerable websites. If your site sends back a 403 response, they most likely won't come back.
```apache
# RewriteEngine On must already be in effect (it is if the Tip #2 block precedes this one).
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
# Note that curl, wget and python also match legitimate uptime monitors and scripted clients.
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR]
# The last condition of an OR chain must not carry the OR flag.
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
RewriteRule ^(.*)$ - [F,L]
```
Tip #4 – Disable directory listing
This blocks a user's attempt to browse a directory and list its files. I find this much more useful than dropping a blank index.html page into every directory.
```apache
# Make sure that directory listings are disabled.
# The directive was commented out in the original snippet and did nothing; it must be active.
# Requires AllowOverride Options (or at least Options=Indexes) in the server configuration.
Options -Indexes
```
Tip #5 – Whitelist your IP address
Put an .htaccess file in the directory that holds your admin panel. Note that this will only be useful if you have a static IP address that doesn't change; otherwise you will effectively block yourself.
```apache
# Apache 2.2 syntax (needs mod_access_compat on 2.4): deny everyone, then allow only your address.
Order Deny,Allow
Deny from all
Allow from YOUR IP ADDRESS
```