One of often overlooked security (and not only) resource for any Joomla site is under your fingertips! With each Joomla install (even from the old Mambo days) you have a file named htaccess.txt in your site's root directory. In most cases is never touched, and left as is - most weekend webmasters don't even know what is for. A few are using it to help Joomla or the specialized SEF URL builders to make those pretty SEF URL's for their site. And that's pretty easy - in most cases it's enough to rename it to .htaccess, and you are set. But there is much more power hidden there...

A .htaccess (hypertext access) file is a directory-level configuration file supported by several web servers, that allows for decentralized management of web server configuration.
The original purpose of .htaccess - reflected in its name - was to allow per-directory access control, by for example requiring a password to access the content. Nowadays however, the .htaccess files can override many other configuration settings including content type and character set, CGI handlers, etc.
These files are placed inside the web tree, and are able to override a subset of the server's global configuration for that directory, and all sub-directories.

Common usage

Authorization, authentication
.htaccess files are often used to specify the security restrictions for the particular directory, hence the filename "access". The .htaccess file is often accompanied by a .htpasswd file which stores valid usernames and their passwords.[5]

Rewriting URLs
Servers often use .htaccess to rewrite long, overly comprehensive URLs to shorter and more memorable ones.

Blocking
Use allow/deny to block users by IP address or domain. Also, use to block bad bots, rippers and referrers. Often used to restrict access by Search Engine spiders

SSI
Enable server-side includes.

Directory listing
Control how the server will react when no specific web page is specified.

Customized error responses
Changing the page that is shown when a server-side error occurs, for example HTTP 404 Not Found.

MIME types
Instruct the server how to treat different varying file types.

Cache Control
.htaccess files allow a server to control caching by web browsers and proxies to reduce bandwidth usage, server load, and perceived lag.

As you can see, it's a powerful resource. Can be - and should be - used for strengthening your site too. And here begins the fun! Let's see a couple of useful tricks.

First of all, a general rule: Each "RewriteCond" command must be on hos own line, and ending with the [OR] command, to add the next rule to the command chain. The only exception from the rule is the LAST "RewriteCond" , followed by the action to be taken by the webserver - in our case issuing a 403- Forbidden error if one of conditions is meet. Check the .htaccess Guide for more details.

Block bad user agents

 To block bad user agents you need to insert for each user agent you want to lock out lines like this:

 RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:This email address is being protected from spambots. You need JavaScript enabled to view it. [OR]
 RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
 RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR] 
 RewriteCond %{HTTP_USER_AGENT} ^Zeus
 RewriteRule .* - [F]
Note: The final RewriteCond must NOT use the [OR] flag.

This block of rules will return a 403 Forbidden error on each visit which matches one of above rules.

It is unwise to rely on this as your ONLY security mechanism. You can find a list of user agents to use on many "security" mailing lists or on a forum such as http://www.webmasterworld.com/search_engine_spiders/. These list will always be incomplete and probably you need to update it as often as you can, but if you find scary entries on your server's access logs, it's wise to add at least these entries to your .htaccess file.

Block MySQL injects

 RewriteCond %{QUERY_STRING} (;|<|>|’|”|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR] 
# Note: The final RewriteCond must NOT use the [OR] flag. 
# Return 403 Forbidden error. 
RewriteRule .* index.php [F]

Block LFI Attacks

 RewriteCond %{QUERY_STRING} \.\./\.\. [OR]
# Note: The final RewriteCond must NOT use the [OR] flag. 
# Return 403 Forbidden error. 
RewriteRule .* index.php [F]

Other useful settings

 ServerSignature Off
 RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
 RewriteCond %{THE_REQUEST} (\\r|\\n|%0A|%0D) [NC,OR]
 
 RewriteCond %{HTTP_REFERER} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
 RewriteCond %{HTTP_COOKIE} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
 RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|”>|”<|/|\\\.\.\\).{0,9999} [NC,OR]
 
 RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
 RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget) [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} (winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} (libwww-perl|curl|wget|python|nikto|scan) [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
 
 
 RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
 RewriteCond %{QUERY_STRING} \.[a-z0-9] [NC,OR]
 RewriteCond %{QUERY_STRING} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC]
 
# Note: The final RewriteCond must NOT use the [OR] flag. RewriteRule .* index.php [F]

More tips like this, with up-to date examples you can find on Joomla Docs site

0
0
0
s2sdefault
Category: Secure Joomla