Webmaster s Asp : Your 5search6 KnoxNetWhere 5
|
Inserting all of the code you presented in your example won't secure your website, but it will almost certainly disable it. Bad commands or syntax in a root .htaccess file can cause fatal server errors and make your website go dark!
I see that you have included Perl scripting in your presentation. Perl script does not go into an htaccess file! It goes into a .pl or .cgi script, usually placed in a cgi-bin directory. It's correct operation depends on absolutely correct paths to Perl and Sendmail. The commands in the .htaccess file must be tailored to your own server environment, as dictated by your host's server configuration files. These are not universally accepted settings and vary among web hosting companies. It is even possible that you will not be permitted to use any of the commands that are listed in the RewriteRules section, if your host forbids Mod Rewrite overrides. Furthermore, the broken vertical pipes displayed in these posts are incorrect code and will usually cause a server to give fatal server errors, and possibly deny access to everyone.
I also see that you quoted the first line of what is often a two line command to use Rewrite Rules: RewriteEngine On. The other command that is often required is Options +FollowSymLinks. It all depends on how your web host has configured his Apache Directives for his customers and security concerns.
There are rules in the various examples presented over the course of this thread that were specific threats being dealt with on personal levels, many of which do not automatically apply to everybody else. Some User Agents that are blocked in these examples by one person are allowed by others. Others are not serious enough problems to justify blocking access without a thorough investigation of the circumstances of the visit in question (such as the FrontPage Extensions references...they mean nothing if you don't have a FrontPage enabled site).
It is better to read you web logs on a daily basis and see what IP addresses are looking for pages that are unusual, or that trigger red flags in the general security community. If you see what looks like a suspicious User Agent, check these forums by searching for that UA in the site search engine listed at the top of every Forum page on WebmasterWorld. I would also urge you to read the entire thread that started this discussion, at [webmasterworld.com...] .
On the other hand, any User Agent that contains the words Email, Siphon, Extractor, or other names that imply email extraction, are definitely unwanted hostile agents and should be banned. This assumes that you have email addresses listed on your website that you want to protect from harvesters.
I ban only the most obvious hostile User Agents and read my logs every day. If I see a log record that reveals hostile intent I will deny access to that IP address. Since IP addresses can be dynamic, and innocent surfers can obtain the same IP used by a Phisher, I often have to remove IP bans after a period of inactivity from that address. On the other hand, since many harvesters come from certain countries and fall within a block of IPs, I sometimes block an entire country or ISP, if their members regularly harass my server. This is a judgement call on my part. If you do business with people in APNIC or RIPE network countries these country blocks are definitely not for you!
I hope this helps.
Wiz
I will make sure to review this topic more thoroughly so that I get a better grasp on how .htaccess files work. Another thing I'll have to look into is what exactly my web host does and does not support.
Was looking over htaccess things back in February this year. 9 months and so many pages later (not to mention all the side branches) and we're almost looking at a different animal.
Quick question - where do error pages now fit into the htaccess scheme of things?
I'm putting in the finishing touches to a project - as in building on one of these CMS things. Thus far their htaccess file consists of the following lines:
|
From all of the foregoing I should know where to put in most of the code. What I would like to find out, should the above lines appear at the beginning or be used at the end?
|