Inserting all of the code you presented in your example won't secure your website, but it will almost certainly disable it. Bad commands or syntax in a root .htaccess file can cause fatal server errors and make your website go dark!
I see that you have included Perl scripting in your presentation. Perl script does not go into an htaccess file! It goes into a .pl or .cgi script, usually placed in a cgi-bin directory. Its correct operation depends on absolutely correct paths to Perl and Sendmail. The commands in the .htaccess file must be tailored to your own server environment, as dictated by your host's server configuration files. These are not universally accepted settings and vary among web hosting companies. It is even possible that you will not be permitted to use any of the commands that are listed in the RewriteRules section, if your host forbids Mod Rewrite overrides. Furthermore, the broken vertical pipes displayed in these posts are incorrect code and will usually cause a server to give fatal server errors, and possibly deny access to everyone.
I also see that you quoted the first line of what is often a two line command to use Rewrite Rules: RewriteEngine On. The other command that is often required is Options +FollowSymLinks. It all depends on how your web host has configured his Apache Directives for his customers and security concerns.
There are rules in the various examples presented over the course of this thread that were specific threats being dealt with on personal levels, many of which do not automatically apply to everybody else. Some User Agents that are blocked in these examples by one person are allowed by others. Others are not serious enough problems to justify blocking access without a thorough investigation of the circumstances of the visit in question (such as the FrontPage Extensions references...they mean nothing if you don't have a FrontPage enabled site).
It is better to read your web logs on a daily basis and see what IP addresses are looking for pages that are unusual, or that trigger red flags in the general security community. If you see what looks like a suspicious User Agent, check these forums by searching for that UA in the site search engine listed at the top of every Forum page on WebmasterWorld. I would also urge you to read the entire thread that started this discussion, at [webmasterworld.com...] .
On the other hand, any User Agent that contains the words Email, Siphon, Extractor, or other names that imply email extraction, are definitely unwanted hostile agents and should be banned. This assumes that you have email addresses listed on your website that you want to protect from harvesters.
I ban only the most obvious hostile User Agents and read my logs every day. If I see a log record that reveals hostile intent I will deny access to that IP address. Since IP addresses can be dynamic, and innocent surfers can obtain the same IP used by a Phisher, I often have to remove IP bans after a period of inactivity from that address. On the other hand, since many harvesters come from certain countries and fall within a block of IPs, I sometimes block an entire country or ISP, if their members regularly harass my server. This is a judgement call on my part. If you do business with people in APNIC or RIPE network countries these country blocks are definitely not for you!
I hope this helps.
Wiz
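A pre-flight check for the mistakes Wiz lists above before the file is uploaded: the broken bar character pasted in place of `|`, Perl that belongs in a .pl/.cgi script, bad flag delimiters on Rewrite directives, and Rewrite rules with no `RewriteEngine On` or `Options +FollowSymLinks`. This is an added example, not code from the thread or from WebmasterWorld. The two .htaccess snippets inside it are constructed for the demonstration, the set of checks is a heuristic chosen for this example, and Python's `re` stands in for Apache's regex engine, so a clean result means the obvious breakers are gone, not that the host will accept every directive:

```python
"""Pre-flight linter for an .htaccess ban list (added example, not from the
thread).  Catches the mistakes the post above says take a site down: a
broken bar pasted in place of '|', Perl that belongs in a .cgi script, bad
flag delimiters, Rewrite rules with no 'RewriteEngine On'.  Heuristic only;
Python's re stands in for Apache's PCRE and not every directive is known."""
import re

BROKEN_BAR = "\u00a6"  # '¦', what many web pages render in place of '|'

# Lines that look like Perl pasted into .htaccess (Apache: "Invalid command").
PERL_LINE = re.compile(
    r"^\s*(#!.*perl|use\s+\w+(?:::\w+)*\s*;|my\s+[$@%]\w+|print\s+|"
    r"open\s*\(|[$@%]\w+\s*=[^=])"
)
# RewriteCond operands that are not regexes: file tests (-f, -d) and
# lexical comparisons (<, >, =); the regex check must skip them.
NON_REGEX_COND = re.compile(r"^!?(-[A-Za-z]|[<>=])")


def lint_htaccess(text):
    """Return [(line_no, severity, message)].  'error' normally means a 500
    for every visitor; 'warning' depends on how the host configured Apache."""
    findings = []
    engine_on = False
    follow_symlinks = False
    first_rewrite_line = None
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if PERL_LINE.match(line):
            findings.append((no, "error", "Perl code: belongs in a .pl/.cgi script, not in .htaccess"))
            continue
        if line.startswith("#"):
            continue
        if BROKEN_BAR in line:
            findings.append((no, "error", "broken bar '\u00a6' used where an ASCII '|' was meant"))
        if any(ord(c) > 127 and c != BROKEN_BAR for c in line):
            findings.append((no, "warning", "non-ASCII character in a directive (smart quotes?)"))
        if line.count('"') % 2:
            findings.append((no, "error", "unbalanced double quote"))
        tokens = line.split()
        directive = tokens[0].lower()
        if directive == "rewriteengine":
            engine_on = len(tokens) > 1 and tokens[1].lower() == "on"
        elif directive == "options":
            follow_symlinks = any(
                t.lower().lstrip("+") in ("followsymlinks", "symlinksifownermatch")
                for t in tokens[1:]
            )
        elif directive in ("rewritecond", "rewriterule"):
            if first_rewrite_line is None:
                first_rewrite_line = no
            # Flags must be one [..] token: '[NC,OR' or 'NC,OR]' is a 500.
            if tokens[-1].startswith("[") != tokens[-1].endswith("]"):
                findings.append((no, "error", f"{tokens[0]}: bad flag delimiters"))
            # Regex operand is argument 2 for RewriteCond, argument 1 for RewriteRule.
            pos = 2 if directive == "rewritecond" else 1
            if len(tokens) <= pos:
                findings.append((no, "error", f"{tokens[0]}: too few arguments"))
            else:
                pattern = tokens[pos]
                skip = pattern.startswith('"') or (
                    directive == "rewritecond" and NON_REGEX_COND.match(pattern))
                if not skip:
                    try:
                        re.compile(pattern.lstrip("!"))
                    except re.error as exc:
                        findings.append((no, "error", f"pattern does not compile: {exc}"))
    if first_rewrite_line is not None and not engine_on:
        findings.append((first_rewrite_line, "warning",
                         "Rewrite directives but no 'RewriteEngine On': they are ignored"))
    if first_rewrite_line is not None and not follow_symlinks:
        findings.append((first_rewrite_line, "warning",
                         "no 'Options +FollowSymLinks': some hosts require it for RewriteRule"))
    return findings


def has_errors(findings):
    return any(severity == "error" for _, severity, _ in findings)


# Constructed inputs for the demonstration (not from the thread).
BAD_HTACCESS = """RewriteCond %{HTTP_USER_AGENT} ^.*(Email\u00a6Siphon\u00a6Extractor).*$ [NC,OR]
RewriteRule .* - [F,L
#!/usr/bin/perl
use strict;
"""
GOOD_HTACCESS = """Options +FollowSymLinks
RewriteEngine On
# email harvesters named in the post: always unwanted
RewriteCond %{HTTP_USER_AGENT} ^.*(Email|Siphon|Extractor).*$ [NC]
RewriteRule .* - [F,L]
deny from 192.0.2.0/24
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_HTACCESS), ("good", GOOD_HTACCESS)):
        print(name, "->", "FIX BEFORE UPLOADING" if has_errors(lint_htaccess(text)) else "ok")
        for no, severity, message in lint_htaccess(text):
            print(f"  line {no}: {severity}: {message}")
```

Run it against the file on a copy before uploading; the warnings it emits are exactly the host-dependent items (whether `Options` and `RewriteRule` overrides are permitted at all) that only the host's configuration or a test upload can settle.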
I will make sure to review this topic more thoroughly so that I get a better grasp on how .htaccess files work. Another thing I'll have to look into is what exactly my web host does and does not support.
Was looking over htaccess things back in February this year. 9 months and so many pages later (not to mention all the side branches) and we're almost looking at a different animal.
Quick question - where do error pages now fit into the htaccess scheme of things?
I'm putting in the finishing touches to a project - as in building on one of these CMS things. Thus far their htaccess file consists of the following lines:
From all of the foregoing I should know where to put in most of the code. What I would like to find out is whether the above lines should appear at the beginning or be used at the end.
On the other hand, Rewrite Conditions and their associated RewriteRules should be placed in descending order based on their priority, so that the worst offenders can be blocked, or redirected as fast as possible, without having to parse the entire file to match a User Agent, Referer, or IP address. I accomplish this by placing all of my fixed IP deny from rules before the RewriteCond rules. The next section contains the Rewrite conditions, with the most serious threats dealt with at the top of the list, and the broad IP ranges and search query restrictions at the bottom of that group.
Wiz
thanks for the follow up. Was thinking the same thing. Had it that way before, but noticing that the "landscape" had changed somewhat and this wasn't mentioned or made obvious, I ended up wondering what people were doing now.
Put the said file into action and it was doing its work right away. Will leave it serving up 403's for awhile to get a feel for what is happening out there before making changes and going the next step - as in putting in traps and the like. Thanks again.
In case you haven't been welcomed yet, welcome to WebmasterWorld!
I'm happy to hear that our collective advice is helping you fight off the Borg.
Your logs will help you to formulate the placement order of the rules. It is possible to have multiple RewriteRules, each ending in [L]. This means that if the condition matches, the rule is applied and processing halts there. That's why we try to move the worst offenders to the top of the list, or create special case rules for the likes of the FormMail spammers.
Another thing to watch is how many 403s you are serving. If the number becomes very high, and the custom 403 page is 2 or 3 kb, you might want to consider writing a smaller (100 -200 bytes) main 403 file that just says "Access Denied" and provide a link in it to another 403(b) page that offers explanations about your policies and restrictions. I have two 403 pages like that. Sometimes I end up 403-ing visitors who have inherited a dirty IP, and I offer an explanation to them as to why they were denied access.
Wiz
Here is what seems to be a new one for the books. Well, a variation on a theme at least. Got this on my log today:
Needless to say, this is a FrontPage thing. Have never used it and don't intend to. The web host provides FP extensions and I have left them in - to assess their merits and the "unwanted attention" they may receive.
The question that begs here is - if I put in that fp mod rewrite, will this stop this particular type of intrusion?
As an aside, didn't find anything here on fp30reg.dll. However, a search throws up reams on security exploits relating to the use of this particular file.
The entry you quoted does not contain the needed 259+ byte data string to overflow the buffer. I guess the S.K. is first testing for the presence of FrontPage 2000, then, if it exists, he will test for a return value of the .dll file to see if it is the unpatched version (unlikely), and then send a 259 byte attack to try to bring down the stupidly unpatched server.
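The daily log-reading routine Wiz describes earlier in the thread (ban the obvious harvester User Agents outright, deny individual IPs on evidence of hostile intent, and lift bans after a period of inactivity because dynamic addresses get reassigned to innocent surfers), applied to the kinds of probe just discussed (fp30reg.dll and FormMail), as an added example that is not code from the thread or from WebmasterWorld. It assumes Apache's combined log format; the log lines, addresses (documentation ranges), the fp30reg.dll request path and the 30-day idle threshold are constructed for the demonstration, and the keyword lists are the ones named in the posts, not a complete ban list:

```python
"""Daily log triage for an Apache combined-format access log (added example,
not from the thread).  Rules from the posts: a User Agent containing Email,
Siphon or Extractor is a harvester; requests for FrontPage (fp30reg.dll,
/_vti_) or FormMail are probes; hostile IPs become 'deny from' candidates
for the fixed-IP block of the ban list; IPs with no hostile hit for a while
are listed for unbanning because dynamic addresses get reassigned."""
import re
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
HARVESTER_UA = re.compile(r"email|siphon|extractor", re.IGNORECASE)
FRONTPAGE_PROBE = re.compile(r"fp30reg\.dll|/_vti_", re.IGNORECASE)
FORMMAIL_PROBE = re.compile(r"formmail", re.IGNORECASE)


def classify(rec):
    """Reasons a single parsed request is hostile (empty list = benign)."""
    reasons = []
    if HARVESTER_UA.search(rec["ua"]):
        reasons.append("harvester UA")
    if FRONTPAGE_PROBE.search(rec["path"]):
        reasons.append("FrontPage probe")
    if FORMMAIL_PROBE.search(rec["path"]):
        reasons.append("FormMail probe")
    return reasons


def triage(lines):
    """Map hostile IP -> {'hits', 'reasons', 'last_seen'}; benign traffic is dropped."""
    hostile = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format (or truncated): skip rather than guess
        rec = m.groupdict()
        reasons = classify(rec)
        if not reasons:
            continue
        seen = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
        entry = hostile.setdefault(rec["ip"], {"hits": 0, "reasons": set(), "last_seen": seen})
        entry["hits"] += 1
        entry["reasons"].update(reasons)
        entry["last_seen"] = max(entry["last_seen"], seen)
    return hostile


def deny_lines(hostile):
    """'deny from' lines, worst offender first, for the fixed-IP block of the ban list."""
    order = sorted(hostile, key=lambda ip: (-hostile[ip]["hits"], ip))
    return [f"deny from {ip}" for ip in order]


def stale_bans(hostile, now, idle_days=30):
    """IPs with no hostile hit for idle_days: candidates to unban (dynamic IPs)."""
    cutoff = now - timedelta(days=idle_days)
    return sorted(ip for ip, e in hostile.items() if e["last_seen"] < cutoff)


# Constructed sample log: documentation address ranges, invented dates and paths.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Nov/2003:08:15:02 +0000] "GET /index.html HTTP/1.1" 200 5124 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [12/Nov/2003:08:16:40 +0000] "GET /contact.html HTTP/1.0" 200 2048 "-" "EmailSiphon"
203.0.113.5 - - [12/Nov/2003:09:02:11 +0000] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 210 "-" "Mozilla/4.0"
203.0.113.9 - - [12/Nov/2003:09:30:00 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 5.0)"
198.51.100.7 - - [18/Dec/2003:02:11:09 +0000] "GET /about.html HTTP/1.0" 200 1900 "-" "EmailSiphon"
this line is not in combined log format and is skipped
"""
NOW = datetime(2003, 12, 20, tzinfo=timezone.utc)  # 'today' for the demonstration

if __name__ == "__main__":
    hostile = triage(SAMPLE_LOG.splitlines())
    for ip, e in hostile.items():
        print(f"{ip}: {e['hits']} hit(s), {', '.join(sorted(e['reasons']))}, last {e['last_seen']:%Y-%m-%d}")
    print("\n".join(deny_lines(hostile)))
    print("review for unbanning:", stale_bans(hostile, NOW))
```

The per-IP reasons are kept alongside the hit counts so that the judgement call Wiz describes stays with the webmaster: a single FrontPage probe against a site with no FrontPage extensions is a candidate for investigation, not an automatic ban, while a harvester User Agent is banned on sight.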