Forum Moderators: phranque


.htaccess common security practices help

         

soloscott2

2:59 am on Nov 28, 2010 (gmt 0)

10+ Year Member



Hello WebmasterWorld.com!

I'm a new and happy member here to this wonderful website, and have found tons and tons of great readings from previous threads and posts from fellow members, and the admin staff. I think I've already doubled my own knowledge base in the last few hours, that I've been sifting through different articles here on the website.

However I do have some questions for all members here on the site, and hopefully you guys/gals can steer me in the right direction. I run 5 different phpbb3 forum boards, all of which are non-profit, no advertising, and as little spam as possible, etc. I've managed over the last 2-3 years to teach myself enough to install these on some different shared web hosts I've run across. And of course, like any other admin, I am always looking for ways to improve the sites, for one to keep users coming back, and of course to try to stay one step ahead of some of the bad guys out there trying to do harm.

Recently one of my hosting accounts was somehow compromised. Of course it's somewhat difficult for me to know 100% whether it was due to an improperly managed/secured webhost and/or my lack of knowledge in setting up my own proper defenses. But neither here nor there, the account was compromised, and of course the webhost informed me that it was 100% my fault, and that they were removing my account, and I was to find a new provider. So I've recently moved my five phpbb3 forum boards to a new web host provider.

I've been extremely happy with their service, features, and customer service. However I still do not want to completely rely on them securing my websites. So I've been trying to educate myself by researching all the different articles, how-to's, readmes, etc., in order to do the best that I can to prevent things myself.

So with all this I've come to this great place with all of your wonderful minds to possibly assist me in accomplishing this goal of mine. What I will post down below is a common .htaccess file that I share across my different forum boards. Then I will list what things I have found from articles and such, in hoping that they will help in the aid of securing my websites. Please note I am far from anything I would even call an experienced admin, so please don't be too rough with things being incorrect or out of order, as I am still learning :) But thank all of you who reply for your time and help! It is greatly appreciated!

Scott

My default .htaccess files across my sites

<Files *>
order deny,allow

# Block Address Country 1**
deny from omitted
# Block Address Country 2**
deny from omitted
# Block Address Country 3**
deny from omitted
# Block Address Country 4**
deny from omitted
# Block Address Country 5**
deny from omitted
# Block Address Country 6**
deny from omitted
# Block Address Country 7**
deny from omitted
# Block Address Country 8**
deny from omitted
# Block Address Country 9**
deny from omitted
# Block Address Country 10**
deny from omitted
# Block Address Country 11**
deny from omitted
# Block Address Country 12**
deny from omitted
# Block Address Country 13**
deny from omitted
# End blocklist

</Files>

# Deny viewing of .htaccess directives:
<Files .htaccess>
deny from all
</Files>

DirectoryIndex portal.php index.php index.html index.htm

# Lines that should already be in your .htaccess
#
# Uncomment the statement below if you want to make use of
# HTTP authentication and it does not already work.
# This could be required if you are for example using PHP via Apache CGI.
#
#<IfModule mod_rewrite.c>
#RewriteEngine on
#RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
#</IfModule>

<Files "config.php">
Order Allow,Deny
Deny from All
</Files>
<Files "common.php">
Order Allow,Deny
Deny from All
</Files>

# You may need to un-comment the following lines
# Options +FollowSymlinks
# To make sure that rewritten dir or file (/|.html) will not load dir.php in case it exist
# Options -MultiViews
# REMEMBER YOU ONLY NEED TO START MOD REWRITE ONCE
RewriteEngine On
# Uncomment the statement below if you want to make use of
# HTTP authentication and it does not already work.
# This could be required if you are for example using PHP via Apache CGI.
# RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
# REWRITE BASE
RewriteBase /
# HERE IS A GOOD PLACE TO FORCE CANONICAL DOMAIN
#RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
#RewriteRule ^(.*)$ http://www.example.com/$1 [QSA,L,R=301]

# DO NOT GO FURTHER IF THE REQUESTED FILE / DIR DOES EXIST
# [OR] IS REQUIRED: WITHOUT IT BOTH CONDITIONS MUST HOLD AT ONCE, WHICH NEVER HAPPENS
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule . - [L]
#####################################################
# PHPBB SEO REWRITE RULES ALL MODES
#####################################################
# FORUMS PAGES
###############
# FORUM INDEX REWRITERULE WOULD STAND HERE IF USED. "forum" REQUIRES TO BE SET AS FORUM INDEX
RewriteRule ^forum\.html$ index.php [QSA,L,NC]
# FORUM ALL MODES
RewriteRule ^(forum|[a-z0-9_-]*-f)([0-9]+)/?(page([0-9]+)\.html)?$ viewforum.php?f=$2&start=$4 [QSA,L,NC]
# TOPIC WITH VIRTUAL FOLDER ALL MODES
RewriteRule ^(forum|[a-z0-9_-]*-f)([0-9]+)/(topic|[a-z0-9_-]*-t)([0-9]+)(-([0-9]+))?\.html$ viewtopic.php?f=$2&t=$4&start=$6 [QSA,L,NC]
# GLOBAL ANNOUNCES WITH VIRTUAL FOLDER ALL MODES
RewriteRule ^announces/(topic|[a-z0-9_-]*-t)([0-9]+)(-([0-9]+))?\.html$ viewtopic.php?t=$2&start=$4 [QSA,L,NC]
# TOPIC WITHOUT FORUM ID & DELIM ALL MODES
RewriteRule ^([a-z0-9_-]*)/?(topic|[a-z0-9_-]*-t)([0-9]+)(-([0-9]+))?\.html$ viewtopic.php?forum_uri=$1&t=$3&start=$5 [QSA,L,NC]
# PHPBB FILES ALL MODES
RewriteRule ^resources/[a-z0-9_-]+/(thumb/)?([0-9]+)$ download/file.php?id=$2&t=$1 [QSA,L,NC]
# PROFILES ALL MODES WITH ID
#RewriteRule ^(member|[a-z0-9_-]*-u)([0-9]+)/$ memberlist.php?mode=viewprofile&u=$2 [QSA,L,NC]
RewriteRule ^member/([^/]+)/?$ /memberlist.php?mode=viewprofile&un=$1 [QSA,L,NC]
# USER MESSAGES ALL MODES WITH ID
RewriteRule ^(member|[a-z0-9_-]*-u)([0-9]+)/(topics|posts)/?(page([0-9]+)\.html)?$ search.php?author_id=$2&sr=$3&start=$5 [QSA,L,NC]
# GROUPS ALL MODES
RewriteRule ^(group|[a-z0-9_-]*-g)([0-9]+)(-([0-9]+))?\.html$ memberlist.php?mode=group&g=$2&start=$4 [QSA,L,NC]
# POST
RewriteRule ^post([0-9]+)\.html$ viewtopic.php?p=$1 [QSA,L,NC]
# ACTIVE TOPICS
RewriteRule ^active-topics(-([0-9]+))?\.html$ search.php?search_id=active_topics&start=$2&sr=topics [QSA,L,NC]
# UNANSWERED TOPICS
RewriteRule ^unanswered(-([0-9]+))?\.html$ search.php?search_id=unanswered&start=$2&sr=topics [QSA,L,NC]
# NEW POSTS
RewriteRule ^newposts(-([0-9]+))?\.html$ search.php?search_id=newposts&start=$2&sr=topics [QSA,L,NC]
# THE TEAM
RewriteRule ^the-team\.html$ memberlist.php?mode=leaders [QSA,L,NC]
# HERE IS A GOOD PLACE TO ADD OTHER PHPBB RELATED REWRITERULES

#####################################################
# GYM Sitemaps & RSS
# Global channels
RewriteRule ^rss(/(news)+)?(/(digest)+)?(/(short|long)+)?/?$ /gymrss.php?channels&$2&$4&$6 [QSA,L,NC]
# HTML Global news & maps
RewriteRule ^(news|maps)/?(page([0-9]+)\.html)?$ /map.php?$1&start=$3 [QSA,L,NC]
# END GYM Sitemaps & RSS
#####################################################
# FORUM WITHOUT ID & DELIM ALL MODES (SAME DELIM)
# THESE THREE LINES MUST BE LOCATED AT THE END OF YOUR HTACCESS TO WORK PROPERLY
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([a-z0-9_-]+)/?(page([0-9]+)\.html)?$ viewforum.php?forum_uri=$1&start=$3 [QSA,L,NC]
# FIX RELATIVE PATHS : FILES
RewriteRule ^.+/(style\.php|ucp\.php|mcp\.php|faq\.php|download/file.php)$ $1 [QSA,L,NC,R=301]
# FIX RELATIVE PATHS : IMAGES
RewriteRule ^.+/(styles/.*|images/.*)/$ $1 [QSA,L,NC,R=301]
# END PHPBB PAGES
#####################################################

#####################################################
# BEGIN PORTALXL
RewriteRule ^portal\.html$ /portal.php [QSA,L,NC]
RewriteRule ^portal-([0-9]+)\.html$ /portal.php?start=$1 [QSA,L,NC]
RewriteRule ^calendar\.html$ /calendar.php [QSA,L,NC]
RewriteRule ^downloads\.html$ /downloads.php [QSA,L,NC]
RewriteRule ^arcade\.html$ /arcade.php [QSA,L,NC]
# END PORTALXL
#####################################################

#####################################################
# BEGIN USER BLOG MOD
RewriteRule ^blog/(.+)/(.+)\.html$ /blog/view/blog.php?page=$1&mode=$2 [QSA,L,NC]
RewriteRule ^blog/(.+)/$ /blog/view/blog.php?page=$1 [QSA,L,NC]
RewriteRule ^blog/$ /blog/blog.php [QSA,L,NC]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^blog/(.+)/(.+)$ /blog/view/blog.php?page=$1&mode=$2 [QSA,L,NC]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^blog/(.+)$ /blog/blog.php?page=$1 [QSA,L,NC]

# USER BLOG MOD ATTACHMENTS/PROFILE AVATAR FIX
RewriteRule ^blog/(.+)/(.+)_id-([0-9]+)\.html/(.+)$ /blog/view/blog.php?page=$1&mode=$2&id=$3/$4 [QSA,L,NC]
RewriteRule ^blog/images/avatars/no_avatar\.png$ /images/avatars/no_avatar.png [QSA,L,NC]
RewriteRule ^blog/(.+)/images/avatars/no_avatar\.png$ /images/avatars/no_avatar.png [QSA,L,NC]
# END USER BLOG MOD
#####################################################

#####################################################
# PHPBB GALLERY REWRITE RULES
# ALBUM INDEX
#RewriteRule ^gallery/$ /gallery/index.php [QSA,L,NC]
RewriteRule ^gallery/album\.html$ /gallery/index.php [QSA,L,NC]
# ALBUM
RewriteRule ^gallery/[a-z0-9_-]*-a([0-9]+)/?(page([0-9]+)\.html)?$ /gallery/album.php?album_id=$1&start=$3 [QSA,L,NC]
# PERSONAL ALBUMS
RewriteRule ^gallery/user-albums/?(page([0-9]+)\.html)?$ /gallery/index.php?mode=personal&start=$2 [QSA,L,NC]
# PIC PAGE
RewriteRule ^gallery/[a-z0-9_-]*(-a([0-9]+)/)?[a-z0-9_-]*-p([0-9]+)(-([0-9]+))?\.html$ /gallery/image_page.php?album_id=$2&image_id=$3&start=$5 [QSA,L,NC]
# JGP
RewriteRule ^gallery/[a-z0-9_-]*(-a([0-9]+)/)?[a-z0-9_-]*-i([0-9]+)\.jpg$ /gallery/image.php?album_id=$2&image_id=$3 [QSA,L,NC]
# JGP THUMBNAILS
RewriteRule ^gallery/[a-z0-9_-]*(-a([0-9]+)/)?[a-z0-9_-]*-t([0-9]+)\.jpg$ /gallery/image.php?mode=thumbnail&album_id=$2&image_id=$3 [QSA,L,NC]
# JGP MEDIUM
RewriteRule ^gallery/[a-z0-9_-]*(-a([0-9]+)/)?[a-z0-9_-]*-m([0-9]+)\.jpg$ /gallery/image.php?mode=medium&album_id=$2&image_id=$3 [QSA,L,NC]
# END PHPBB GALLERY
#####################################################
#####################################################
# GYM Sitemaps & RSS
# HTML Module additional modes
RewriteRule ^(news|maps)/([a-z0-9_-]+)(/([a-z0-9_-]+))?/?(page([0-9]+)\.html)?$ /map.php?$2=$4&$1&start=$6 [QSA,L,NC]
# Main feeds & channels
RewriteRule ^rss(/(news)+)?(/(digest)+)?(/(short|long)+)?(/([a-z0-9_-]+))?/([a-z0-9_]+)\.xml(\.gz)?$ /gymrss.php?$9=$8&$2&$4&$6&gzip=$10 [QSA,L,NC]
# Module feeds
RewriteRule ^[a-z0-9_-]*-[a-z]{1,2}([0-9]+)(/(news)+)?(/(digest)+)?(/(short|long)+)?/([a-z0-9_]+)\.xml(\.gz)?$ /gymrss.php?$8=$1&$3&$5&$7&gzip=$9 [QSA,L,NC]
# Module feeds without ids
RewriteRule ^([a-z0-9_-]+)(/(news)+)?(/(digest)+)?(/(short|long)+)?/([a-z0-9_]+)\.xml(\.gz)?$ /gymrss.php?nametoid=$1&$3&$5&$7&modulename=$8&gzip=$9 [QSA,L,NC]
# Google SitemapIndex
RewriteRule ^sitemapindex\.xml(\.gz)?$ /sitemap.php?gzip=$1 [QSA,L,NC]
# Module cat sitemaps
RewriteRule ^[a-z0-9_-]+-([a-z]{1,2})([0-9]+)\.xml(\.gz)?$ /sitemap.php?module_sep=$1&module_sub=$2&gzip=$3 [QSA,L,NC]
# Module sitemaps
RewriteRule ^([a-z0-9_]+)-([a-z0-9_-]+)\.xml(\.gz)?$ /sitemap.php?$1=$2&gzip=$3 [QSA,L,NC]
# END GYM Sitemaps & RSS
#####################################################


Looking to possibly merge in these entries to my .htaccess to improve security.

#### Begin Security Section #########
RewriteRule setup\.php$ - [F]
# block pre-fetch requests with X-moz headers
RewriteCond %{ENV:no_access} yes
RewriteRule .* - [F,L]
#REQUEST METHOD
RewriteCond %{REQUEST_METHOD} ^(delete|head|trace|track) [NC]
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC]
RewriteRule ^(.*)$ - [F,L]
# proc/self/environ? no way!
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|[|\%[0-9A-Z]{0,2})
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
# phpMyAdmin
RewriteRule ^/phpMyAdmin.*$ /index.php
#
SetEnvIfNoCase user-Agent "windows 95" ban
SetEnvIfNoCase user-Agent "windows 98" ban
SetEnvIfNoCase user-Agent "windows NT" ban
SetEnvIfNoCase Referer "\.cn" ban
SetEnvIfNoCase Referer "\.ro" ban
SetEnvIfNoCase Referer "\.ru" ban
SetEnvIfNoCase Referer "\.es" ban
SetEnvIfNoCase Referer "\.id" ban
SetEnvIfNoCase Referer "\.in" ban
SetEnvIf Request_URI "\.php" ban
SetEnvIf Request_URI "(robots\.txt)$" pass
SetEnvIfNoCase X-forwarded-for .+ proxy=yes
SetEnvIfNoCase X-moz prefetch no_access=yes
SetEnvIfNoCase user-Agent libwww-perl bad_bots
order deny,allow
deny from env=bad_bots
#
<FilesMatch "\.(cgi|pl|py|txt)">
Deny from all
</FilesMatch>
########### End Security Section!########################

tangor

7:09 am on Nov 28, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



When using SetEnvIfNoCase make sure your env is properly labeled... ie.

SetEnvIfNoCase user-Agent "windows 95" ban
Deny from env=ban


...will catch all the "ban" but will not catch "bad_bots" or "yes"

Above script submitted is perhaps overkill... Do understand I'm not all that good with .htaccess, but can say mine is shorter! JDMorgan is your go to fellow... but even he will agree that the above is a mess and beyond the scope of this forum. You'll have to identify things that are NOT working to get answers. Meanwhile... Here's mine (sans multiple entries, only one of each for example purposes) Entire file is less than 100 lines and, for the most part, has secured my hobby site very nicely. As for my clients... you do what they ask unless they ask for something really stupid. :)

I also do not do PHPBBS, use a Perl forum...


AddType text/html .shtml
AddHandler server-parsed .htm .html .shtml

Header append X-robots-tag "noarchive"

#Needed on mine, most use FollowSymLinks
Options SymLinksIfOwnerMatch Includes

#Each below is example, no more than a dozen each type
SetEnvIfNoCase User-Agent "^$" ban
SetEnvIfNoCase Referer "translate" ban
SetEnvIf Request_URI "\.php" ban
#Pipe Include custom 404 in next line if you use one
SetEnvIf Request_URI "(robots\.txt)$" pass

Order Deny,Allow

<FilesMatch "\.(htaccess|htpasswd)$">
Deny from all
</FilesMatch>

<LimitExcept GET POST>
Deny from all
</LimitExcept>

<Limit GET POST>
Deny from 173.192.0.0/15
Deny from env=ban
Allow from env=pass
</Limit>

redirectPermanent /example/folder/file.html http://www.example.com/folder/otherfile.html


edited to add disclaimer I don't do PHP...

soloscott2

2:05 pm on Nov 28, 2010 (gmt 0)

10+ Year Member



Yes, the biggest thing I was looking for some assistance with is the security section that I posted at the bottom of the huge long post I made.... As I really haven't ever done any of them before, and am not really sure how to 100% test against them. But it seems that they are not working, as I have gone and downloaded the user agent tool for Firefox, and it doesn't seem to be blocking me when I switch to Win95, 98, or NT.

So step one of what I would like to get working is the user agents. From your reply I see some of the Env functions, and think below is some of the changes I need to make?


# Start of Blocking User-Agents/Referers
SetEnvIfNoCase user-Agent "windows 95" ban
SetEnvIfNoCase user-Agent "windows 98" ban
SetEnvIfNoCase user-Agent "windows NT" ban
# Not sure about the libwww-perl but?
SetEnvIfNoCase user-Agent libwww-perl ban
SetEnvIfNoCase Referer "\.cn" ban
SetEnvIfNoCase Referer "\.ro" ban
SetEnvIfNoCase Referer "\.ru" ban
SetEnvIfNoCase Referer "\.es" ban
SetEnvIfNoCase Referer "\.id" ban
SetEnvIfNoCase Referer "\.in" ban
# I think the below statement blocks .php requests? not correct
SetEnvIf Request_URI "\.php" ban
# Not sure if the lines below are actually blocking proxy connections
SetEnvIfNoCase X-forwarded-for .+ proxy=yes
SetEnvIfNoCase X-moz prefetch no_access=yes
# Allow robots.txt
SetEnvIf Request_URI "(robots\.txt)$" pass

order deny,allow
<Limit GET POST>
Deny from env=ban
Allow from env=pass
</Limit>

soloscott2

4:12 pm on Nov 28, 2010 (gmt 0)

10+ Year Member



Well, with some messing around I seem to have gotten a few things working. Currently I at least have the user agent blocking working. Here are my current rules.


SetEnvIfNoCase user-Agent "windows 95" ban
SetEnvIfNoCase user-Agent "windows95" ban
SetEnvIfNoCase user-Agent "win95" ban
SetEnvIfNoCase user-Agent "win 95" ban
SetEnvIfNoCase user-Agent "windows 98" ban
SetEnvIfNoCase user-Agent "windows98" ban
SetEnvIfNoCase user-Agent "win 98" ban
SetEnvIfNoCase user-Agent "win98" ban
SetEnvIfNoCase user-Agent "windows 3.11" ban
SetEnvIfNoCase user-Agent "windows 3.1" ban
SetEnvIfNoCase user-Agent "windows 3.0" ban
SetEnvIfNoCase user-Agent "windows me" ban
SetEnvIfNoCase user-Agent "windows NT 5.0" ban
SetEnvIfNoCase Referer "\.cn" ban
SetEnvIfNoCase Referer "\.ro" ban
SetEnvIfNoCase Referer "\.ru" ban
SetEnvIfNoCase Referer "\.es" ban
SetEnvIfNoCase Referer "\.id" ban
SetEnvIfNoCase Referer "\.in" ban
SetEnvIfNoCase user-Agent "libwww-perl" ban
SetEnvIf Request_URI "(robots\.txt)$" pass
<FilesMatch "(.*)">
order deny,allow
deny from env=ban
allow from pass
</FilesMatch>

tangor

9:37 pm on Nov 28, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Change allow from pass to
allow from env=pass

soloscott2

10:00 pm on Nov 28, 2010 (gmt 0)

10+ Year Member



Thanks! Good catch! :)

soloscott2

3:07 am on Nov 29, 2010 (gmt 0)

10+ Year Member



I'm not quite sure this is the proper place to ask about this, being as this is about Apache in specific. However I stumbled across a website that helps fight against spammers and other things like script kiddy attacks. Was wondering if anybody has ever used these scripts, and have had any success with them. They claim to work with the forum board software that I am using. But was looking to get a possible second opinion about them.

[spambotsecurity.com]

tangor

6:41 am on Nov 29, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Can't speak to this specific, but can say there is no substitute to wrapping brain about the problem and doing all the study and research yourself. Two reasons: You learn how it works, second you can see when things go south and need to be fixed. Forum wise I run Perl so can't answer re: PHP... but there are basic attacks common to either. Learning how to recognize those assaults is key to the health of your website.

There are no short cuts, no magic bullets, and even what you can learn here at Webmasterworld is continually evolving as new hacks, bots, exploits appear.

Just realize that if there was a shortcut, a hardened solution, that every website in the world would be running it and there would be no scrapers, spammers, or script kiddies. That hasn't happened.

jdMorgan

12:03 am on Dec 2, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Also as an indicator of how useful basic knowledge can be, consider that with a bit of regular-expressions knowledge, eight lines can be reduced to one:

SetEnvIfNoCase user-Agent "win(dows)?(\ )?9[58]" ban

Be sure you are understanding the difference between the HTTP Referer and HTTP Remote-Host.

Denying the former means that your site cannot be accessed by people clicking on links on sites hosted in unwanted countries.

Denying the latter means that your site cannot be accessed by users or servers in those unwanted countries.

Also, in the latter case, your server must be configured to support Reverse-DNS lookups for it to work.

The existing Referer-denial code itself could do with some added robustness, as you will likely get occasional "mysterious denials" the way it's coded now due to the "country-codes" appearing in parts of the referrer strings beyond the actual referring domain names (for example, in a filetype or in a query string). I'd suggest:

SetEnvIfNoCase Referer "^https?://[^/]+\.(cn|ro|ru|es|id|in)" ban

so that only "country codes" appearing in the referring domain name (before a third slash is found) will match the pattern. And note the combined country-codes as well.

Jim

tangor

12:30 am on Dec 2, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@Jim: Hope your holiday was grand... we missed you and your brilliance in regular expressions! Meanwhile, your sticky box is full.

@soloscott2: let us know your results.

wilderness

1:51 am on Dec 2, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Please disregard.

zero or one of the preceding element

SteveWh

4:57 am on Dec 4, 2010 (gmt 0)

10+ Year Member



It looks like you've assembled a hodge-podge of potentially very useful code from various sources that might not be working well when all mingled together. In addition, there are some errors, and just a single error or typo can make the whole thing not work.

This is an ambitious and admirable effort at real security, but the key to making it work for your site will be in understanding what every line and section does (lots of study), and testing it against the real requests your site receives, to make sure the rules ban malicious requests but don't ban legitimate ones.

I'd first simplify it by adding only one section at a time and testing that before moving onto the next section. Maybe test the different sections independently before trying to commingle them.

Denying by IP address isn't as useful as the other things, unless an IP range is swamping your server with requests that you can't block any other way.

----

The ways to test the code are:

1) Load your access logs into a MySQL database. Study each .htaccess rule to see what it does. Do a MySQL SELECT query to view requests matching that rule. Ensure that the rule will only block malicious requests.

2) After installing your modified .htaccess, watch your cPanel Latest Visitors (in real time) and your logs (after the fact) very closely to ensure malicious vs. legitimate requests are being classified and handled appropriately.
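The log-replay check described in this post, applied to the Referer and User-Agent rules discussed earlier in the thread, as an added example that is not code from any poster. It assumes Combined Log Format, uses Python's `re` in place of Apache's regex engine, and runs on constructed log lines; the `TLD_ONLY` rule set is a hypothetical tightening that does not appear in the thread.

```python
import re

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def rules(attr, patterns, var, flags=re.I):
    # SetEnvIfNoCase semantics: unanchored, case-insensitive regex search.
    return [(attr, re.compile(p, flags), var) for p in patterns]

# SetEnvIf (case-sensitive) rule that exempts robots.txt.
PASS = rules("uri", [r"(robots\.txt)$"], "pass", flags=0)

# Rules as posted in the thread: eight Windows 95/98 lines, six Referer lines.
POSTED = (
    rules("agent", ["windows 95", "windows95", "win95", "win 95",
                    "windows 98", "windows98", "win 98", "win98",
                    "libwww-perl"], "ban")
    + rules("referer", [r"\.cn", r"\.ro", r"\.ru", r"\.es", r"\.id", r"\.in"], "ban")
    + PASS
)

# The combined patterns suggested by jdMorgan in the thread.
UA_COMBINED = rules("agent", [r"win(dows)?(\ )?9[58]", "libwww-perl"], "ban")
COMBINED = (
    UA_COMBINED
    + rules("referer", [r"^https?://[^/]+\.(cn|ro|ru|es|id|in)"], "ban")
    + PASS
)

# Hypothetical tightening (not from the thread): the code must end the host name.
TLD_ONLY = (
    UA_COMBINED
    + rules("referer", [r"^https?://[^/]+\.(cn|ro|ru|es|id|in)(:\d+)?(/|$)"], "ban")
    + PASS
)

def denied(line, ruleset):
    """True if 'Order Deny,Allow / Deny from env=ban / Allow from env=pass'
    would refuse the request recorded in this log line."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError("not a combined-format log line: %r" % line)
    req = m.groupdict()
    req["uri"] = req["uri"].split("?", 1)[0]  # Request_URI excludes the query string
    env = {var for attr, rx, var in ruleset if rx.search(req[attr])}
    # Under Order Deny,Allow a matching Allow overrides a matching Deny.
    return "ban" in env and "pass" not in env

def replay(lines, ruleset):
    """Indexes of the log lines the rule set would deny."""
    return [i for i, line in enumerate(lines) if denied(line, ruleset)]

_PRE = '203.0.113.7 - - [28/Nov/2010:14:05:11 +0000] '
_FF = 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
# Constructed sample log lines (not real traffic).
SAMPLE = [
    _PRE + '"GET /viewtopic.php?f=2&t=10 HTTP/1.1" 200 5120 "http://www.example.com/index.php" "%s"' % _FF,
    _PRE + '"GET /index.php HTTP/1.1" 200 5120 "http://www.example.com/links.inc.php?cat=3" "%s"' % _FF,
    _PRE + '"GET /index.php HTTP/1.1" 200 5120 "http://forum.example.ru/thread/5" "%s"' % _FF,
    _PRE + '"GET /index.php HTTP/1.1" 200 5120 "http://www.india-travel.example/links.html" "%s"' % _FF,
    _PRE + '"GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
    _PRE + '"GET /robots.txt HTTP/1.0" 200 120 "-" "libwww-perl/5.805"',
    _PRE + '"GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Win95)"',
]

if __name__ == "__main__":
    for name, rs in (("posted", POSTED), ("combined", COMBINED), ("tld-only", TLD_ONLY)):
        print(name, "denies sample lines", replay(SAMPLE, rs))
```

Lines denied by one rule set but not another are the ones to read by hand: here line 1 is a same-site link whose path contains ".inc", and line 3 is a host name with a label that merely begins with "in".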

wilderness

5:34 am on Dec 4, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Denying by IP address isn't as useful as the other things, unless an IP range is swamping your server with requests that you can't block any other way.


I'm sure you'll find varied opinions of the effectiveness of denying by IP.

Most malicious bots/harvesters (or whatever else you choose to call them today) will make an innocent single test of your site, prior to any massive crawlings.
If you're able to identify them (via IP) at that time?
Then denying their IP range or their hosts (server farm or backbone) after this initial test will likely prevent their entry on the return-harvesting visit.

BTW, his IP denial activity is intended to restrict specific world regions from access to his website(s).