Secure Your Website/Forum using .htaccess Directives! [updated]

Ananthavas

According to most webmasters, security is one of the major things that always create head aches..
Because there are so many bad guys out there, who'll try to intrude into your website & can take advantage of several application-level vulnerabilities of your scripts..They may also pass certain dangerous attacks such as SQL Injection, Cross-Site scripting, Local File Inclusion etc, which simply executes with the help of HTTP requests..
Inorder to Mitigate such attacks, we can make use of the simple, but poweful mechanism on Apache servers, which is nothing but the .htaccess file.
If ur server has mod_rewrite enabled, u can use the following directives in the .htaccess file.
CAUTION!:
*Be careful. Any mistakes in any line can result in a "500 Internal Server error". If such error happens, simply undo the latest changes u made in .htaccess or opt-out lines by removing '#'
* Click 'copy the code' option for copying. Don't use default 'select & copy' ing method!
All these codes are randomly collected from several online sources & are tested by me for ensuring it's compatibility with Discuz!
.
Before getting started, enable rewriting & symbolic links using the following codes:

1. # enable basic rewriting
   
2. RewriteEngine on
   
3. # enable symbolic links
   
4. Options +FollowSymLinks
   
5. 
   

Copy the Code

.
* Deny Access to .htaccess:

1. # locked htaccess file
   
2. < Files .htaccess>
   
3. order allow,deny
   
4. deny from all
   
5. < /Files>
   

Copy the Code

.
*Disable Directory Browsing:
Prevent visitors from viewing ur web directories

1. # deny directory browsing
   
2. Options All -Indexes
   

Copy the Code

.
* Following codes are some rules, initially posted on 0x000000.com (a white hacker website)
These codes are effective in Mitigating SQL Injection & similar attacks. [Reference]
[If ur site is integrated with payment gateways, such as paypal, remove or opt-out the rule in 12th line]

1. # Prevent use of specified methods in HTTP Request
   
2. RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
   
3. # Block out use of illegal or unsafe characters in the HTTP Request
   
4. RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC,OR]
   
5. # Block out use of illegal or unsafe characters in the Referer Variable of the HTTP Request
   
6. RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
   
7. # Block out use of illegal or unsafe characters in any cookie associated with the HTTP Request
   
8. RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
   
9. # Block out use of illegal characters in URI or use of malformed URI
   
10. RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]
    
11. # Block out  use of empty User Agent Strings
    
12. # NOTE - disable this rule if your site is integrated with Payment Gateways such as PayPal
    
13. RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    
14. # Block out  use of illegal or unsafe characters in the User Agent variable
    
15. RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
    
16. # Measures to block out  SQL injection attacks
    
17. RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
    
18. # Block out  reference to localhost/loopback/127.0.0.1 in the Query String
    
19. RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
    
20. # Block out  use of illegal or unsafe characters in the Query String variable
    
21. RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
    

Copy the Code

.
* Over 70% of websites are vulnerable to Local File Inclusion, by which the attacker can inject maliciously coded shells to the server.
Following are some exclusively provided codes by sigsiu.net for preventing LFI attacks!

1. ########## Begin - File injection protection, by SigSiu.net
   
2. RewriteCond %{REQUEST_METHOD} GET
   
3. RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
   
4. RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
   
5. RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
   
6. RewriteRule .* - [F]
   
7. ########## End - File injection protection
   

Copy the Code

.

In addition to the above one, add the following to prevent URL encoding based LFI

1. RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [OR]
   

Copy the Code

.
* The following rule will resolve PHP-CGI Remote Code Execution vulnerability.

1. # PHP-CGI Vulnerability
   
2. RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC]
   
3. RewriteRule (.*) - [F,L]
   

Copy the Code

.
* Following codes can mitigate MySQL injections, Remote File Inclusion (RFI), base64 attacks etc

1. # Block MySQL injections, RFI, base64, etc.
   
2. 
   
3. RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
   
4. 
   
5. RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
   
6. 
   
7. RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
   
8. 
   
9. RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
   
10. 
    
11. RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
    
12. 
    
13. RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    
14. 
    
15. RewriteCond %{QUERY_STRING} http\: [NC,OR]
    
16. 
    
17. RewriteCond %{QUERY_STRING} https\: [NC,OR]
    
18. 
    
19. RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    
20. 
    
21. RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    
22. 
    
23. RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
    
24. 
    
25. RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    
26. 
    
27. RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    
28. 
    
29. RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    
30. 
    
31. RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    
32. 
    
33. RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    
34. 
    
35. RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    
36. 
    
37. RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    
38. 
    
39. RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    
40. 
    
41. RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
    
42. 
    
43. RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    
44. 
    
45. RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
    
46. 
    
47. RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    
48. 
    
49. RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    
50. 
    
51. RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    
52. 
    
53. RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    
54. 
    
55. RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    
56. 
    
57. RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    
58. 
    
59. RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    
60. 
    
61. RewriteRule ^(.*)$ - [F,L]

Copy the Code

.

* Use the following codes to block suspicious user agents and requests (May Cause some problems)

1. # Block suspicious user agents and requests
   
2. 
   
3. RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
   
4. 
   
5. RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
   
6. 
   
7. RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
   
8. 
   
9. RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
   
10. 
    
11. RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    
12. 
    
13. RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    
14. 
    
15. RewriteCond %{THE_REQUEST} (%0A|%0D) [NC]
    
16. RewriteRule ^(.*)$ - [F,L]
    

Copy the Code

.
You can use all these codes together in a single .htaccess file..
or simply download this .htaccess file(inside the archive).
It is already made with all these rules(except the last set)..
upload it to the root of your website directories..


Keep securing your website!

vot

Warning: the latest code block is not finished!
It must be ending with "RewriteRule ....."

Ananthavas

vot 2013-12-2 22:03
Warning: the latest code block is not finished!
It must be ending with "RewriteRule ....."

But I think it's finished.
I reffered many sites about that particular code.. (by googling that codes) but none of them recommends rewrite rule to be written at the end..
& it's working on my site too..
[Reference]

vot

You can think what you want,
but the last code block is incorrect and so does not work any case.

Ananthavas

vot 2013-12-2 22:39
You can think what you want,
but the last code block is incorrect and so does not work any case.

if so, do u know the appropriate rewrite rule for that?

ravipratap95

How about uploading an .htaccess file ready with the content for ease of access to rookie users.many will face problem like that

vot

Ananthavas 2013-12-3 05:07
if so, do u know the appropriate rewrite rule for that?

Because of the block goal is to DISABLE malicious requests,
so the last rule must be the next:
RewriteRule ^(.*)$ - [F,L]

Ananthavas

vot 2013-12-3 09:04
Because of the block goal is to DISABLE malicious requests,
so the last rule must be the next:
Rew ...

Thanks a lot for correcting me
The rewrite rule added in that block..

~Edited:~
Unfortunately,  that rule results in 500 Internal server error

Ananthavas

ravipratap95 2013-12-3 08:03
How about uploading an .htaccess file ready with the content for ease of access to rookie users.many ...

Added a zipped file to main post.. Download it..
I excluded the last set of rules, since it is giving some errors..
~Edited~
Last rule also added

vot

Thanks a lot for correcting me
The rewrite rule added in that block..
~Edited:~
Unfortunately,  that rule results in 500 Internal server error

It is because of you did not think, but simple copy/pasted the code
Replace the latest two lines with this two:

1. RewriteCond %{THE_REQUEST} (%0A|%0D) [NC]
   
2. RewriteRule ^(.*)$ - [F,L]

Copy the Code