Tutorial

Security Hardening thoughts, ideas, and suggestions for users who have shared hosting:

Block "libwww" bots and "remote file includes"

These lines in your home directory's .htaccess will block ANYTHING with the user agent "libwww" or "Wget". They are both bad guys most of the time.

The first group of lines blocks requests whose query string carries a remote URL (http, https, ftp, a www. host or a .txt file), which is the pattern used to include a remote file in a local one.


Example:
yoursite.com/.htaccess

Code (these lines belong with the rewrite rules, directly after RewriteEngine on):

RewriteEngine on
RewriteCond %{QUERY_STRING} ^http   [OR]
RewriteCond %{QUERY_STRING} ^.+www\.  [OR]
RewriteCond %{QUERY_STRING} ^.+https  [OR]
RewriteCond %{QUERY_STRING} ^.+\.txt  [OR]
RewriteCond %{QUERY_STRING} ^.+ftp
RewriteRule .* - [L,F]
RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget
RewriteRule .* - [F]

**The Rest of Dolphin .htaccess code would be here**

Note: There has been mention that the above code causes the AJAX pop-up member login to stop working. If that happens on your site, remove the first part of the code and use only the second part, like this instead:

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget
RewriteRule .* - [F]

**The Rest of Dolphin .htaccess code would be here**

This will still block the majority of RFI (remote file include) attempts, since most of them come from libwww.


Block others from viewing your .htaccess files in a web browser:
yoursite.com/.htaccess (near the bottom, add)

Code:

<Files .htaccess>
deny from all
</Files>




Put appropriate .htaccess files in the 777 (world-writable) dirs.

.htaccess files are recursive, meaning that if you put one in a directory, all of its subdirectories are affected as well. So in my media directory I block ALL scripts with the code below.

The LimitExcept block denies every request method other than GET (HEAD is treated as GET), so PUT and POST requests are blocked too. You CAN'T use this in a directory that has .php files inside it, or in any of its sub-dirs, because form submissions (POST) to those scripts would be refused. But it SHOULD be inside ALL the /files directories for each Ray widget, and the /media directory.

Sample locations:
yoursite.com/media/.htaccess
yoursite.com/ray/modules/movie/files/.htaccess
yoursite.com/ray/modules/mp3/files/.htaccess
yoursite.com/ray/modules/music/files/.htaccess

Code:

<LimitExcept GET>
Order deny,allow
deny from all
</LimitExcept>

<FilesMatch "\.(cgi|pl|py|bak|txt|htaccess|htpasswd|log|zip|asp|sh|shtml|js.*|gz|tgz|tar|php.*|htm.*)$">
Deny from all
</FilesMatch>
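To see what the rewrite rules above and this FilesMatch block actually accept and refuse, here is an added Python harness (not code from the tutorial or from Dolphin) that replays the tutorial's own patterns against constructed sample requests and file names. Apache evaluates a RewriteCond regex unanchored, like Python's re.search, and an [OR] chain is true as soon as one condition matches; since the tutorial uses no [NC] flag, matching is case-sensitive in both. The sample query strings, user agents and file names are made up for the demonstration; in particular, the redirect=... sample only illustrates how a legitimate parameter that carries a URL trips the www. condition, which is one plausible way the first block can break a site feature such as the login pop-up (whether Dolphin's login sends such a parameter is an assumption).

```python
import re

# Patterns copied from the tutorial's first RewriteCond group (all joined by [OR]).
QUERY_STRING_CONDS = [r"^http", r"^.+www\.", r"^.+https", r"^.+\.txt", r"^.+ftp"]
# Patterns copied from the user-agent group.
USER_AGENT_CONDS = [r"^libwww", r"^Wget"]
# The FilesMatch pattern the tutorial puts in the media and /files directories.
FILESMATCH = re.compile(
    r"\.(cgi|pl|py|bak|txt|htaccess|htpasswd|log|zip|asp|sh|shtml|js.*|gz|tgz|tar|php.*|htm.*)$"
)


def cond_group_matches(value, patterns):
    """An [OR]-chained RewriteCond group is true if any single condition matches.
    Apache matches the regex unanchored, so re.search reproduces that."""
    return any(re.search(p, value) is not None for p in patterns)


def rewrite_verdict(query_string, user_agent):
    """Mirror the two RewriteRule blocks: a match in either group answers 403 ([F])."""
    if cond_group_matches(query_string, QUERY_STRING_CONDS):
        return "forbidden (query string)"
    if cond_group_matches(user_agent, USER_AGENT_CONDS):
        return "forbidden (user agent)"
    return "allowed"


def filesmatch_denied(filename):
    """True when the FilesMatch block would refuse to serve this file name.
    Note that 'php.*' also catches double extensions such as image.php.jpg,
    and 'js.*' catches .json as well as .js."""
    return FILESMATCH.search(filename) is not None


# Constructed samples (not captured traffic): (query string, user agent).
BROWSER = "Mozilla/5.0 (X11; Linux) Gecko/2008 Firefox/3.0"
SAMPLE_REQUESTS = [
    ("", BROWSER),
    ("page=http://evil.example/shell.txt", BROWSER),      # caught by ^.+\.txt
    ("redirect=http://www.yoursite.com/member.php", BROWSER),  # caught by ^.+www\.
    ("", "libwww-perl/5.805"),
    ("", "Wget/1.12"),
    ("", "Mozilla/5.0 (compatible; libwww-perl)"),         # ^libwww is anchored
    ("", "wget/1.12"),                                     # no [NC]: case matters
]
SAMPLE_FILES = ["photo.jpg", "upload.php", "image.php.jpg", "notes.txt", "data.json", "video.flv"]

if __name__ == "__main__":
    for qs, ua in SAMPLE_REQUESTS:
        print(f"{rewrite_verdict(qs, ua):<24} qs={qs!r} ua={ua!r}")
    for name in SAMPLE_FILES:
        print(f"{'denied' if filesmatch_denied(name) else 'served':<8} {name}")
```

Run it before changing the patterns on a live site: any legitimate URL your pages pass in a query string, and any file type your uploads rely on, should land on the "allowed" or "served" side.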



Deny access to your site by IP address:

yoursite.com/.htaccess (deny IPs)

If you use the blocklists from www.wizcrafts.net, which are very good and updated often, make sure you put one IP per line, each with its own deny from. See the samples below:


<Files *>
order deny,allow
deny from 191.0.0.0
deny from 195.0.0.0
</Files>

yoursite.com/.htaccess(deny ranges)
<Files *>
deny from 124.187.
deny from 58.0.0.0/8
allow from 58.121.39.45
</Files>


Explanation:
deny from 124.187.
will deny all IPs from 124.187.0.0 to 124.187.255.255

deny from 124.187.0.0/16
will deny the same range, 124.187.0.0 to 124.187.255.255, written in CIDR format

Another:
deny from 58.0.0.0/8
will deny all IPs from 58.0.0.0 to 58.255.255.255
allow from 58.121.39.45
the rest of that range is still blocked, but under order deny,allow a matching allow wins, so only 58.121.39.45 gets through to your site.


Where to get a good blocklist to include in your main .htaccess:
http://www.wizcrafts.net

.htaccess blocklists:
http://www.wizcrafts.net/htaccess-blocklists.html

http://www.wizcrafts.net/chinese-blocklist.html
http://www.wizcrafts.net/exploited-servers-blocklist.html
http://www.wizcrafts.net/nigerian-blocklist.html
http://www.wizcrafts.net/russian-blocklist.html


iptables blocklists:
http://www.wizcrafts.net/iptables-blocklists.html

http://www.wizcrafts.net/chinese-iptables-blocklist.txt
http://www.wizcrafts.net/exploited-servers-iptables-blocklist.txt
http://www.wizcrafts.net/nigerian-iptables-blocklist.txt
http://www.wizcrafts.net/russian-iptables-blocklist.txt




LOCK down the admin directory

Let's make it so that even if a hacker gets hold of your credentials from your database he STILL can't get into the admin. Put this inside the .htaccess that is in your /admin directory:

order deny,allow
deny from all
allow from 55.242.132.133
allow from 141.111.42.41

-Where 55.242.132.133 is your home IP address
-And 141.111.42.41 is your work IP address, etc.

This way, even if someone gets YOUR login and password, they STILL can't get inside the admin area.
*If your IP changes, then this probably isn't the best solution. You will still be able to access FTP regardless of your IP address; this only blocks web access to your admin folder from anything other than the two IPs specified. So even if your IP did change, you can just FTP into your admin directory and update the allow lines with your new IP address.
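The deny/allow explanation in the IP section and this admin lockdown both depend on how Apache 2.2 evaluates Order, Deny from and Allow from. The following added Python model (not code from the tutorial or from Dolphin) lets you check a snippet against sample client addresses before you lock yourself out. It treats a partial dotted prefix the way Apache does (1 to 3 octets become a /8, /16 or /24) and assumes the tutorial's trailing-dot form "124.187." means the same /16 as "124.187". The addresses used are the tutorial's own placeholders plus constructed test addresses.

```python
import ipaddress


def parse_host_spec(spec):
    """Turn one Deny/Allow argument into an IPv4 network.

    Supports 'all', a full address, CIDR ('58.0.0.0/8') and a partial dotted
    prefix of 1-3 octets ('124.187' -> 124.187.0.0/16). The tutorial writes the
    partial form with a trailing dot ('124.187.'); assumed here to mean the same.
    """
    spec = spec.strip()
    if spec.lower() == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = [o for o in spec.split(".") if o]
    if len(octets) < 4:
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)
    return ipaddress.ip_network(f"{spec}/32")


def _matches_any(ip, specs):
    addr = ipaddress.ip_address(ip)
    return any(addr in parse_host_spec(s) for s in specs)


def access_decision(ip, order, denies, allows):
    """Return 'allowed' or 'denied' following Apache 2.2 Order semantics.

    deny,allow: Deny is checked first, but a matching Allow overrides it, and an
                address matching neither list is let in (this is also the default
                when Order is omitted, as in the tutorial's second range sample).
    allow,deny: the address must match an Allow and no Deny; matching neither
                means denied.
    """
    denied = _matches_any(ip, denies)
    allowed = _matches_any(ip, allows)
    order = order.replace(" ", "").lower()
    if order == "deny,allow":
        return "denied" if denied and not allowed else "allowed"
    if order == "allow,deny":
        return "allowed" if allowed and not denied else "denied"
    raise ValueError(f"unknown Order: {order}")


# The tutorial's "deny ranges" snippet.
RANGE_DENIES = ["124.187.", "58.0.0.0/8"]
RANGE_ALLOWS = ["58.121.39.45"]

# The tutorial's /admin lockdown: deny everyone, allow only the listed
# placeholder home and work addresses.
ADMIN_DENIES = ["all"]
ADMIN_ALLOWS = ["55.242.132.133", "141.111.42.41"]


def range_decision(ip):
    return access_decision(ip, "deny,allow", RANGE_DENIES, RANGE_ALLOWS)


def admin_decision(ip):
    return access_decision(ip, "deny,allow", ADMIN_DENIES, ADMIN_ALLOWS)


if __name__ == "__main__":
    # 203.0.113.9 is a documentation address used here as a constructed outsider.
    for ip in ["124.187.3.4", "58.121.39.45", "58.121.39.46", "203.0.113.9"]:
        print(f"range rules: {ip:<16} {range_decision(ip)}")
    for ip in ["55.242.132.133", "141.111.42.41", "203.0.113.9"]:
        print(f"admin rules: {ip:<16} {admin_decision(ip)}")
```

One caveat the model makes visible: Apache decides on the client address it sees on the connection. If your site sits behind a reverse proxy or CDN, that is the proxy's address rather than your home or work address, and an allow list like the admin one above will not behave as intended.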



You should also verify that register_globals is off!!
For those of you with Dolphin 6.1x, a phpinfo file is now provided in your admin folder. To access it, first log in to your admin panel, then enter yoursite.com/phpinfo.php into the address bar of your web browser.

Scroll down the page until you see register_globals. Ideally this should say Off in both columns (Local Value and Master Value), as pictured:

[Screenshot: Register Globals]

If the Local column says On, you may be able to turn it off for your site by modifying your .htaccess or php.ini file.

But I would consider finding a host that has register_globals turned off to begin with.


Update: 9-11-08

I just added another article that could also be classified as security related. It covers how to prevent direct access to (and viewing of) the contents of /periodic/periodic.file, which contains your crons but also, in most cases, displays your actual hosting account name. Please see this article for additional reading:
Prevent Direct Access to Periodic File

There is no way to guarantee that any of this will stop a hacker or an attempt. But everything you can do to prevent it from happening is certainly worth the time and effort.

Part of this information comes from my friend mscott.
You can check out his page at Boonex Unity here:
mscott at Boonex Unity:
http://www.boonex.com/unity/mscott

Written By
Tutorial by: Jeremy LeSarge (AKA Ray)

I am the owner and administrator of DialMe.com. I write Tutorials for Boonex Dolphin as well as tips and resources surrounding website programming and development. I enjoy working with WordPress, SEO, and Web Hosting / Servers. I also maintain a WordPress Blog here on this site where you will find a variety of technology and webmaster resources.
