Suggested Master .htaccess file

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Suggested Master .htaccess file

Post by leolam » Fri Sep 17, 2010 4:49 pm

Let's make one thing straight...I just post and do not take the credits for this! With loads of respect for Nicholas (Lead developer of Akeeba Backup) and the people mentioned in his file, I do post this here as gratitude for his (and the others mentioned!) efforts published on http://snipt.net/nikosdion/the-master-htaccess (posted on Sep 04, 2010 at 7:49 a.m. EDT)

Thank you Nicholas (and the wonderful people mentioned in his file!) for bringing this together for the Joomla community! It is a wonderful and graceful improvement of the security of any (!) site!

Thank you g1smd for your time to improve the file. The Joomla community appreciates your efforts on this.

The current Suggested Master .htaccess file is here:
http://docs.joomla.org/Htaccess_examples_%28security%29

Please use the .htaccess code found on the doc page. The doc page contains the current code version of the .htaccess file.

Use of any .htaccess code posted in this forum thread is at your own risk as it may be outdated or not work as intended. Use the code found on the doc page instead.

*** Before using the code on the doc page, please note the clear statement/valid disclaimer contained within the .htaccess file ***
## Some sections are too picky and may cause problems with legitimate requests.
## You are ultimately responsible for disabling them or writing exception rules
## for your requests. Most notably, the advanced server protection section will
## cause issues with several minifiers, eXtplorer, VirtueMart and other exten-
## sions which use non-standard scripts as their entry points. You must add
## exceptions for them manually.

## Some sections - depending on your server configuration - may cause your site
## to throw 500 Internal Server Error. The only way to figure out which one is
## causing it is trial and error.
Cheers

Leo 8)
Last edited by PhilD on Tue Mar 08, 2011 10:55 pm, edited 1 time in total.
Reason: Added link to doc file, removed htaccess code from post as redundant, added text pointing users to doc file
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

User avatar
MrRoyce
Joomla! Ace
Joomla! Ace
Posts: 1176
Joined: Mon Oct 09, 2006 9:52 pm
Location: Tampuh Floriduh - The jewels of America's wang.
Contact:

master .htaccess file comments?

Post by MrRoyce » Fri Oct 08, 2010 3:18 pm

I'm not sure why that topic was locked. It sure seems like it would be great to discuss it??

There is at least one typo type error there that was pointed out in Nicholas' original blog. Also, the disclaimer about it being trial and error for a particular site is very important. If you copy it verbatim it will most likely bring down your site. Even if you make the trivial changes to the domain names, there is still a good possibility to bring down your site.

I went through it section by section before changing my sites, most of the sections didn't work for me and I had to modify them. I also tried to verify that they would stop the specified attacks. In some cases I wasn't able to verify that they worked as intended.

It seems like that thread would be a great learning opportunity for the community, or am I missing something?

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: suggested master .htaccess file comments?

Post by mandville » Fri Oct 08, 2010 3:22 pm

if you mean the topic entitled Suggested Master .htaccess file http://forum.joomla.org/viewtopic.php?f=432&t=549841, it was locked due to "abusive/spam/didnt work for me - fix it" posts being made. i will now unlock it and merge this post under there.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

User avatar
MrRoyce
Joomla! Ace
Joomla! Ace
Posts: 1176
Joined: Mon Oct 09, 2006 9:52 pm
Location: Tampuh Floriduh - The jewels of America's wang.
Contact:

Re: Suggested Master .htaccess file

Post by MrRoyce » Fri Oct 08, 2010 4:40 pm

Thanks for clearing that up.

The above .htaccess file has an extra 'OR' in the 'Disallow PHP Easter Eggs' section. Remove the last 'OR'.

Also, on my sites, the R=404 directive consistently failed. it appears mod_rewrite doesn't support 404 as a status code for the R= flag. I had to change 'R=404' to 'F' which means forbidden. Thats not as elegant a solution but its much better than a 500 internal server error for every access ;-)

User avatar
C0nw0nk
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 248
Joined: Tue Jun 15, 2010 1:12 am
Location: United Kingdom, London
Contact:

Re: Suggested Master .htaccess file

Post by C0nw0nk » Fri Oct 08, 2010 5:28 pm

So to fix these error's you simply change the

Code: Select all

RewriteRule ^(.*)$ - [R=404,L]
To

Code: Select all

RewriteRule ^(.*)$ - [F,L]

User avatar
IberoMedia
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 126
Joined: Mon Apr 12, 2010 3:25 am
Contact:

Re: Suggested Master .htaccess file

Post by IberoMedia » Tue Oct 26, 2010 4:25 pm

I heard from a Joomla instructor that changing the htaccess file, removing the hashes to the following lines, was an added security measure for my Joomla website:

## Deny access to extension xml files (un-comment out to activate)
#<Files ~ "\.xml$">
#Order allow,deny
#Deny from all
#Satisfy all
#</Files>

## End of deny access to extension xml files

But un-commenting these lines would cause flash extensions not to work. What can I do to implement the security measure, and yet, let a given flash based extension work?

User avatar
SallyR
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 118
Joined: Wed Nov 12, 2008 1:35 am
Location: Florida, USA
Contact:

Re: Suggested Master .htaccess file

Post by SallyR » Wed Nov 03, 2010 12:10 pm

Ok...I am not getting it. Should .htaccess code be used to replace my .htaccess file???

leolam wrote:Let's make one thing straight...I just post and do not take the credits for this! With loads of respect for Nicholas (Lead developer of Akeeba Backup) and the people mentioned in his file, I do post this here as gratitude for his (and the others mentioned!) efforts published on http://snipt.net/nikosdion/the-master-htaccess (posted on Sep 04, 2010 at 7:49 a.m. EDT)

Thank you Nicholas (and the wonderful people mentioned in his file!) for bringing this together for the Joomla community! It is a wonderful and graceful improvement of the security of any (!) site!
###############################################################################
## The Master .htaccess
## ----------
## This file is designed to be the template .htaccess file to put on your new
## sites, increasing your site's security and performance. It is not meant to
## be just dropped in your site, though. You should go through all of its
## sections and modify it to match your site. Most notably, all instances of
## domain.com and domain\.com should be replaced with your real domain name.
##
## Some sections are too picky and may cause problems with legitimate requests.
## You are ultimately responsible for disabling them or writing exception rules
## for your requests. Most notably, the advanced server protection section will
## cause issues with several minifiers, eXtplorer, VirtueMart and other exten-
## sions which use non-standard scripts as their entry points. You must add
## exceptions for them manually.
##
## Some sections - depending on your server configuration - may cause your site
## to throw 500 Internal Server Error. The only way to figure out which one is
## causing it is trial and error.
##
## Big thank you's to Brian Teeman, Ken Crowder, Radek Suski and Fotis
## Evangelou for sharing their .htaccess rules with the world and inspiring
## the creation of this file.
##
## Have fun, stay safe.
##
## Nicholas K. Dionysopoulos
## Lead Developer, AkeebaBackup.com
###############################################################################

########## Begin - File exection order, by Komra.de
DirectoryIndex index.php index.html
########## End - File exection order

########## Begin - No directory listings
IndexIgnore *
Options +FollowSymLinks All -Indexes
########## End - No directory listings

########## Begin - Optimal default expiration time
ExpiresDefault "now plus 1 hour"
########## End - Optimal expiration time

########## Begin - RewriteEngine enabled
RewriteEngine On
########## End - RewriteEngine enabled

########## Begin - Google Apps redirection, by Komra.de
Redirect 301 /mail http://mail.google.com/a/domain.com
########## End - Google Apps redirection

########## Begin - Redirect index.php to /, by Komra.de
RewriteCond %{THE_REQUEST} ^[A-Z]+\ /index\.php(/[^\ ]*)?\ HTTP/
RewriteRule ^index\.php(/(.*))?$ /$2 [R=301,L]
########## End - Redirect index.php to /

########## Begin - Redirect non-www to www
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
########## End - Redirect non-www to www

########## Begin - Redirect www to non-www
## WARNING: Comment out the non-www to www rule if you choose to use this
#RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
#RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
########## End - Redirect non-www to www

########## Begin - Redirect olddomain.com to http://www.domain.com
RewriteCond %{HTTP_HOST} ^olddomain.net [NC]
RewriteRule ^(.*)$ http://www.domain.com/$1 [L,R=301]
########## End - Redirect olddomain.com to http://www.domain.com

########## Begin - Force HTTPS for certain pages
# Force the page foobar.html to run in HTTPS mode, no matter what Joomla! says.
RewriteCond %{HTTPS} ^off$ [NC]
RewriteRule ^foobar\.html$ https://www.domain.com/foobar.html [L,R=301]
########## End - Force HTTPS for certain pages

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# If the request contains /proc/self/environ (by SigSiu.net)
RewriteCond %{QUERY_STRING} proc\/self\/environ [OR]
# Legacy configuration variable injection
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode stuff to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script trying to base64_decode stuff to send via URL
RewriteCond %{QUERY_STRING} base64_decode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Instead of using 403, we'd better use 404 (Not Found) to confuse hackers
RewriteRule ^(.*)$ index.php [R=404,L]
#
########## End - Rewrite rules to block out some common exploits

########## Begin - File injection protection, by SigSiu.net
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]\=http:\/\/(.*)
RewriteRule ^(.*)$ - [R=404,L]
########## End - File injection protection

# Uncomment following line if your webserver's URL
# is not directly related to physical file paths.
# Update Your Joomla! Directory (just / for root)

# RewriteBase /

########## Begin - Advanced server protection rules exceptions ####
##
## These are sample exceptions to the Advanced Server Protection 2.0
## rule set further down this file.
##
## Allow UddeIM CAPTCHA
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^(components/com_uddeim/captcha15\.php)$ $1 [L]

## Allow Phil Taylor's Turbo Gears
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^(plugins/system/GoogleGears/gears-manifest\.php) $1 [L]

## Allow Agora attachments, but not PHP files in that directory!
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} !(\.php)$
RewriteRule ^(components/com_agora/img/members/.*) $1 [L]

## Allow JoomlaWorks AllVideos
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^(plugins/content/jw_allvideos/includes/jw_allvideos_scripts\.php) $1 [L]

## Uncomment to allow full access to the cache directory (strongly not recommended!)
#RewriteRule ^(cache/.*)$ $1 [L]

## Uncomment to allow full access to the tmp directory (strongly not recommended!)
#RewriteRule ^(tmp/.*)$ $1 [L]

## Add your own exceptions here...

########## End - Advanced server protection rules exceptions ####

########## Begin - Advanced server protection
# Advanced server protection, version 2.0 - August 2010
# by Nicholas K. Dionysopoulos

## Referrer filtering for common media files. Replace with your own domain.
## This blocks most common fingerprinting attacks ;)
RewriteRule ^(images/stories/*\.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|htm[l]?))$ $1 [L]
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?domain\.com [NC]
RewriteRule \.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|htm[l]?)$ - [R=404,L]

## Disallow visual fingerprinting of Joomla! sites (module position dump)
## Initial idea by Brian Teeman and Ken Crowder, see:
## http://www.slideshare.net/brianteeman/h ... la-secrets
## Improved by @nikosdion to work more efficientyl and handle template
## and tmpl query parameters
RewriteCond %{QUERY_STRING} (&|%3F){1,1}tp= [OR]
RewriteCond %{QUERY_STRING} (&|%3F){1,1}template= [OR]
RewriteCond %{QUERY_STRING} (&|%3F){1,1}tmpl= [NC]
RewriteRule ^(.*)$ - [R=404,L]

## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
## your PHP version). See http://www.0php.com/php_easter_egg.php and
## http://osvdb.org/12184 for more information
RewriteCond %{QUERY_STRING} ^%3F=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [OR]
RewriteCond %{QUERY_STRING} ^%3F=PHPE9568F34-D428-11d2-A769-00AA001ACF42 [OR]
RewriteCond %{QUERY_STRING} ^%3F=PHPE9568F35-D428-11d2-A769-00AA001ACF42 [OR]
RewriteCond %{QUERY_STRING} ^%3F=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 [OR]
RewriteRule ^(.*)$ - [R=404,L]

## Back-end protection
## This also blocks fingerprinting attacks browsing for XML and INI files
RewriteRule ^(administrator[/]?)$ administrator/index.php [L]
RewriteRule ^(administrator/index.htm[l]?)$ $1 [L]
RewriteRule ^(administrator/index.php)$ $1 [L]
RewriteRule ^(administrator/index[2,3].php)$ $1 [L]
RewriteRule ^(administrator/(components|modules|templates|images|plugins)/.*\.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|htm[l]?))$ $1 [L]
RewriteRule ^administrator/(.*)$ - [R=404,L]

## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory
RewriteRule ^(xmlrpc/index\.php)$ $1 [L]
RewriteRule ^xmlrpc/(.*)$ - [R=404,L]

## Disallow front-end access for certain Joomla! system directories
RewriteRule ^(includes/js/.*)$ $1 [L]
RewriteRule ^(cache|includes|language|libraries|logs|tmp)/.*$ - [R=404,L]

## Allow limited access for certain Joomla! system directories with client-accessible content
RewriteRule ^((components|modules|plugins|templates)/.*\.(jp[g,2,eg]?|png|gif|bmp|css|js|swf|htm[l]?))$ $1 [L]
RewriteRule ^((components|modules|plugins|templates)/.*index\.php(.*))$ $1 [L]
RewriteRule ^(templates/.*\.php)$ $1 [L]
RewriteRule ^(components|modules|plugins|templates)/.*$ - [R=404,L]

## Disallow access to htaccess.txt and configuration.php-dist
RewriteRule ^(htaccess\.txt|configuration\.php-dist)$ - [R=404,L]

## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
## http://www.sigsiu.net/presentations/for ... bsite.html
## May cause problems on legitimate requests
RewriteCond %{QUERY_STRING} concat.*\( [NC,OR]
RewriteCond %{QUERY_STRING} union.*select.*\( [NC,OR]
RewriteCond %{QUERY_STRING} union.*all.*select.* [NC]
RewriteRule ^(.*)$ - [R=404,L]

########## End - Advanced server protection

########## Begin - Basic antispam Filter, by SigSiu.net
## I removed some common words, tweak to your liking
RewriteCond %{query_string} \bviagra\b [NC,OR]
RewriteCond %{query_string} \bambien\b [NC,OR]
RewriteCond %{query_string} \bblue\spill\b [NC,OR]
RewriteCond %{query_string} \bcialis\b [NC,OR]
RewriteCond %{query_string} \bcocaine\b [NC,OR]
RewriteCond %{query_string} \bejaculation\b [NC,OR]
RewriteCond %{query_string} \berectile\b [NC,OR]
RewriteCond %{query_string} \berections\b [NC,OR]
RewriteCond %{query_string} \bhoodia\b [NC,OR]
RewriteCond %{query_string} \bhuronriveracres\b [NC,OR]
RewriteCond %{query_string} \bimpotence\b [NC,OR]
RewriteCond %{query_string} \blevitra\b [NC,OR]
RewriteCond %{query_string} \blibido\b [NC,OR]
RewriteCond %{query_string} \blipitor\b [NC,OR]
RewriteCond %{query_string} \bphentermin\b [NC,OR]
RewriteCond %{query_string} \bprosac\b [NC,OR]
RewriteCond %{query_string} \bsandyauer\b [NC,OR]
RewriteCond %{query_string} \btramadol\b [NC,OR]
RewriteCond %{query_string} \btroyhamby\b [NC,OR]
RewriteCond %{query_string} \bultram\b [NC,OR]
RewriteCond %{query_string} \bunicauca\b [NC,OR]
RewriteCond %{query_string} \bvalium\b [NC,OR]
RewriteCond %{query_string} \bviagra\b [NC,OR]
RewriteCond %{query_string} \bvicodin\b [NC,OR]
RewriteCond %{query_string} \bxanax\b [NC,OR]
RewriteCond %{query_string} \bypxaieo\b [NC]
RewriteRule ^(.*)$ - [R=404,L]
########## End - Basic antispam Filter, by SigSiu.net

########## Begin - Joomla! core SEF Section
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$ [NC]
RewriteRule (.*) index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
#
########## End - Joomla! core SEF Section

########## Begin - Common hacking tools and bandwidth hoggers block
## By SigSiu.net and @nikosdion.
## WARNING: This will also block old versions of JoomlaPack Remote
## and will disallow running CRON jobs using wget.
# The following rules are for common hacking tools:
SetEnvIf user-agent "Indy Library" stayout=1
SetEnvIf user-agent "libwww-perl" stayout=1
SetEnvIf user-agent "Wget" stayout=1
# The following rules are for bandwidth-hogging download tools
SetEnvIf user-agent "Download Demon" stayout=1
SetEnvIf user-agent "GetRight" stayout=1
SetEnvIf user-agent "GetWeb!" stayout=1
SetEnvIf user-agent "Go!Zilla" stayout=1
SetEnvIf user-agent "Go-Ahead-Got-It" stayout=1
SetEnvIf user-agent "GrabNet" stayout=1
SetEnvIf user-agent "TurnitinBot" stayout=1
# This line denies access to all of the above tools
deny from env=stayout
########## End - Common hacking tools and bandwidth higgers block

########## Begin - Automatic compression of resources
# Compress text, html, javascript, css, xml, kudos to Komra.de
# May kill access to your site for old versions of Internet Explorer
AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript
########## End - Automatic compression of resources
Please note the clear statement/valid disclaimer:
## Some sections are too picky and may cause problems with legitimate requests.
## You are ultimately responsible for disabling them or writing exception rules
## for your requests. Most notably, the advanced server protection section will
## cause issues with several minifiers, eXtplorer, VirtueMart and other exten-
## sions which use non-standard scripts as their entry points. You must add
## exceptions for them manually.

## Some sections - depending on your server configuration - may cause your site
## to throw 500 Internal Server Error. The only way to figure out which one is
## causing it is trial and error.
Cheers

Leo 8)

User avatar
MrRoyce
Joomla! Ace
Joomla! Ace
Posts: 1176
Joined: Mon Oct 09, 2006 9:52 pm
Location: Tampuh Floriduh - The jewels of America's wang.
Contact:

Re: Suggested Master .htaccess file

Post by MrRoyce » Wed Nov 03, 2010 12:18 pm

SallyR wrote:Ok...I am not getting it. Should .htaccess code be used to replace my .htaccess file???
Yes, that is the idea, however, I would strongly suggest testing it on a test site before using it on your production site. All sites are different. Chances are good that if you use it as is, it will crash your site.

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Suggested Master .htaccess file

Post by leolam » Wed Nov 03, 2010 2:39 pm

MrRoyce wrote: if you use it as is, it will crash your site.
I have to contradict that remark. First of all it is clearly stated that you will need to check the options and they depend on how each site is build. That is fact and correct...The only issue what has screwed any site is this part
########## Begin - Redirect index.php to /, by Komra.de
RewriteCond %{THE_REQUEST} ^[A-Z]+\ /index\.php(/[^\ ]*)?\ HTTP/
RewriteRule ^index\.php(/(.*))?$ /$2 [R=301,L]
########## End - Redirect index.php to /
so we leave that out and it works like a charm on every site we have installed including our own sites.......We have added some more directives to it to protect from certain bots and I will post this but stating as done before that nothing works etc is purely not fact...Again...All works without the mentioned part for us on each Joomla install...

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

User avatar
MrRoyce
Joomla! Ace
Joomla! Ace
Posts: 1176
Joined: Mon Oct 09, 2006 9:52 pm
Location: Tampuh Floriduh - The jewels of America's wang.
Contact:

Re: Suggested Master .htaccess file

Post by MrRoyce » Wed Nov 03, 2010 2:52 pm

I never said 'nothing works'. I said that to use it as is will crash your site, which you confirmed.
For everyone else, here is a repost of the text at the beginning of the file. Ignore it at your peril:

## This file is designed to be the template .htaccess file to put on your new
## sites, increasing your site's security and performance. It is not meant to
## be just dropped in your site, though. You should go through all of its
## sections and modify it to match your site. Most notably, all instances of
## domain.com and domain\.com should be replaced with your real domain name.
##
## Some sections are too picky and may cause problems with legitimate requests.
## You are ultimately responsible for disabling them or writing exception rules
## for your requests. Most notably, the advanced server protection section will
## cause issues with several minifiers, eXtplorer, VirtueMart and other exten-
## sions which use non-standard scripts as their entry points. You must add
## exceptions for them manually.
##
## Some sections - depending on your server configuration - may cause your site
## to throw 500 Internal Server Error. The only way to figure out which one is
## causing it is trial and error.

User avatar
SallyR
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 118
Joined: Wed Nov 12, 2008 1:35 am
Location: Florida, USA
Contact:

Re: Suggested Master .htaccess file

Post by SallyR » Thu Nov 04, 2010 3:33 am

I know of the developer of Akeeba backup and use the back up tool known by its former name joomlapack and think very highly of the product and its developer. But I have to ask the question, if this code is what is needed and recommended by joomla community, why is it not in the latest version of joomla - or is it? I am in version 1.5.21.

I am just a bit leary since all of these hackers sneaking into sites adding code that is not part of the latest joomla version. Very annoying and pretty creepy these hackers.

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Suggested Master .htaccess file

Post by leolam » Thu Nov 04, 2010 5:28 am

@ Mr. Royce:
MrRoyce wrote:I never said 'nothing works'. I said that to use it as is will crash your site, which you confirmed.
I did not confirm ;-) I said it screwed aka threw an error.
most of the sections didn't work for me
which is something I do not recognize.

@ SallyR: Joomla is a continuing evolution and hackers are getting increasingly more sophisticated so we need to add continuously new features for protection....The above suggested (!) master file is a good example how many sniplets from many coders have contributed to this very helpful piece!

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

Thetjo
Joomla! Explorer
Joomla! Explorer
Posts: 499
Joined: Fri Nov 13, 2009 1:33 pm
Contact:

Re: Suggested Master .htaccess file

Post by Thetjo » Thu Nov 04, 2010 3:35 pm

Some feedback on this great file:

- The only way to figure out which one is causing it is trial and error.
You can often use you apache error log (error.log) to help you resolve your issue

- Since most people using this will copy/paste the file over their current .htaccess, I would suggest commenting out some rare rules, leaving them to be 'activated' by users who know what they are doing. I would suggest commenting by default:

########## Begin - Google Apps redirection, by Komra.de
Redirect 301 /mail http://mail.google.com/a/domain.com
########## End - Google Apps redirection

########## Begin - Redirect olddomain.com to http://www.domain.com
RewriteCond %{HTTP_HOST} ^olddomain.net [NC]
RewriteRule ^(.*)$ http://www.domain.com/$1 [L,R=301]
########## End - Redirect olddomain.com to http://www.domain.com

########## Begin - Force HTTPS for certain pages
# Force the page foobar.html to run in HTTPS mode, no matter what Joomla! says.
RewriteCond %{HTTPS} ^off$ [NC]
RewriteRule ^foobar\.html$ https://www.domain.com/foobar.html [L,R=301]
########## End - Force HTTPS for certain pages

- Improve the comment about RewriteBase to:

# Uncomment the following line if your Joomla!
# installation is outside your root folder.
# Set to /example if your Joomla is located in
# a folder named 'example'. Set to / for root folder.

- Change the rewriterule for common media file to include fonts and favicons

RewriteRule \.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|htm[l]|woff|ttf|eot|ico?)$ - [R=404,L]
RewriteRule ^(administrator/(components|modules|templates|images|plugins)/.*\.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|htm[l]|woff|ttf|eot|ico?))$ $1 [L]
RewriteRule ^((components|modules|plugins|templates)/.*\.(jp[g,2,eg]?|png|gif|bmp|css|js|swf|htm[l]|woff|ttf|eot|ico?))$ $1 [L]
http://www.conversionreview.com/ - Start improving your conversion rate with an expert review

User avatar
SallyR
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 118
Joined: Wed Nov 12, 2008 1:35 am
Location: Florida, USA
Contact:

Re: suggested master .htaccess file comments?

Post by SallyR » Sun Nov 07, 2010 6:00 pm

mandville wrote:if you mean the topic entitled Suggested Master .htaccess file http://forum.joomla.org/viewtopic.php?f=432&t=549841, it was locked due to "abusive/spam/didnt work for me - fix it" posts being made. i will now unlock it and merge this post under there.
For a joomla website where a hacker got in and generated duplicate URLs from the legit joomla site with their hacker URL embedded in the middle, will this master .htaccess file remove these duplicate URLs? The URLs can be blocked in robots.txt from search engines but they are still alive.

Will this master .htaccess file kill the hacker URLs? And in what part of the code would block and remove the hacker URLs?

Here is an example of hacker URL -
"http://www.legitjoomlasite.com/index.ph ... com/hacker[/b]"

Is this the code below?

########## Begin - Redirect olddomain.com to http://www.domain.com
RewriteCond %{HTTP_HOST} ^olddomain.net [NC]
RewriteRule ^(.*)$ http://www.domain.com/$1 [L,R=301]
########## End - Redirect olddomain.com to http://www.domain.com

User avatar
Umbungo
Joomla! Apprentice
Joomla! Apprentice
Posts: 47
Joined: Fri Apr 11, 2008 8:11 am

Re: Suggested Master .htaccess file

Post by Umbungo » Tue Nov 09, 2010 8:52 am

Here is the most recent monster security audit
Remember to edit the path strings where I have commented.

[Mod Note: Removed insulting comment]

Now lastly, relax and go put your feet up 8).
Last edited by ooffick on Tue Nov 09, 2010 10:53 am, edited 3 times in total.
Reason: Mod Note: removed insulting comment. Keep all commentary civil, and be courteous at all times. Constructive criticism is welcome, but insults directed towards other users or the site admins will not be tolerated.

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Suggested Master .htaccess file

Post by leolam » Tue Nov 09, 2010 9:48 am

I rather suggest to post possible improvements so we can add those to the "masterfile suggestion instead of posting such file which btw I cannot advise anybody to use for multiple reasons:

1) Servers should have many directives already included in their compiling. Some of your directives will break the site and will throw 500-errors
2) Ip-disallow makes no sense since it is totally incomplete (see for instance http://smart-ip.net/en/articles/dangerous-ip-ranges) or do a search in Google on "dangerous IP-range"

Putting your feet up? Never be ready with site/server protection!

I strongly suggest that users are very, very careful using this so called self proclaimed "monster security audit" on their website. One might find some very unexpected and strange behaviors. A better version and slightly modified "Optional Master htaccess can be found http://forum.joomla.org/viewtopic.php?p ... 8#p2286238 (ssnobben)

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

User avatar
Umbungo
Joomla! Apprentice
Joomla! Apprentice
Posts: 47
Joined: Fri Apr 11, 2008 8:11 am

Re: Suggested Master .htaccess file

Post by Umbungo » Tue Nov 09, 2010 9:52 am

Rubbish, for these reasons:

1) Your file will throw 500 errors but unlike mine and joomlas it has no comments to show users where to edit the file.

2) The IP disallow will run fine on a server that can run Joomla 1.5, so it's not me you should be quoting that to.

3) I'm assuming you made the same advise about using Joomlas .htaccess for the very same reason ?.

I moved the origional htaccess to this post because you have been trolling my other posts drawing attention to your viral marketing .htaccess file.

Yes the file you have there has nice formatting and I'm sure you'll get a gold star because appearence is everything, but your file also will cause 500 errors on as many, if not more server configurations than my own and there is unessasary code in there, ill give just one example further down...

If you want the most secure .htaccess then use mine, it uses more advanced wildcards that means the code is reduced, it also blocks more hackers and spammers, just be sure to change the appropriate paths that I have commented on the file.

Leolam why did you do this:

Code: Select all

RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]\=http:\/\/(.*)
RewriteRule ^(.*)$ - [R=404,L]
why didn't you just do this:

Code: Select all

RewriteCond %{QUERY_STRING} ^(.*)=http: [NC]
RewriteRule ^(.*)$ - [F,L]
Like I did in my so called BAD .htaccess file ?

Here is an example of a well written .htaccess file that is far superior to the one leolam is trying to get viral marketing off of:

Code: Select all

#CUSTOM START
CONTENT REMOVED BY USER: Copyright 
I'm sorry this advanced .htaccess file with years of bot and hacker trapping has been removed due to forum trolling allowed in this topic, unfortunatly I thought contributing what people normally pay for within this topic would be easy, but due to the fact I removed my trolled post here I got many forum warnings and a huge drama happened making sharing my code and experience in this forum way to much hassle.
#CUSTOM STOP
And finally, to stop web robots spamming you or revealing sensative information in there cache, use this for your robots.txt file allowing only web robot access from..
Jeeves, Yahoo, Bing (msn), and Google:

Code: Select all

CONTENT REMOVED BY USER: Copyright 
I'm sorry this advanced robots.txt file has been removed due to forum trolling allowed in this topic, unfortunatly I thought contributing what people normally pay for within this topic would be easy, but due to the fact I removed my trolled post here I got many forum warnings and a huge drama happened making sharing my code and experience in this forum way to much hassle.
Note to moderator: there was nothing insulting in my comment, only comedy from the harsh yet hypercritical backlash of another forum troller which has been allowed to troll my posts, so I moved my origional post below his and added that comedy post containing no insults that you banned above.
Last edited by Umbungo on Tue Nov 09, 2010 11:55 am, edited 8 times in total.

User avatar
pe7er
Joomla! Master
Joomla! Master
Posts: 24926
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands
Contact:

Re: Suggested Master .htaccess file

Post by pe7er » Tue Nov 09, 2010 10:47 am

Umbungo wrote:2) The IP disallow will run fine on a server that can run Joomla 1.5, so it's not me you should be quoting that to.
Leolam did not write that IP-disallow does not work on a server that can run Joomla 1.5.
(BTW .htaccess only works on Apache servers).

He meant that the principle of banning IPs in general does not work.
I agree with that, because:
1. IP addresses are not always permanent, so innocent people might get assigned to a banned IP address and won't have access to the sites using the .htaccess with IP-disallow.
2. Hackers and spammers are familiar with proxy servers, which they use to circumvent IP bans.
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com

User avatar
Umbungo
Joomla! Apprentice
Joomla! Apprentice
Posts: 47
Joined: Fri Apr 11, 2008 8:11 am

Re: Suggested Master .htaccess file

Post by Umbungo » Tue Nov 09, 2010 10:59 am

Hi pe7er

The Ip ranges that are banned are from known bad spam and hacker networks, these adresses will not change, there are only a few single IP adresses of bad web robots that are permanent so you can be sure that the deny section has been well thought out for the long run.

Ofcorse there are alternatives around like project honeypot for stopping spammers and hackers via IP adresses, and this follows up to date listings, but you will find the same old netranges being used all the time, and because hackers & spammers drop there IP adress after a while, they will get throu on there reassigned address from there spamming and hacking netrange.

So a few years of trapping was done to compile that list of IP denys and to identify bad ranges.

As for proxy redirects, I left several options for disallowing access via a proxy, and I set the default to the most relaxed:

Code: Select all

#CODE REMOVED BY USER Copyright
Ofcorse I could have sold those Netranges as a security consultant, but I chose to share them with the Joomla community because I belive in the communities ability to work together to improve Joomlas security 8)

Infact because of the moderator warnings recieved for nothing other than pointing out my posts have been trolled and then moving my posts, I dont think I'll be adding anymore free scripts or help within this topic, if trolling and viral marketing is allowed then ill go back to work and get paid by more curtious audience :D

So sorry to anyone who wanted a really good .htaccess file with years of bot trapping involved, I have decided to remove it because of the reasons stated above which make adding to this topic a negative experience, I will be giving the script away to my customers from work, a place where I don't get insulted or warned for my contributions, and a place I can hang the phone up on trolls.
Last edited by Umbungo on Tue Nov 09, 2010 11:54 am, edited 2 times in total.

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Suggested Master .htaccess file

Post by leolam » Tue Nov 09, 2010 11:37 am

First time in 7 years on the forums that I have been called "trolling" :laugh:
Yes the file you have there has nice formatting and I'm sure you'll get a gold star because appearance is everything, but your file also will cause 500 errors on as many, if not more server configurations than my own and there is unessasary code in there
With all respect my dear Umbungo: This (the proposed .htaccess-file) is a file created by some of the brightest minds in the Joomlasphere as outlined by Nicholas within the file....Honors to those who deserve honors.....I do not request any kudo's for the splendid "proposed master htaccess".....I posted it for the benefit of this community and I do thank all those wonderful people who are mentioned by Nicholas (Lead developer of Akeebabackup) in the specific file with their wonderful contribution to this community.

I am happy you present yourself as a security consultant and I do urge you to contact Nicholas at Akeeba and the others mentioned to discuss your specialized views and solutions. I am sure your knowledge will be most appreciated to increase security in our beloved Joomla. The post you refer to "me trolling" was btw a request for support since you were facing problems with your site(s) constantly being hacked: http://forum.joomla.org/viewtopic.php?f=432&t=366444

Cheers

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

User avatar
darb
Joomla! Hero
Joomla! Hero
Posts: 2038
Joined: Thu Jul 06, 2006 12:57 pm
Location: Stockholm Sweden

Re: Suggested Master .htaccess file

Post by darb » Tue Nov 09, 2010 11:42 am

I think this is a very important discussion and improvements for Joomla and I hope/suggest that one or a group of Joomla core devs would be responsible for updating this certified "Joomla master .htaccess" file continuously when needed.

Its so important for securing Joomla and should be part of all old and new Joomla installations.

So how can this be organized to be developed/controlled further with help of a group of skilled security (Joomla)experts that also test and add those extra features for a master .htaccess Joomla file?

Any suggestions Joomla core devs and community people?

rgsd

User avatar
Umbungo
Joomla! Apprentice
Joomla! Apprentice
Posts: 47
Joined: Fri Apr 11, 2008 8:11 am

Re: Suggested Master .htaccess file

Post by Umbungo » Tue Nov 09, 2010 11:53 am

Unfortunatly due to leolams trolling efforts however, I have removed my security .htaccess which was far superior to his in every respect, I say that ofcorse because not only is it true, but leolam trolled my comments here and on other posts claiming my files would cause errors when infact, his would cause errors.

He then reported my posts to every moderator in the forum.

Having examined his file I found alot of useless code that could be cut down, however I saw some good principles, I have been considering someone would troll like that and can only assume viral marketing.

My comments have nothing to do with any named coder in his file that will cause 500 errors, as he claimed mine would, this is true of most unconfigured .htaccess files.

I'm sure ill see some of my Copyright code in his .htaccess on future updates when he thinks I am no longer watching.

User avatar
pe7er
Joomla! Master
Joomla! Master
Posts: 24926
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands
Contact:

Re: Suggested Master .htaccess file

Post by pe7er » Tue Nov 09, 2010 12:06 pm

MOD note: please stay on topic, which is "Suggested Master .htaccess file"
Umbungo wrote:

Code: Select all

#CUSTOM START
CONTENT REMOVED BY USER:
I'm sorry this advanced .htaccess file with years of bot and hacker trapping has been removed due to forum trolling allowed in this topic, unfortunatly I thought contributing what people normally pay for within this topic would be easy, but due to the fact I removed my trolled post here I got many forum warnings and a huge drama happened making sharing my code and experience in this forum way to much hassle.
#CUSTOM STOP
Sorry that I have to correct you in public:
We did not give you a forum warning because you removed any of your "trolled" post.
We gave you a forum warning because you wrote some insulting comments about another forum user
Umbungo wrote:

Code: Select all

CONTENT REMOVED BY USER:
I'm sorry this advanced robots.txt file has been removed due to forum trolling allowed in this topic, unfortunatly I thought contributing what people normally pay for within this topic would be easy, but due to the fact I removed my trolled post here I got many forum warnings and a huge drama happened making sharing my code and experience in this forum way to much hassle.
Note to moderator: there was nothing insulting in my comment, only comedy from the harsh yet hypercritical backlash of another forum troller which has been allowed to troll my posts, so I moved my origional post below his and added that comedy post containing no insults that you banned above.
Please keep all discussions constructive.
Calling someone a "hypocrite" and "a troll" is not constructive.
That's insulting, and not allowed at this forum, see:
http://forum.joomla.org/viewtopic.php?f=8&t=65
Keep all commentary civil, and be courteous at all times. Constructive criticism is welcome, but insults directed towards other users or the site admins will not be tolerated. Coarse/insulting language will not be tolerated.
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com

User avatar
Umbungo
Joomla! Apprentice
Joomla! Apprentice
Posts: 47
Joined: Fri Apr 11, 2008 8:11 am

Re: Suggested Master .htaccess file

Post by Umbungo » Tue Nov 09, 2010 12:23 pm

Sorry
It was stating a fact
No more contributions from me

---END

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Suggested Master .htaccess file

Post by leolam » Tue Nov 09, 2010 1:22 pm

darb wrote:I think this is a very important discussion and improvements for Joomla and I hope/suggest that one or a group of Joomla core devs would be responsible for updating this certified "Joomla master .htaccess" file continuously when needed.
I completely agree and found some of the adjustments you posted in the enhanced version lately you posted very useful and needed. I regretfully cannot add or change anything to the initial file I uploaded so Mandville or PhilD can we open a second threat where we post "proposed" changes (PhilD I only think about your htaccess-addendum re. XML-files I have seen as an example. At present we cannot add this so if we propose changes as yours is either of the security moderators able to add this (with appropriate kudo's/change referrals) to the Suggested htacces Master file?

Open to any suggestions to improve the highly quality piece posted by Nicholas online?

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

User avatar
darb
Joomla! Hero
Joomla! Hero
Posts: 2038
Joined: Thu Jul 06, 2006 12:57 pm
Location: Stockholm Sweden

Re: Suggested Master .htaccess file

Post by darb » Tue Nov 09, 2010 1:31 pm

Well let all of use be friend now guys and not behave like small kids? We are a Joomla community guys!

If we keep this discussion constructive we can help Joomla and discuss this for the improvements that helps Joomla itself cant we?

-----------------------------------------------------------------------------------------------------------------------------------------------------------------
Note: Remember Umbungo --> you have already published your htaccess file without any copyrights when you published it first time.

And this standard code that comes from standard coding patterns is not something I guess you can have copyright about too.

I published my extra code for a .htaccess file like that why don't you do it too for all other Joomla people?

All the best!

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Suggested Master .htaccess file

Post by mandville » Tue Nov 09, 2010 2:52 pm

we (moderators) cant really alter the originsla post to make amendments as this would cause the chain of posts to become unreadable.
you could always use the wiki eg http://docs.joomla.org/Htaccess_examples_%28security%29 that could do evolving htaccess files
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Suggested Master .htaccess file

Post by leolam » Tue Nov 09, 2010 3:10 pm

mandville wrote:we (moderators) cant really alter the originsla post to make amendments as this would cause the chain of posts to become unreadable.
you could always use the wiki eg http://docs.joomla.org/Htaccess_examples_%28security%29 that could do evolving htaccess files
Mandville, you (seemingly...I do not know for sure how this works) have closed the post for editing and that could be undone so I can edit posts and add improvements with clear markings (as added to original or something)

Leo 8)
Last edited by leolam on Tue Nov 09, 2010 4:19 pm, edited 1 time in total.
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Suggested Master .htaccess file

Post by mandville » Tue Nov 09, 2010 4:05 pm

The forum automatically closes editing rights for regular forum members after a crertain period. we (phild and I ) cant override that
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Suggested Master .htaccess file

Post by leolam » Tue Nov 09, 2010 4:19 pm

Got it tnx
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -


Locked

Return to “Security in Joomla! 1.5”