  1. #1
    Join Date
    Mar 2009
    Posts
    52

    htaccess or/and Mod security ??

    Hello

    I have a managed VPS with WHM dedicated to hosting only Joomla websites. It is suggested to increase the security of a website by adding some lines inside .htaccess; here are some example rules:

    ###########################################
    #Start Custom rules
    ###########################################

    #--------------------------------
    #Deny access to all CGI, Perl, Python and text files
    #(anchored with $ so that e.g. "style.plain.css" is not matched by "\.pl")
    #--------------------------------
    <FilesMatch "\.(cgi|pl|py|txt)$">
    Deny from all
    </FilesMatch>
    ##Allow only the robots.txt file; if it should not be allowed, add a # at the start of the following 3 lines
    <FilesMatch "^robots\.txt$">
    Allow from all
    </FilesMatch>

    #--------------------------------
    #Deny perl and other bots from accessing your site
    #--------------------------------

    ########## start block bad bots
    SetEnvIfNoCase User-Agent "^EmailSiphon" bad_bot
    SetEnvIfNoCase User-Agent "^.*psycheclone" bad_bot
    SetEnvIfNoCase User-Agent "^EmailWolf" bad_bot
    SetEnvIfNoCase User-Agent "^ExtractorPro" bad_bot
    SetEnvIfNoCase User-Agent "^CherryPicker" bad_bot
    SetEnvIfNoCase User-Agent "^NICErsPRO" bad_bot
    SetEnvIfNoCase User-Agent "^Teleport" bad_bot
    SetEnvIfNoCase User-Agent "^EmailCollector" bad_bot
    SetEnvIfNoCase User-Agent "^LinkWalker" bad_bot
    SetEnvIfNoCase User-Agent "^Zeus" bad_bot
    SetEnvIfNoCase User-Agent "^Mozilla.*NEWT" bad_bot
    SetEnvIfNoCase User-Agent "^Crescent" bad_bot
    SetEnvIfNoCase User-Agent "^[Ww]eb[Bb]andit" bad_bot
    SetEnvIfNoCase User-Agent "^WebEMailExtrac.*" bad_bot
    SetEnvIfNoCase User-Agent "^Microsoft.URL" bad_bot
    SetEnvIfNoCase User-Agent "^Wget" bad_bot
    SetEnvIfNoCase User-Agent "^DIIbot" bad_bot
    SetEnvIfNoCase User-Agent "^sitecheck.internetseer.com" bad_bot
    SetEnvIfNoCase User-Agent "^psbot" bad_bot
    SetEnvIfNoCase User-Agent "^libwww-perl" bad_bot

    # Note: <Limit GET POST> also covers HEAD, but other methods (e.g. OPTIONS) are not restricted;
    # drop the <Limit> wrapper to apply the deny to every method.
    <Limit GET POST>
    Order Allow,Deny
    Allow from all
    Deny from env=bad_bot
    </Limit>
    ########## end block bad bots

    #--------------------------------
    # Block direct access to critical files
    #--------------------------------

    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

    <FilesMatch "^configuration\.php$">
    Order allow,deny
    Deny from all
    </FilesMatch>

    #--------------------------------
    # Block all attempts to access files with names starting with "phpMyAdmin": they are rewritten to index.php
    # (in a per-directory .htaccess the path is tested without its leading slash, so the pattern must not start with "/")
    #--------------------------------

    RewriteEngine On
    RewriteRule ^phpMyAdmin /index.php [L]


    ###########################################
    #End Custom rules
    ###########################################

    I have seen in some other topics that it is not necessary to use .htaccess to include this kind of rule if the server runs mod_security, especially because if the .htaccess is bigger it can slow down the site, and also because it can be annoying to set a custom .htaccess for each site if the security can be applied to the whole VPS for every account.

    My VPS has a pre-configured mod_security, but I don't know whether this kind of rule is set or not.

    Can somebody tell me if the rules above can be used for mod_security? Or is it totally different stuff?

    My goal is especially to fight bad bots, to secure some files (like configuration.php) and to disallow specific file types like cgi|pl|py|txt.

    Any suggestion/advice much appreciated. Thanks.

  2. #2
    Join Date
    May 2009
    Location
    /dev/null
    Posts
    171


    I suggest you use in .htaccess only those <FilesMatch "\.(cgi|pl|py|txt)"> rules and those rewrite rules. However, the above rule only makes sense if your site does not use any Perl-based scripts.

    Pretty much everything else covered in your .htaccess can be disallowed by ModSec. ModSec rule sets are kinda complicated and your only way is to test all rules yourself manually or hire an expert for this job, like me. Well, I am quite busy with my own projects currently, but I'd say this anyway.

    For example, for blocking by User-Agent you should take a look at the file modsecurity_crs_35_bad_robots.conf.

    I need to remind you that this User-Agent rule only fools script kiddies, as all determined hackers easily know this and will spoof their User-Agent header to look as if they were browsing with a real browser.

    ModSec is an Apache module, which means each HTTP request must be inspected by ModSecurity. This will also slow things down a bit, but with a fairly decent machine you should not notice any significant slowdown.
    Last edited by GameFrame; 08-27-2009 at 03:57 PM.
    NiX API - A powerful Anti-Proxy/Anti-Fraud and IP Reputation Lookup API
    nixapi.com
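GameFrame's point that most of the .htaccess rules can live in ModSecurity instead, written out as an added example that is not from this thread or from the Core Rule Set: ModSecurity 2.x rules covering the same bad-bot list, the script/text-file block with the robots.txt exception, the critical-file block and the phpMyAdmin probe. The rule ids (900001-900004) and the assumption that SecRuleEngine is already On in the server-wide config are mine; check the ids against your installed CRS before use.

```apacheconf
# Added example: ModSecurity 2.x equivalents of the .htaccess rules above.
# Assumes SecRuleEngine On is already set server-wide (the "pre-configured"
# ModSecurity of the VPS). Rule ids 900001-900004 are assumed free.

# 1. Bad bots: the same User-Agent prefixes as the SetEnvIfNoCase list, as one
#    case-insensitive regex. Unlike <Limit GET POST>, this applies to every method.
SecRule REQUEST_HEADERS:User-Agent \
  "@rx (?i)(?:^(?:EmailSiphon|EmailWolf|ExtractorPro|CherryPicker|NICErsPRO|Teleport|EmailCollector|LinkWalker|Zeus|Crescent|WebBandit|WebEMailExtrac|Microsoft\.URL|Wget|DIIbot|sitecheck\.internetseer\.com|psbot|libwww-perl)|psycheclone|^Mozilla.*NEWT)" \
  "id:900001,phase:1,t:none,deny,status:403,log,msg:'Bad bot blocked by User-Agent'"

# 2. Deny direct requests for .cgi/.pl/.py/.txt files, except /robots.txt.
#    The chain means both conditions must match before the deny fires.
SecRule REQUEST_FILENAME "@rx \.(?:cgi|pl|py|txt)$" \
  "id:900002,phase:1,t:none,deny,status:403,log,msg:'Direct access to script/text file',chain"
  SecRule REQUEST_FILENAME "!@endsWith /robots.txt" "t:none"

# 3. Block direct access to configuration.php and .htaccess anywhere in the tree.
SecRule REQUEST_FILENAME "@rx /(?:configuration\.php|\.htaccess)$" \
  "id:900003,phase:1,t:none,deny,status:403,log,msg:'Direct access to critical file'"

# 4. phpMyAdmin probes: ModSecurity cannot rewrite to index.php the way the
#    RewriteRule does, so the closest equivalent is to deny (404 hides the path).
SecRule REQUEST_FILENAME "@rx (?i)/phpmyadmin" \
  "id:900004,phase:1,t:none,deny,status:404,log,msg:'phpMyAdmin probe'"
```

Placed in a server-wide ModSecurity include, these apply to every account on the VPS, which is what the OP asked for; the User-Agent caveat GameFrame gives applies to rule 900001 just as it does to the .htaccess version.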

  3. #3
    Join Date
    Mar 2009
    Posts
    52
    Thanks for your reply...

    I have checked the bad bot file of ModSec and almost all bots are already present... well...

    Yes, all hosts on my VPS will never have any Perl script, which is the reason why I want to disallow all kinds of Perl. Also because a lot of malicious attacks seem to be written in Perl...

    Yes, for sure... All this is especially to avoid script kiddie problems... A real hacker can always crack any server, I think... He must just have a good reason to spend his time doing that... and the sites/data hosted on my VPS will probably never interest anybody... :-)

    So you think it is not necessary to block direct access to critical files??? In fact the configuration files I have are sensitive... If I am not wrong, setting permissions to 444 can be enough?? My VPS runs suPHP...

    Thanks

  4. #4
    Join Date
    May 2009
    Location
    /dev/null
    Posts
    171
    Quote Originally Posted by dotcom22:
    Thanks for your reply...

    I have checked the bad bot file of ModSec and almost all bots are already present... well...

    Yes, all hosts on my VPS will never have any Perl script, which is the reason why I want to disallow all kinds of Perl. Also because a lot of malicious attacks seem to be written in Perl...

    Yes, for sure... All this is especially to avoid script kiddie problems... A real hacker can always crack any server, I think... He must just have a good reason to spend his time doing that... and the sites/data hosted on my VPS will probably never interest anybody... :-)

    So you think it is not necessary to block direct access to critical files??? In fact the configuration files I have are sensitive... If I am not wrong, setting permissions to 444 can be enough?? My VPS runs suPHP...

    Thanks
    It is actually up to you which way you want to achieve it. You can use either way for sensitive files, or even both .htaccess and chmods if you are really paranoid. chmod 444 actually still grants everyone read access. Let's say your Apache runs as user daemon and your own shell user is, let's say, "testuser". Instead of chmod 444 I suggest: chown testuser filename and then chmod 600 filename. Then the file is also protected against local users, if you have any.

    A file with chmod 444 looks like this: -r--r--r-- 1 root root 6 Aug 27 23:54 onkko

    Even though it's owned by root, anyone can read it if that user has read access to the directory the file is in. But for example with chmod 400 it becomes like this:

    -r-------- 1 root root 6 Aug 27 23:54 onkko

    Now only the root user can read it.

    I don't have experience myself with suPHP or any similar add-ons. ModSecurity is what I know and actually trust; this does not mean others are bad, but you know, once you get used to something and see it working well and getting constantly updated, it's kind of hard to change to something else just like that.
    Last edited by GameFrame; 08-27-2009 at 05:03 PM.
    NiX API - A powerful Anti-Proxy/Anti-Fraud and IP Reputation Lookup API
    nixapi.com

  5. #5
    Greetings:

    Security is best handled by having as many layers of protection as are practical in terms of keeping those layers up to date and monitoring them.

    We recommend mod_security from http://www.modsecurity.org/ as one of those layers.

    mod_security does not replace the need for Joomla and related software users to have solid .htaccess files.

    Thank you.
    ---
    Peter M. Abraham
    LinkedIn Profile

  6. #6
    Join Date
    Mar 2009
    Posts
    52
    Thanks for the reply... Yes, I think the more layers I have, the more secure the server/sites are... Typically I already have many Joomla-oriented layers: ModSec is enabled, I run suPHP and I have set the default .htaccess of Joomla (with the default Joomla security rules and URL mod_rewrite rules) with the rules above included... I'm just afraid of slowing down the sites or creating some conflicts between rules...

    Do you have some more suggestions for setting a solid .htaccess?? In fact, if ModSec already includes bot protection, I probably don't need to set the same in .htaccess... or not?
