Htaccessexample

From e107 Wiki


This page contains three versions of code that does basically the same thing.

  • The first version is a simple .htaccess file that will block a large number of attacks. This is suitable for most e107 sites. It does block access to contact.php, so if you are using the "Contact Us" feature you must rename contact.php to a different file name.
  • The second version is a very aggressive block, suitable for heavily attacked sites. This blocks all POST requests coming from outside the site, which will prevent some services such as PayPal from working. If you are running an e-commerce site, you should probably use the first version. Like the first version, this block requires the Apache "mod_rewrite" module; most hosts have this module installed by default.
  • The third version (lower down) is an aggressive block for Apache servers that lack mod_rewrite.

NOTE: This code will ONLY WORK on Apache servers that make use of .htaccess files and have such enabled. If you are a server owner, add the code to your httpd.conf file instead. Depending on your server setup you might also want to look at your "apache22/vhosts" files where more detailed configuration per domain hosted can be done.

Copy and paste the contents of one of the code windows below into a file named .htaccess in the root of your e107 CMS installation. Make sure that the file permissions of this file are set to chmod 0644. Do not paste this into the file named e107.htaccess; that file is merely an example file.

Important Notes for New Users

1. If you've just come here looking for how to fix a hacked e107 site, you should know that these .htaccess scripts won't help you if you haven't upgraded to the current e107 version! You must install 0.7.22. If you're running anything less, you will get hacked. This .htaccess is only to help mitigate Denial-of-Service attacks.

2. You should check first to see if your web host already has provided an .htaccess file for your account. If so, do not replace it, as it is probably necessary for your site to function. Instead, add these rules to your existing .htaccess file.

VERSION 1 - SIMPLE, REQUIRES MOD_REWRITE

# ERROR PAGE
ErrorDocument 404 /404.html
ErrorDocument 403 default

# Turn rewrite engine on and set base
RewriteEngine On
RewriteBase /

# 2. Redirect all access to the following user agents and files
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/4\.76\ \[ru\]\ \(X11;\ U;\ SunOS\ 5\.7\ sun4u\) [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0$ [OR]
RewriteCond %{HTTP_USER_AGENT} (Bot\ Search|kangen|CaSpEr|MaMa|crew|plaNETWORK|dex|perl\ post$) [NC,OR]
RewriteCond %{REQUEST_URI} (contact\.php|help_us\.php|\.htaccess)
RewriteRule .* http://%{REMOTE_ADDR}/ [R,L]

# 3. Deny access to requests with contact.php or help_us.php in the query
# string, UNLESS those are referred from our own site (e.g. search)
RewriteCond %{QUERY_STRING} (contact\.php|help_us\.php|casper)
RewriteCond %{HTTP_REFERER} !^http://(.*\.)?your_site\.com [NC]
RewriteRule .* - [F,L]

EXPLANATION OF THE CODE:

  • The first line assumes there is a file 404.html present in your root folder. This is the "404 File Not Found" message. Using an HTML file will help to lower the use of bandwidth of your e107 website in case there are (lots of) errors raised.
  • The second line uses Apache's built-in default message for "403 Forbidden" errors. This will reduce bandwidth and disk access.
  • The next block with RewriteCond and RewriteRule will sort out the visiting user agents and file requests. The script will search for each user agent as specified. (User agents "Casper Bot Search" and "dex Bot Search" are both covered by "Bot Search".) The last RewriteCond checks for attempts to access the files contact.php, help_us.php, or .htaccess. If the request is for a prohibited file, or from a prohibited user agent, the request is redirected back to the attacker's own computer at REMOTE_ADDR. To do this, your server will send a "302 redirect" message to the attacker. You can (if you want) change the line
    RewriteRule .* http://%{REMOTE_ADDR}/ [R,L]
    to
    RewriteRule .* - [F,L]
    if you would rather send a "403 Forbidden" response. Either of these messages will likely be ignored by the attacker, and either one uses roughly the same amount of your server and router resources.
  • The final block will check for "contact.php" or "help_us.php" in the query string of the request. These are attacks of the form http://www.your_site.com/some_file.php?contact.php (the part after the question mark is the query string). The second RewriteCond will allow those query strings if the request comes from your own site, which can happen if someone types "contact.php" into your search box. You must change "your_site\.com" to your own domain name, with a backslash before the period (like "e107\.org" for example). This block will send a 403 Forbidden response to a prohibited query.

The [OR], [NC], [F,L] and [R,L] are Apache rewrite flags, which mean:

[OR] - Either this condition OR the next condition will satisfy the rule. (If you don't specify OR, the default for RewriteConds is AND.)

[NC] - No Case: the match is not case sensitive

[F] - Forbid the request (send a 403 Forbidden response)

[R] - Redirect the request (send a 302 Redirect response)

[L] - make this the Last rewrite rule. If this rule is satisfied, skip all following rules.

If you are using the "Contact Us" feature, you must rename your contact.php to something else. If you rename contact.php you must rename e107_languages/English/lan_contact.php accordingly, and adjust Admin > Site Links accordingly as well by editing your 'Contact' entry 'Link URL'.

Instead of renaming the contact page, you can create your own standalone contact page.


VERSION 2 - AGGRESSIVE, REQUIRES MOD_REWRITE

# e107 .htaccess script for hosts with mod_rewrite
# If e107 is not installed in the document root, then make RewriteBase
#   RewriteBase /your-e107-folder/
ErrorDocument 404 /404.html
ErrorDocument 403 default
RewriteEngine on
RewriteBase /

# 1. Deny access to all POST requests, except to certain files and folders
# when referred from our site.  e107_admin (or whatever you have renamed
# it to) MUST be permitted.  If you're not using news.php as your site's
# main page, add your main page (e.g. page.php) to the permitted list.
# NOTE: IF you are using PayPal payments, omit the following four lines!
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} !^/?(news\.php|signup\.php|e107_admin/|e107_plugins/forum/|e107_plugins/.*/.*config\.php)
RewriteCond %{HTTP_REFERER} !^http://(.*\.)?your_site\.com [NC]
RewriteRule .* - [F,L]

# 2. Redirect all access to the following user agents and files
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/4\.76\ \[ru\]\ \(X11;\ U;\ SunOS\ 5\.7\ sun4u\) [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0$ [OR]
RewriteCond %{HTTP_USER_AGENT} (Bot\ Search|kangen|CaSpEr|MaMa|crew|plaNETWORK|dex|perl\ post$) [NC,OR]
RewriteCond %{REQUEST_URI} (contact\.php|help_us\.php|\.htaccess)
RewriteRule .* http://%{REMOTE_ADDR}/ [R,L]

# 3. Deny access to requests with contact.php or help_us.php in the query
# string, UNLESS those are referred from our own site (e.g. search)
RewriteCond %{QUERY_STRING} (contact\.php|help_us\.php|casper)
RewriteCond %{HTTP_REFERER} !^http://(.*\.)?your_site\.com [NC]
RewriteRule .* - [F,L]

# 4. Redirect empty user agent, UNLESS it's accessing the RSS feed
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteCond %{REQUEST_URI} !^/?e107_plugins/rss_menu/rss\.php
RewriteRule .* http://%{REMOTE_ADDR}/ [R,L]

# 5. Deny access to these files UNLESS referred from our site.
RewriteCond %{REQUEST_URI} ^/?(top|download|user|search|submitnews|fpw)\.php
RewriteCond %{HTTP_REFERER} !^http://(.*\.)?your_site\.com [NC]
RewriteRule .* - [F]

EXPLANATION OF THE CODE:

The first part of this script, and blocks 2 and 3, are the same as for the simple version, described above. You should have a file 404.html in your document root folder.

  • Block #1 rejects POST requests. POST attacks tend to be huge and bog down the server. The second line lists files and folders for which POST requests will be permitted. Your site's front page (e.g. news.php) must be one of these, or users won't be able to log in. e107_admin/ must also be in this list, or you won't be able to do any administration tasks, most of which use POST. signup.php is included so that new users can register, and e107_plugins/forum/ so that users can post in the forum. NOTE: If you have renamed e107_admin and e107_plugins to different names, you will have to adjust the .htaccess file to match. You may need to add other exceptions. The third line requires that POST requests come from internal site links -- change your_site\.com to your domain name. If you have too many problems with your users, or you, getting "403 Forbidden" messages, try deleting this first rule block entirely. NOTE: This block may prevent PayPal from linking back to your site. If you are using PayPal for e-commerce, you should delete this block.
  • Block #4 rejects any requests with an empty (null) user agent, unless it's attempting to access the RSS feed. (Some RSS readers -- in particular, e107's newsfeed reader -- send an empty user agent.) These get redirected back to the originating server.
  • Block #5 rejects access to the six most-attacked "legitimate" e107 pages, unless the request comes from an internal site link. (By now you should have renamed contact.php to something else, so it's not on this list.) These get a 403 Forbidden message.

In blocks #1, #3, and #5, change your_site\.com to your actual domain name.

VERSION 3 - CAN WORK WITHOUT MOD_REWRITE

If your server does not have mod_rewrite enabled you can use the following code.

# e107 .htaccess script for hosts with mod_access and mod_setenvif
ErrorDocument 404 /404.html
ErrorDocument 403 default
Order Allow,Deny
allow from all

# 1. Deny access to all POST requests, except to certain files and folders
# when referred from our site.  This can be overridden by <Limit> commands
# in subfolder .htaccess files.  e107_admin (or whatever you have renamed
# it to) MUST be permitted.  If you're not using news.php as your site's
# main page, add your main page (e.g. page.php) to the permitted list.
# NOTE: If you are using PayPal payments, omit the following eight lines!
SetEnvIfNoCase Request_Method POST  BAD_POST_REFERER BAD_POST_URI
SetEnvIfNoCase Referer "^http://(.*\.)?your_site\.com" !BAD_POST_REFERER
SetEnvIf Request_URI "^/?(news\.php|signup\.php|e107_admin/|e107_plugins/forum/|e107_plugins/.*/.*config\.php)" !BAD_POST_URI
<Limit POST>
Order Deny,Allow
Deny from env=BAD_POST_REFERER
Deny from env=BAD_POST_URI
</Limit>

# 2. Deny all access to the following user agents and files
SetEnvIf User-Agent "^Mozilla/4\.76\ \[ru\]\ \(X11;\ U;\ SunOS\ 5\.7\ sun4u\)"  BAD_BOT
SetEnvIf User-Agent "^Mozilla/5\.0$"  BAD_BOT
SetEnvIfNoCase User-Agent "(Bot\ Search|kangen|CaSpEr|MaMa|crew|plaNETWORK|dex|perl\ post$)"  BAD_BOT
Deny from env=BAD_BOT

<Files .htaccess>
Deny from all
</Files>

<Files contact.php>
Deny from all
</Files>

<Files help_us.php>
Deny from all
</Files>

# 3. Deny access to requests with contact.php or help_us.php in the query
# string, UNLESS those are referred from our own site (e.g. search)
# NOT POSSIBLE WITH MOD_ACCESS - REQUIRES MOD_REWRITE

# 4. Deny access to empty user agent, UNLESS it's accessing the RSS feed
SetEnvIf User-Agent "^$"  NULL_AGENT
SetEnvIf Request_URI "^/?e107_plugins/rss_menu/rss\.php" !NULL_AGENT
Deny from env=NULL_AGENT

# 5. Deny access to these files UNLESS referred from our site.
SetEnvIf Request_URI "^/?(top|download|user|search|submitnews|fpw)\.php" ATTACKED_FILES
SetEnvIfNoCase Referer "^http://(.*\.)?your_site\.com" !ATTACKED_FILES
Deny from env=ATTACKED_FILES

EXPLANATION OF THE CODE:

  • As usual, the first line assumes there is a file 404.html present in your root folder. You must create this file yourself and upload it to the public_html directory of your site.
  • Blocks #1 through #5 correspond to the mod_rewrite rules, documented above.
  • Block #1 is a bit complex. (Essentially this is because mod_access can do a logical "OR" but not a logical "AND".) If the request is a POST it will set two flags, BAD_POST_REFERER and BAD_POST_URI. If the HTTP referer is your own site, the BAD_POST_REFERER flag is cleared. If the request URI is for one of the pages which are permitted to receive POST requests, the BAD_POST_URI flag is cleared. Only if both the BAD_POST_REFERER and the BAD_POST_URI flags are cleared will the request be allowed; otherwise "Deny" will send a 403 Forbidden response. Note that this is stricter than block #1 of version 2: there a POST is allowed if it is referred from your site OR targets a permitted file, whereas here it must satisfy both conditions. (Advanced .htaccess programmers will observe that for POST requests the order has been changed to Deny,Allow. This allows .htaccess rules in subfolders to override this rule and allow more POST requests.)
  • Block #2 sets the BAD_BOT flag if a forbidden user agent is detected, and then sends a Deny response (403 Forbidden) to any such agent. It also explicitly denies access to .htaccess, contact.php, and help_us.php.
  • Block #3: there is no block #3! It can't be implemented with just mod_access and mod_setenvif.
  • Block #4 sets the NULL_AGENT flag if the request's user agent is empty. But if the request is for the RSS feed, the NULL_AGENT flag is then cleared (to permit the request).
  • Block #5 sets the ATTACKED_FILES flag if the request is for any of the frequently-attacked e107 files (top.php, download.php, user.php, search.php, submitnews.php, or fpw.php). But if the request comes from an internal site link, the ATTACKED_FILES flag is cleared, to permit the request.

In blocks #1 and #5, change your_site\.com to your actual domain name.
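To see what these rule blocks actually decide for a given request, here is an added Python model of the version 2 rule chain and of version 3's POST block (example code written for this page, not part of e107 or the wiki). It reuses the page's own regular expressions, keeps your_site\.com as the placeholder domain, and runs a few constructed sample requests, including the bot request shown under TESTING, to show where the two versions differ.

```python
import re
# your_site\.com is the page's placeholder; substitute your own domain.
OWN_SITE = re.compile(r"^http://(.*\.)?your_site\.com", re.I)
PERMITTED_POST = re.compile(r"^/?(news\.php|signup\.php|e107_admin/|e107_plugins/forum/|e107_plugins/.*/.*config\.php)")
BAD_AGENTS = [re.compile(r"^Mozilla/4\.76 \[ru\] \(X11; U; SunOS 5\.7 sun4u\)"),
              re.compile(r"^Mozilla/5\.0$"),
              re.compile(r"(Bot Search|kangen|CaSpEr|MaMa|crew|plaNETWORK|dex|perl post$)", re.I)]
PROTECTED = re.compile(r"(contact\.php|help_us\.php|\.htaccess)")
BAD_QUERY = re.compile(r"(contact\.php|help_us\.php|casper)")
RSS = re.compile(r"^/?e107_plugins/rss_menu/rss\.php")
ATTACKED = re.compile(r"^/?(top|download|user|search|submitnews|fpw)\.php")

def version2(method, uri, query="", ua="", referer=""):
    """Walk version 2's five blocks in order for one request (uri is the path only,
    like %{REQUEST_URI}; query is the text after '?'). Returns '403', '302' or 'allow'."""
    own = bool(OWN_SITE.match(referer))
    if method == "POST" and not PERMITTED_POST.match(uri) and not own:
        return "403"    # block 1
    if any(p.search(ua) for p in BAD_AGENTS) or PROTECTED.search(uri):
        return "302"    # block 2: redirected back to REMOTE_ADDR
    if BAD_QUERY.search(query) and not own:
        return "403"    # block 3
    if ua == "" and not RSS.match(uri):
        return "302"    # block 4
    if ATTACKED.match(uri) and not own:
        return "403"    # block 5
    return "allow"

def version3_post_denied(method, uri, query="", ua="", referer=""):
    """Version 3 block 1: a POST sets BAD_POST_REFERER and BAD_POST_URI, each flag is
    cleared separately, and Deny fires if either one remains. A POST therefore passes
    only when it is BOTH referred from our site AND aimed at a permitted file."""
    if method != "POST":
        return False
    return not OWN_SITE.match(referer) or not PERMITTED_POST.match(uri)

# Constructed samples as (method, uri, query, user agent, referer); first is TESTING's bot.
SAMPLES = {
    "bot_post_contact": ("POST", "/contact.php", "", "Casper Bot Search", ""),
    "empty_ua_index": ("GET", "/index.php", "", "", ""),
    "empty_ua_rss": ("GET", "/e107_plugins/rss_menu/rss.php", "", "", ""),
    "external_post_news": ("POST", "/news.php", "", "Mozilla/5.0 (X11)", "http://other.example/"),
    "own_search_query": ("GET", "/search.php", "contact.php", "Foo", "http://www.your_site.com/"),
    "external_search_query": ("GET", "/search.php", "contact.php", "Foo", ""),
}

def classify_all():
    """Map each sample name to (version 2 outcome, does version 3's POST block deny it?)."""
    return {n: (version2(*r), version3_post_denied(*r)) for n, r in SAMPLES.items()}
```

The external_post_news sample is the one to watch: version 2 lets a POST to news.php through on the strength of the permitted URI alone, while version 3's POST block still denies it because the referer is not your site.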


TESTING

If you want to test this code, add it to your .htaccess file and watch your server's access log. If it works correctly you should see the bot's request being logged with a 403 (or 302) status. Something like:

143.107.142.226 - - [02/Jul/2010:14:24:27 +0400] "POST /contact.php HTTP/1.1" 403 298 "-" "Casper Bot Search"


Note the time. In this case it is 14:24:27.


Now open your site's error log and you should see an entry with the same timestamp stating that the bot's request has been denied. Something like:

[Fri Jul 02 14:24:27 2010] [error] [client 143.107.142.226] client denied by server configuration:


It is important to note that this script does not stop the attacking traffic from reaching your network; it only denies the request once it arrives at the web server. To relieve the load on your router and connection, you will need to add the attacking IP addresses to your firewall's block list.


Back to "How can I 'harden' or improve e107 security?"

Back to FAQ
