UnixServerAdmin

Server Administration & Management

How to stop your website being injected by hackers using .htaccess

Nowadays it is very easy for any forum to get injected. You can secure your forum by using the following code in your .htaccess:

# Worm sign
BrowserMatchNoCase SpammerRobot bad_bot
BrowserMatchNoCase SecurityHoleRobot bad_bot

# spam bots
SetEnvIfNoCase User-Agent "^EmailSiphon" bad_bot
SetEnvIfNoCase User-Agent "^EmailWolf" bad_bot
SetEnvIfNoCase User-Agent "^ExtractorPro" bad_bot
SetEnvIfNoCase User-Agent "^CherryPicker" bad_bot
SetEnvIfNoCase User-Agent "^NICErsPRO" bad_bot
SetEnvIfNoCase User-Agent "^Teleport" bad_bot
SetEnvIfNoCase User-Agent "^EmailCollector" bad_bot

# plagiarism bot
SetEnvIfNoCase User-Agent "^TurnitinBot" bad_bot

# IP bot
SetEnvIfNoCase User-Agent "^NPBot" bad_bot

# Worm sign (scripted libwww-perl clients)
SetEnvIfNoCase User-Agent "^LWP::Simple" bad_bot
SetEnvIfNoCase User-Agent "^lwp-trivial" bad_bot
SetEnvIfNoCase User-Agent "^lwp" bad_bot
SetEnvIfNoCase User-Agent "^LWP" bad_bot

# Anti-Clickjacking Defence (needs mod_headers)
<IfModule mod_headers.c>
Header append X-Frame-Options "DENY"
</IfModule>

# Deny every request flagged as bad_bot above
Order Deny,Allow
Deny from env=bad_bot
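Before deploying these rules it is worth knowing what they will and will not catch. The following is an added example, not part of the original post: it mirrors the two matching modes in Python (SetEnvIfNoCase User-Agent "^X" is an anchored, case-insensitive prefix match, while BrowserMatchNoCase "X" matches anywhere in the User-Agent) and runs them over a few constructed access-log lines in Apache's combined format. The IPs and log lines are made up for the demonstration.

```python
import re

# User-Agent patterns copied from the .htaccess above.
# SetEnvIfNoCase User-Agent "^X" anchors at the start of the header;
# BrowserMatchNoCase "X" matches the string anywhere in it.
ANCHORED = ["EmailSiphon", "EmailWolf", "ExtractorPro", "CherryPicker", "NICErsPRO",
            "Teleport", "EmailCollector", "TurnitinBot", "NPBot",
            "LWP::Simple", "lwp-trivial", "lwp", "LWP"]
UNANCHORED = ["SpammerRobot", "SecurityHoleRobot"]

BAD_BOT = re.compile(
    "|".join([f"^(?:{re.escape(p)})" for p in ANCHORED]
             + [re.escape(p) for p in UNANCHORED]),
    re.IGNORECASE,
)

# Apache "combined" log format; the User-Agent is the last quoted field.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges), not a real log.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Apr/2012:10:00:01 +0000] "GET /forum/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/11.0"
203.0.113.11 - - [28/Apr/2012:10:00:02 +0000] "GET /forum/memberlist.php HTTP/1.1" 200 8192 "-" "EmailSiphon/1.0"
198.51.100.7 - - [28/Apr/2012:10:00:03 +0000] "POST /forum/posting.php HTTP/1.1" 200 300 "-" "lwp-request/6.03 libwww-perl/6.03"
198.51.100.8 - - [28/Apr/2012:10:00:04 +0000] "GET /forum/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; SpammerRobot/2.1)"
192.0.2.5 - - [28/Apr/2012:10:00:05 +0000] "GET /forum/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; EmailSiphon)"
"""


def is_bad_bot(user_agent):
    """True if the .htaccess rules above would set bad_bot for this User-Agent."""
    return BAD_BOT.search(user_agent) is not None


def denied_requests(log_text):
    """Return (ip, user_agent) for every parsed line the rules would deny."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if is_bad_bot(m.group("ua")):
            hits.append((m.group("ip"), m.group("ua")))
    return hits


if __name__ == "__main__":
    for ip, ua in denied_requests(SAMPLE_LOG):
        print(f"deny {ip:15} {ua}")
```

Note the last sample line: a User-Agent that merely contains "EmailSiphon" is not denied, because the SetEnvIfNoCase patterns are anchored with ^. If you want a substring match, use BrowserMatchNoCase or drop the anchor, and run the script over your real access log first to see how many requests the change would affect.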


April 28, 2012 | htaccess, Security

WordPress default .htaccess file

The default WordPress .htaccess file is as follows:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

April 26, 2012 | htaccess, WordPress

How To redirect a main-domain to sub-domain using .htaccess

Here is the .htaccess code for redirecting the main domain http://unixserveradmin.com to the sub-domain http://unixserveradmin.com/linux:

Options +FollowSymLinks
RewriteEngine on
RewriteCond %{HTTP_HOST} ^unixserveradmin\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.unixserveradmin\.com$
# RewriteCond only applies to the RewriteRule that follows it, so the
# redirect has to be a RewriteRule rather than a RedirectMatch
RewriteRule ^/?$ http://www.unixserveradmin.com/linux [R=301,L]

April 24, 2012 | htaccess

How to parse PHP in HTML pages using .htaccess

You can use the following code in the .htaccess file to have PHP parse .html and .htm pages:

RemoveHandler .html .htm
AddType application/x-httpd-php .php .htm .html

To check whether the above code is working, create a test page with the following content:

# vim test.html

<html>
<head></head>
<body>
<h1>
<?php echo "WORKING FINE!"; ?>
</h1>
</body>
</html>

April 22, 2012 | htaccess, PHP

How to redirect all users except your IP using .htaccess

Sometimes you do not want visitors to see what you are doing, so you set up a temporary blog at temp.mydomain.com. All you then need to do is redirect all visitors to that domain while allowing yourself to stay on the main domain, http://www.mydomain.com, and continue your maintenance work.

The solution is simple: create a .htaccess file in the root folder of your main domain containing the following:

RewriteEngine on
# do not redirect the /temp folder, where the subdomain's files live
RewriteCond %{REQUEST_URI} !^/temp
# do not redirect your own IP address (the condition is a regex, so dots are escaped)
RewriteCond %{REMOTE_ADDR} !^12\.345\.678\.901$
RewriteRule (.*) http://temp.mydomain.com/$1 [R=301,L]

It really is that simple to redirect all visitors, except your own IP, to a subdomain. The rules above do the following:

1. Turn on the rewrite engine (no need to do this if it is already on in your .htaccess).
2. Exclude the folder /temp from the rewrite (this is where the files for the subdomain are stored).
3. Exclude the IP address 12.345.678.901 from the rewrite rule (you can find out your IP address by visiting whatismyip).
4. Redirect everything else (.*) to the subdomain http://temp.mydomain.com.

All you need to do is swap in the folder for your subdomain files, your IP address, and your subdomain address. Simple as that!

April 20, 2012 | Firewall, htaccess

How to enable private PHP error logging by using .htaccess

To hide PHP errors from visitors, insert the following code in the .htaccess file:

# Disable php errors
php_flag display_startup_errors off
php_flag display_errors off
php_flag html_errors off

Once error display is disabled for visitors, enable private PHP error logging with the following code in the .htaccess file:

# enable PHP error logging
php_flag log_errors on
php_value error_log /home/path/public_html/domain/PHP_errors.log

The PHP_errors.log file needs permissions 755 or 777.

April 18, 2012 | htaccess, PHP

How to change PHP settings for a single hosting account using .htaccess

We can change the PHP settings for a single hosting account by using the following code in the .htaccess file. There are a few values that commonly need to be changed for a specific script. Use the following lines in .htaccess to change the values as per your requirement.

# Keep only the lines your script actually needs.
php_flag register_globals On
php_flag magic_quotes_gpc off
php_flag magic_quotes_runtime Off
php_flag session.use_trans_sid off
php_flag session.use_only_cookies on
php_flag session.use_cookies on
php_flag session.bug_compat_warn off
php_flag engine off

# php_admin_flag / php_admin_value are rejected in .htaccess (Apache answers 500);
# safe_mode can only be changed in httpd.conf or php.ini.
# php_admin_flag safe_mode Off

php_value post_max_size 20971520
php_value max_execution_time 600
php_value upload_max_filesize 12M
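A .htaccess full of php_value and php_flag lines is easy to get wrong, and a wrong line either takes the site down with a 500 or quietly weakens it. The following is an added example, not code from the original posts: a small Python linter that reads the php_* directives from a .htaccess file and reports the three problems that matter most here, namely php_admin_* directives (which Apache refuses in .htaccess), settings that are risky when switched on (register_globals, display_errors, allow_url_include), and an error_log placed inside the document root, where it can be downloaded by anyone. The sample .htaccess text and the document root path are constructed for the demonstration.

```python
import re
from pathlib import PurePosixPath

PHP_DIRECTIVE = re.compile(
    r"^\s*(php_value|php_flag|php_admin_value|php_admin_flag)\s+(\S+)\s+(.+?)\s*$",
    re.IGNORECASE,
)
# Settings that widen the attack surface when switched on.
RISKY_WHEN_ON = {"register_globals", "display_errors", "display_startup_errors",
                 "allow_url_include"}


def _is_on(value):
    return value.strip().strip('"').lower() in {"1", "on", "true", "yes"}


def lint_php_directives(htaccess_text, document_root):
    """Return [(line_no, message)] for php_* lines that will break or weaken the site."""
    findings = []
    root = PurePosixPath(document_root)
    for n, raw in enumerate(htaccess_text.splitlines(), 1):
        m = PHP_DIRECTIVE.match(raw)
        if not m:
            continue
        directive, name, value = m.group(1).lower(), m.group(2).lower(), m.group(3)
        if directive.startswith("php_admin_"):
            # php_admin_* is only accepted in httpd.conf / vhost context;
            # in .htaccess Apache fails the request with a 500.
            findings.append((n, f"{directive} is not allowed in .htaccess; use "
                                f"{directive.replace('_admin', '')} or set it in httpd.conf"))
        if name in RISKY_WHEN_ON and _is_on(value):
            findings.append((n, f"{name} is switched on"))
        if name == "error_log":
            log = PurePosixPath(value.strip().strip('"'))
            if root in log.parents:  # the log lives under the web root
                findings.append((n, f"error_log {log} is reachable over the web at "
                                    f"/{log.relative_to(root)}"))
    return findings


# Constructed sample, assembled from lines like the ones in the posts above.
SAMPLE_HTACCESS = """\
# Disable php errors
php_flag display_startup_errors off
php_flag display_errors off
php_flag log_errors on
php_value error_log /home/user/public_html/domain/PHP_errors.log
php_flag register_globals On
php_admin_flag safe_mode Off
"""

if __name__ == "__main__":
    for line_no, msg in lint_php_directives(SAMPLE_HTACCESS, "/home/user/public_html"):
        print(f"line {line_no}: {msg}")
```

The document root is passed in explicitly because the linter cannot know it from the file alone; on a cPanel-style host it is usually /home/USER/public_html. Moving the error log one directory up, outside public_html, clears the last finding.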

April 16, 2012 | htaccess, PHP

How to block or allow IPs using .htaccess

Suppose you have a site example.com, and in the document root of example.com you have a directory “admin” to which you want to restrict access, while still allowing clients from certain IPs.

You can do this by creating a .htaccess file under the “admin” directory.

# vim .htaccess (the file can look like this)

===================
Order Deny,Allow
Deny from all
Allow from IP_address1
Allow from IP_address2
Allow from IP_address3
Allow from IP_address4
Allow from IP_address5
===================

example.com/admin/ will then only be accessible from IP_address1-5.
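Apache accepts more than plain addresses after Allow from: a partial address such as 203.0.113 stands for the whole 203.0.113.0/24, and CIDR notation works too. A typo in that list silently locks out the wrong people, so it pays to validate it and test a few client addresses before uploading. The following is an added example, not part of the original post: it emulates the Order Deny,Allow / Deny from all / Allow from ... decision in Python and generates the .htaccess text, refusing any entry that does not parse. The allowlist uses documentation ranges and is constructed for the demonstration.

```python
import ipaddress


def parse_allow(entry):
    """Turn one 'Allow from' argument into an ip_network (full IP, partial IP, or CIDR)."""
    entry = entry.strip()
    if "/" in entry or ":" in entry:
        return ipaddress.ip_network(entry, strict=False)
    octets = entry.split(".")
    if 1 <= len(octets) <= 4 and all(o.isdigit() for o in octets):
        # Apache treats a partial address like 203.0.113 as the whole /24.
        padded = octets + ["0"] * (4 - len(octets))
        return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}", strict=False)
    raise ValueError(f"unsupported Allow from entry: {entry!r}")


def is_allowed(client_ip, allow_entries):
    """Emulate 'Order Deny,Allow / Deny from all / Allow from ...' for one client."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in parse_allow(e) for e in allow_entries)


def render_htaccess(allow_entries):
    """Produce the .htaccess text, validating every entry first."""
    for e in allow_entries:
        parse_allow(e)  # raises ValueError on a typo before the file reaches the server
    lines = ["Order Deny,Allow", "Deny from all"]
    lines += [f"Allow from {e.strip()}" for e in allow_entries]
    return "\n".join(lines) + "\n"


# Constructed allowlist (documentation ranges), standing in for IP_address1-5.
ALLOW = ["203.0.113.5", "198.51.100.0/28", "192.0.2"]

if __name__ == "__main__":
    print(render_htaccess(ALLOW))
    for client in ("203.0.113.5", "203.0.113.6", "198.51.100.9", "198.51.100.20"):
        print(client, "allowed" if is_allowed(client, ALLOW) else "denied")
```

Order/Allow/Deny belong to Apache 2.2; on Apache 2.4 the same thing is written as Require ip 203.0.113.5 198.51.100.0/28 192.0.2, and the old directives only keep working while mod_access_compat is loaded.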

February 16, 2012 | Apache, htaccess

Client denied by Server Configuration

Here is the error in the Apache logs:

[mon nov 28 12:4:38 2011] [error] [client 223.143.133.66] client denied by server configuration: /home/<username>/public_html/index.php

Solution: create a .htaccess file under the public_html directory of the problematic account, or comment out the entry Deny from all in the existing .htaccess file.

# touch /home/<username>/public_html/.htaccess

# vi /home/<username>/public_html/.htaccess
——————
<Files *.php>
Order Deny,Allow
#Deny from all
</Files>
——————

Try to reload the page now; the issue should be fixed.

November 1, 2011 | Apache, htaccess

How to password protect a directory through a .htaccess file

There are two files you need to create that work together to make a folder password protected on a Linux hosted website.

In the folder that you need to protect, you need to place a file called .htaccess which contains instructions for the webserver to make that folder protected.

In the top level of your site you need to place a file called .htpasswd. The top level of your site is the same directory that your www and cgi-bin directories sit in. This file contains the usernames and their respective encrypted passwords, stored one per line.

Note: the dot at the beginning of .htaccess and .htpasswd signifies a hidden file on the Linux server, so your FTP program may not always be able to see or handle them. We recommend you follow these steps carefully.

1. Enter the username you want to use for the password protected folder.
2. Enter the cleartext password you want to use for that user on the password protected folder.
3. Click Submit.

.htpasswd
1. In a text editor, create a file called htpasswd.txt.
2. Copy and paste this text into the file. If you need multiple users and passwords, repeat the above submit and paste each entry in, one per line.
3. Save the file.
4. FTP into your web area.
5. Ensure you are in the top level directory of your site (i.e. above the www directory).
6. Upload htpasswd.txt.
7. Rename the file to .htpasswd

.htaccess
1. In a text editor, create a file called htaccess.txt.
2. Copy and paste this text into the file.
3. Save the file.
4. FTP into your web area.
5. Ensure you are in the directory that you wish to password protect.
6. Upload htaccess.txt.
7. Rename htaccess.txt to .htaccess

Notes
1. The . in front of files on Linux servers specifies that it is a hidden file, so you may not see it after you rename it.
2. As soon as you rename htaccess.txt to .htaccess, it will start attempting to password protect that directory.
3. The directives inside a .htaccess file take effect for the directory you upload it to and any of its subdirectories. If the .htaccess file is in your www directory, its directives will apply across your entire site.
4. When you are testing the password protection, it is common for .htaccess details to be cached by your browser. If it is not working as expected, close the browser and use a new one to test again.
5. Visit httpd.apache.org for more info on .htaccess.
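The post says the .htpasswd file holds usernames and their encrypted passwords, one per line, but does not show how an entry is built or how to tell a weak one from a strong one. The following is an added example, not part of the original post: it builds a user:{SHA}... line in the format that htpasswd -s writes, verifies a password against such a line in constant time, and audits a whole file to report which hash scheme each user is on. The sample file is constructed for the demonstration; the bcrypt value in it is a labelled placeholder, not a real hash.

```python
import base64
import hashlib
import hmac

# Prefixes written by htpasswd -B (bcrypt) and htpasswd -m (Apache MD5).
STRONG_PREFIXES = ("$2y$", "$2a$", "$2b$", "$apr1$")


def sha_entry(username, password):
    """Build a 'user:{SHA}...' line in the format htpasswd -s writes."""
    if ":" in username or not username:
        raise ValueError("username must be non-empty and may not contain ':'")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{username}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def verify_sha(stored_hash, password):
    """Check a password against a {SHA} hash without a timing side channel."""
    expected = sha_entry("x", password).split(":", 1)[1]
    return hmac.compare_digest(stored_hash, expected)


def parse_htpasswd(text):
    """Map usernames to stored hashes, skipping blank and comment lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        entries[user] = stored
    return entries


def hash_scheme(stored_hash):
    """Classify an entry by its prefix; anything unrecognised is crypt(3) or plain text."""
    if stored_hash.startswith(STRONG_PREFIXES):
        return "bcrypt/apr1"
    if stored_hash.startswith("{SHA}"):
        return "sha1"
    return "crypt/plain"


def audit_htpasswd(text):
    """Return {user: scheme} so entries still on SHA-1 or crypt can be re-hashed."""
    return {u: hash_scheme(h) for u, h in parse_htpasswd(text).items()}


# Constructed file; the bcrypt value is a placeholder, not a real hash.
SAMPLE_HTPASSWD = "\n".join([
    "# users for /private",
    sha_entry("alice", "password"),
    "bob:$2y$05$PLACEHOLDERbcrypthashPLACEHOLDERbcrypthashPLACEHOLDERbcryp",
    "carol:plaintextpassword",
])

if __name__ == "__main__":
    for user, scheme in audit_htpasswd(SAMPLE_HTPASSWD).items():
        print(f"{user:8} {scheme}")
```

{SHA} is shown because it needs nothing beyond the standard library; on the server itself the stronger choice is bcrypt, created with htpasswd -B -c /path/above/www/.htpasswd alice, which is why the audit reports SHA-1 and crypt entries separately from bcrypt and apr1 ones. Keep the file above the web root as the post describes, so it can never be fetched with a browser.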

June 8, 2011 | Apache, htaccess

How to Redirect from http://domain.com to http://www.domain.com

If you want to redirect your domain from http://domain.com to http://www.domain.com, add the following lines to the .htaccess file of the domain for which you want to set up the redirection:

============================================================
RewriteEngine on
RewriteCond %{HTTP_HOST} ^domain\.com$ [NC]
RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L]
============================================================

June 7, 2011 | Apache, htaccess

How to enable the PHP global registry using .htaccess

Please follow these steps to enable the PHP global registry (register_globals) for your domain using the .htaccess file:

1. Open .htaccess
2. Include these lines:

==========================
php_value register_globals 1
php_value session.save_path /tmp
==========================

May 26, 2011 | htaccess, PHP

How to disable Mod_Security using .htaccess file

We can disable mod_security through .htaccess: edit the .htaccess file and add the following lines (the IfModule wrapper avoids a 500 error on servers where the module is not loaded):

================
<IfModule mod_security.c>
SecFilterEngine off
</IfModule>
================

May 24, 2011 | Apache, htaccess, Mod_Security

How to remove the .html extension from the URLs using .htaccess

If you want to remove the .html extension from URLs, just add the code below to the .htaccess file:

===============================
Options +FollowSymLinks
Options +Indexes
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-d
# only rewrite when the matching .html file actually exists
RewriteCond %{REQUEST_FILENAME}\.html -f
RewriteRule ^([^.]+)$ $1.html [NC,L]
===============================

That's all; this will do it.

May 22, 2011 | Apache, htaccess

How to remove the .php extension from the URLs using .htaccess

If you want to remove the .php extension from URLs, just add the code below to the .htaccess file:

================================
Options +FollowSymLinks
Options +Indexes
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-d
# only rewrite when the matching .php file actually exists
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^([^.]+)$ $1.php [NC,L]
================================

That's all; this will do it.
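The two extension-stripping posts above use the same rule set, so one worked example serves both. The following is an added example, not part of either post: it emulates in Python what the rule set does for a request path, against a constructed directory tree standing in for the files next to the .htaccess. It skips directories (the !-d condition), only touches paths with no dot anywhere in them (the ^([^.]+)$ pattern), and only rewrites when the target file exists, which is the check you want in place before turning the rule on. The file and directory names are made up.

```python
import re

# The RewriteRule pattern from the posts: a path containing no dot at all.
EXTENSIONLESS = re.compile(r"^([^.]+)$")

# Constructed directory tree: what would sit on disk next to the .htaccess.
FILES = {"about.php", "contact.php", "docs/index.php", "readme.txt"}
DIRS = {"docs", "images"}


def rewrite(request_path, ext, files=FILES, dirs=DIRS):
    """Emulate the rule set for one request path; returns the path Apache would serve."""
    if request_path in dirs:                # RewriteCond %{REQUEST_FILENAME} !-d
        return request_path
    m = EXTENSIONLESS.match(request_path)   # RewriteRule ^([^.]+)$ ...
    if not m:
        return request_path                 # already has an extension (or a dot)
    target = f"{m.group(1)}{ext}"           # $1.php or $1.html
    if target not in files:                 # RewriteCond %{REQUEST_FILENAME}.php -f
        return request_path                 # nothing to serve, fall through to 404
    return target


if __name__ == "__main__":
    for path in ("about", "about.php", "docs", "docs/index", "missing", "../etc/passwd"):
        print(f"{path:15} -> {rewrite(path, '.php')}")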

May 21, 2011 | Apache, htaccess

How to turn off & disable magic_quotes_gpc using .htaccess

magic_quotes_gpc is not only insecure, it also inconveniently forces the use of the PHP function stripslashes() every time you pull something from the database or receive something from the client side. While most hosts out there use PHP's factory settings, which turn off magic_quotes_gpc by default, there are a few that don't.

The value of magic_quotes_gpc cannot be set with the ini_set() function after PHP 4.2.3. Some hosts enable a custom php.ini in your home directory, which you can use to set magic_quotes_gpc to 0 (zero) or false. Otherwise, you have to resort to .htaccess to set the PHP configuration values for your local directories.

To turn magic_quotes and magic_quotes_gpc off in .htaccess, simply put these lines in the .htaccess file of the site or directory where you want them disabled:

=========================
# magic_quotes_gpc can only be changed per directory, so it has to be set here or in php.ini
php_flag magic_quotes_gpc off
php_flag magic_quotes_runtime off
=========================

May 9, 2011 | htaccess

Su-PHP

Securing a server is a challenging task, as it has to be secured both from outside and from inside a website. Vulnerable scripts or incorrect permissions can cause compromises from inside a server. PHP has built-in features to help, but ultimately it's the wrong place to address the problem. Apache has built-in features too, but the performance cost of these features is prohibitive. This is where suPHP, created by Sebastian Marsching, comes to the rescue.

Like Apache's own suexec, suPHP is a solution that allows PHP to run as the user and group that owns any particular website on a server. Technically, suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the UID of the process executing the PHP interpreter.

Su-php consists of two components :-

* mod_suphp, an Apache module that replaces mod_php
* suphp, a setuid binary that replaces Apache’s suexec

Every time a PHP script is run, suphp has to be forked from Apache and then execute another copy of the PHP CGI binary. This approach provides the absolute security benefit that we seek: if a script contains a vulnerability and gets exploited, only that particular user is affected.

Su-PHP has the following advantages :-

* PHP runs as your user/group
* PHP files can have permissions of 640 (hiding things like passwords from other accounts)
* Files/folders written by PHP are written as user/group (no Apache or other global user)
* Custom php.ini file per site (can add/remove security options)

Note: Su-PHP does not allow permissions 666 and 777.

Some users make use of .htaccess files to set PHP configuration lines using php_flag settings. Under suPHP, having a .htaccess file use the php_flag directive will result in a 500 error: PHP flags no longer work in the .htaccess file. If you need to enable things such as register_globals, you can follow the guide below:

In .htaccess under public_html, add the following:-

======================================
suPHP_ConfigPath /home/user/public_html
# keep the php.ini itself from being served over the web
<Files php.ini>
order allow,deny
deny from all
</Files>
======================================

Note: You must change user to your account username.

Create a php.ini file under public_html and add any of the settings below that you need:-

=========================
register_globals = On
upload_max_filesize = 30M
post_max_size = 30M
memory_limit = 30M
; upload_tmp_dir takes a directory path, not a size
upload_tmp_dir = /home/user/tmp
max_execution_time = 180
=========================

Using a php.ini file may cause issues if your scripts use Zend Optimizer or ionCube encoding. You then just need to add the following to your php.ini file to resolve the issue:

Note: this may not be needed. Please test before using.

====================================================================
[Zend]
zend_extension=/usr/local/ioncube/ioncube_loader_lin_4.4.so
zend_optimizer.optimization_level=15
zend_extension_manager.optimizer=/usr/local/Zend/lib/Optimizer-3.2.6
zend_extension_manager.optimizer_ts=/usr/local/Zend/lib/Optimizer_TS-3.2.6
zend_extension=/usr/local/Zend/lib/ZendExtensionManager.so
zend_extension_ts=/usr/local/Zend/lib/ZendExtensionManager_TS.so
====================================================================

For the PHP settings you do not have in your php.ini file, PHP will use our default configuration. It will not use the server php.ini but rather a default one, so you may need to set other settings as well. You may create a phpinfo.php file in public_html, with the opening and closing PHP tags and the following in between, and browse to it to see any changes.

March 27, 2011 | Apache, htaccess, PHP

PHP error: parse error, unexpected T_STRING

If you get this error in the error log:

"PHP Parse error: syntax error, unexpected T_STRING"

then just add the following line to the .htaccess file (the error usually comes from <? short tags in the script, which need short_open_tag enabled).

==========================
php_flag short_open_tag on
==========================

OR

If the server is SuExec enabled, then you can add the following line to the "php.ini" file instead (php.ini uses its own key = value syntax, not php_flag):

# vi /etc/php.ini "OR" /usr/lib/php.ini

==========================
short_open_tag = On
==========================

March 18, 2011 | Apache, htaccess, PHP

Warning: file() [function.file]: URL file-access is disabled in the server configuration

If you are getting the above error, make the following changes in the php.ini file (Suexec server) or the .htaccess file (non-Suexec server):-

# vi /usr/lib/php.ini (Suexec server)

Edit the following lines:

=======================
allow_url_fopen = On
allow_url_include = On
=======================

# vi .htaccess (non-Suexec server)

=====================================
<IfModule mod_php5.c>
# php_admin_* directives are not accepted in .htaccess, so php_flag is used here
php_flag allow_url_fopen On
# allow_url_include is only needed for include/require of URLs, not for file()
php_flag allow_url_include On
</IfModule>
=====================================

March 17, 2011 | Apache, htaccess

Permission denied error on .htaccess

Error: [Tues March 15 22:01:42 2011] [crit] [client 127.0.0.1] (13)Permission denied: /home/username/public_html/.htaccess

When you get this error, just run the following commands inside the account's public_html directory:-

# cd /home/username/public_html

# find . -type d -exec chmod 755 {} \;

# find . -type f -exec chmod 644 {} \;

# chown -R username:username .

March 16, 2011 | Apache, htaccess