之前舊版的Joomla 1.5曾被入侵修改許多檔案,這次整個翻新平臺後,就想加強一些防護措施及習慣,這篇記錄從網路及官方Joomla! Documentation整理的htaccess設定,來提昇Joomla的安全性,官方的文件內容比我列的更多,但部份有點過於太細,或是針對特定套件做的設置,我就沒帶過來了。
###################################################### ## ##以下為針對防止遭受攻擊之設置,取自Joomla! Documentation,請放至Joomla根目錄 ## ###################################################### ########## Begin - Rewrite rules to block out some common exploits ## If you experience problems on your site block out the operations listed below ## This attempts to block the most common type of exploit `attempts` to Joomla! # # If the request query string contains /proc/self/environ (by SigSiu.net) RewriteCond %{QUERY_STRING} proc/self/environ [OR] # Block out any script trying to set a mosConfig value through the URL # (these attacks wouldn't work w/out Joomla! 1.5's Legacy Mode plugin) RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR] # Block out any script trying to base64_encode or base64_decode data within the URL RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR] ## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines: # RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR] # RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR] # Block out any script that includes a <script> tag in URL RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR] # Block out any script trying to set a PHP GLOBALS variable via URL RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] # Block out any script trying to modify a _REQUEST variable via URL RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) # Return 403 Forbidden header and show the content of the root homepage RewriteRule .* index.php [F] # ########## End - Rewrite rules to block out some common exploits ########## Begin - File injection protection, by SigSiu.net RewriteCond %{REQUEST_METHOD} GET RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR] RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR] RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC] RewriteRule .* - [F] ########## End - File injection protection ########## Begin - Advanced server protection - query strings, referrer and config # Advanced server protection, version 3.2 - May 2011 # by Nicholas K. Dionysopoulos ## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine ## your PHP version). See http://www.0php.com/php_easter_egg.php and ## http://osvdb.org/12184 for more information RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC] RewriteRule .* - [F] ## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @ ## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html ## May cause problems on legitimate requests RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR] RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR] RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC] RewriteRule .* - [F] ## Referrer filtering for common media files. Replace with your own domain name. ## This blocks most common fingerprinting attacks ;) ## Note: Change www\.example\.com with your own domain name, substituting the ## dots with \. i.e. use www\.example\.com for www.example.com ##因要限制domain,怕影響本機測試,暫時先不設 #RewriteRule ^images/stories/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [L] #RewriteCond %{HTTP_REFERER} . #RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC] #RewriteCond %{REQUEST_FILENAME} -f #RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [F] ## Disallow visual fingerprinting of Joomla! sites (module position dump) ## Initial idea by Brian Teeman and Ken Crowder, see: ## http://www.slideshare.net/brianteeman/hidden-joomla-secrets ## Improved by @nikosdion to work more efficiently and handle template ## and tmpl query parameters RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC] RewriteRule .* - [L] RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC] RewriteRule .* - [F] ## Disallow access to htaccess.txt, configuration.php, configuration.php-dist and php.ini RewriteRule ^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$ - [F] ########## End - Advanced server protection - query strings, referrer and config ########## Begin - Advanced server protection - paths and files # Advanced server protection, version 3.2 - May 2011 # by Nicholas K. Dionysopoulos ## Back-end protection ## This also blocks fingerprinting attacks browsing for XML and INI files RewriteRule ^administrator/?$ - [L] RewriteRule ^administrator/index\.(php|html?)$ - [L] RewriteRule ^administrator/index[23]\.php$ - [L] RewriteRule ^administrator/(components|modules|templates|images|plugins)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L] RewriteRule ^administrator/ - [F] ## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory RewriteRule ^xmlrpc/(index\.php)?$ - [L] RewriteRule ^xmlrpc/ - [F] ## Disallow front-end access for certain Joomla! system directories RewriteRule ^includes/js/ - [L] RewriteRule ^(cache|includes|language|libraries|logs|tmp)/ - [F] ## Allow limited access for certain Joomla! system directories with client-accessible content RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L] ## Uncomment this line if you have extensions which require direct access to their own ## custom index.php files. Note that this is UNSAFE and the developer should be ashamed ## for being so lame, lazy and security unconscious. # RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*(index\.php)?$ - [L] ## Uncomment the following line if your template requires direct access to PHP files ## inside its directory, e.g. GZip compressed copies of its CSS files # RewriteRule ^templates/([^/]+/)*([^/.]+\.)+php$ - [L] RewriteRule ^(components|modules|plugins|templates)/ - [F] ## Disallow access to rogue PHP files throughout the site, unless they are explicitly allowed RewriteCond %{REQUEST_FILENAME} \.php$ RewriteCond %{REQUEST_FILENAME} !/index[23]?\.php$ ## The next line is to explicitly allow the forum post assistant(fpa-xx)script to run RewriteCond %{REQUEST_FILENAME} !/fpa-[a-z]{2}\.php RewriteCond %{REQUEST_FILENAME} -f RewriteRule ^([^/]+/)*([^/.]+\.)+php$ - [F] ########## End - Advanced server protection - paths and files #Block mySQL injects RewriteCond %{QUERY_STRING} (;|<|>|’|”|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR] RewriteCond %{QUERY_STRING} \.\./\.\. [OR] RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR] RewriteCond %{QUERY_STRING} \.[a-z0-9] [NC,OR] RewriteCond %{QUERY_STRING} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC] # Note: The final RewriteCond must NOT use the [OR] flag.
另外亦可在administrator目錄底下放置另一htaccess文件,以限制登入後台的IP
<IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{REMOTE_ADDR} !^172.20.8. RewriteRule .* /404.php [R,L] </IfModule>
【參考連結】
- htaccess examples (security) – جملة! توثيق
- Joomla 網站網站安全防護-20160105更新
// ]]>