Some time ago the older Joomla 1.5 site was compromised and many of its files were modified. After rebuilding the whole platform I wanted to strengthen the protective measures (and my own habits), so this post records the .htaccess settings I collected from the Internet and from the Joomla! Documentation to harden Joomla!. The official documentation lists more than what appears here, but some of it is too thin or is written for a particular extension, so I have left those parts out.
```apache
######################################################
##
## The settings below are for preventing attacks; taken from Joomla! Documentation.
## Place this file in the Joomla root directory.
##
######################################################
## The rules below need mod_rewrite enabled (Joomla's own htaccess.txt already turns it on)
RewriteEngine On

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# If the request query string contains /proc/self/environ (by SigSiu.net)
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Block out any script trying to set a mosConfig value through the URL
# (these attacks wouldn't work w/out Joomla! 1.5's Legacy Mode plugin)
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode or base64_decode data within the URL
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR]
## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines:
# RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR]
# RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* index.php [F]
#
########## End - Rewrite rules to block out some common exploits

########## Begin - File injection protection, by SigSiu.net
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]
########## End - File injection protection

########## Begin - Advanced server protection - query strings, referrer and config
# Advanced server protection, version 3.2 - May 2011
# by Nicholas K. Dionysopoulos
## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
## your PHP version). See http://www.0php.com/php_easter_egg.php and
## http://osvdb.org/12184 for more information
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule .* - [F]
## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
## May cause problems on legitimate requests
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]
RewriteRule .* - [F]
## Referrer filtering for common media files. Replace with your own domain name.
## This blocks most common fingerprinting attacks ;)
## Note: Change www\.example\.com with your own domain name, substituting the
## dots with \. i.e. use www\.example\.com for www.example.com
## Because this restricts the domain and might interfere with local testing, it is left disabled for now
#RewriteRule ^images/stories/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [L]
#RewriteCond %{HTTP_REFERER} .
#RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
#RewriteCond %{REQUEST_FILENAME} -f
#RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [F]
## Disallow visual fingerprinting of Joomla! sites (module position dump)
## Initial idea by Brian Teeman and Ken Crowder, see:
## http://www.slideshare.net/brianteeman/hidden-joomla-secrets
## Improved by @nikosdion to work more efficiently and handle template
## and tmpl query parameters
RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC]
RewriteRule .* - [L]
RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC]
RewriteRule .* - [F]
## Disallow access to htaccess.txt, configuration.php, configuration.php-dist and php.ini
RewriteRule ^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$ - [F]
########## End - Advanced server protection - query strings, referrer and config

########## Begin - Advanced server protection - paths and files
# Advanced server protection, version 3.2 - May 2011
# by Nicholas K. Dionysopoulos
## Back-end protection
## This also blocks fingerprinting attacks browsing for XML and INI files
RewriteRule ^administrator/?$ - [L]
RewriteRule ^administrator/index\.(php|html?)$ - [L]
RewriteRule ^administrator/index[23]\.php$ - [L]
RewriteRule ^administrator/(components|modules|templates|images|plugins)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
RewriteRule ^administrator/ - [F]
## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory
RewriteRule ^xmlrpc/(index\.php)?$ - [L]
RewriteRule ^xmlrpc/ - [F]
## Disallow front-end access for certain Joomla! system directories
RewriteRule ^includes/js/ - [L]
RewriteRule ^(cache|includes|language|libraries|logs|tmp)/ - [F]
## Allow limited access for certain Joomla! system directories with client-accessible content
RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
## Uncomment this line if you have extensions which require direct access to their own
## custom index.php files. Note that this is UNSAFE and the developer should be ashamed
## for being so lame, lazy and security unconscious.
# RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*(index\.php)?$ - [L]
## Uncomment the following line if your template requires direct access to PHP files
## inside its directory, e.g. GZip compressed copies of its CSS files
# RewriteRule ^templates/([^/]+/)*([^/.]+\.)+php$ - [L]
RewriteRule ^(components|modules|plugins|templates)/ - [F]
## Disallow access to rogue PHP files throughout the site, unless they are explicitly allowed
RewriteCond %{REQUEST_FILENAME} \.php$
RewriteCond %{REQUEST_FILENAME} !/index[23]?\.php$
## The next line is to explicitly allow the forum post assistant (fpa-xx) script to run
RewriteCond %{REQUEST_FILENAME} !/fpa-[a-z]{2}\.php
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^([^/]+/)*([^/.]+\.)+php$ - [F]
########## End - Advanced server protection - paths and files

#Block mySQL injects
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR]
RewriteCond %{QUERY_STRING} \.\./\.\. [OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
## Caution: the next condition matches ANY dot followed by a letter or digit (e.g. file=report.pdf),
## so it rejects many legitimate requests; test your site before keeping it
RewriteCond %{QUERY_STRING} \.[a-z0-9] [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC]
# Note: The final RewriteCond must NOT use the [OR] flag.
# The RewriteCond lines only take effect on the RewriteRule that follows them: return 403 Forbidden
RewriteRule .* - [F]
```
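To see what these query-string conditions actually match before deploying them, here is an added Python rule tester (my own example, not code from the page or from Joomla!). It transcribes the QUERY_STRING groups above into Python regexes and runs them against constructed sample requests, including a harmless download request that the `\.[a-z0-9]` condition rejects; the `com_example` option and file names are made-up sample values.

```python
import re

# Added example (not from the page or Joomla!): the QUERY_STRING conditions above as
# Python regexes. One group per [OR] chain; [NC] = re.IGNORECASE; patterns run on the
# raw, URL-encoded query string. Groups are tested independently (real file is order-sensitive).
NC = re.IGNORECASE
RULE_GROUPS = {
    "common exploits": [
        (r"proc/self/environ", 0),
        (r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", 0),
        (r"base64_(en|de)code[^(]*\([^)]*\)", 0),
        (r"(<|%3C)([^s]*s)+cript.*(>|%3E)", NC),
        (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", 0),
        (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", 0),
    ],
    "file injection": [  # gated by RewriteCond %{REQUEST_METHOD} GET
        (r"[a-zA-Z0-9_]=http://", 0),
        (r"[a-zA-Z0-9_]=(\.\.//?)+", 0),
        (r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+", NC),
    ],
    "SQLi first line": [
        (r"concat[^\(]*\(", NC),
        (r"union([^s]*s)+elect", NC),
        (r"union([^a]*a)+ll([^s]*s)+elect", NC),
    ],
    "mySQL injects": [
        (r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"
         r"(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark)", NC),
        (r"\.\./\.\.", 0),
        (r"(localhost|loopback|127\.0\.0\.1)", NC),
        (r"\.[a-z0-9]", NC),  # any dot followed by a letter/digit: also hits file=report.pdf
        (r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", NC),
    ],
}
COMPILED = {g: [re.compile(p, f) for p, f in pats] for g, pats in RULE_GROUPS.items()}

def matching_groups(query_string, method="GET"):
    """Names of the groups whose chain matches; each ends in 'RewriteRule .* - [F]' (403)."""
    hits = [g for g, pats in COMPILED.items() if any(p.search(query_string) for p in pats)]
    if method.upper() != "GET":
        hits = [g for g in hits if g != "file injection"]
    return hits

if __name__ == "__main__":
    # Constructed samples: article URL, harmless download (false positive), traversal via GET/POST
    for qs, m in [("option=com_content&view=article&id=12", "GET"),
                  ("option=com_example&file=report.pdf", "GET"),
                  ("option=com_example&file=../../config", "GET"),
                  ("option=com_example&file=../../config", "POST")]:
        print(f"{m} ?{qs}: {matching_groups(qs, m) or 'allowed'}")
```

Run it against the query strings your own site legitimately uses; any group name printed for one of them is a rule you need to relax before going live.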
In addition, a second .htaccess is placed in the administrator directory to restrict back-end login to a specific IP range.
```apache
<IfModule mod_rewrite.c>
RewriteEngine On
# Only clients in 172.20.8.0/24 may reach the back-end. The dots are escaped so they
# match literally: an unescaped "." matches any character, so "^172.20.8." would also
# let addresses such as 172.20.81.x through.
RewriteCond %{REMOTE_ADDR} !^172\.20\.8\.
RewriteRule .* /404.php [R,L]
</IfModule>
```
【References】
- htaccess examples (security) – Joomla! Documentation
- Joomla website security update - 20160105