透過htaccess檔強化Joomla安全

  之前舊版的Joomla 1.5曾被入侵修改許多檔案這次整個翻新平臺後就想加強一些防護措施及習慣這篇記錄從網路及官方Joomla! Documentation整理的htaccess設定來提昇Joomla的安全性官方的文件內容比我列的更多但部份有點過於太細或是針對特定套件做的設置我就沒帶過來了

######################################################
##
##以下為針對防止遭受攻擊之設置,取自Joomla! Documentation,請放至Joomla根目錄
##
######################################################


########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# If the request query string contains /proc/self/environ (by SigSiu.net)
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Block out any script trying to set a mosConfig value through the URL
# (these attacks wouldn't work w/out Joomla! 1.5's Legacy Mode plugin)
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode or base64_decode data within the URL
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR]
## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines:
# RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR]
# RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* index.php [F]
#
########## End - Rewrite rules to block out some common exploits



########## Begin - File injection protection, by SigSiu.net
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]
########## End - File injection protection


########## Begin - Advanced server protection - query strings, referrer and config
# Advanced server protection, version 3.2 - May 2011
# by Nicholas K. Dionysopoulos

## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
## your PHP version). See http://www.0php.com/php_easter_egg.php and
## http://osvdb.org/12184 for more information
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule .* - [F]

## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
## May cause problems on legitimate requests
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]
RewriteRule .* - [F]

## Referrer filtering for common media files. Replace with your own domain name.
## This blocks most common fingerprinting attacks ;)
## Note: Change www\.example\.com with your own domain name, substituting the
## dots with \.  i.e. use www\.example\.com for www.example.com
##因要限制domain,怕影響本機測試,暫時先不設
#RewriteRule ^images/stories/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [L]
#RewriteCond %{HTTP_REFERER} .
#RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
#RewriteCond %{REQUEST_FILENAME} -f
#RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [F]

## Disallow visual fingerprinting of Joomla! sites (module position dump)
## Initial idea by Brian Teeman and Ken Crowder, see:
## http://www.slideshare.net/brianteeman/hidden-joomla-secrets
## Improved by @nikosdion to work more efficiently and handle template
## and tmpl query parameters
RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC]
RewriteRule .* - [L]
RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC]
RewriteRule .* - [F]

## Disallow access to htaccess.txt, configuration.php, configuration.php-dist and php.ini
RewriteRule ^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$ - [F]

########## End - Advanced server protection - query strings, referrer and config


########## Begin - Advanced server protection - paths and files
# Advanced server protection, version 3.2 - May 2011
# by Nicholas K. Dionysopoulos

## Back-end protection
## This also blocks fingerprinting attacks browsing for XML and INI files
RewriteRule ^administrator/?$ - [L]
RewriteRule ^administrator/index\.(php|html?)$ - [L]
RewriteRule ^administrator/index[23]\.php$ - [L]
RewriteRule ^administrator/(components|modules|templates|images|plugins)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
RewriteRule ^administrator/ - [F]

## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory
RewriteRule ^xmlrpc/(index\.php)?$ - [L]
RewriteRule ^xmlrpc/ - [F]

## Disallow front-end access for certain Joomla! system directories
RewriteRule ^includes/js/ - [L]
RewriteRule ^(cache|includes|language|libraries|logs|tmp)/ - [F]

## Allow limited access for certain Joomla! system directories with client-accessible content
RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
## Uncomment this line if you have extensions which require direct access to their own
## custom index.php files. Note that this is UNSAFE and the developer should be ashamed
## for being so lame, lazy and security unconscious.
# RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*(index\.php)?$ - [L]
## Uncomment the following line if your template requires direct access to PHP files
## inside its directory, e.g. GZip compressed copies of its CSS files
# RewriteRule ^templates/([^/]+/)*([^/.]+\.)+php$ - [L]
RewriteRule ^(components|modules|plugins|templates)/ - [F]

## Disallow access to rogue PHP files throughout the site, unless they are explicitly allowed
RewriteCond %{REQUEST_FILENAME} \.php$
RewriteCond %{REQUEST_FILENAME} !/index[23]?\.php$
## The next line is to explicitly allow the forum post assistant(fpa-xx)script to run
RewriteCond %{REQUEST_FILENAME} !/fpa-[a-z]{2}\.php
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^([^/]+/)*([^/.]+\.)+php$ - [F]

########## End - Advanced server protection - paths and files


 #Block mySQL injects
 RewriteCond %{QUERY_STRING} (;|<|>|’|”|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR]

 RewriteCond %{QUERY_STRING} \.\./\.\. [OR]

 RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
 RewriteCond %{QUERY_STRING} \.[a-z0-9] [NC,OR]
 RewriteCond %{QUERY_STRING} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC]
 # Note: The final RewriteCond must NOT use the [OR] flag.

另外亦可在administrator目錄底下放置另一htaccess文件以限制登入後台的IP

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^172.20.8.
RewriteRule .* /404.php [R,L]
</IfModule>

संदर्भ [कड़ी]

// ]]>

एक टिप्पणी छोड़ दो

कृपया ध्यान दें: टिप्पणी मॉडरेशन सक्षम है और अपनी टिप्पणी में देरी हो सकती है. कोई जरूरत नहीं अपनी टिप्पणी को पुनः सबमिट करने की आवश्यकता है.