Secure AdminCP and Installation [Deleted]

Proposed update for version 1.3 (as an optional tip)

Code:
ServerSignature Off
# Quotes in these patterns must be plain ASCII ' and "; the curly quotes the
# forum editor renders (’ ”) never match and silently disable those conditions.
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{THE_REQUEST} (\\r|\\n|%0A|%0D) [NC,OR]

RewriteCond %{HTTP_REFERER} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_COOKIE} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999} [NC,OR]

RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|curl|wget|python|nikto|scan) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]

#Block mySQL injects
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR]

RewriteCond %{QUERY_STRING} \.\./\.\. [OR]

RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} \.[a-z0-9] [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC]
# Note: The final RewriteCond must NOT use the [OR] flag.

# Return 403 Forbidden error (the substitution is ignored when [F] is set).
RewriteRule .* index.php [F]

The above should be added to both the .htaccess in your XenForo root directory (as the last rewrite rule in the file) and the .htaccess found in /library/.

Feedback welcomed :)
hi.. how to?? does it protect my web??? hmm.. I set config.php to 640, then I met Access denied with my web
 
hi.. how to?? does it protect my web??? hmm.. I set config.php to 640, then I met Access denied with my web
Is your host managed or un-managed? If managed, your host has some "odd" settings and you should change it to 644. If un-managed, you have some tweaking to do.

The proposed update helps keep you from being hacked (see the notes within). It is currently beta (I need some people to try it out and see if there are any conflicts... there shouldn't be any). Simply add it to your .htaccess with your other rewrite rules if you wish to try it.
 
Super Administrators can create and allocate new Administrators and set their permissions; they can also view the Administrator Logs. Finally, they have all Administrator privileges by default.
 
While it is true that there are dozens (thousands) of .htaccess guides, most of them are not universal: they vary between Apache versions and depending on whether or not you're running LiteSpeed.

These have been tested on both Apache and LiteSpeed and should work for everyone (provided you've not done an extremely custom setup).

At the very top of your .htaccess add this (but below the allow and deny part):

Recommended
PHP:
#The top of your .htaccess file
ServerSignature Off
# ServerTokens is only accepted in the main server config (httpd.conf), not in
# .htaccess, where Apache rejects it with a 500 "not allowed here" error.
# Set "ServerTokens Prod" in httpd.conf instead.
RewriteEngine On
IndexIgnore *

This helps prevent people from finding out the PHP version and Apache version you're using. It also helps support any "loose" rewrite scripts you may have (if you don't want that, simply remove or comment out RewriteEngine On). Finally, it also prevents people from browsing your file structure.

Recommended - IMPORTANT - Strongly advised (I'd call this a requirement)
PHP:
######################################################################
# Protect your .htaccess file
# (Apache 2.2 access syntax; on Apache 2.4 this needs mod_access_compat,
#  or replace the two lines inside with "Require all denied")
<Files .htaccess>
        order allow,deny
        deny from all
</Files>

This should be somewhere at the top or very bottom (I add mine at the bottom). This prevents people from viewing your .htaccess directly.

Optional (though I suggest it)

PHP:
# Forward non-www to www (dots escaped so they match only a literal ".")
RewriteCond %{HTTP_HOST} !^www\.sociallyuncensored\.eu [NC]
RewriteCond %{HTTP_HOST} !^([^.]+)\.sociallyuncensored\.eu [NC]
RewriteRule (.*) http://www.sociallyuncensored.eu/$1 [R=301,L]

This will automatically make it so everyone is using www, even if they typed your domain name without it. This helps with compatibility and can also help with log-in issues (cookie issues). Remember to change the domain name to YOUR domain name. This should be the FIRST rewrite rule, above everything else.

Optional
PHP:
#Hot link protection
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?sociallyuncensored\.eu [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?sociallyuncensored\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?duckduckgo\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?bing\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yahoo\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?xenforo\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?twitter\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?netdna-cdn\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?maxcdn\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?cloudflare\.com [NC]
# Never redirect the replacement image itself, or the rule loops: the browser
# keeps the external Referer when it follows the redirect to hotlink.jpg.
RewriteCond %{REQUEST_URI} !/hotlink\.jpg$
RewriteRule \.(jpg|jpeg|png|gif|svg|css|js|pdf|zip)$ http://www.sociallyuncensored.eu/hotlink.jpg [NC,R,L]

This helps limit and prevent bandwidth thieves, i.e. hot linking. YOUR domain name should be the FIRST in the list. If you have another domain name for static content it should be the SECOND domain in the list. Everything else you see are the domain names you wish to add as a "safe list" (white list). For example, XenForo.com if you have a signature pic and host it on your server.

This should either be the 2nd rewrite if you use the above www re-write or the 1st re-write if you do not. It's important this sticks close to the top.

Optional
PHP:
# No proxies (headers that forwarding proxies add to a request)
# %{HTTP:name} looks a request header up by its real name, so the hyphenated
# form is required; CGI-style names such as X_FORWARDED_FOR never match.
# Caution: any CDN or reverse proxy in front of the site (Cloudflare, for one)
# adds X-Forwarded-For to every request, so this block would then deny everyone.
RewriteCond %{HTTP:Via} !^$ [OR]
RewriteCond %{HTTP:Forwarded} !^$ [OR]
RewriteCond %{HTTP:X-Forwarded-For} !^$ [OR]
RewriteCond %{HTTP:Proxy-Connection} !^$ [OR]
RewriteCond %{HTTP:Client-IP} !^$
RewriteRule .* - [F]

This will keep (most) proxies from even reaching your site. There are some pros and cons to this. Use your own judgement.

Recommended
PHP:
# Quotes in these patterns must be plain ASCII ' and "; the curly quotes the
# forum editor renders (’ ”) never match and silently disable those conditions.
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{THE_REQUEST} (\\r|\\n|%0A|%0D) [NC,OR]

RewriteCond %{HTTP_REFERER} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_COOKIE} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999} [NC,OR]

RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|curl|wget|python|nikto|scan) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]

#Block mySQL injects
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR]

RewriteCond %{QUERY_STRING} \.\./\.\. [OR]

RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} \.[a-z0-9] [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC]
# Note: The final RewriteCond must NOT use the [OR] flag.

# Return 403 Forbidden error (the substitution is ignored when [F] is set).
RewriteRule .* index.php [F]

This adds a little extra wall between a secure server and those script kiddies who'd like to hack your site.

The above should be added to both the .htaccess in your XenForo root directory (as the last rewrite rule in the file) and the .htaccess found in /library/. This MUST always be the last rewrite.


Feedback welcomed :)

Was this helpful?
I accept donations
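As an added example (not code from the resource, from XenForo, or from the poster), the script below replays the request-method, REQUEST_URI, user-agent and QUERY_STRING conditions from the "Proposed update" block at the top of the thread and the identical "Recommended" block above as Python regexes over a few constructed requests. Apache evaluates RewriteCond patterns as PCRE in unanchored search mode and [NC] means case-insensitive, so `re.search` with `re.IGNORECASE` gives the same verdict for these particular patterns; the referer and cookie conditions use the same metacharacter pattern and are left out. The sample user agents, paths and query strings are constructed. The run shows the trade-off worth checking against your own access log before enabling the block in /library/ as well: the SQL and traversal checks fire where intended, but `\.[a-z0-9]` on the query string rejects any query containing a dot followed by a letter or digit (version numbers, e-mail addresses), blocking HEAD breaks most uptime monitors, and a doubled slash in a link gets a 403 too.

```python
"""Offline dry run of the blocking RewriteCond set posted in this thread.

Added example, not part of the resource or of XenForo. %{QUERY_STRING} is the
raw, still percent-encoded query string, which is why the patterns look for
%27 and %3C as well as ' and <.
"""
import re
from typing import NamedTuple


class Request(NamedTuple):
    method: str
    uri: str          # path part only, like Apache's %{REQUEST_URI}
    user_agent: str
    query: str        # raw %{QUERY_STRING}, without the leading "?"


# Characters the block treats as hostile in referers, cookies, UAs and queries.
META = r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)"

# (label, Request field, compiled pattern), in the order the .htaccess lists them.
RULES = [
    ("method", "method", re.compile(r"^(HEAD|TRACE|DELETE|TRACK)", re.I)),
    ("uri", "uri", re.compile(r"^/(,|;|:|<|>|\">|\"<|/|\\\.\.\\).{0,9999}", re.I)),
    ("ua: empty", "user_agent", re.compile(r"^$")),
    ("ua: prefix", "user_agent", re.compile(r"^(java|curl|wget)", re.I)),
    ("ua: tools", "user_agent", re.compile(
        r"(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner)", re.I)),
    ("ua: tools2", "user_agent", re.compile(r"(libwww-perl|curl|wget|python|nikto|scan)", re.I)),
    ("ua: meta", "user_agent", re.compile(META, re.I)),
    ("query: sql", "query", re.compile(
        r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"
        r"(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark)", re.I)),
    ("query: traversal", "query", re.compile(r"\.\./\.\.")),
    ("query: localhost", "query", re.compile(r"(localhost|loopback|127\.0\.0\.1)", re.I)),
    ("query: dot", "query", re.compile(r"\.[a-z0-9]", re.I)),
    ("query: meta", "query", re.compile(META, re.I)),
]


def matching_rules(req: Request) -> list[str]:
    """Labels of every condition that fires for the request (Apache ORs them)."""
    return [label for label, field, pattern in RULES
            if pattern.search(getattr(req, field))]


def is_blocked(req: Request) -> bool:
    """True when the [OR]-chained conditions would reach the [F] RewriteRule."""
    return bool(matching_rules(req))


# Constructed sample traffic: a browser, a monitor, a download tool, an attack.
FIREFOX = "Mozilla/5.0 (Windows NT 10.0; rv:100.0) Gecko/20100101 Firefox/100.0"
SAMPLES = [
    Request("GET", "/threads/hello.1/", FIREFOX, ""),                    # plain page view
    Request("GET", "/threads/hello.1/", FIREFOX, "page=2&version=1.3"),  # dot in a value
    Request("GET", "/members/", FIREFOX, "email=user%40example.com"),     # dot in an address
    Request("HEAD", "/", FIREFOX, ""),                                   # uptime monitor
    Request("GET", "/", "Wget/1.20.3 (linux-gnu)", ""),                  # download tool
    Request("GET", "/search/", FIREFOX, "q=1%27+union+select+1"),        # SQL probe
    Request("GET", "//styles/default.css", FIREFOX, ""),                 # sloppy double slash
]


def dry_run(samples=SAMPLES):
    """Map each sample request to the rule labels that fired; [] means allowed."""
    return {req: matching_rules(req) for req in samples}


if __name__ == "__main__":
    for req, hits in dry_run().items():
        verdict = "403" if hits else "pass"
        print(f"{verdict:4} {req.method} {req.uri}?{req.query} {hits}")
```

Run it as-is to see the table, or replace `SAMPLES` with requests parsed from your own access log to measure how much legitimate traffic the block would turn away.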
 
hi men
PHP:
# Forward non-www to www
RewriteCond %{HTTP_HOST} !^www.sociallyuncensored.eu [NC]
RewriteCond %{HTTP_HOST} !^([^.]+).sociallyuncensored.eu [NC]
RewriteRule (.*) http://www.sociallyuncensored.eu/$1 [R=301,L]
I used code to remove www from the domain.. and I see that code and your code.. are they the same??

Oh my god.. when I add your code at the top of the .htaccess file... my sites have a problem... can't load :(
 
hi men
PHP:
# Forward non-www to www
RewriteCond %{HTTP_HOST} !^www.sociallyuncensored.eu [NC]
RewriteCond %{HTTP_HOST} !^([^.]+).sociallyuncensored.eu [NC]
RewriteRule (.*) http://www.sociallyuncensored.eu/$1 [R=301,L]
I used code to remove www from the domain.. and I see that code and your code.. are they the same??

Basically, yes. They're just a flip flop of each others depending on the order in which you put it.

Oh my god.. when I add your code at the top of the .htaccess file... my sites have a problem... can't load :(
You CAN NOT use the code together. You can ONLY have one or the other.
 
You CAN NOT use the code together. You can ONLY have one or the other.
What does this mean?
I used this code
PHP:
#The top of your .htaccess file
ServerSignature Off
ServerTokens Prod
RewriteEngine On
IndexIgnore *
and I put it at the TOP of the .htaccess file
 
What does this mean?
I used this code
PHP:
#The top of your .htaccess file
ServerSignature Off
ServerTokens Prod
RewriteEngine On
IndexIgnore *
and I put it at the TOP of the .htaccess file
Try commenting out RewriteEngine On from that.

IF that does not work.... You seriously have something wrong with your htaccess code or your server setup.
 
I don't know... I added it in another position and met the old problems :(
So you put it some place else and are now having a problem you had sometime before adding this?

Clearly you have an issue with your setup, and this is outside the scope of support for this resource (far too many possible variables).

I would suggest starting off fresh with the default .htaccess which came with XenForo and proceeding from there. If the default .htaccess also gives you errors, the issue is your server and you should contact your host (if it is a managed host).

If it is an unmanaged web host and you setup this yourself.... I would suggest hiring someone (I could do it for example) to properly configure your server.

edit: You can also try to do it again yourself by following this guide I made:
http://xenforo.com/community/resources/debian-server-setup.952/
 
Added a new Tip :)

TIP: It is important not to use a common name for your Super Administrator.

For example, such names as
  • Super Administrator
  • Super Admin
  • Administrator
  • Admin
  • Owner
  • Founder
  • God
  • Devil
  • Evil Admin
  • 666
  • 999
  • Moderator
  • Mod
  • Super Moderator
  • Super Mod
  • The title name of your site
  • Your real name
Or generally anything else which may be common.

You also do not want to keep using user ID 1.
 
TheVisitors updated Secure AdminCP with a new update entry:

Common Super Administrator Names - Don't use them

 
Hello
I'm pretty much new at all of this but have a question.

Regarding this "CHMOD .htaccess to 644 to prevent anyone from directly reading it." for the admin cp. Wouldn't it be 640?

I know I'm probably wrong but I'm confused. :)

Thank you for this valuable resource.

Gabby
 
Hello
I'm pretty much new at all of this but have a question.

Regarding this "CHMOD .htaccess to 644 to prevent anyone from directly reading it." for the admin cp. Wouldn't it be 640?

I know I'm probably wrong but I'm confused. :)

Thank you for this valuable resource.

Gabby
644 for .htaccess because your browser needs to be able to read and access it. But it does prevent someone from directly reading it on the server. This is not to say that it can't be recovered from browser cache (because it can), but it does help reduce the odds.

config.php needs to be 640 so that no one can access it directly, only the server.
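An added example (not from the resource or from XenForo) that turns the permission advice in this exchange into a repeatable check: it walks a XenForo-style tree, reports any .htaccess that is not 644 and any config.php that is not 640 or is world-readable, applies the expected modes, and audits again. The `library/config.php` location and the wrong starting modes are a constructed layout built in a temporary directory. Like the thread, the check assumes the web server runs as the file owner or as a member of its group; where PHP runs as some other account (a common cause of the "Access denied" reported earlier in this thread), 640 on config.php stops the server reading it, so confirm the server user before tightening.

```python
"""Audit and fix the file modes recommended in this thread.

Added example, not part of the resource or of XenForo. Expected modes:
.htaccess 644 (server reads it, only the owner writes), config.php 640
(owner and the server's group only, never world-readable).
"""
import os
import stat
import tempfile
from pathlib import Path

EXPECTED = {".htaccess": 0o644, "config.php": 0o640}
NO_WORLD_READ = {"config.php"}   # secrets: flag world-read bits separately


def audit_file(path: Path, expected: int) -> list[str]:
    """Return the problems found with one file's permission bits."""
    problems = []
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode != expected:
        problems.append(f"mode {mode:o}, expected {expected:o}")
    if path.name in NO_WORLD_READ and mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems


def audit_tree(root: Path) -> list[tuple[str, str]]:
    """(relative path, problem) for every .htaccess / config.php under root."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.name in EXPECTED:
            rel = path.relative_to(root).as_posix()
            findings.extend((rel, p) for p in audit_file(path, EXPECTED[path.name]))
    return findings


def fix_tree(root: Path) -> list[str]:
    """chmod every audited file to its expected mode; return the paths changed."""
    changed = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.name in EXPECTED:
            if stat.S_IMODE(path.stat().st_mode) != EXPECTED[path.name]:
                os.chmod(path, EXPECTED[path.name])
                changed.append(path.relative_to(root).as_posix())
    return changed


def build_sample_tree(root: Path) -> None:
    """Constructed XenForo-like layout with deliberately wrong modes."""
    (root / "library").mkdir()
    files = {
        ".htaccess": 0o600,            # too tight for the thread's advice
        "library/.htaccess": 0o644,    # correct
        "library/config.php": 0o644,   # world-readable secrets
    }
    for rel, mode in files.items():
        target = root / rel
        target.write_text("# sample file\n")
        os.chmod(target, mode)


def demo() -> dict:
    """Build the sample tree in a temp dir, audit, fix, and audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        before = audit_tree(root)
        changed = fix_tree(root)
        after = audit_tree(root)
    return {"before": before, "changed": changed, "after": after}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:              # audit a real tree, no changes made
        for rel, problem in audit_tree(Path(sys.argv[1])):
            print(f"{rel}: {problem}")
    else:
        for stage, items in demo().items():
            print(stage, items)
```

Point it at a real forum root (`python audit_modes.py /var/www/forum`) to list problems without changing anything; `fix_tree` is only called from the self-contained demo.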
 
Urgg. I'm confused Adam.. So I changed the .htaccess for the forum to 644, and what do I change the admin.php to? Also there is an admindv.php as well. Do I need to do anything with this?
 