ασφαλίζοντας τους φακέλους του συστήματος και σταματώντας επιθέσεις και "εξερευνήσεις" από διάφορα bots:
############################################################################### ## The Master .htaccess ## ## Version 2.5 (proposed) - May 16th, 2011 ## ## ---------- ## This file is designed to be the template .htaccess file to put on your new ## sites, increasing your site's security and performance. It is not meant to ## be just dropped in your site, though. You should go through all of its ## sections and modify it to match your site. Most notably, all instances of ## example.com and example\.com should be replaced with your real domain name. ## ## Some sections are too picky and may cause problems with legitimate requests. ## You are ultimately responsible for disabling them or writing exception rules ## for your requests. Most notably, the advanced server protection section will ## cause issues with several minifiers, eXtplorer, VirtueMart and other exten- ## sions which use non-standard scripts as their entry points. You must add ## exceptions for them manually. ## ## Some sections - depending on your server configuration - may cause your site ## to throw 500 Internal Server Error. The only way to figure out which one is ## causing it is trial and error. ## ## Big thank you's to Brian Teeman, Ken Crowder, Radek Suski and Fotis ## Evangelou for sharing their .htaccess rules with the world and inspiring ## the creation of this file. Special thanks to Jon Brown for sharing his ## research and helping me improve this file. ## ## Additional thank-yous to John for his remarks and g1smd for taking the ## time to optimize the speed of the file. ## ## It is usually prudent to remove the comments from the file when using it ## on a live host to minimize the parsing time. ## ## ---------------------------------------------------------------------- ## Do you want to customize this .htaccess file with a few clicks? ## Admin Tools Professional by AkeebaBackup.com does this and much more. ## ## Learn more: http://www.akeebabackup.com/software/admin-tools.html ## ---------------------------------------------------------------------- ## ## Have fun, stay safe. ## ## Nicholas K. Dionysopoulos ## Lead Developer, AkeebaBackup.com ## ## CHANGELOG: ## Version 2.5 (proposed) (May 16th, 2011) ## - Placeholders for custom code. Correction of ruleset ordering. ## Version 2.4 (April 18th, 2011) ## - Dozens of speed optimisations and many logic and syntax corrections. ## Version 2.3 (November 18th, 2010) ## - Added .ico to the pass-through rules, for favicons to load ## Version 2.2 (October 25th, 2010) ## - Bug in the tmpl=component rule ## Version 2.1 (October 19th, 2010) ## - index.php to root redirection would kill some AJAX requests ## - Referer filtering was screwed up ## - Simplified and more thorough PHP Easter Egg code (thanks Jon!) ## - The tp/template/tmpl filter was not thorough and killed some components ## - Optimized Joomla! core SEF section ## - Bot filters and GZip optimization would never run for dynamic content ## - Content expiration optimization got more optimized ## - Added ETag rule ## ############################################################################### ########## Begin - RewriteEngine enabled RewriteEngine On ########## End - RewriteEngine enabled ########## Begin - RewriteBase # Uncomment following line if your webserver's URL # is not directly related to physical file paths. # Update Your Joomla! Directory (just / for root) # RewriteBase / ########## End - RewriteBase ########## Begin - No directory listings ## Note: +FollowSymlinks may cause problems and you might have to remove it IndexIgnore * Options +FollowSymLinks All -Indexes ########## End - No directory listings ########## Begin - File execution order, by Komra.de DirectoryIndex index.php index.html ########## End - File execution order ########## Begin - ETag Optimization ## This rule will create an ETag for files based only on the modification ## timestamp and their size. This works wonders if you are using rsync'ed ## servers, where the inode number of identical files differs. ## Note: It may cause problems on your server and you may need to remove it FileETag MTime Size ########## End - ETag Optimization ########## Begin - Common hacking tools and bandwidth hoggers block ## By SigSiu.net and @nikosdion. # This line also disables Akeeba Remote Control 2.5 and earlier SetEnvIf user-agent "Indy Library" stayout=1 # WARNING: Disabling wget will also block the most common method for # running CRON jobs. Remove if you have issues with CRON jobs. SetEnvIf user-agent "Wget" stayout=1 # The following rules are for bandwidth-hogging download tools SetEnvIf user-agent "libwww-perl" stayout=1 SetEnvIf user-agent "Download Demon" stayout=1 SetEnvIf user-agent "GetRight" stayout=1 SetEnvIf user-agent "GetWeb!" stayout=1 SetEnvIf user-agent "Go!Zilla" stayout=1 SetEnvIf user-agent "Go-Ahead-Got-It" stayout=1 SetEnvIf user-agent "GrabNet" stayout=1 SetEnvIf user-agent "TurnitinBot" stayout=1 # This line denies access to all of the above tools deny from env=stayout ########## End - Common hacking tools and bandwidth hoggers block ########## Begin - Automatic compression of resources # Compress text, html, javascript, css, xml, kudos to Komra.de # May kill access to your site for old versions of Internet Explorer # The server needs to be compiled with mod_deflate otherwise it will send HTTP 500 Error. # mod_deflate is not available on Apache 1.x series. Can only be used with Apache 2.x server. # AddOutputFilterByType is now deprecated by Apache. Use mod_filter in the future. AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript ########## End - Automatic compression of resources ########## Begin - Add optional bad user agent or IP blocking code # # If you need to block certain user agents or IP addresses and # other signatures, place that code here. Ensure the rules use # the correct RewriteRule syntax and the [F] flag. # ########## End - Add optional bad user agent or IP blocking code ########## Begin - Rewrite rules to block out some common exploits ## If you experience problems on your site block out the operations listed below ## This attempts to block the most common type of exploit `attempts` to Joomla! # # If the request query string contains /proc/self/environ (by SigSiu.net) RewriteCond %{QUERY_STRING} proc/self/environ [OR] # Block out any script trying to set a mosConfig value through the URL # (these attacks wouldn't work w/out Joomla! 1.5's Legacy Mode plugin) RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR] # Block out any script trying to base64_encode or base64_decode data within the URL RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR] ## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines: # RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR] # RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR] # Block out any script that includes a <script> tag in URL RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR] # Block out any script trying to set a PHP GLOBALS variable via URL RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] # Block out any script trying to modify a _REQUEST variable via URL RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) # Return 403 Forbidden header and show the content of the root homepage RewriteRule .* index.php [F] # ########## End - Rewrite rules to block out some common exploits ########## Begin - File injection protection, by SigSiu.net RewriteCond %{REQUEST_METHOD} GET RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR] RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR] RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC] RewriteRule .* - [F] ########## End - File injection protection ########## Begin - Basic antispam Filter, by SigSiu.net ## I removed some common words, tweak to your liking ## This code uses PCRE and works only with Apache 2.x. ## This code will NOT work with Apache 1.x servers. RewriteCond %{QUERY_STRING} \b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b [NC,OR] RewriteCond %{QUERY_STRING} \b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b [NC,OR] RewriteCond %{QUERY_STRING} \b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b [NC,OR] RewriteCond %{QUERY_STRING} \b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b [NC] ## Note: The final RewriteCond must NOT use the [OR] flag. RewriteRule .* - [F] ## Note: The previous lines are a "compressed" version ## of the filters. You can add your own filters as: ## RewriteCond %{QUERY_STRING} \bbadword\b [NC,OR] ## where "badword" is the word you want to exclude. ########## End - Basic antispam Filter, by SigSiu.net ########## Begin - Advanced server protection - query strings, referrer and config # Advanced server protection, version 3.2 - May 2011 # by Nicholas K. Dionysopoulos ## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine ## your PHP version). See http://www.0php.com/php_easter_egg.php and ## http://osvdb.org/12184 for more information RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC] RewriteRule .* - [F] ## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @ ## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html ## May cause problems on legitimate requests RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR] RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR] RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC] RewriteRule .* - [F] ## Referrer filtering for common media files. Replace with your own domain name. ## This blocks most common fingerprinting attacks ;) ## Note: Change www\.example\.com with your own domain name, substituting the ## dots with \. i.e. use www\.example\.com for www.example.com RewriteRule ^images/stories/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [L] RewriteCond %{HTTP_REFERER} . RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC] RewriteCond %{REQUEST_FILENAME} -f RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [F] ## Disallow visual fingerprinting of Joomla! sites (module position dump) ## Initial idea by Brian Teeman and Ken Crowder, see: ## http://www.slideshare.net/brianteeman/hidden-joomla-secrets ## Improved by @nikosdion to work more efficiently and handle template ## and tmpl query parameters RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC] RewriteRule .* - [L] RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC] RewriteRule .* - [F] ## Disallow access to htaccess.txt, configuration.php, configuration.php-dist and php.ini RewriteRule ^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$ - [F] ########## End - Advanced server protection - query strings, referrer and config ########## Begin - Advanced server protection rules exceptions #### ## ## These are sample exceptions to the Advanced Server Protection 3.1 ## rule set further down this file. ## ## Allow UddeIM CAPTCHA RewriteRule ^components/com_uddeim/captcha15\.php$ - [L] ## Allow Phil Taylor's Turbo Gears RewriteRule ^plugins/system/GoogleGears/gears-manifest\.php$ - [L] ## Allow JoomlaWorks AllVideos RewriteRule ^plugins/content/jw_allvideos/includes/jw_allvideos_scripts\.php$ - [L] ## Allow Admin Tools Joomla! updater to run RewriteRule ^administrator/components/com_admintools/restore\.php$ - [L] ## Allow Akeeba Backup Professional's integrated restoration script to run RewriteRule ^administrator/components/com_akeeba/restore\.php$ - [L] ## Allow Akeeba Kickstart RewriteRule ^kickstart\.php$ - [L] # Add more rules to single PHP files here ## Allow Agora attachments, but not PHP files in that directory! RewriteCond %{REQUEST_FILENAME} !(\.php)$ RewriteCond %{REQUEST_FILENAME} -f RewriteRule ^components/com_agora/img/members/ - [L] # Add more rules for allowing full access (except PHP files) on more directories here ## Uncomment to allow full access to the cache directory (strongly not recommended!) #RewriteRule ^cache/ - [L] ## Uncomment to allow full access to the tmp directory (strongly not recommended!) #RewriteRule ^tmp/ - [L] # Add more full access rules here ########## End - Advanced server protection rules exceptions #### ########## Begin - Advanced server protection - paths and files # Advanced server protection, version 3.2 - May 2011 # by Nicholas K. Dionysopoulos ## Back-end protection ## This also blocks fingerprinting attacks browsing for XML and INI files RewriteRule ^administrator/?$ - [L] RewriteRule ^administrator/index\.(php|html?)$ - [L] RewriteRule ^administrator/index[23]\.php$ - [L] RewriteRule ^administrator/(components|modules|templates|images|plugins)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L] RewriteRule ^administrator/ - [F] ## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory RewriteRule ^xmlrpc/(index\.php)?$ - [L] RewriteRule ^xmlrpc/ - [F] ## Disallow front-end access for certain Joomla! system directories RewriteRule ^includes/js/ - [L] RewriteRule ^(cache|includes|language|libraries|logs|tmp)/ - [F] ## Allow limited access for certain Joomla! system directories with client-accessible content RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L] ## Uncomment this line if you have extensions which require direct access to their own ## custom index.php files. Note that this is UNSAFE and the developer should be ashamed ## for being so lame, lazy and security unconscious. # RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*(index\.php)?$ - [L] ## Uncomment the following line if your template requires direct access to PHP files ## inside its directory, e.g. GZip compressed copies of its CSS files # RewriteRule ^templates/([^/]+/)*([^/.]+\.)+php$ - [L] RewriteRule ^(components|modules|plugins|templates)/ - [F] ## Disallow access to rogue PHP files throughout the site, unless they are explicitly allowed RewriteCond %{REQUEST_FILENAME} \.php$ RewriteCond %{REQUEST_FILENAME} !/index[23]?\.php$ ## The next line is to explicitly allow the forum post assistant(fpa-xx)script to run RewriteCond %{REQUEST_FILENAME} !/fpa-[a-z]{2}\.php RewriteCond %{REQUEST_FILENAME} -f RewriteRule ^([^/]+/)*([^/.]+\.)+php$ - [F] ########## End - Advanced server protection - paths and files ########## Begin - Google Apps redirection, by Komra.de ## Uncomment the following line to enable: # RewriteRule ^mail http://mail.google.com/a/example.com [R=301,L] ## If the above doesn't work on your server, try this: ## RewriteRule ^mail http://mail.google.com/a/example.com [R,L] ########## End - Google Apps redirection ########## Begin - Custom redirects # # If you need to redirect some pages, place that code here. Ensure those # redirects use the correct RewriteRule syntax and the [R=301,L] flags. # ########## End - Custom redirects ########## Begin - Redirect (www.)olddomain.com to www.example.com ## Note: olddomain.com is your old domain name, you want to redirect FROM, ## whereas www.example.com is the new domain name you want to redirect TO. ## Change those names to reflect your current configuration. Remember, this ## small part of the file is supposed to be placed in www.olddomain.com! ## Note: Replace [R=301,L] with [R,L] if you get error 500. ## Uncomment the following lines to enable: # RewriteCond %{HTTP_HOST} ^(www\.)?olddomain\.com [NC] # RewriteRule (.*) http://www.example.com/$1 [R=301,L] ## Note: The above section is only required if you are changing your domain name. ########## End - Redirect (www.)olddomain.com to www.example.com ########## Begin - Force HTTPS for certain pages # Force the page foobar.html to run in HTTPS mode, no matter what Joomla! says. # This is a sample redirection for foobar.html. Do note that you have to change # www.example.com to reflect your own domain. Remember to escape the dots using # \. in the left hand side of each rule. You need BOTH LINES PER URL for the rule # to work. RewriteCond %{SERVER_PORT} !^443$ ## Alternatively, comment the above line and uncomment the following line: # RewriteCond %{HTTPS} ^off$ [NC] RewriteRule ^foobar\.html$ https://www.example.com/foobar.html [R=301,L] ## NOTE: If you get an HTTP 500 error, please swap [R=301,L] with [R,L] # Add more rules below this line as required ########## End - Force HTTPS for certain pages ########## Begin - Redirect index.php to / ## Note: Change example.com to reflect your own domain name RewriteCond %{THE_REQUEST} !^POST RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/ RewriteCond %{SERVER_PORT}>s ^(443>(s)|[0-9]+>s)$ RewriteRule ^index\.php$ http%2://www.example.com/$1 [R=301,L] ## If the above line throws a 500 error, change [R=301,L] to [R,L] ########## End - Redirect index.php to / ########## Begin - Redirect non-www to www RewriteCond %{HTTP_HOST} !^www\. [NC] RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L] ## If the above throws an HTTP 500 error, swap [R=301,L] with [R,L] ########## End - Redirect non-www to www ########## Begin - Redirect www to non-www ## WARNING: Comment out the non-www to www rule if you choose to use this # RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC] # RewriteRule ^(.*)$ http://%1/$1 [R=301,L] ## If the above throws an HTTP 500 error, swap [R=301,L] with [R,L] ########## End - Redirect non-www to www ########## Begin - Custom internal rewrites # # If you need to internally rewrite some specific URL requests, # place that code here. Ensure those internal rewrites use the # correct RewriteRule syntax without domain name and with [L] flag. # ########## End - Custom internal rewrites ########## Begin - Joomla! core SEF Section # RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] # # If the requested path and file is not /index.php and the request # has not already been internally rewritten to the index.php script RewriteCond %{REQUEST_URI} !^/index\.php # and the request is for the site root, or for an extensionless URL, # or the requested URL ends with one of the listed extensions RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw|ini|zip|json|file))$ [NC] # and the requested path and file doesn't directly match a physical file RewriteCond %{REQUEST_FILENAME} !-f # and the requested path doesn't directly match a physical folder RewriteCond %{REQUEST_FILENAME} !-d # internally rewrite the request to the index.php script RewriteRule .* index.php [L] # ########## End - Joomla! core SEF Section ########## Begin - Optimal default expiration time ## Note: this might cause problems and you might have to comment it out by ## placing a hash in front of this section's lines <IfModule mod_expires.c> # Enable expiration control ExpiresActive On # Default expiration: 1 hour after request ExpiresDefault "now plus 1 hour" # CSS and JS expiration: 1 week after request ExpiresByType text/css "now plus 1 week" ExpiresByType application/javascript "now plus 1 week" ExpiresByType application/x-javascript "now plus 1 week" # Image files expiration: 1 month after request ExpiresByType image/bmp "now plus 1 month" ExpiresByType image/gif "now plus 1 month" ExpiresByType image/jpeg "now plus 1 month" ExpiresByType image/jp2 "now plus 1 month" ExpiresByType image/pipeg "now plus 1 month" ExpiresByType image/png "now plus 1 month" ExpiresByType image/svg+xml "now plus 1 month" ExpiresByType image/tiff "now plus 1 month" ExpiresByType image/vnd.microsoft.icon "now plus 1 month" ExpiresByType image/x-icon "now plus 1 month" ExpiresByType image/ico "now plus 1 month" ExpiresByType image/icon "now plus 1 month" ExpiresByType text/ico "now plus 1 month" ExpiresByType application/ico "now plus 1 month" ExpiresByType image/vnd.wap.wbmp "now plus 1 month" ExpiresByType application/vnd.wap.wbxml "now plus 1 month" ExpiresByType application/smil "now plus 1 month" # Audio files expiration: 1 month after request ExpiresByType audio/basic "now plus 1 month" ExpiresByType audio/mid "now plus 1 month" ExpiresByType audio/midi "now plus 1 month" ExpiresByType audio/mpeg "now plus 1 month" ExpiresByType audio/x-aiff "now plus 1 month" ExpiresByType audio/x-mpegurl "now plus 1 month" ExpiresByType audio/x-pn-realaudio "now plus 1 month" ExpiresByType audio/x-wav "now plus 1 month" # Movie files expiration: 1 month after request ExpiresByType application/x-shockwave-flash "now plus 1 month" ExpiresByType x-world/x-vrml "now plus 1 month" ExpiresByType video/x-msvideo "now plus 1 month" ExpiresByType video/mpeg "now plus 1 month" ExpiresByType video/mp4 "now plus 1 month" ExpiresByType video/quicktime "now plus 1 month" ExpiresByType video/x-la-asf "now plus 1 month" ExpiresByType video/x-ms-asf "now plus 1 month" </IfModule> ########## End - Optimal expiration time
