Hardening Joomla with the .htaccess file

After an older Joomla 1.5 installation was compromised and many of its files were modified, the whole platform was rebuilt, and I wanted to strengthen the protective measures and habits around it. The .htaccess settings below are compiled from official sources on the Internet and the Joomla! documentation in order to improve Joomla's security. The official documentation lists more than I have included here, but some of those entries are too thin, or are specific to a particular package, so I left them out.

```apache
######################################################
##
## The following settings are intended to protect against attacks; they are taken
## from the Joomla! Documentation. Place them in the Joomla root directory.
##
######################################################

## mod_rewrite must be enabled for any of the rules below to take effect
## (the stock Joomla root .htaccess already contains this line)
RewriteEngine On

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# If the request query string contains /proc/self/environ (by SigSiu.net)
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Block out any script trying to set a mosConfig value through the URL
# (these attacks wouldn't work w/out Joomla! 1.5's Legacy Mode plugin)
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode or base64_decode data within the URL
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR]
## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines:
# RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR]
# RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* index.php [F]
#
########## End - Rewrite rules to block out some common exploits

########## Begin - File injection protection, by SigSiu.net
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]
########## End - File injection protection

########## Begin - Advanced server protection - query strings, referrer and config
# Advanced server protection, version 3.2 - May 2011
# by Nicholas K. Dionysopoulos

## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
## your PHP version). See http://www.0php.com/php_easter_egg.php and
## http://osvdb.org/12184 for more information
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule .* - [F]

## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
## May cause problems on legitimate requests
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]
RewriteRule .* - [F]

## Referrer filtering for common media files. Replace with your own domain name.
## This blocks most common fingerprinting attacks ;)
## Note: Change www\.example\.com with your own domain name, substituting the
## dots with \.  i.e. use www\.example\.com for www.example.com
## Because this restricts the domain and could interfere with local testing, it is left disabled for now
#RewriteRule ^images/stories/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [L]
#RewriteCond %{HTTP_REFERER} .
#RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
#RewriteCond %{REQUEST_FILENAME} -f
#RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [F]

## Disallow visual fingerprinting of Joomla! sites (module position dump)
## Initial idea by Brian Teeman and Ken Crowder, see:
## http://www.slideshare.net/brianteeman/hidden-joomla-secrets
## Improved by @nikosdion to work more efficiently and handle template
## and tmpl query parameters
RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC]
RewriteRule .* - [L]
RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC]
RewriteRule .* - [F]

## Disallow access to htaccess.txt, configuration.php, configuration.php-dist and php.ini
RewriteRule ^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$ - [F]

########## End - Advanced server protection - query strings, referrer and config

########## Begin - Advanced server protection - paths and files
# Advanced server protection, version 3.2 - May 2011
# by Nicholas K. Dionysopoulos

## Back-end protection
## This also blocks fingerprinting attacks browsing for XML and INI files
RewriteRule ^administrator/?$ - [L]
RewriteRule ^administrator/index\.(php|html?)$ - [L]
RewriteRule ^administrator/index[23]\.php$ - [L]
RewriteRule ^administrator/(components|modules|templates|images|plugins)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
RewriteRule ^administrator/ - [F]

## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory
RewriteRule ^xmlrpc/(index\.php)?$ - [L]
RewriteRule ^xmlrpc/ - [F]

## Disallow front-end access for certain Joomla! system directories
RewriteRule ^includes/js/ - [L]
RewriteRule ^(cache|includes|language|libraries|logs|tmp)/ - [F]

## Allow limited access for certain Joomla! system directories with client-accessible content
RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
## Uncomment this line if you have extensions which require direct access to their own
## custom index.php files. Note that this is UNSAFE and the developer should be ashamed
## for being so lame, lazy and security unconscious.
# RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*(index\.php)?$ - [L]
## Uncomment the following line if your template requires direct access to PHP files
## inside its directory, e.g. GZip compressed copies of its CSS files
# RewriteRule ^templates/([^/]+/)*([^/.]+\.)+php$ - [L]
RewriteRule ^(components|modules|plugins|templates)/ - [F]

## Disallow access to rogue PHP files throughout the site, unless they are explicitly allowed
RewriteCond %{REQUEST_FILENAME} \.php$
RewriteCond %{REQUEST_FILENAME} !/index[23]?\.php$
## The next line is to explicitly allow the forum post assistant (fpa-xx) script to run
RewriteCond %{REQUEST_FILENAME} !/fpa-[a-z]{2}\.php
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^([^/]+/)*([^/.]+\.)+php$ - [F]

########## End - Advanced server protection - paths and files

# Block mySQL injects
# (the curly quotes in the original listing were typographic; plain ' and " are meant)
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR]
RewriteCond %{QUERY_STRING} \.\./\.\. [OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
# Very broad: rejects any query value containing a dot followed by a letter or digit (e.g. file=logo.png)
RewriteCond %{QUERY_STRING} \.[a-z0-9] [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC]
# Note: The final RewriteCond must NOT use the [OR] flag.
# The RewriteRule these conditions apply to was missing from the original listing; added here
RewriteRule .* - [F]
```
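To see what the query-string condition chains above actually reject, here is an added Python emulation (not code from the page or from the Joomla project) that re-applies those blocks to constructed sample query strings, including a benign download request that the broad `\.[a-z0-9]` condition rejects. It assumes the raw, undecoded query string as Apache's `%{QUERY_STRING}` provides it, and that Python's `re` behaves like PCRE for these patterns.

```python
import re
# Added example, not from the page: re-apply the page's query-string RewriteCond chains
# in Python. Apache searches the raw, undecoded %{QUERY_STRING} with PCRE, so the
# patterns are used unchanged and [NC] is mapped to re.IGNORECASE.

def cond(pattern, nc=False):
    return re.compile(pattern, re.IGNORECASE if nc else 0)

# Each block lists conditions joined with [OR] in the .htaccess: any one match blocks.
RULE_BLOCKS = {
    "common_exploits": [
        cond(r"proc/self/environ"),
        cond(r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)"),
        cond(r"base64_(en|de)code[^(]*\([^)]*\)"),
        cond(r"(<|%3C)([^s]*s)+cript.*(>|%3E)", nc=True),
        cond(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})"),
        cond(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})"),
    ],
    "file_injection": [  # the page limits this block to GET; a GET request is assumed
        cond(r"[a-zA-Z0-9_]=http://"),
        cond(r"[a-zA-Z0-9_]=(\.\.//?)+"),
        cond(r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+", nc=True),
    ],
    "sqli_first_line": [
        cond(r"concat[^\(]*\(", nc=True),
        cond(r"union([^s]*s)+elect", nc=True),
        cond(r"union([^a]*a)+ll([^s]*s)+elect", nc=True),
    ],
    "mysql_injects": [
        cond(r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"
             r"(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark)", nc=True),
        cond(r"\.\./\.\."),
        cond(r"(localhost|loopback|127\.0\.0\.1)", nc=True),
        cond(r"\.[a-z0-9]", nc=True),  # broad: any dot followed by a letter or digit
        cond(r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", nc=True),
    ],
}

def blocking_rules(query_string):
    """Names of the blocks whose condition chain matches this raw query string (-> 403)."""
    return [name for name, conds in RULE_BLOCKS.items()
            if any(c.search(query_string) for c in conds)]

if __name__ == "__main__":
    # Constructed samples: a normal Joomla request, three hostile strings, and one benign
    # download request that the broad \.[a-z0-9] condition rejects as a false positive.
    for qs in ("option=com_content&view=article&id=5", "id=1%20union%20select%201,2,3",
               "file=../../../../proc/self/environ", "q=%3Cscript%3Ealert(1)%3C/script%3E",
               "task=download&file=report.pdf"):
        print(f"{qs!r:45} -> {blocking_rules(qs) or 'allowed'}")
```

Rules that trigger on legitimate traffic show up here before they reach production, which is the check to run whenever one of these blocks is changed.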

In addition, a second .htaccess is placed in the administrator directory to restrict back-end login to specific IP addresses:

```apache
<IfModule mod_rewrite.c>
RewriteEngine On
# Only clients in 172.20.8.x may reach the back-end; everyone else is redirected to /404.php
# (dots escaped so the pattern matches literal dots, not any character)
RewriteCond %{REMOTE_ADDR} !^172\.20\.8\.
RewriteRule .* /404.php [R,L]
</IfModule>
```

Reference [link]
