Hardening Joomla security through the .htaccess file

Before the rebuild, the old Joomla 1.5 site had been compromised and many of its files were modified. After rebuilding the whole platform I wanted to strengthen my protective measures and habits, so this post records the Joomla! .htaccess configuration collected from the Internet and from the official Joomla! documentation, arranged to improve Joomla! security. Most of this content is already listed in the official documentation, but some parts are too brief and thin, or were written for one particular package and do not address the topic.

```apache
######################################################
##
## The following settings are intended to prevent attacks; they are taken from
## the Joomla! Documentation. Place them in the Joomla root directory.
##
######################################################

## The rules below need mod_rewrite enabled (Joomla's stock htaccess.txt already does this).
RewriteEngine On

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# If the request query string contains /proc/self/environ (by SigSiu.net)
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Block out any script trying to set a mosConfig value through the URL
# (these attacks wouldn't work w/out Joomla! 1.5's Legacy Mode plugin)
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode or base64_decode data within the URL
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR]
## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines:
# RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR]
# RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* index.php [F]
#
########## End - Rewrite rules to block out some common exploits

########## Begin - File injection protection, by SigSiu.net
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]
########## End - File injection protection

########## Begin - Advanced server protection - query strings, referrer and config
# Advanced server protection, version 3.2 - May 2011
# by Nicholas K. Dionysopoulos

## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
## your PHP version). See http://www.0php.com/php_easter_egg.php and
## http://osvdb.org/12184 for more information
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule .* - [F]

## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
## May cause problems on legitimate requests
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]
RewriteRule .* - [F]

## Referrer filtering for common media files. Replace with your own domain name.
## This blocks most common fingerprinting attacks ;)
## Note: Change www\.example\.com with your own domain name, substituting the
## dots with \.  i.e. use www\.example\.com for www.example.com
## Because this restricts the domain and could interfere with local testing, it is left unset for now
#RewriteRule ^images/stories/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [L]
#RewriteCond %{HTTP_REFERER} .
#RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
#RewriteCond %{REQUEST_FILENAME} -f
#RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [F]

## Disallow visual fingerprinting of Joomla! sites (module position dump)
## Initial idea by Brian Teeman and Ken Crowder, see:
## http://www.slideshare.net/brianteeman/hidden-joomla-secrets
## Improved by @nikosdion to work more efficiently and handle template
## and tmpl query parameters
RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC]
RewriteRule .* - [L]
RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC]
RewriteRule .* - [F]

## Disallow access to htaccess.txt, configuration.php, configuration.php-dist and php.ini
RewriteRule ^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$ - [F]

########## End - Advanced server protection - query strings, referrer and config

########## Begin - Advanced server protection - paths and files
# Advanced server protection, version 3.2 - May 2011
# by Nicholas K. Dionysopoulos

## Back-end protection
## This also blocks fingerprinting attacks browsing for XML and INI files
RewriteRule ^administrator/?$ - [L]
RewriteRule ^administrator/index\.(php|html?)$ - [L]
RewriteRule ^administrator/index[23]\.php$ - [L]
RewriteRule ^administrator/(components|modules|templates|images|plugins)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
RewriteRule ^administrator/ - [F]

## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory
RewriteRule ^xmlrpc/(index\.php)?$ - [L]
RewriteRule ^xmlrpc/ - [F]

## Disallow front-end access for certain Joomla! system directories
RewriteRule ^includes/js/ - [L]
RewriteRule ^(cache|includes|language|libraries|logs|tmp)/ - [F]

## Allow limited access for certain Joomla! system directories with client-accessible content
RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
## Uncomment this line if you have extensions which require direct access to their own
## custom index.php files. Note that this is UNSAFE and the developer should be ashamed
## for being so lame, lazy and security unconscious.
# RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*(index\.php)?$ - [L]
## Uncomment the following line if your template requires direct access to PHP files
## inside its directory, e.g. GZip compressed copies of its CSS files
# RewriteRule ^templates/([^/]+/)*([^/.]+\.)+php$ - [L]
RewriteRule ^(components|modules|plugins|templates)/ - [F]

## Disallow access to rogue PHP files throughout the site, unless they are explicitly allowed
RewriteCond %{REQUEST_FILENAME} \.php$
RewriteCond %{REQUEST_FILENAME} !/index[23]?\.php$
## The next line is to explicitly allow the forum post assistant (fpa-xx) script to run
RewriteCond %{REQUEST_FILENAME} !/fpa-[a-z]{2}\.php
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^([^/]+/)*([^/.]+\.)+php$ - [F]

########## End - Advanced server protection - paths and files

# Block mySQL injects
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR]
RewriteCond %{QUERY_STRING} \.\./\.\. [OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
# Caution: this matches any dot followed by a letter or digit (file names, IP
# addresses, version numbers in ordinary query strings), so it blocks those too.
RewriteCond %{QUERY_STRING} \.[a-z0-9] [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC]
# Note: The final RewriteCond must NOT use the [OR] flag.
# The conditions above only take effect with a RewriteRule after them; refuse the request.
RewriteRule .* - [F]
```
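To see which requests the query-string conditions above actually stop, and which ordinary Joomla requests they catch as well, here is an added Python script (not from this post or from the Joomla! documentation) that re-implements the "common exploits" chain and the "Block mySQL injects" chain with Python's `re`, which is close enough to Apache's PCRE for these expressions. Rule labels and the sample query strings are constructed for the example; `%{QUERY_STRING}` is tested un-decoded by mod_rewrite, which is why the patterns carry `%3C` and friends.

```python
import re

# Each entry: (label, regex as written in the .htaccess, case-insensitive?)
# Within a chain the conditions are OR-ed (the [OR] flag), so a request is
# refused as soon as one pattern matches the raw query string.
COMMON_EXPLOIT_CHAIN = [
    ("proc/self/environ", r"proc/self/environ", False),
    ("mosConfig via URL", r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", False),
    ("base64 in URL", r"base64_(en|de)code[^(]*\([^)]*\)", False),
    ("script tag in URL", r"(<|%3C)([^s]*s)+cript.*(>|%3E)", True),
    ("GLOBALS via URL", r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False),
    ("_REQUEST via URL", r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", False),
]

# The "Block mySQL injects" chain from the end of the listing.
SQLI_CHAIN = [
    ("sqli keyword after metachar",
     r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"
     r"(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark)", True),
    ("directory traversal", r"\.\./\.\.", False),
    ("loopback reference", r"(localhost|loopback|127\.0\.0\.1)", True),
    ("dot followed by alnum", r"\.[a-z0-9]", True),
    ("bare metachar", r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", True),
]


def first_match(query_string, chain):
    """Return the label of the first condition in `chain` that matches, else None."""
    for label, pattern, nocase in chain:
        flags = re.IGNORECASE if nocase else 0
        if re.search(pattern, query_string, flags):
            return label
    return None


def classify(query_string):
    """Emulate the two chains in file order: the first matching condition wins."""
    return (first_match(query_string, COMMON_EXPLOIT_CHAIN)
            or first_match(query_string, SQLI_CHAIN))


# Constructed sample query strings: attack-shaped ones and ordinary Joomla ones.
SAMPLES = [
    "option=com_content&view=article&id=5",               # normal article request
    "id=1' union select 1,2,3",                           # classic injection shape
    "q=%3Cscript%3Ealert(1)%3C/script%3E",                # URL-encoded script tag
    "file=../../etc/passwd",                              # traversal
    "mosConfig_absolute_path=http://evil.example/x.txt",  # 1.5 legacy-mode shape
    "img=logo.png",                                       # legitimate, but has ".p"
    "search=O'Neil",                                      # legitimate apostrophe
]

if __name__ == "__main__":
    for qs in SAMPLES:
        verdict = classify(qs)
        print(f"{qs!r:55} -> {verdict or 'allowed'}")
```

Running it shows the trade-off the "May cause problems on legitimate requests" comment hints at: the last two samples are ordinary site traffic, yet `\.[a-z0-9]` refuses any file name in a query string and the bare-metacharacter rule refuses any apostrophe in a search term. Run a script like this over a day of your own access log's query strings before enabling those two conditions.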

In addition, a second .htaccess file can be placed under the administrator directory to restrict which IP addresses may log in to the back end:

```apache
<IfModule mod_rewrite.c>
RewriteEngine On
# Only clients whose address starts with 172.20.8. may reach the back end;
# the dots are escaped so they match literally rather than any character.
RewriteCond %{REMOTE_ADDR} !^172\.20\.8\.
RewriteRule .* /404.php [R,L]
</IfModule>
```
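The `RewriteCond` keys on a regular expression, so the dots in the address prefix have to be escaped or they match any character. The added Python script below (not part of the post) compares the escaped prefix with the unescaped variant against a few constructed client addresses, emulating the negated condition the way mod_rewrite evaluates it.

```python
import re

# Unescaped form, where '.' is a regex wildcard, beside the escaped form that
# matches the literal prefix 172.20.8. only (the range used in the post).
UNESCAPED_PREFIX = r"^172.20.8."
ESCAPED_PREFIX = r"^172\.20\.8\."


def admin_allowed(remote_addr, prefix_pattern=ESCAPED_PREFIX):
    """Emulate `RewriteCond %{REMOTE_ADDR} !<pattern>` followed by a redirect.

    The rule fires (redirecting to /404.php) when the pattern does NOT match,
    so the client reaches /administrator only when the pattern matches.
    """
    return re.match(prefix_pattern, remote_addr) is not None


def bypassing_addresses(candidates):
    """Addresses the unescaped pattern lets in but the escaped one refuses."""
    return [ip for ip in candidates
            if admin_allowed(ip, UNESCAPED_PREFIX)
            and not admin_allowed(ip, ESCAPED_PREFIX)]


SAMPLE_CLIENTS = [  # constructed addresses
    "172.20.8.15",    # inside the intended range
    "172.20.81.7",    # outside it: the wildcard after "8" swallows the "1"
    "172.20.80.200",  # outside it as well
    "10.0.0.9",       # unrelated network, refused by both
]

if __name__ == "__main__":
    for ip in SAMPLE_CLIENTS:
        print(f"{ip:15} unescaped={admin_allowed(ip, UNESCAPED_PREFIX)!s:5} "
              f"escaped={admin_allowed(ip)}")
    print("let in only by the unescaped pattern:", bypassing_addresses(SAMPLE_CLIENTS))
```

With the unescaped pattern every 172.20.80.0 to 172.20.89.255 address is treated as part of the office range. On Apache 2.4 the same allowlist can be written without a regex at all, as `Require ip 172.20.8.0/24` inside the `<Directory>` or .htaccess for `administrator/`, which sidesteps the escaping question entirely.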

【Reference links】

