Created
August 12, 2010 19:37
-
-
Save jonathonbyrdziak/521577 to your computer and use it in GitHub Desktop.
htaccess Security :: A compilation of .htaccess commands to make your website more secure.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Copyright (c) 2007, 2012 All Right Reserved, Red Rokk, inc | |
| ## | |
| ## THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY | |
| ## KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE | |
| ## IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A | |
| ## PARTICULAR PURPOSE. | |
| ## | |
| ## Author: Jonathon Byrd | |
| ## Email: jonathon@redrokk.com | |
| ## Date: 2012-12-19 | |
| ######################################################################### | |
| ## Standard Settings to ensure security | |
| Options -Indexes | |
| IndexOptions -FancyIndexing | |
| php_flag display_errors off | |
| php_flag display_startup_errors off | |
| php_flag log_errors on | |
| php_flag magic_quotes_gpc off | |
| php_flag magic_quotes_sybase off | |
| php_flag register_globals off | |
| php_flag session.auto_start off | |
| php_flag mbstring.encoding_translation off | |
| php_flag asp_tags off | |
| php_flag short_open_tag off | |
| php_value max_execution_time 200 | |
| php_value max_input_time 200 | |
| php_value max_execution_time 30 | |
| php_value mbstring.http_input pass | |
| php_value mbstring.http_output pass | |
| php_value memory_limit 100M | |
| php_value output_buffering 4096 | |
| php_value post_max_size 20M | |
| php_value session.cookie_lifetime 3600 | |
| php_value session.gc_maxlifetime 3600 | |
| php_value track_errors on | |
| php_value upload_max_filesize 20M | |
| ## Disable the server signature | |
| ServerSignature Off | |
| ## protect against DOS attacks by limiting file upload size - 10240000 is 10 megabytes | |
| LimitRequestBody 10240000 | |
| ## pass the default character set | |
| AddDefaultCharset utf-8 | |
| ######################################################################### | |
| ## Deny Access to these protected file extensions | |
| <FilesMatch "(.*).(?i:exe|sql|htaccess|htpasswd|ini|log|sh|inc|bac?k|pyc|pyo?|so|dll|inc|cmd)$"> | |
| Order Allow,Deny | |
| Deny from All | |
| </FilesMatch> | |
| ## Deny access to these files | |
| <FilesMatch "(?i:(.*)(admin|sql)(.*))$"> | |
| Order Allow,Deny | |
| Deny from All | |
| </FilesMatch> | |
| ######################################################################### | |
| ## GZip Compression | |
| ## compress text, html, javascript, css, xml: | |
| ## | |
| <IfModule mod_deflate.c> | |
| AddOutputFilterByType DEFLATE text/plain | |
| AddOutputFilterByType DEFLATE text/html | |
| AddOutputFilterByType DEFLATE text/xml | |
| AddOutputFilterByType DEFLATE text/css | |
| AddOutputFilterByType DEFLATE application/xml | |
| AddOutputFilterByType DEFLATE application/xhtml+xml | |
| AddOutputFilterByType DEFLATE application/rss+xml | |
| AddOutputFilterByType DEFLATE application/javascript | |
| AddOutputFilterByType DEFLATE application/x-javascript | |
| </IfModule> | |
| ## Limit bandwidth consumption | |
| <IfModule mod_php5.c> | |
| php_value zlib.output_compression 16386 | |
| </IfModule> | |
| ######################################################################### | |
| ## | |
| <IfModule mod_rewrite.c> | |
| RewriteEngine On | |
| ## Block CSX Injections | |
| RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR] | |
| ## Block PHP Injections | |
| RewriteCond %{QUERY_STRING} .*(ftp|https?|select|insert|drop|declare|union|base64_decode|base64_encode|globals|request|put|files?|get|post|apache_child_terminate|apache_setenv|define_syslog_variables|escapeshellarg|escapeshellcmd|eval|exec|fp|fput|ftp_connect|ftp_exec|ftp_get|ftp_login|ftp_nb_fput|ftp_put|ftp_raw|ftp_rawlist|highlight_file|ini_alter|ini_get_all|ini_restore|inject_code|mysql_pconnect|openlog|passthru|php_uname|phpAds_remoteInfo|phpAds_XmlRpc|phpAds_xmlrpcDecode|phpAds_xmlrpcEncode|popen|posix_getpwuid|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|posix_setuid|posix_uname|proc_close|proc_get_status|proc_nice|proc_open|proc_terminate|shell_exec|syslog|system|xmlrpc_entity_decode).* [NC,OR] | |
| ## Disable Trace and Track | |
| RewriteCond %{REQUEST_METHOD} ^TRACE | |
| ## Blocking NameProtect Brand Monitoring | |
| RewriteCond %{REMOTE_ADDR} ^12\.148\.196\.(12[8-9]|1[3-9][0-9]|2[0-4][0-9]|25[0-5])$ [OR] | |
| RewriteCond %{REMOTE_ADDR} ^12\.148\.209\.(19[2-9]|2[0-4][0-9]|25[0-5])$ [OR] | |
| RewriteCond %{HTTP_USER_AGENT} NPBot [NC,OR] | |
| ## Blocking Cyveillance | |
| RewriteCond %{REMOTE_ADDR} "^63\.148\.99\.2(2[4-9]|[3-4][0-9]|5[0-5])$" [OR] | |
| ## Block Domains | |
| RewriteCond %{HTTP_USER_AGENT} .*almaden.* [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Anarchie [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} AsiaNetBot [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^ASPSeek [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ASSORT [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ATHENS [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^attach [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^autoemailspider [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} autohttp [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} bew [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} BlackWidow [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^BackWeb [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Bandit [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^BatchFTP [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^.Browse\s [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Buddy [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Bullseye [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Bot\mailto:craftbot@yahoo.com [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^CherryPicker [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Crescent [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Collector [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Copier [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} curl [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} devsoft's\ http\ component [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^DA [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Download\Demon [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Download\Wonder [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Downloader [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Drip [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^DIIbot [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Deweb [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Digimarc [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Digger [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} digout4uagent [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} DISCo [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} dloader(NaverRobot) [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ecollector [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Educate\ Search [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} EirGrabber [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^EmailCollector [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^eCatch [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Express\WebPictures [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} EO\ Browse [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^.Eval [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^FileHound [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^FlashGet [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} fastlwspider [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} FEZhead [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Fetch [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Franklin\ Locator [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Full\ Web\ Bot [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^GetRight [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Getleft [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^GetSmart [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} GetURL [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} GetWebPage [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Gozilla [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^gotit [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Grabber [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^GrabNet [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Grafula [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^.*Harvest [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^HMView [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} HTML\ Works [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^HTTrack [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} "Indy Library" [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} "IUPUI Research Bot" [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^InterGET [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Iria [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^ia_archiver [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^InternetSeer.com [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} IBM_Planetwide [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Image\ Stripper [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Image\ Sucker [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} IncyWincy [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} InterGET [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Internet\ Explore\ 5\.x [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Internet\ Ninja [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Irvine [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^JetCar [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^JOC [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} JOC\ Web\ Spider [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^JustView [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} KWebGet [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} larbin [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} leech [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^lftp [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^likse [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^LinkWalker [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^.*LWP [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} MCspider [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Microsoft\ URL [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Microsoft.URL [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Magnet [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Mag-Net [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Mass\Downloader [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Memo [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^MIDown\tool [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Mirror [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Missauga\ Locator [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Missigua\ Locator [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Mister\ PiX [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Monster [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Mozilla.*NEWT [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Mozilla\/3\.0\.\+Indy\ Library [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Mozilla\/3.Mozilla\/2\.01 [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Mozilla\/4\.0$ [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Mozzilla [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} MSIECrawler [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^NICErsPRO [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^NASA\ Search\ 1\.0$ [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Navroad [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^NearSite [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} netattache [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^NetAnts [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} NetCarta [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^NetSpider [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Net\Vampire [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^NetZip [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} NICErsPRO [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Ninja [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Octopus [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Offline\Explorer [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Offline\ Navigator [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} OpaL [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Openfind [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} OpenTextSiteCrawler [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} pavuk [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} PackRat [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^PapaFoto [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Pockey [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Pump [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^psbot [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Plucker [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Production\ Bot [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Program\ Shareware [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} PushSite [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} RepoMonkey [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Rover [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Rsync [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^RealDownload [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Reaper [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Recorder [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^ReGet [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Siphon [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ScoutAbout [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} searchterms\.it [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} semanticdiscovery [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Shai [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} sitecheck [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Siphon [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Snake [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^SpaceBison [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Spegla [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} SpiderBot [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Stripper [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Sucker [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^SuperBot [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Surfbot [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^.Surf [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} SurfWalker [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^sitecheck.internetseer.com [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} tarspider [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Teleport [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Telesoft [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} Templeton [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} UtilMind [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^Vacuum [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [NC,OR] | |
| ## 403 FORBIDDEN ACCESS | |
| RewriteRule .* - [F,NS,L] | |
| </IfModule> | |
| ######################################################################### | |
| # deny from everyone, except from yourself (whatever IP/net) | |
| #order deny,allow | |
| #deny from all | |
| #allow from 192.0.2.199 | |
| # custom error document with a useful message | |
| #ErrorDocument 403 /updating.html | |
| #<Files updating.html> | |
| # allow from all | |
| #</Files> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment