blurredreality

Protect your site via htaccess - support


I shall start (as lack of understanding was my motivation for starting this thread, unfortunately).

When messing with htaccess, for the reasonably naive OSc user it is quite daunting. I feel, while the mod is great, the instructions could be clearer.

First of all, do I literally copy the whole of the code from the htaccess_protection.htm file into my htaccess file (every line, including the ones starting with # and the ones not starting with #), obviously changing the red text into my address?

Secondly, when editing my address in this code, do I edit it to my primary domain, or the domain I would use when specifying the secure address my store uses (e.g. would it be along the lines of http://www.mysite.co.uk OR https://secureXX.hostname.com/~username/, given that I have a shared SSL certificate)? Also, do I need to include a /catalog at the end of these addresses?

My final query would be as to where the IP addresses in the banned IP numbers text file have come from. Are they confirmed as dangerous?

Thank you greatly to anyone who can help. My questions are probably very basic, but where better a place to start than a support thread! I imagine there will be others like me out there who are apprehensive about messing anything up.


I was just asking the same questions. Can someone help us with this? Why are these IPs banned?

I already have an htaccess in my root directory, so do I just need to copy all the code and paste it into my htaccess, or what?


I'll do my best to answer your questions here. Please don't assume that this means I know everything.

 

Yes, you can copy that whole file into your .htaccess. The lines beginning with # are comments. You don't need these, but they are handy when troubleshooting or making changes. You can also remove any of the blank lines, as they do nothing at all.

 

You need to replace the text in red with your domain. These mods are not needed for your SSL domain, so don't worry if you have a shared cert.

 

The banned IP addresses appear to all be from Turkey. Apparently the author had some problems with people from Turkey. I would avoid doing this unless you are having similar problems. If you need to block access from a certain country or block of IP addresses, then substitute your IP addresses for the ones in this list.

 

Be careful with using this file. There are some parts that may interfere with modified osCommerce stores or other code that may be on your site. For example, the # deny most common except .php section prevents displaying .ihtml files. The FORCE TYPE section will force everything to be seen as PHP, which can interfere with running CGI. Also, the FORCE TYPE line seems to be missing a # at the beginning.

 

I would take this file one section at a time, and determine if it will be useful to you. Here's a quick guide to the sections:

 

# Deny domain access to spammers and other scumbags

This blocks anyone trying to access your site with a perl script. These scripts are often but not always used to steal content. There should be some more blocks here for other bad tools. Not very complete or useful. It also has an unrelated line that attempts to turn off Register Globals. This can kill your store if you are running a version older than 2.2RC1. Beware.

# Redirect index.php to domain.com

Changes index.php to /. This is good for search engines. Do it.

# Redirect domain.com to www.domain.com

Changes http://example.com to http://www.example.com. Also good for search engines.

# filter for most common exploits

Blocks some common exploit tools. Also duplicates the perl block from the first section. Warning: This section is incomplete. It needs the RewriteRule from the bottom of the next section to function. If you delete the next section, keep that line or this one will not work.

# ban spam bots

This blocks a lot of tools that are used by spammers. Note that some of these have legitimate uses, such as preloading pages for someone who is on a slow connection. You may annoy a few customers with this one. Note that the RewriteRule near the bottom of this section is also used by the previous section.

The last two lines of this section contain an (apparently) unrelated Referer rewriter. I have no idea why that is needed.

# stop hotlinking (gif/jpg) and serve alternate content

This prevents image thieves from hotlinking your content. Don't use this if you use your images on eBay, blogs, etc.

BAN IP NUMBERS, ALL OF TURKEY

Put a # in front of this line. Only use this if you need to block visitors by IP address. Anyone trying to view your store from one of these addresses will get a 403 Forbidden message instead of the page.

# deny most common except .php

Prevents any file with an extension in this list from loading. Remove any extensions that your site needs to display. Included files such as templates can stay in the list, as they are not displayed directly.

# Disable .htaccess viewing from browser

Prevents anyone from downloading your .htaccess file. This is a very good idea.

# Disable access to config.php

Also a very good idea.

 

Regards

Jim


See my profile for a list of my addons and ways to get support.
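To make Jim's section-by-section walkthrough concrete, here is what a trimmed file laid out along those lines can look like. This is an added example, not the mod's htaccess_protection.htm and not Jim's code: the host www.example.com, the User-Agent string, the extension list and the commented-out IP range are placeholders or my own assumptions. The access-control syntax is Apache 2.2 (Order/Deny), which matches the osCommerce era of this thread; Apache 2.4 expresses the same thing as Require all denied.

```apache
# Added example: one possible layout of the sections described above.
# Assumes the store is in the web root and is reached as http://www.example.com
# (placeholder domain; every value below is an assumption, not the mod's file).

RewriteEngine On
RewriteBase /

# Deny domain access to spammers and other scumbags
# Refuses requests whose User-Agent identifies the Perl LWP library.
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl [NC]
RewriteRule ^.*$ - [F,L]

# Redirect index.php to domain.com
# THE_REQUEST is the raw request line, e.g. "GET /index.php HTTP/1.1"; keying on
# it (rather than on the rewritten URL) avoids a loop when Apache serves "/"
# internally as index.php.
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.example.com/ [R=301,L]

# Redirect domain.com to www.domain.com
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

# stop hotlinking (gif/jpg)
# Allows an empty Referer (direct requests, some privacy proxies) and your own
# pages; other referrers get 403 here instead of the alternate image the mod serves.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(gif|jpe?g)$ - [F,NC,L]

# BAN IP NUMBERS
# Left commented out, as Jim advises; 192.0.2.0/24 is a documentation range
# standing in for whatever addresses you actually need to refuse.
# Order Allow,Deny
# Allow from all
# Deny from 192.0.2.0/24

# deny most common except .php
# Files with these extensions are never served directly. Remove any extension
# your site must deliver to browsers (Jim notes the mod's list includes .ihtml).
<FilesMatch "\.(inc|tpl|bak|sql|log)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

# Disable .htaccess viewing from browser
<Files .htaccess>
    Order Allow,Deny
    Deny from all
</Files>

# Disable access to config.php
# osCommerce keeps its settings in includes/configure.php; because .htaccess
# directives are inherited by subdirectories, this block in the root covers it.
<Files configure.php>
    Order Allow,Deny
    Deny from all
</Files>
```

A quick check after saving: request /.htaccess and /includes/configure.php in a browser and confirm both return 403, then request http://example.com/index.php and confirm the address bar ends up at http://www.example.com/. If a normal page returns 403 or 500 instead, comment the sections back out one at a time to find the one at fault.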


Jim, that is absolutely brilliant, thank you. I really appreciate the time you took to write that and I'm sure it'll benefit many others too. I really don't know what sort of a state my store would be in if it weren't for the help of people on these forums. It's all great :thumbsup: !

Anyway, I have one quick question about the first 2 additions: should I notice anything different in my browser navigation bar, i.e. should the addresses convert into the new format?

I have modified the htaccess file in the catalog folder (I have a lot of pages in the root directory one level up as well), modifying the base domain in each case, e.g. blurredreality.co.uk to www.blurredreality.co.uk instead of blurredreality.co.uk/catalog to www.blurredreality.co.uk/catalog. Does this sound right, or am I being incredibly stupid?

If you can't help that is fine; worth putting it out there though.

Thanks again Jim,

Josh


Any .htaccess rule that rewrites the URL should be in the site root. I'm not sure if it will work in a subdirectory. I guess you could try it and see.

You should see the result in the address bar. If you type in http://example.com it should change to http://www.example.com. If that doesn't happen you've done something wrong.

 

Regards

Jim


See my profile for a list of my addons and ways to get support.


This post has some more rules that could be added to the exploits section.

 

Regards

Jim


See my profile for a list of my addons and ways to get support.


That's awesome, thanks.

Still can't get the pesky URL rewrite to work. I expect the problem to be quite nuanced and subtle, so don't worry if you can't figure it out. This is the code I'm using:

# Redirect index.php to domain.com
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.blurredreality.co.uk/ [R=301,L]

# Redirect domain.com to www.domain.com
RewriteCond %{HTTP_HOST} ^blurredreality.co.uk [NC]
RewriteRule ^(.*)$ http://www.blurredreality.co.uk/$1 [L,R=301]
RewriteBase /

The URL in the navigation bar doesn't change at all.

Also, those new additions you linked to block me from accessing the site (taking me to a 403 error page), and it also says "Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request."

I have version 2.2 MS2 installed via Fantastico Deluxe in my host's cPanel, if that makes any difference. Maybe I have too old a version.

Either way, thanks for the help.


Rewrite rules are a pain. The code that you posted looks right to me. Remember that this is intended to be in the .htaccess in the root and to only work in the root. If you have your store installed in a subdirectory, such as /catalog, try removing the last line of the code you posted.

 

The error that you are getting indicates that you have blocked everyone instead of just hackers. Probably an error in the code, or you put it in the wrong place. I'll try to check that out later.

 

I don't recommend installing osCommerce using any third party installer. They never work quite right. MS2 is indeed very old and has several known security holes. You need to update to RC2a if you have not already done so. There's a supported addon for the update in the Addons section.

 

Regards

Jim


See my profile for a list of my addons and ways to get support.


Heya.

Unfortunately it still doesn't work :( (the URL rewrite stuff, that is; the other ones seem to be effective as far as I can tell).

I have also realised I do have RC2a, not sure why I thought I didn't. Anyway, if anyone can help me figure this out that'd be great. I'll leave it out there for now.


My rewrite rules work fine as long as the site is configured in includes/configure.php with the 'www' preceding the domain name for the http addresses. However I cannot get the 'filter for most common exploits' and 'ban spam bots' rules to work.

E.g. with:

RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} c99 [OR]
RewriteRule ^.* - [F,L]

For the whole site I get error 500: "You don't have permission to access / on this server."
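The site-wide lockout in the post above has a specific cause that is worth seeing side by side, so here is an added example (not from the mod and not from any poster in this thread). It relies on how mod_rewrite's ornext flag ([OR]) behaves: a condition marked [OR] that does not match simply hands over to the next condition. When the [OR] sits on the last (or, as above, the only) condition, there is nothing to hand over to, the chain is left in the "still possible" state rather than failing, and the [F] rule fires for every request. The same mechanism is behind Jim's note that the exploit section needs the RewriteRule from the bottom of the spam-bot section: a run of [OR] conditions only does anything once a final unflagged condition and a RewriteRule close it. The query-string patterns other than c99 are my own illustrations, not the mod's list.

```apache
# Added example: why a lone [OR] condition forbids the whole site, and two
# corrected forms. Nothing here is taken from the mod's own file.

RewriteEngine On
RewriteBase /

# BROKEN (as posted): the only condition carries [OR]. A non-matching query
# string does not terminate the chain, so the rule applies to every request
# and the entire site answers 403 Forbidden.
#
# RewriteCond %{QUERY_STRING} c99 [OR]
# RewriteRule ^.* - [F,L]

# FIXED, single pattern: a lone condition takes no [OR] at all.
# NC makes the match case-insensitive; the rule only fires when c99 appears
# somewhere in the query string.
RewriteCond %{QUERY_STRING} c99 [NC]
RewriteRule ^.* - [F,L]

# FIXED, several patterns: every condition except the last carries [OR]; the
# last one has none, so the chain ends in a real match/no-match decision.
# (Patterns below are illustrative; tune them to what your store actually sees.)
RewriteCond %{QUERY_STRING} (\.\./|\.\.%2F) [NC,OR]
RewriteCond %{QUERY_STRING} proc/self/environ [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)script(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode [NC]
RewriteRule ^.* - [F,L]
```

Two cautions when reusing this. First, `c99` on its own is a bare substring match, so a legitimate URL such as product_info.php?products_id=c99 would be refused as well; anchor or widen patterns to the shape of the attack you are filtering, and watch the error log for false positives. Second, verify the fix from the outside rather than trusting the file: a request for / should return 200, and the same page with a query string that matches one of the conditions should return 403. If / itself returns 403, a condition is still unterminated.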


Hi, I have tried to use the:

# Redirect index.php to domain.com and # Redirect domain.com to www.domain.com

but I just cannot get them to work.

My store is in a subdirectory called catalogue and I have a .htaccess rule so that anyone who types the web address www.jati-keswick.co.uk will get re-routed to www.jati-keswick.co.uk/catalogue.

The .htaccess code for this is:

RewriteEngine on
RewriteCond %{HTTP_HOST} ^.*$
RewriteRule ^/?$ "http\:\/\/www\.jati-keswick\.co\.uk\/catalogue\/" [R=301,L]

I have tried to add the relevant code to this list but this does not work.

I also have another .htaccess file in the catalogue folder which has various pieces of code in it, and I have also added the rewrite code to this, but I just get error messages.

Does anyone know where I am going wrong?

Thank you.
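The subdirectory reports in this thread (the store in /catalog or /catalogue, the two redirect rules copied verbatim, and nothing changing in the address bar) share two causes, and Jim's "not sure if it will work in a subdirectory" is the right instinct. First, the index.php rule keys on THE_REQUEST, which is the raw request line: for a store in a subdirectory it reads GET /catalogue/index.php HTTP/1.1, so a pattern written for a root-level /index.php never matches. Second, mod_rewrite does not merge a parent directory's rules into a subdirectory .htaccess that declares its own rewrite rules (unless RewriteOptions Inherit is set), so rules placed only in the root never see requests under /catalogue/ once that folder has its own RewriteEngine On. The following is an added example, not code from any poster or from the mod; example.com and the directory name catalogue are placeholders.

```apache
# Added example: www and index.php redirects for a store installed in a
# subdirectory. Placeholder domain and directory; two files are shown.

# ---------- /.htaccess (site root) ----------
RewriteEngine On
RewriteBase /

# 1. The bare site root goes straight into the store on the canonical host,
#    so example.com/ reaches www.example.com/catalogue/ in a single hop.
#    (Same effect as the posted rule; the ^.*$ host condition was a no-op.)
RewriteRule ^/?$ http://www.example.com/catalogue/ [R=301,L]

# 2. Anything else requested on the bare domain moves to www, keeping its path.
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

# ---------- /catalogue/.htaccess ----------
RewriteEngine On
RewriteBase /catalogue/

# Redirect index.php to the store root.
# THE_REQUEST holds the full request line, e.g. "GET /catalogue/index.php HTTP/1.1",
# so the directory must appear in the condition. Inside a per-directory
# .htaccess the directory prefix is stripped from the URL before the rule
# pattern is tested, so the RewriteRule pattern stays just index.php.
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /catalogue/index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.example.com/catalogue/ [R=301,L]

# Redirect example.com/catalogue/... to www.example.com/catalogue/...
# Repeated here because the root file's rules are not inherited by this one.
# $1 is the path relative to /catalogue/ (e.g. product_info.php?products_id=1).
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/catalogue/$1 [R=301,L]
```

Before testing, make sure includes/configure.php already uses the www form in HTTP_SERVER, as an earlier post notes; otherwise every link the store generates points at the bare domain and each click costs a redirect. Then check the Location header directly, for instance with curl -I http://example.com/catalogue/index.php, which should answer 301 with Location: http://www.example.com/catalogue/, and confirm that a request to www.example.com/catalogue/ returns 200 with no further redirect (a 310 or "too many redirects" error in the browser means a rule is matching its own target).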


I don't seem to be able to get the redirection to work either. Here is the code:

# Redirect index.php to domain.com
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.seedbeading.com.au/ [R=301,L]
# Redirect domain.com to www.domain.com
RewriteCond %{HTTP_HOST} ^seedbeading.com.au [NC]
RewriteRule ^(.*)$ http://www.seedbeading.com.au/$1 [L,R=301]

I also checked the config file and this already has the 'www' in the http address.

Has anyone had any luck getting this part working?

Edited by LaurenElise


 

BAN IP NUMBERS, ALL OF TURKEY

Put a # in front of this line. Only use this if you need to block visitors by IP address. Anyone trying to view your store from one of these addresses will get a 403 Forbidden message instead of the page.

I just want to have this part in my htaccess file, which is to ban IP numbers from Singapore. After putting in the DENY FROM .... <ip numbers from Singapore> and testing it, it still does not work. I even put in my own IP address to test, and I can still access the website.

Please advise.

Thanks.


Are you on a Windows/IIS or Apache server? This only works in Apache.

 

Regards

Jim


See my profile for a list of my addons and ways to get support.


Are you on a Windows/IIS or Apache server? This only works in Apache.

Regards

Jim

Thanks Jim.

Do you mean the "HTTP Server"? If so, it states "Microsoft-IIS/6.0".

If not on Apache, what can I do to ban IP addresses from a particular country?

Thanks.


IIS does not use the .htaccess file. I have no idea if what you want is even possible on IIS. You'll need to find someone who knows that technology.

 

Regards

Jim


See my profile for a list of my addons and ways to get support.


I tried to protect my site using chmod permissions and for a few days I have been getting errors such as:

Warning: require(includes/functions/compatibility.php) [function.require]: failed to open stream: No such file or directory in /home/example/public_html/includes/application_top.php on line 51

Fatal error: require() [function.require]: Failed opening required 'includes/functions/compatibility.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/example/public_html/includes/application_top.php on line 51

Please help, guys!

Thanks
