I am being informed by the team that manages the servers that enabling mod_rewrite will excessively compromise the server security.
Are they correct?
What can be done to make sure sever security is minimally compromised if at all after enabling the mod_rewrite.
I am not able to clean up joomla urls without mod_rewrite enabled.
Thanks in advance!
They're not correct as the issue depends exactly how "mod_rewrite" is tuned.
You can:
Enable "mod_rewrite" for your specific site/virtualhost and not other sites by using directives such as [RewriteEngine On] and then tune the rewrite code to handle what to do should someone ask for inappropriate url etc.
Remember the server itself is tuned by using other directives and the code within "mod_rewrite" block needs to handle itself as a block.
Here is docs and examples of "mod_rewrite" blocks
http://httpd.apache.org/docs/current/mod/mod_rewrite.html
mod_rewrite together with poorly crafted rewrite rules can potentially weaken your security but as with any server software, the key to keeping your server secure is to configure the software properly and keep it up to date.
mod_rewrite is widely used in conjunction with WordPress, Joomla and Drupal and it seems unlikely that this would be the case if it "excessively compromises" security.
Not using mod_rewrite could be a security issue too as the native Joomla URLs are visible and this gives hackers information about the extensions you have installed on your website.
Reference: https://stackoverflow.com/a/5009900/1983389
Related
I'm using Drupal 8. Multiple sites sharing a single codebase. One .htaccess file for all.
I am receiving the same "page not found error" across all sites. Hackers attempting to break in to the site, presumably.
For example, someone tries to visit https:domain1/wp-admin/admin-ajax.php and https:domain2/wp-admin/admin-ajax.php ... Different domain names, but always the same addresses.
Other addresses include /phpmyadmin/scripts/setup.php and /1/wp-includes/wlwmanifest.xml and so on.
Using .htaccess, what is the most efficient means of redirecting all of these to an internal or external site so that my pages are not even served?
Thank you!
So, the way Drupal and the web server work is that when request arrives, if it matches “serverName” and document root and they points to Drupal then the web-server will hand that to Drupal to handle.
So, you have to ask if this is Drupal destined and if so, handle the redirect at Drupal (probably using the redirect module )
If you want set it up at at web-server level and you have access or using .htaccess then like :
RedirectMatch ^/wp-admin/(.*)$ http://example.com/404/$1
Note, there are plenty of other ways to write the above , but it’s simplest and lightest
I think this is a very common issue about CMS vulnerabilities and hosting security. And security issues is something that can not be done by a simple static action because there's always a new vulnerability. So be careful to always run :
composer update
To have always the last bug fixes and securities updates. Specially when you use modules like webform. At the moment Drupal offers more than one module for better securing your app. And in your case you need to identify IP addresses used by hacking robots and blocking them by using Perimeter .
The good news that the community arround Drupal is very concerned about security. For further reading and securing Drupal you can uses those modules but the more modules you install the more you have performance issues:
https://www.drupal.org/project/clamav
https://www.drupal.org/project/file_upload_secure_validator
https://www.drupal.org/project/key
https://www.drupal.org/project/csp
https://www.drupal.org/project/noopener_filter
https://www.drupal.org/project/hsts
https://www.drupal.org/project/securelogin
...
I also recommend the use of fast 404/403 Drupal error pages to not allow using of Database or more code running to serve that kind of pages.
couldn't find the right answer so here goes my question:
We've moved our webshop to a different platform (from Virtuemart to Opencart 2.0.3.2).
the old links around the internet leading to our products are like https://www.name.ext/category/productcode-detail
the new links come without the '-detail' at the end of it
I've found an extension that'll add the -detail to the product links, but I'd rather have a .htaccess redirect to remove '-detail' on those specific links.
This way, all links on the internet are still valid (but redirected) and Google e.g. can redo the indexing whilst not loosing all SEO earlier.
Can it be done?
Considering your comments to the question this probably is the correct approach. I fail to understand why you couldn't find an answer to this here on SO, it looks absolutely straight forward.
I assume that "category" is meant as a placeholder which can actually take different forms. Same with the "productcode". Since you did not provide any pattern or similar this suggestion is generic:
RewriteEngine on
RewriteRule ^/?(\w+)/(\w+)-detail$ /$1/$2 [R=301]
Note however that your question is vague. I assume that you need to tweak that suggestion, so that other references won't break. Most likely you need a blacklist to prevent some not product related stuff from getting rewritten. But again: since your question is vague there is nothing more specific we can suggest than the above.
It is a good idea to start out with a 302 temporary redirection and only change that to a 301 permanent redirection later, once you are certain everything is correctly set up. That prevents caching issues while trying things out...
This implementation will work likewise in the http servers host configuration or inside a dynamic configuration file (".htaccess" file). Obviously the rewriting module needs to be loaded inside the http server and enabled in the http host. In case you use a dynamic configuration file you need to take care that it's interpretation is enabled at all in the host configuration and that it is located in the host's DOCUMENT_ROOT folder.
And a general remark: you should always prefer to place such rules in the http servers host configuration instead of using dynamic configuration files (".htaccess"). Those dynamic configuration files add complexity, are often a cause of unexpected behavior, hard to debug and they really slow down the http server. They are only provided as a last option for situations where you do not have access to the real http servers host configuration (read: really cheap service providers) or for applications insisting on writing their own rules (which is an obvious security nightmare).
I have a rogue website that is redirecting to my website. It doesn't have any content, 1 page, and some bad backlinks and no relationship with us or our niche, so it's safe to say its up to no good.
We want to distance ourselved from this as best as possible. I've requested that the registrar identify the culprit or remove the redirect, however, I wondered if it was possible to stop the site redirecting to our site full-stop.
We're using IIS7.5 on a Windows 2008 Server, and to date I've looked at blocking requests through urlrewriting but I've had no success. I've also read that request filtering may be an option but again little knowledge as to the capabilities of using this.
I would appreciate any advice regarding the 2 approaches above as to whether they are suited to what I want to achieve and if possible links to a clear example.
Here is an existing post that covers this exact topic. You will need to use URL Rewrite to implement the solution.
There are all sorts of posts out there that advise you on how to add a .htaccess file to remove index.php from the URL. However, in order to get .htaccess files to work, the AllowOverride must be changed (usually to "All").
This tutorial explains that using .htaccess files for mod_rewrite is a misconception and can and should be done in the main config file.
I have been informed by my web security officer that - and I quote - "to change AllowOverride to All increases the risk to the web server as, if exploited, an intruder / hacker / opportunist could override the main servers configuration, which could allow them to get up to allsorts; this would be a serious security breach". I'm not sure how much weight this holds!
So my question is;
are there really serious dangers to changing the AllowOverride
and if so, why is .htaccess being recommended for removing index.php so widely on Stack Overflow?
Well there is little bit of security issue with .htaccess in the sense that if a hacker/intruder gets hold of your file system then they can modify rewrite rules and change the behavior of your website. However do remember that if a hacker gets hold of your DOCUMENT_ROOT folder then a lot more damage can be done by modifying/deleting any other code as well and you have much bigger problem in your hand.
However what .htaccess provides you is utmost flexibility by letting you control your website behavior, authentication needs without need to make those changes in Apache config and restart it every time. Especially in a shared hosting environments Apache config is not even accessible for website owners.
I'm trying to decide whether to use Magento or create my own platform and I was wondering about security. Does Magento's code include some sort of brute force protection? If not, is this not something important?
Protect your Magento Store to Brute force attacks. Follow following step.
Apache Server Users
To whitelist an IP address for the admin panel, add the following rule in root .htaccess file (inside <IfModule mod_rewrite.c>)
RewriteCond %{REMOTE_ADDR} !^xx.xx.xx.xx
RewriteRule ^(index.php/)?admin/ - [L,R=403]
To whitelist an IP address for the RSS feed, add the following rule in the root .htaccess file (inside <IfModule mod_rewrite.c>):
RewriteCond %{REMOTE_ADDR} !^xx.xx.xx.xx
RewriteRule ^(index.php/?)?rss/ - [L,R=403]
To whitelist an IP address for the downloader application, add the following rule in ./downloader/.htaccess file:
order deny,allow
deny from all
allow from xx.xx.xx.xx
So I know this is an old thread but I found it searching for answers on how to protect Magento against brute-force attacks. The things have changed since 2012, so I want to point the people looking for information about Magento security in (hopefully) the right direction.
Seems like Magento has finally decided to stop ignoring the problem of increasing number of brute-force attacks on Magento websites so they have published an official list of recommended steps on how to protect Magento from such attacks: https://magento.com/security/best-practices/protect-your-magento-installation-password-guessing
Hosting companies also started offering solutions to block these hack attempts, from blocking and blacklisting IPs to installing filtering software.
There are also several security extensions including a good number of Two-Factor Authentication ones. In my opinion the most complete security extension currently available is MageFence by ExtensionsMall. Here's a link on Magento Connect: magentocommerce[.]com/magento-connect/catalog/product/view/id/30596/. It has many useful features like scanning your website for malware and vulnerabilities, blocking IP addresses after too many failed login attempts and it comes together with Two-Factor Authentication module.You can also check out MageFence page on ExtensionsMall website to get the idea of all the security holes this module will help you patch up.
The only brute-force protection Magento has is in case of gift cards. When throwing exception there, Magento obscures real exception message (but puts it in logs) and shows 'Wrong gift card code' message instead.
When it comes to login forms, Magento has no brute force protection.
If this is an important factor for you when deciding whether use Magento or write your own platform, remember that you could write your own Magento module that introduces some brute force protection. This would be way less time-consuming than writing own platform with functionalities similar to Magento.
I did a quick search on the Magento Connect and found one extension that, among other things, provides brute force protection. Here it is: http://www.magentocommerce.com/magento-connect/market-ready-germany.html. You can download it using Freegento website and look into the code for clues on how to make something similar.