blurredreality, posted November 28, 2009

I couldn't find one, so thought I would create a support group for the "Protect your site via htaccess" contribution. I found the contribution on spook's excellent overview topic of security fixes, found here.

This is the contrib: http://addons.oscommerce.com/info/6066

blurredreality, posted November 28, 2009

I shall start (as lack of understanding was my motivation for starting this thread unfortunately). When messing with htaccess, for the reasonably naive OSc user it is quite daunting. I feel, while the mod is great, the instructions could be clearer.

First of all, do I literally copy the whole of the code from the htaccess_protection.htm file into my htaccess file (every line, including the ones starting with # and the ones not starting with #) - obviously changing the red text into my address.

Secondly - when editing my address in this code, do I edit it to my primary domain, or the domain I would use when specifying the secure address my store uses (e.g. would it be along the lines of http://www.mysite.co.uk OR https://secureXX.hostname.com/~username/, given that I have a shared SSL certificate). Also do I need to include a /catalog at the end of these addresses.

My final query would be as to where the IP addresses in the banned IP numbers text file have come from? Are they confirmed as dangerous?

Thank you greatly to anyone who can help. My questions are probably very basic but where better a place to start in a support thread! I imagine there will be others like me out there who are apprehensive about messing anything up.

rafael-cdkeyhouse, posted December 1, 2009

I was just asking the same questions, someone can help us with this. These IPs are banned, WHY? I already have an htaccess in my root directory, so do I need to just copy all the code and paste it into my htaccess, or?

kymation, posted December 1, 2009

I'll do my best to answer your questions here. Please don't assume that this means I know everything.

Yes, you can copy that whole file into your .htaccess. The lines beginning with # are comments. You don't need these, but they are handy when troubleshooting or making changes. You can also remove any of the blank lines, as they do nothing at all.

You need to replace the text in red with your domain. These mods are not needed for your SSL domain, so don't worry if you have a shared cert.

The banned IP addresses appear to all be from Turkey. Apparently the author had some problems with people from Turkey. I would avoid doing this unless you are having similar problems. If you need to block access from a certain country or block of IP addresses, then substitute your IP addresses for the ones in this list.

Be careful with using this file. There are some parts that may interfere with modified osCommerce stores or other code that may be on your site. For example, the "# deny most common except .php" section prevents displaying .ihtml files. The FORCE TYPE section will force everything to be seen as PHP, which can interfere with running CGI. Also, the FORCE TYPE line seems to be missing a # at the beginning.

I would take this file one section at a time, and determine if it will be useful to you. Here's a quick guide to the sections:

# Deny domain access to spammers and other scumbags
This blocks anyone trying to access your site with a Perl script. These scripts are often but not always used to steal content. There should be some more blocks here for other bad tools. Not very complete or useful. It also has an unrelated line that attempts to turn off Register Globals. This can kill your store if you are running a version older than 2.2RC1. Beware.

# Redirect index.php to domain.com
Changes index.php to /. This is good for search engines. Do it.

# Redirect domain.com to www.domain.com
Changes http://example.com to http://www.example.com. Also good for search engines.

# filter for most common exploits
Blocks some common exploit tools. Also duplicates the Perl block from the first section. Warning: This section is incomplete. It needs the RewriteRule from the bottom of the next section to function. If you delete the next section, keep that line or this one will not work.

# ban spam bots
This blocks a lot of tools that are used by spammers. Note that some of these have legitimate uses, such as preloading pages for someone who is on a slow connection. You may annoy a few customers with this one. Note that the RewriteRule near the bottom of this section is also used by the previous section. The last two lines of this section contain an (apparently) unrelated Referer rewriter. I have no idea why that is needed.

# stop hotlinking (gif/jpg) and serve alternate content
This prevents image thieves from hotlinking your content. Don't use this if you use your images on eBay, blogs, etc.

BAN IP NUMBERS, ALL OF TURKEY
Put a # in front of this line. Only use this if you need to block visitors by IP address. Anyone trying to view your store from one of these addresses will get a 403 Forbidden message instead of the page.

# deny most common except .php
Prevents any file with an extension in this list from loading. Remove any extensions that your site needs to display. Included files such as templates can stay in the list, as they are not displayed directly.

# Disable .htaccess viewing from browser
Prevents anyone from downloading your .htaccess file. This is a very good idea.

# Disable access to config.php
Also a very good idea.

Regards
Jim

See my profile for a list of my addons and ways to get support.

blurredreality, posted December 1, 2009

Jim that is absolutely brilliant thank you. I really appreciate the time you took to write that and I'm sure it'll benefit many others too. I really don't know what sort of a state my store would be in if it weren't for the help of people on these forums - it's all great!

Anyway - I have one quick question about the first 2 additions - should I notice anything different in my browser navigation bar - i.e. should the addresses convert into the new format? I have modified the htaccess file in the catalog folder (I have a lot of pages in the root directory one level up as well) - modifying the base domain in each case - e.g. blurredreality.co.uk to www.blurredreality.co.uk instead of blurredreality.co.uk/catalog to www.blurredreality.co.uk/catalog. Does this sound right or am I being incredibly stupid?

If you can't help that is fine - worth putting it out there though.

Thanks again Jim,
Josh

kymation, posted December 1, 2009

Any .htaccess rule that rewrites the URL should be in the site root. I'm not sure if it will work in a subdirectory. I guess you could try it and see.

You should see the result in the address bar. If you type in http://example.com it should change to http://www.example.com. If that doesn't happen you've done something wrong.

Regards
Jim

kymation, posted December 2, 2009

This post has some more rules that could be added to the exploits section.

Regards
Jim

blurredreality, posted December 2, 2009

That's awesome thanks. Still can't get the pesky URL rewrite to work. I expect the problem to be quite nuanced and subtle so don't worry if you can't figure it out. This is the code I'm using:

    # Redirect index.php to domain.com
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
    RewriteRule ^index\.php$ http://www.blurredreality.co.uk/ [R=301,L]
    #Redirect domain.com to www.domain.com
    RewriteCond %{HTTP_HOST} ^blurredreality.co.uk [NC]
    RewriteRule ^(.*)$ http://www.blurredreality.co.uk/$1 [L,R=301]
    RewriteBase /

The URL in the navigation bar doesn't change at all.

Also those new additions you linked to block me from accessing the site (taking me to a 403 error page) - and also says "Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request."

I have version 2.2 MS2 installed via Fantastico Deluxe in my host CPanel if that makes any difference. Maybe I have too old a version. Either way thanks for the help.

kymation, posted December 2, 2009

Rewrite rules are a pain. The code that you posted looks right to me. Remember that this is intended to be in the .htaccess in the root and to only work in the root. If you have your store installed in a subdirectory, such as /catalog, try removing the last line of the code you posted.

The error that you are getting indicates that you have blocked everyone instead of just hackers. Probably an error in the code, or you put it in the wrong place. I'll try to check that out later.

I don't recommend installing osCommerce using any third party installer. They never work quite right. MS2 is indeed very old and has several known security holes. You need to update to RC2a if you have not already done so. There's a supported addon for the update in the Addons section.

Regards
Jim

blurredreality, posted December 3, 2009

Heya. Unfortunately it still doesn't work :( (the URL rewrite stuff that is - the other ones seem to be effective as far as I can tell). I have also realised I do have RC2a - not sure why I thought I didn't. Anyway - if anyone can help me figure this out that'd be great. I'll leave it out there for now.

rhubarb, posted December 16, 2009

My rewrite rules work fine as long as the site is configured in includes/configure.php with the 'www' preceding the domain name for the http addresses.

However I cannot get the 'filter for most common exploits' and 'ban spam bots' rules to work. E.g. with:

    RewriteEngine On
    RewriteBase /
    RewriteCond %{QUERY_STRING} c99 [OR]
    RewriteRule ^.* - [F,L]

For the whole site I get error 500: "You don't have permission to access / on this server."

rhubarb, posted December 16, 2009

My fault, once I removed the [OR] from the last condition then it worked.

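Added example (not part of the contribution or of any post in this thread): a small Python model of how mod_rewrite walks a RewriteCond chain, run over rhubarb's rules as constructed input. It shows why a trailing [OR] makes the [F] rule fire for every request, and lints for that mistake and for the RewriteCond block left without a RewriteRule that Jim warns about. The function names are hypothetical, Python's re stands in for Apache's regex engine, and negated patterns and file tests are not modelled.

```python
import re

# Constructed input: the rules rhubarb posted, then the same rules without [OR].
BROKEN = ("RewriteEngine On\nRewriteBase /\n"
          "RewriteCond %{QUERY_STRING} c99 [OR]\nRewriteRule ^.* - [F,L]\n")
FIXED = BROKEN.replace("c99 [OR]", "c99")
TOKEN = re.compile(r'"[^"]*"|(?:\\.|[^\s\\])+')  # escaped spaces stay in one token

def flags_of(tok):
    return tok[3].strip("[]").upper().split(",") if len(tok) > 3 else []

def parse(text):
    """Attach each run of RewriteCond lines to the RewriteRule that follows it."""
    rules, conds = [], []
    for n, line in enumerate(text.splitlines(), 1):
        tok = TOKEN.findall(line)
        if len(tok) >= 3 and tok[0].lower() == "rewritecond":
            conds.append({"line": n, "var": tok[1], "pat": tok[2],
                          "or": "OR" in flags_of(tok), "nc": "NC" in flags_of(tok)})
        elif len(tok) >= 3 and tok[0].lower() == "rewriterule":
            rules.append({"pat": tok[1], "forbid": "F" in flags_of(tok), "conds": conds})
            conds = []
    return rules, conds  # leftover conds were never followed by a RewriteRule

def conds_pass(conds, env):
    """Simplified model of how mod_rewrite walks a condition chain."""
    i = 0
    while i < len(conds):
        c = conds[i]
        hit = re.search(c["pat"], env.get(c["var"], ""), re.I if c["nc"] else 0)
        if c["or"] and hit:
            while i < len(conds) and conds[i]["or"]:
                i += 1      # skip the rest of this OR group
        elif not c["or"] and not hit:
            return False    # a plain (AND) condition failed
        i += 1              # a failed [OR] condition only moves on to the next
    return True             # also reached when the last condition carries [OR]

def is_forbidden(text, path, query):
    """True if a rule with the F flag would fire for this path and query string."""
    env = {"%{QUERY_STRING}": query}
    return any(r["forbid"] and re.search(r["pat"], path) is not None
               and conds_pass(r["conds"], env) for r in parse(text)[0])

def lint(text):
    """Report (line, problem) for the two mistakes discussed in the thread."""
    rules, dangling = parse(text)
    out = [(r["conds"][-1]["line"], "trailing [OR]") for r in rules
           if r["conds"] and r["conds"][-1]["or"]]
    return out + [(c["line"], "no RewriteRule follows") for c in dangling]
```

Running `lint()` over a candidate .htaccess before uploading it catches both mistakes without locking visitors out of the live store.
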
offie, posted May 29, 2010

Hi, I have tried to use the:

    # Redirect index.php to domain.com

and

    # Redirect domain.com to www.domain.com

but I just cannot get them to work.

My store is in a subdirectory called catalogue and I have a .htaccess rule so that anyone who types the web address www.jati-keswick.co.uk will get re-routed to www.jati-keswick.co.uk/catalogue. The .ht code for this is:

    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^.*$
    RewriteRule ^/?$ "http\:\/\/www\.jati-keswick\.co\.uk\/catalogue\/" [R=301,L]

I have tried to add the relevant code to this list but this does not work. I also have another .htaccess file in the catalogue folder which has various pieces of code in and I have also added the rewrite code to this but I just get error messages.

Does anyone know where I am going wrong? Thank you.

LaurenElise, posted July 9, 2010 (edited July 9, 2010)

I don't seem to be able to get the redirection to work either. Here is the code:

    # Redirect index.php to domain.com
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
    RewriteRule ^index\.php$ http://www.seedbeading.com.au/ [R=301,L]
    # Redirect domain.com to www.domain.com
    RewriteCond %{HTTP_HOST} ^seedbeading.com.au [NC]
    RewriteRule ^(.*)$ http://www.seedbeading.com.au/$1 [L,R=301]

I also checked the config file and this already has the 'www' in the http.

Has anyone had any luck getting this part working?

olive12b, posted August 22, 2010

> BAN IP NUMBERS, ALL OF TURKEY
> Put a # in front of this line. Only use this if you need to block visitors by IP address. Anyone trying to view your store from one of these addresses will get a 403 Forbidden message instead of the page.

I just want to have this part in my htaccess file, which is to ban IP numbers from Singapore. After putting in the DENY FROM .... <ip numbers from Singapore>, and testing it, it still does not work. I even put in my own IP address to test, and I can still access the website. Please advise. Thanks.

kymation, posted August 23, 2010

Are you on a Windows/IIS or Apache server? This only works in Apache.

Regards
Jim

olive12b, posted August 24, 2010

> Are you on a Windows/IIS or Apache server? This only works in Apache.
> Regards
> Jim

Thanks Jim. Do you mean the "HTTP Server"? If so, it states "Microsoft-IIS/6.0". If not on Apache, what can I do to ban IP addresses from a particular country? Thanks.

kymation, posted August 24, 2010

IIS does not use the .htaccess file. I have no idea if what you want is even possible on IIS. You'll need to find someone who knows that technology.

Regards
Jim

elgaxton, posted June 1, 2011

I tried to protect my site using chmod permissions and for a few days I have been getting errors such as:

    Warning: require(includes/functions/compatibility.php) [function.require]: failed to open stream: No such file or directory in /home/example/public_html/includes/application_top.php on line 51
    Warning: require(includes/functions/compatibility.php) [function.require]: failed to open stream: No such file or directory in /home/example/public_html/includes/application_top.php on line 51
    Fatal error: require() [function.require]: Failed opening required 'includes/functions/compatibility.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/example/public_html/includes/application_top.php on line 51

Please help guys! Thanks