{"id":1397,"date":"2009-12-31T23:17:17","date_gmt":"2010-01-01T04:17:17","guid":{"rendered":"http:\/\/g33kinfo.com\/info\/?p=1397"},"modified":"2009-12-31T23:17:17","modified_gmt":"2010-01-01T04:17:17","slug":"better-than-nothing-security-part-iv","status":"publish","type":"post","link":"https:\/\/g33kinfo.com\/info\/better-than-nothing-security-part-iv\/","title":{"rendered":"PART IV: BETTER THAN NOTHING SECURITY"},"content":{"rendered":"<p>Shamlessly grep&#8217;d from the <a href=\"http:\/\/www.hackerfactor.com\/blog\/\">http:\/\/www.hackerfactor.com\/blog\/<\/a> There be good stuff here&#8230;<\/p>\n<p>In my last three entries about minimal web server security, I covered security by obscurity methods to deter a blind attacker and very basic methods to prevent unintentional information disclosure by blocking open directory browsing.<\/p>\n<p>The best solution to prevent open directory browsing is simply turn it off. Using a .htaccess file and setting Options -Indexes, you block undesirable directory browsing. However, the .htaccess file can do much more than just disabling directory indexing.<\/p>\n<p>(The following examples are part of a presentation I gave earlier this week for the Fort Collins Internet Professional&#8217;s Technical Track.)<\/p>\n<p>Redirecting Errors<\/p>\n<p>When you use Options -Indexes, requests for the open directory will return a server error (403 Forbidden). However, you might want to return a nicer error code. Using your .htaccess file, you can catch and redirect errors to an HTML page or return simple HTML. For example:<br \/>\nErrorDocument 403 \/403.html<\/p>\n<p>ErrorDocument 404 &#8220;That page was <b>not found<\/b>.&#8221;<\/p>\n<p>ErrorDocument 401 \/login\/unauthorized.cgi<\/p>\n<p>You can also redirect based on substring matches. For example:<br \/>\nRedirectMatch 301 (.*\/secret.txt) \/~user\/block.cgi?$1<br \/>\nThe extended regular expression &#8220;(.*\/secret.txt)&#8221; is a little cryptic. It says to look for any substring in the URL that contains &#8220;\/secret.txt&#8221;. It then redirects the user to a CGI web page and appends the offending URL to the query for the CGI.<\/p>\n<p>Blocking Attacks<\/p>\n<p>The .htaccess file allows you to define variables and then use the variables as conditionals. For example, my blog should not have any kind of quotes in the URL. If someone submits a quote, then they are likely trying to attack my site with an SQL or CGI injection attack. By defining a few environment variables, I can detect and block potential attacks long before they ever get to my blog software (and potentially compromise my site).<br \/>\n<code><br \/>\nSetEnvIf Request_URI \"'\" bad_bot=1<\/p>\n<p>SetEnvIf Request_URI '\"' bad_bot=1<\/p>\n<p>SetEnvIf Request_URI '`' bad_bot=1<\/p>\n<p>SetEnvIf Request_URI '%22' bad_bot=1<\/p>\n<p>SetEnvIf Request_URI '%27' bad_bot=1<\/p>\n<p>SetEnvIf Request_URI '%60' bad_bot=1<\/p>\n<limit HEAD GET POST>\n<p>  Order Allow,Deny<\/p>\n<p>  Allow from all<\/p>\n<p>  Deny from env=bad_bot<\/p>\n<\/limit>\n<\/code><\/p>\n<p>The first part sets an environment variable called &#8220;bad_bot&#8221; if any kind of quote is seen in the URI. (The URI is the part of the URL that comes after the hostname and before any question mark.)<\/p>\n<p>The second part limits who can access the web site. If you do a HEAD, GET, or POST request, and you include a quote in the URI, then you are blocked. Since casual\/friendly users don&#8217;t include quotes in the URL, this is not a problem for regular visitors.<\/p>\n<p>Other characters you might want to block include < , >, $, !, and the backslash (\\).<\/p>\n<p>Depending on your site, you might even want to block them from query strings (everything after the question mark). To do this requires the mod_rewrite engine.<\/p>\n<p><code><br \/>\nRewriteEngine on<\/p>\n<p>RewriteCond %{THE_REQUEST} .*['\"`!$<>;].* [OR]<\/p>\n<p>RewriteCond %{THE_REQUEST} .*%22.* [NC,OR]<\/p>\n<p>RewriteCond %{THE_REQUEST} .*%27.* [NC,OR]<\/p>\n<p>RewriteCond %{THE_REQUEST} .*%60.* [NC,OR]<\/p>\n<p>RewriteCond %{THE_REQUEST} .*%3C.* [NC,OR]<\/p>\n<p>RewriteCond %{THE_REQUEST} .*%3E.* [NC,OR]<\/p>\n<p>RewriteCond %{THE_REQUEST} .*%3B.* <\/p>\n<p>RewriteRule $ - [l,F]<br \/>\n<\/code><\/p>\n<p>This looks for any of the forbidden characters in the entire HTTP request and fails access if any are seen.<\/p>\n<p>Stopping Undesirables<\/p>\n<p>Attacks can be technical or political. For example, let&#8217;s say you don&#8217;t want people to hyperlink to images on your site. How do you stop them? The answer is to look for the referrer (spelled &#8220;referer&#8221;). If the referrer for the image does not come from your site, then someone is cross-linking to you. In this example, we look for any jpeg, gif, png, or bmp request that was not linked from my site. If one is found, then a CGI script is called. Ideally, the script will generate an image that is the correct size but contains a nasty message about cross-linking.<\/p>\n<p><code><br \/>\n# Identify if a Referer is used<\/p>\n<p>SetEnvIf Referer \"^http:\/\/www.hackerfactor.com\/\" from_me=1<\/p>\n<p>SetEnvIf Referer \"^http:\/\/hackerfactor.com\/\" from_me=1<\/p>\n<p>SetEnvIf Request_URI .jpg has_image=1<\/p>\n<p>SetEnvIf Request_URI .gif has_image=1<\/p>\n<p>SetEnvIf Request_URI .png has_image=1<\/p>\n<p>SetEnvIf Request_URI .bmp has_image=1<\/p>\n<p>RewriteEngine on <\/p>\n<p>RewriteCond %{env:has_image} 1<\/p>\n<p>RewriteCond %{env:from_me} !1<\/p>\n<p>RewriteRule (.*) \/block_image_theft.php [l]<br \/>\n<\/code><\/p>\n<p>Of course, the most annoying type of undesirable visitor are those spam-bots. If you are a web master, then you know what I am talking about. They find forms on your site and submit tons of spam. Since many of these bots don&#8217;t use a referer, we can block posts that lack a referrer.<br \/>\n<code><br \/>\n# Identify if a Referer is used<\/p>\n<p>SetEnvIf Referer \"^$\" no_referer=1<\/p>\n<limit POST>\n<p>  Order Allow,Deny<\/p>\n<p>  Allow from all<\/p>\n<p>  Deny from env=no_referer<\/p>\n<\/limit>\n<\/code><\/p>\n<p>Not Too Bad<\/p>\n<p>With a little practice, your .htaccess file can block potential attacks against your web site. A well-configured .htaccess can deter undesirable visitors, protect you from potential exploits, and enhance your site&#8217;s usability by returning informative error messages.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Shamlessly grep&#8217;d from the http:\/\/www.hackerfactor.com\/blog\/ There be good stuff here&#8230; In my last three entries about minimal web server security, I covered security by obscurity methods to deter a blind attacker and very basic methods to prevent unintentional information disclosure by blocking open directory browsing. The best solution to prevent open directory browsing is simply&#8230; <\/p>\n<div class=\"read-more navbutton\"><a href=\"https:\/\/g33kinfo.com\/info\/better-than-nothing-security-part-iv\/\">Read More<i class=\"fa fa-angle-double-right\"><\/i><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-1397","post","type-post","status-publish","format-standard","hentry","category-info"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>PART IV: BETTER THAN NOTHING SECURITY - Linux Shtuff<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/g33kinfo.com\/info\/better-than-nothing-security-part-iv\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"PART IV: BETTER THAN NOTHING SECURITY - Linux Shtuff\" \/>\n<meta property=\"og:description\" content=\"Shamlessly grep&#8217;d from the http:\/\/www.hackerfactor.com\/blog\/ There be good stuff here&#8230; In my last three entries about minimal web server security, I covered security by obscurity methods to deter a blind attacker and very basic methods to prevent unintentional information disclosure by blocking open directory browsing. The best solution to prevent open directory browsing is simply... Read More\" \/>\n<meta property=\"og:url\" content=\"https:\/\/g33kinfo.com\/info\/better-than-nothing-security-part-iv\/\" \/>\n<meta property=\"og:site_name\" content=\"Linux Shtuff\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/fb.me\/g33kinf0\" \/>\n<meta property=\"article:author\" content=\"https:\/\/fb.me\/g33kinf0\" \/>\n<meta property=\"article:published_time\" content=\"2010-01-01T04:17:17+00:00\" \/>\n<meta name=\"author\" content=\"g33kadmin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/drsinger1111\" \/>\n<meta name=\"twitter:site\" content=\"@drsinger1111\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/better-than-nothing-security-part-iv\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/better-than-nothing-security-part-iv\\\/\"},\"author\":{\"name\":\"g33kadmin\",\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/#\\\/schema\\\/person\\\/c022e4c40b13ea1b678e6f020756f547\"},\"headline\":\"PART IV: BETTER THAN NOTHING SECURITY\",\"datePublished\":\"2010-01-01T04:17:17+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/better-than-nothing-security-part-iv\\\/\"},\"wordCount\":666,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/#\\\/schema\\\/person\\\/c022e4c40b13ea1b678e6f020756f547\"},\"articleSection\":[\"General Info\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/g33kinfo.com\\\/info\\\/better-than-nothing-security-part-iv\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/better-than-nothing-security-part-iv\\\/\",\"url\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/better-than-nothing-security-part-iv\\\/\",\"name\":\"PART IV: BETTER THAN NOTHING SECURITY - Linux Shtuff\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/#website\"},\"datePublished\":\"2010-01-01T04:17:17+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/better-than-nothing-security-part-iv\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/g33kinfo.com\\\/info\\\/better-than-nothing-security-part-iv\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/better-than-nothing-security-part-iv\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"PART IV: BETTER THAN NOTHING SECURITY\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/#website\",\"url\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/\",\"name\":\"Linux Shtuff\",\"description\":\"Because I have CRS Syndrome...\",\"publisher\":{\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/#\\\/schema\\\/person\\\/c022e4c40b13ea1b678e6f020756f547\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/#\\\/schema\\\/person\\\/c022e4c40b13ea1b678e6f020756f547\",\"name\":\"g33kadmin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/wp-content\\\/uploads\\\/2022\\\/07\\\/minion-researchA.gif\",\"url\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/wp-content\\\/uploads\\\/2022\\\/07\\\/minion-researchA.gif\",\"contentUrl\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/wp-content\\\/uploads\\\/2022\\\/07\\\/minion-researchA.gif\",\"width\":512,\"height\":512,\"caption\":\"g33kadmin\"},\"logo\":{\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/wp-content\\\/uploads\\\/2022\\\/07\\\/minion-researchA.gif\"},\"description\":\"I am a g33k, Linux blogger, developer, student and Tech Writer for Liquidweb.com\\\/kb. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....\",\"sameAs\":[\"https:\\\/\\\/thelinuxreport.com\",\"https:\\\/\\\/fb.me\\\/g33kinf0\",\"https:\\\/\\\/x.com\\\/https:\\\/\\\/twitter.com\\\/drsinger1111\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"PART IV: BETTER THAN NOTHING SECURITY - Linux Shtuff","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/g33kinfo.com\/info\/better-than-nothing-security-part-iv\/","og_locale":"en_US","og_type":"article","og_title":"PART IV: BETTER THAN NOTHING SECURITY - Linux Shtuff","og_description":"Shamlessly grep&#8217;d from the http:\/\/www.hackerfactor.com\/blog\/ There be good stuff here&#8230; In my last three entries about minimal web server security, I covered security by obscurity methods to deter a blind attacker and very basic methods to prevent unintentional information disclosure by blocking open directory browsing. The best solution to prevent open directory browsing is simply... Read More","og_url":"https:\/\/g33kinfo.com\/info\/better-than-nothing-security-part-iv\/","og_site_name":"Linux Shtuff","article_publisher":"https:\/\/fb.me\/g33kinf0","article_author":"https:\/\/fb.me\/g33kinf0","article_published_time":"2010-01-01T04:17:17+00:00","author":"g33kadmin","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/drsinger1111","twitter_site":"@drsinger1111","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/g33kinfo.com\/info\/better-than-nothing-security-part-iv\/#article","isPartOf":{"@id":"https:\/\/g33kinfo.com\/info\/better-than-nothing-security-part-iv\/"},"author":{"name":"g33kadmin","@id":"https:\/\/g33kinfo.com\/info\/#\/schema\/person\/c022e4c40b13ea1b678e6f020756f547"},"headline":"PART IV: BETTER THAN NOTHING SECURITY","datePublished":"2010-01-01T04:17:17+00:00","mainEntityOfPage":{"@id":"https:\/\/g33kinfo.com\/info\/better-than-nothing-security-part-iv\/"},"wordCount":666,"commentCount":0,"publisher":{"@id":"https:\/\/g33kinfo.com\/info\/#\/schema\/person\/c022e4c40b13ea1b678e6f020756f547"},"articleSection":["General Info"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/g33kinfo.com\/info\/better-than-nothing-security-part-iv\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/g33kinfo.com\/info\/better-than-nothing-security-part-iv\/","url":"https:\/\/g33kinfo.com\/info\/better-than-nothing-security-part-iv\/","name":"PART IV: BETTER THAN NOTHING SECURITY - Linux Shtuff","isPartOf":{"@id":"https:\/\/g33kinfo.com\/info\/#website"},"datePublished":"2010-01-01T04:17:17+00:00","breadcrumb":{"@id":"https:\/\/g33kinfo.com\/info\/better-than-nothing-security-part-iv\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/g33kinfo.com\/info\/better-than-nothing-security-part-iv\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/g33kinfo.com\/info\/better-than-nothing-security-part-iv\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/g33kinfo.com\/info\/"},{"@type":"ListItem","position":2,"name":"PART IV: BETTER THAN NOTHING SECURITY"}]},{"@type":"WebSite","@id":"https:\/\/g33kinfo.com\/info\/#website","url":"https:\/\/g33kinfo.com\/info\/","name":"Linux Shtuff","description":"Because I have CRS Syndrome...","publisher":{"@id":"https:\/\/g33kinfo.com\/info\/#\/schema\/person\/c022e4c40b13ea1b678e6f020756f547"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/g33kinfo.com\/info\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/g33kinfo.com\/info\/#\/schema\/person\/c022e4c40b13ea1b678e6f020756f547","name":"g33kadmin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/g33kinfo.com\/info\/wp-content\/uploads\/2022\/07\/minion-researchA.gif","url":"https:\/\/g33kinfo.com\/info\/wp-content\/uploads\/2022\/07\/minion-researchA.gif","contentUrl":"https:\/\/g33kinfo.com\/info\/wp-content\/uploads\/2022\/07\/minion-researchA.gif","width":512,"height":512,"caption":"g33kadmin"},"logo":{"@id":"https:\/\/g33kinfo.com\/info\/wp-content\/uploads\/2022\/07\/minion-researchA.gif"},"description":"I am a g33k, Linux blogger, developer, student and Tech Writer for Liquidweb.com\/kb. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....","sameAs":["https:\/\/thelinuxreport.com","https:\/\/fb.me\/g33kinf0","https:\/\/x.com\/https:\/\/twitter.com\/drsinger1111"]}]}},"_links":{"self":[{"href":"https:\/\/g33kinfo.com\/info\/wp-json\/wp\/v2\/posts\/1397","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/g33kinfo.com\/info\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/g33kinfo.com\/info\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/g33kinfo.com\/info\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/g33kinfo.com\/info\/wp-json\/wp\/v2\/comments?post=1397"}],"version-history":[{"count":0,"href":"https:\/\/g33kinfo.com\/info\/wp-json\/wp\/v2\/posts\/1397\/revisions"}],"wp:attachment":[{"href":"https:\/\/g33kinfo.com\/info\/wp-json\/wp\/v2\/media?parent=1397"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/g33kinfo.com\/info\/wp-json\/wp\/v2\/categories?post=1397"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/g33kinfo.com\/info\/wp-json\/wp\/v2\/tags?post=1397"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}