Archive for March-2007

Mod_Security installation and usage guide

2007-03-24 02:00:00

This guide shows how to install and configure mod_security, which helps protect your server from exploits that arrive through Apache. mod_security does this by inspecting each request Apache receives and rejecting the "bad" ones, as determined by the set of rules in httpd.conf. The rulesets linked in this guide block most of the common exploits, including the "nosanity" phpBB worms, and most of the other common ways of attacking a server through PHP. Keep in mind that this is a filter for known-bad patterns, not a substitute for patching the applications behind it.

First we will download and unpack mod_security.

-----command-----
wget http://www.modsecurity.org/download/modsecurity-apache_1.9.4.tar.gz
tar -zxf modsecurity-apache_1.9.4.tar.gz
-----command-----

If you are using Apache 1.3.x you need to go into the apache1 directory as shown below. cPanel and Ensim both use Apache 1.3.x.

-----command-----
cd modsecurity-apache_1.9.4/apache1
-----command-----

If you are using Apache 2.x you need to go into the apache2 directory as shown below. Plesk uses Apache 2.x and may require the httpd-devel rpm to be installed to get mod_security working.
-----command-----
cd modsecurity-apache_1.9.4/apache2
-----command-----

Next, compile mod_security as a module with apxs (the -c, -i and -a flags compile it, install it and activate it in httpd.conf). One of the apxs paths below should work, depending on where your Apache is installed.
-----command-----
/etc/httpd/bin/apxs -cia mod_security.c
-----command-----

If apxs is not found, install httpd-devel using up2date and then try to compile again. This works fine on Plesk and on the newer versions of Ensim that do not use "ensimized" httpd rpms. If you are running a version of Ensim below 4.0 you should not continue unless you are certain of what you are doing.
-----command-----
up2date -i httpd-devel
/usr/sbin/apxs -cia mod_security.c
-----command-----

Make a backup of your httpd.conf before touching anything so you have something to go back to if it does not work.
-----command-----
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf-mod_sec
-----command-----


Now edit httpd.conf. Even though Ensim has multiple httpd.conf files, you can put the configuration in the primary one.
-----command-----
pico -w /etc/httpd/conf/httpd.conf
-----command-----

If you are running Apache 1.3.x (cPanel and Ensim before 4.0), find the line apxs -a added:
AddModule mod_security.c
If there is no AddModule line for mod_security, find the block of other AddModule lines and put it right below them.


If you are running Apache 2.x (Plesk and Ensim 4.0+), find the line apxs -a added:
LoadModule security_module modules/mod_security.so

The ruleset goes directly below that line in either case.



Now paste in a ruleset below that line. Feel free to modify it as you see fit. The rulesets linked here are fairly non-aggressive and will work fine on just about any server, but read through them before enabling them on a production box: any rule that matches legitimate traffic will start returning 403s.

Download rules here:
http://www.modsecurity.org/projects/rules/
http://www.gotroot.com/mod_security+rules

Check the configuration syntax first (apachectl configtest), then restart Apache to enable mod_security.

service httpd restart

If sites start to have problems, look at the mod_security audit log (the path is whatever your SecAuditLog directive points at), for example:
/etc/httpd/logs/audit_log

If you need or want to remove mod_security at any time, comment out (put a # in front of) the AddModule mod_security.c line on Apache 1.3, or the LoadModule security_module line on Apache 2, and restart Apache. This stops the module from loading, so none of its rules apply. If the ruleset is wrapped in <IfModule mod_security.c> Apache will also skip the rule lines; if not, comment them out too, or Apache will refuse to start on the unknown directives.

mod_security is now set up. Tail the audit log occasionally to see whether it is interfering with legitimate traffic; the linked rulesets should not cause many problems.
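As an added example that is not part of the original guide, here is the whole procedure above in script form: write a small mod_security 1.x ruleset, insert it right after the module line apxs added, syntax-check the result and roll back to the backup if the check fails, so a typo in a rule never leaves Apache unable to start. The ruleset contents, the file names and the check command are this example's own assumptions, not the guide's ruleset.

```shell
#!/bin/sh
# Added example, not part of the original guide: put a small mod_security 1.x
# ruleset into httpd.conf the safe way (back up, insert, syntax-check, roll
# back on failure).  Ruleset contents, file names and the check command are
# this example's assumptions, not the guide's own ruleset.

# Write a conservative mod_security 1.9-style ruleset to the file named in $1.
# Wrapping it in <IfModule> lets Apache start even with the module disabled.
write_modsec_rules() {
    cat > "$1" <<'EOF'
<IfModule mod_security.c>
    SecFilterEngine On
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On
    SecFilterForceByteRange 1 255
    # Reject and log anything a filter matches; use "pass,log" while tuning
    SecFilterDefaultAction "deny,log,status:403"
    SecAuditEngine RelevantOnly
    SecAuditLog logs/audit_log
    # Directory traversal and remote-file-include style arguments
    SecFilter "\.\./"
    SecFilterSelective ARGS "(https?|ftp)://[^\s]+\.(php|txt)"
    # Download tools smuggled into a request, and an obvious SQL probe
    SecFilterSelective "REQUEST_URI|ARGS" "(wget|curl|lynx)\s+(https?|ftp)://"
    SecFilterSelective ARGS "union\s+select"
</IfModule>
EOF
}

# Insert the ruleset right after the line apxs -a added for mod_security
# (LoadModule security_module on Apache 2, AddModule mod_security.c on 1.3).
# $1 = httpd.conf   $2 = ruleset file   $3 = config check command (default httpd -t)
install_modsec_rules() {
    conf="$1"; rules="$2"; check="${3:-httpd -t}"
    if ! grep -Eq 'security_module|mod_security\.c' "$conf"; then
        echo "no LoadModule/AddModule line for mod_security in $conf; run apxs -a first" >&2
        return 1
    fi
    cp "$conf" "$conf.pre-modsec" || return 1            # backup first
    awk -v rules="$rules" '
        { print }
        !done && /(LoadModule[ \t]+security_module|AddModule[ \t]+mod_security\.c)/ {
            while ((getline line < rules) > 0) print line
            done = 1
        }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    # Never restart on an unchecked config: verify it, restore the backup on failure.
    if ! sh -c "$check" >/dev/null 2>&1; then
        cp "$conf.pre-modsec" "$conf"
        echo "config check failed; $conf restored from $conf.pre-modsec" >&2
        return 1
    fi
}

# Usage as root, after apxs -cia has built and activated the module:
#   write_modsec_rules /etc/httpd/conf/mod_security.rules
#   install_modsec_rules /etc/httpd/conf/httpd.conf /etc/httpd/conf/mod_security.rules \
#       && service httpd restart
```

The check command defaults to httpd -t, which works for both Apache 1.3 and 2.x; pass apachectl configtest or the full path to your httpd binary if it is not on the PATH. Because the backup is taken before the edit and restored on failure, the script can be re-run safely after fixing a rule.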

Category : Security | 0 Comments | 0 Trackbacks

20 ways to Secure your Apache Configuration

2007-03-24 02:00:00

Here are 20 things you can do to make your apache configuration more secure.

Disclaimer: The thing about security is that there are no guarantees or absolutes. These suggestions should make your server a bit tighter, but don't think your server is necessarily secure after following these suggestions.

First, make sure you've installed the latest security patches.


Hide the Apache Version number, and other sensitive information.

By default many Apache installations tell the world what version of Apache you're running, what operating system/version you're running, and even what Apache Modules are installed on the server. Attackers can use this information to their advantage when performing an attack. It also sends the message that you have left most defaults alone.

There are two directives that you need to add, or edit in your httpd.conf file:

ServerSignature Off
ServerTokens Prod

The ServerSignature appears on the bottom of pages generated by apache such as 404 pages, directory listings, etc.

The ServerTokens directive is used to determine what Apache will put in the Server HTTP response header. By setting it to Prod it sets the HTTP response header as follows:

Server: Apache

If you're super paranoid you could change this to something other than "Apache" by editing the source code, or by using mod_security (see below).

Make sure apache is running under its own user account and group

Several Apache installations run it as the user nobody. If both Apache and your mail server run as nobody, a compromise through Apache may allow the mail server to be compromised as well, and vice versa.

User apache
Group apache

Ensure that files outside the web root are not served

We don't want Apache to be able to access any files outside its web root. So assuming all your web sites are placed under one directory (we will call it /web), you would set it up as follows:

<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /web>
Order Allow,Deny
Allow from all
</Directory>
Note that because we set Options None and AllowOverride None this will turn off all options and overrides for the server. You now have to add them explicitly for each directory that requires an Option or Override.

Turn off directory browsing

You can do this with an Options directive inside a Directory tag. Set Options to either None or -Indexes

Options -Indexes

Turn off server side includes

This is also done with the Options directive inside a Directory tag. Set Options to either None or -Includes

Options -Includes

Turn off CGI execution

If you're not using CGI turn it off with the Options directive inside a Directory tag. Set Options to either None or -ExecCGI

Options -ExecCGI

Don't allow apache to follow symbolic links

This can again can be done using the Options directive inside a Directory tag. Set Options to either None or -FollowSymLinks

Options -FollowSymLinks

Turning off multiple Options

If you want to turn off all Options simply use:

Options None

If you only want to turn off some separate each option with a space in your Options directive:

Options -ExecCGI -FollowSymLinks -Indexes

Turn off support for .htaccess files

This is done in a Directory tag but with the AllowOverride directive. Set it to None.

AllowOverride None

If you require overrides, ensure that the override files themselves cannot be downloaded, and/or change their name to something other than .htaccess. For example we could change it to .httpdoverride and block every file whose name starts with .ht from being served, as follows (note the escaped dot: an unescaped "^.ht" would also match unrelated names such as xhtml.css):

AccessFileName .httpdoverride
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>

Run mod_security

mod_security is a super handy Apache module written by Ivan Ristic, the author of Apache Security from O'Reilly press.

You can do the following with mod_security:

Disable any unnecessary modules

Apache typically comes with several modules installed. Go through the apache module documentation and learn what each module you have enabled actually does. Many times you will find that you don't need to have the said module enabled.

Look for lines in your httpd.conf that contain LoadModule. To disable the module you can typically just add a # at the beginning of the line. To search for modules run:

grep LoadModule httpd.conf

Here are some modules that are typically enabled but often not needed: mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex.

Make sure only root has read access to apache's config and binaries

This can be done, assuming your Apache installation is located at /usr/local/apache, as follows:

chown -R root:root /usr/local/apache
chmod -R o-rwx /usr/local/apache

If your document root or log directory lives under that path, re-grant the Apache user read access to the document root (and write access to the log directory) afterwards; otherwise the worker processes, which run as that user, cannot serve anything.

Lower the Timeout value

By default the Timeout directive is set to 300 seconds. Lowering it helps mitigate the effects of a denial of service attack in which clients hold connections open without ever sending a complete request.

Timeout 45

Limiting large requests

Apache has several directives that allow you to limit the size of a request, this can also be useful for mitigating the effects of a denial of service attack.

A good place to start is the LimitRequestBody directive. This directive is set to unlimited by default. If you are allowing file uploads of no larger than 1MB, you could set this setting to something like:

LimitRequestBody 1048576

If you're not allowing file uploads you can set it even smaller.

Some other directives to look at are LimitRequestFields, LimitRequestFieldSize and LimitRequestLine. These are set to reasonable defaults for most servers, but you may want to tweak them to fit your needs. See the documentation for more info.

Limiting the size of an XML Body

If you're running mod_dav (typically used with Subversion) then you may want to limit the maximum size of an XML request body. The LimitXMLRequestBody directive is only available on Apache 2, and its default value is 1,000,000 bytes (roughly 1 MB). Many tutorials will have you set this value to 0, which means request bodies of any size are accepted; that may be necessary if you're using WebDAV to upload large files, but if you're simply using it for source control you can probably get away with an upper bound such as 10 MB:

LimitXMLRequestBody 10485760

Limiting Concurrency

Apache has several configuration settings that can be used to adjust handling of concurrent requests. The MaxClients is the maximum number of child processes that will be created to serve requests. This may be set too high if your server doesn't have enough memory to handle a large number of concurrent requests.

Other directives such as MaxSpareServers, MaxRequestsPerChild, and on Apache2 ThreadsPerChild, ServerLimit, and MaxSpareThreads are important to adjust to match your operating system, and hardware.

Restricting Access by IP

If you have a resource that should only be accessed by a certain network or IP address, you can enforce this in your Apache configuration, inside the <Directory> or <Location> block for that resource. For instance, to restrict access to your intranet so that only the 172.16.0.0/16 private network can reach it:

Order Deny,Allow
Deny from all
Allow from 172.16.0.0/16

Or by IP:

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

Note that Allow and Deny decide on the client address Apache actually sees; behind a reverse proxy that is the proxy's address, not the end user's.

Adjusting KeepAlive settings

According to the Apache documentation, HTTP keep-alives can improve client performance by as much as 50%, so be careful before changing these settings: you are trading performance for a slight denial of service mitigation.

Keep-alives are on by default and you should leave them on, but you may consider lowering MaxKeepAliveRequests, which defaults to 100, and KeepAliveTimeout, which defaults to 15 seconds. Analyze your log files to determine appropriate values.

Run Apache in a Chroot environment

chroot runs a program in its own isolated jail, so a break-in through one service cannot directly affect anything else on the server (a process that gains root inside the jail can still escape it, so it is a containment measure, not a hard boundary).

Setting this up by hand can be fairly tricky because of library dependencies. The mod_security module mentioned above has built-in chroot support, which makes the process as simple as adding one mod_security directive to your configuration:

SecChrootDir /chroot/apache

There are some caveats, however, so check out the docs for more info.
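As an added example that is not part of the original post, here is a small shell audit that checks an httpd.conf for several of the settings above (ServerTokens, ServerSignature, the Apache user, Options, AllowOverride, Timeout and LimitRequestBody) and returns the number of weak values, so it can be run before every restart. The directive regexes, the 60-second Timeout threshold and the sample configs in the test are this example's assumptions; it expects a 2.0/2.2-era httpd.conf with one directive per line.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an httpd.conf for the
# hardening settings discussed above.  Prints one "WEAK:" line per finding and
# returns the number of findings (0 = clean).  The checks assume a 2.0/2.2-style
# httpd.conf with one directive per line; the 60 s Timeout limit is an assumption.

findings=0
flag() { echo "WEAK: $1"; findings=$((findings + 1)); }

# $1 = path to httpd.conf; return value = number of findings
audit_httpd_conf() {
    findings=0
    live=$(mktemp)
    sed 's/#.*//' "$1" > "$live"          # ignore commented-out directives

    grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod(uctOnly)?[[:space:]]*$' "$live" \
        || flag "ServerTokens is not Prod: Server header advertises version and modules"
    grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+Off[[:space:]]*$' "$live" \
        || flag "ServerSignature is not Off: error pages advertise the version"
    grep -Eiq '^[[:space:]]*User[[:space:]]+(nobody|root)[[:space:]]*$' "$live" \
        && flag "Apache runs as nobody/root instead of its own account"
    # Any Options line that enables a risky option (a leading '-' disables it)
    grep -Ei '^[[:space:]]*Options[[:space:]]' "$live" \
        | grep -Eiq '[[:space:]][+]?(All|Indexes|Includes|ExecCGI)([[:space:]]|$)' \
        && flag "Options enables Indexes/Includes/ExecCGI/All somewhere"
    # Any AllowOverride whose value is not None
    grep -Ei '^[[:space:]]*AllowOverride[[:space:]]' "$live" \
        | grep -Eiqv '[[:space:]]None[[:space:]]*$' \
        && flag "AllowOverride permits .htaccess overrides"
    # Timeout: absent means the 300 s default; flag anything above 60 s
    t=$(awk 'tolower($1) == "timeout" { print $2 }' "$live" | sort -n | tail -n 1)
    if [ -z "$t" ] || [ "$t" -gt 60 ]; then
        flag "Timeout is ${t:-300 (default)}; lower it to limit slow-request DoS"
    fi
    grep -Eiq '^[[:space:]]*LimitRequestBody[[:space:]]+[0-9]+' "$live" \
        || flag "LimitRequestBody unset: request bodies are unlimited"

    rm -f "$live"
    return $findings
}

# Usage: audit_httpd_conf /etc/httpd/conf/httpd.conf || echo "$? weak setting(s)"
```

The audit is deliberately conservative: it flags Options that enable Indexes, Includes or ExecCGI anywhere, even where you may have enabled them on purpose, because the point is to make every such exception a visible decision.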


Category : Security | 0 Comments

Tuning/Optimizing my.cnf file for MySQL

2007-03-24 02:00:00

I had to do some fine tuning of MySQL 4.1.9; here is what the my.cnf file looks like for a 2GHz machine with 1GB of memory.


[mysqld]
socket=/path/to/mysql.sock
datadir=/var/lib/mysql
skip-locking
skip-innodb
# MySQL 4.x has query caching available.
# Enable it for vast improvement and it may be all you need to tweak.
query_cache_type=1
query_cache_limit=1M
query_cache_size=32M
# max_connections=500
# Reduced to 200 as memory will not be enough for 500 connections.
# memory=key_buffer+(sort_buffer_size+read_buffer_size)*max_connections
# which is now: 64 + (1 + 1) * 200 = 464 MB
# max_connections = approx. MaxClients setting in httpd.conf file
# Default set to 100.
#max_connections=200
#interactive_timeout=180
interactive_timeout=100
#wait_timeout=180
#wait_timeout=100
# Reduced wait_timeout to prevent idle clients holding connections.
#wait_timeout=30
wait_timeout=15
connect_timeout=10
# max_connect_errors is set to 10 by default
#max_connect_errors=10
#table_cache=256
#table_cache=1024
# Checked opened tables and adjusted accordingly after running for a while.
table_cache=512
#tmp_table_size=32M by default
#thread_cache=128
# Reduced it to 32 to prevent memory hogging. Also, see notes below.
thread_cache=32
# key_buffer=258M
# Reduced it by checking current size of *.MYI files, see notes below.
key_buffer=128M
# Commented out the buffer sizes and keeping the default.
# sort_buffer_size=2M by default.
#sort_buffer_size=1M
# read_buffer_size=128K by default.
#read_buffer_size=1M
# read_rnd_buffer_size=256K by default.
#read_rnd_buffer_size=1M
# myisam_sort_buffer_size=8M by default.
#myisam_sort_buffer_size=64M
# thread_concurrency = 2 * (no. of CPU)
thread_concurrency=2
# Logging slow queries is a must. If many queries take more than 2 seconds,
# your tables or indexes need work.
log_slow_queries=/var/log/mysqld.slow.log
long_query_time=2

[mysql.server]
user=mysql
basedir=/var/lib

[safe_mysqld]
err-log=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
open_files_limit=8192

[mysqldump]
quick
max_allowed_packet=16M

[mysql]
no-auto-rehash
# Remove the next comment character if you are not familiar with SQL
#safe-updates

[isamchk]
key_buffer=64M
sort_buffer=64M
read_buffer=16M
write_buffer=16M

[myisamchk]
key_buffer=64M
sort_buffer=64M
read_buffer=16M
write_buffer=16M

[mysqlhotcopy]
interactive-timeout

[client]
socket=/path/to/mysql.sock

Below are notes on some of the important variables that I took down while tuning the config file.

query_cache_size:
MySQL 4 provides one feature that can prove very handy: a query cache. When the database has to run the same queries repeatedly on the same data set, returning the same results each time, MySQL can cache the result set and avoid running through the data over and over. This is extremely helpful on busy servers.

key_buffer_size:
The value of key_buffer_size is the size of the buffer used for MyISAM indexes. The more of the indexes that fit in the buffer, the fewer disk reads an index lookup needs, and the faster the query returns. The rule of thumb is to set key_buffer_size to at least a quarter, but no more than half, of the total memory on the server. Ideally it will be large enough to hold all the indexes (the total size of all .MYI files on the server).
A simple way to check the actual performance of the buffer is to examine four status variables: Key_read_requests, Key_reads, Key_write_requests and Key_writes.
If you divide Key_reads by Key_read_requests, the result should be less than 0.01. Also, if you divide Key_writes by Key_write_requests, the result should be less than 1.

table_cache:
The default is 64. Each time MySQL accesses a table, it places it in the cache. If the system accesses many tables, it is faster to have these in the cache. MySQL, being multi-threaded, may be running many queries on the same table at one time, and each of these opens the table. Examine the value of Open_tables at peak times. If it stays at the same value as your table_cache and the number of Opened_tables keeps rapidly increasing, you should increase table_cache if you have enough memory.

sort_buffer:
The sort_buffer is very useful for speeding up myisamchk operations (which is why it is set much higher for that purpose in the default configuration files), but it can also be useful every day when performing large numbers of sorts.

read_rnd_buffer_size:
read_rnd_buffer_size is used after a sort, when reading rows in sorted order. If you run many queries with ORDER BY, raising it can improve performance. Remember that, unlike key_buffer_size and table_cache, this buffer is allocated per thread, so its cost is multiplied by the number of concurrent connections. The variable was renamed from record_rnd_buffer in MySQL 4.0.3. It defaults to 256K, twice the default read_buffer_size (see the config above). A rule of thumb is to allocate 1KB for each 1MB of memory on the server, for example 1MB on a machine with 1GB memory.

thread_cache:
If you have a busy server that gets a lot of short connections, set your thread cache high enough that the Threads_created value in SHOW STATUS stops increasing. This should take some of the load off the CPU.

tmp_table_size:
Created_tmp_disk_tables is the number of implicit temporary tables created on disk while executing statements, and Created_tmp_tables the number created in memory. Going to disk instead of memory all the time is bad; if the disk count is a large share of the total, raise tmp_table_size (in-memory temporary tables are also capped by max_heap_table_size).

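The notes above give several rules of thumb (Key_reads/Key_read_requests below 0.01, Key_writes/Key_write_requests below 1, Open_tables pinned at table_cache, Threads_created and Created_tmp_disk_tables growing). As an added example that is not part of the original post, here is a small script that computes those ratios from a SHOW STATUS dump and returns how many are out of range. The status values it embeds are constructed for the example, and the 10% tmp-table and 1% thread-cache limits are this example's assumptions rather than figures from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: check the ratios the notes
# above describe against a status dump from "mysql -Be 'SHOW STATUS'".  The
# status values below are constructed; thresholds follow the notes (read
# misses < 0.01, write ratio < 1) plus assumed limits for the tmp-table
# and thread-cache ratios.

# Write a constructed status dump in the tab-separated form mysql -B prints.
sample_mysql_status() {
    printf '%s\t%s\n' \
        Key_read_requests 1000000 \
        Key_reads 5000 \
        Key_write_requests 20000 \
        Key_writes 30000 \
        Created_tmp_tables 4000 \
        Created_tmp_disk_tables 1000 \
        Open_tables 512 \
        Opened_tables 9000 \
        Threads_created 140 \
        Connections 20000 > "$1"
}

# $1 = status dump, $2 = the table_cache value from my.cnf.
# Prints one line per metric and returns the number of metrics out of range.
mysql_cache_check() {
    awk -F'\t' -v table_cache="$2" '
        function ratio(a, b) { return (b > 0) ? a / b : 0 }
        function report(label, r, limit,   bad) {
            bad = (r >= limit)
            printf "%-28s %.4f (want < %s)%s\n", label, r, limit, (bad ? "  WARN" : "")
            return bad
        }
        { v[$1] = $2 }
        END {
            n  = report("key_buffer read miss ratio", ratio(v["Key_reads"],  v["Key_read_requests"]), 0.01)
            n += report("key_buffer write ratio",     ratio(v["Key_writes"], v["Key_write_requests"]), 1)
            n += report("tmp tables created on disk", ratio(v["Created_tmp_disk_tables"], v["Created_tmp_tables"]), 0.10)
            n += report("thread cache misses",        ratio(v["Threads_created"], v["Connections"]), 0.01)
            # table_cache is full once Open_tables has reached it
            full = (v["Open_tables"] + 0 >= table_cache + 0)
            printf "%-28s %d of %d%s\n", "Open_tables vs table_cache", v["Open_tables"], table_cache, (full ? "  WARN" : "")
            exit n + full
        }' "$1"
}

# Usage: mysql -Be 'SHOW STATUS' > status.txt && mysql_cache_check status.txt 512
```

Run it twice a few hours apart: the ratios are cumulative since the last server start, so a single snapshot taken shortly after a restart says little.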
Category : Mysql | 0 Comments | 0 Trackbacks

Force www vs non-www to avoid duplicate content on Google

2007-03-24 21:20:21

There has been a lot of talk recently about Google and duplicate content, and about Google canonical problems: that is, when your site is reachable both as your_domain.com and www.your_domain.com. To avoid such problems you can put the following lines in your .htaccess file to force only the www version of your site (the dots are escaped because the pattern is a regular expression, and the L flag stops further rewriting once the redirect has been issued):


RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.your_domain\.com$ [NC]
RewriteRule ^(.*)$ http://www.your_domain.com/$1 [R=301,L]

Please, note that the .htaccess should be located in the web site main folder.

This redirects every request for the non-www version of your site to the www version with a 301 (permanent) redirect, so search engines index your site only under the www.your_domain.com URL. This way you avoid a duplicate content penalty.

Category : SEO | 0 Comments | 0 Trackbacks

Block Bad robots, spiders, crawlers and harvesters

2007-03-24 21:22:45

There are lots of examples across the internet that use mod_rewrite, and we provide one as well (in the next post). But what do you do when mod_rewrite is not available? You can use the SetEnvIfNoCase directive in combination with FilesMatch.


SetEnvIfNoCase user-agent  "^BlackWidow" bad_bot=1
SetEnvIfNoCase user-agent  "^Bot mailto:craftbot@yahoo.com" bad_bot=1
SetEnvIfNoCase user-agent  "^ChinaClaw" bad_bot=1
SetEnvIfNoCase user-agent  "^Custo" bad_bot=1
SetEnvIfNoCase user-agent  "^DISCo" bad_bot=1
SetEnvIfNoCase user-agent  "^Download Demon" bad_bot=1
SetEnvIfNoCase user-agent  "^eCatch" bad_bot=1
SetEnvIfNoCase user-agent  "^EirGrabber" bad_bot=1
SetEnvIfNoCase user-agent  "^EmailSiphon" bad_bot=1
SetEnvIfNoCase user-agent  "^EmailWolf" bad_bot=1
SetEnvIfNoCase user-agent  "^Express WebPictures" bad_bot=1
SetEnvIfNoCase user-agent  "^ExtractorPro" bad_bot=1
SetEnvIfNoCase user-agent  "^EyeNetIE" bad_bot=1
SetEnvIfNoCase user-agent  "^FlashGet" bad_bot=1
SetEnvIfNoCase user-agent  "^GetRight" bad_bot=1
SetEnvIfNoCase user-agent  "^GetWeb!" bad_bot=1
SetEnvIfNoCase user-agent  "^Go!Zilla" bad_bot=1
SetEnvIfNoCase user-agent  "^Go-Ahead-Got-It" bad_bot=1
SetEnvIfNoCase user-agent  "^GrabNet" bad_bot=1
SetEnvIfNoCase user-agent  "^Grafula" bad_bot=1
SetEnvIfNoCase user-agent  "^HMView" bad_bot=1
SetEnvIfNoCase user-agent  "HTTrack" bad_bot=1
SetEnvIfNoCase user-agent  "^Image Stripper" bad_bot=1
SetEnvIfNoCase user-agent  "^Image Sucker" bad_bot=1
SetEnvIfNoCase user-agent  "Indy Library" bad_bot=1
SetEnvIfNoCase user-agent  "^InterGET" bad_bot=1
SetEnvIfNoCase user-agent  "^Internet Ninja" bad_bot=1
SetEnvIfNoCase user-agent  "^JetCar" bad_bot=1
SetEnvIfNoCase user-agent  "^JOC Web Spider" bad_bot=1
SetEnvIfNoCase user-agent  "^larbin" bad_bot=1
SetEnvIfNoCase user-agent  "^LeechFTP" bad_bot=1
SetEnvIfNoCase user-agent  "^Mass Downloader" bad_bot=1
SetEnvIfNoCase user-agent  "^MIDown tool" bad_bot=1
SetEnvIfNoCase user-agent  "^Mister PiX" bad_bot=1
SetEnvIfNoCase user-agent  "^Navroad" bad_bot=1
SetEnvIfNoCase user-agent  "^NearSite" bad_bot=1
SetEnvIfNoCase user-agent  "^NetAnts" bad_bot=1
SetEnvIfNoCase user-agent  "^NetSpider" bad_bot=1
SetEnvIfNoCase user-agent  "^Net Vampire" bad_bot=1
SetEnvIfNoCase user-agent  "^NetZIP" bad_bot=1
SetEnvIfNoCase user-agent  "^Octopus" bad_bot=1
SetEnvIfNoCase user-agent  "^Offline Explorer" bad_bot=1
SetEnvIfNoCase user-agent  "^Offline Navigator" bad_bot=1
SetEnvIfNoCase user-agent  "^PageGrabber" bad_bot=1
SetEnvIfNoCase user-agent  "^Papa Foto" bad_bot=1
SetEnvIfNoCase user-agent  "^pavuk" bad_bot=1
SetEnvIfNoCase user-agent  "^pcBrowser" bad_bot=1
SetEnvIfNoCase user-agent  "^RealDownload" bad_bot=1
SetEnvIfNoCase user-agent  "^ReGet" bad_bot=1
SetEnvIfNoCase user-agent  "^SiteSnagger" bad_bot=1
SetEnvIfNoCase user-agent  "^SmartDownload" bad_bot=1
SetEnvIfNoCase user-agent  "^SuperBot" bad_bot=1
SetEnvIfNoCase user-agent  "^SuperHTTP" bad_bot=1
SetEnvIfNoCase user-agent  "^Surfbot" bad_bot=1
SetEnvIfNoCase user-agent  "^tAkeOut" bad_bot=1
SetEnvIfNoCase user-agent  "^Teleport Pro" bad_bot=1
SetEnvIfNoCase user-agent  "^VoidEYE" bad_bot=1
SetEnvIfNoCase user-agent  "^Web Image Collector" bad_bot=1
SetEnvIfNoCase user-agent  "^Web Sucker" bad_bot=1
SetEnvIfNoCase user-agent  "^WebAuto" bad_bot=1
SetEnvIfNoCase user-agent  "^WebCopier" bad_bot=1
SetEnvIfNoCase user-agent  "^WebFetch" bad_bot=1
SetEnvIfNoCase user-agent  "^WebGo IS" bad_bot=1
SetEnvIfNoCase user-agent  "^WebLeacher" bad_bot=1
SetEnvIfNoCase user-agent  "^WebReaper" bad_bot=1
SetEnvIfNoCase user-agent  "^WebSauger" bad_bot=1
SetEnvIfNoCase user-agent  "^Website eXtractor" bad_bot=1
SetEnvIfNoCase user-agent  "^Website Quester" bad_bot=1
SetEnvIfNoCase user-agent  "^WebStripper" bad_bot=1
SetEnvIfNoCase user-agent  "^WebWhacker" bad_bot=1
SetEnvIfNoCase user-agent  "^WebZIP" bad_bot=1
SetEnvIfNoCase user-agent  "^Widow" bad_bot=1
SetEnvIfNoCase user-agent  "^WWWOFFLE" bad_bot=1
SetEnvIfNoCase user-agent  "^Xaldon WebSpider" bad_bot=1
SetEnvIfNoCase user-agent  "^Zeus" bad_bot=1
<FilesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</FilesMatch> 

How it works: if the string or regular expression matches the User-Agent header, the bad_bot environment variable is set. The FilesMatch block then tells the server to deny access (a 403 Forbidden page) to every client that matched one of the strings above. Keep in mind that the User-Agent header is entirely under the client's control, so this only stops tools that identify themselves honestly; anything that spoofs a browser's User-Agent walks straight past it.

Category : Security | 0 Comments | 0 Trackbacks

Block Bad robots, spiders, crawlers and harvesters 2

2007-03-24 21:24:17

ModRewrite based example:


RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]

What it does: each RewriteCond tests the User-Agent header against a string or regular expression, and the conditions are chained with [OR]. When any of them matches, the RewriteRule returns a 403 Forbidden error page (the F flag) and stops processing (L). Patterns that contain a space must have it escaped with a backslash (or the whole pattern quoted); otherwise mod_rewrite reads the second word as the flags argument and rejects the configuration. As with the SetEnvIf version, a client that spoofs its User-Agent is not affected.
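Both this post and the SetEnvIfNoCase version before it block on User-Agent strings, and the practical question before deploying either list is what it would have denied on your real traffic. As an added example that is not part of either post, here is a script that replays a subset of the patterns against an access_log in Apache's combined format and reports the matching user agents and the total. The log lines are constructed for the example and the pattern subset is an assumption; point it at your own log and the full list to get real numbers.

```shell
#!/bin/sh
# Added example, not part of either post: replay a user-agent blocklist against
# an access_log to see what it would have denied before you deploy it.  The
# pattern list is a short subset of the one above and the log lines are
# constructed for this example.

# Patterns in the same regex form the SetEnvIfNoCase/RewriteCond lines use
# ('^' anchors at the start of the User-Agent header); matched case-insensitively.
bad_bot_patterns() {
    cat <<'EOF'
^BlackWidow
HTTrack
Indy Library
^Teleport Pro
^WebZIP
^Zeus
EOF
}

# Six constructed lines in Apache "combined" log format, written to $1.
sample_access_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [24/Mar/2007:21:22:45 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20070309 Firefox/2.0.0.3"
192.0.2.11 - - [24/Mar/2007:21:22:46 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"
192.0.2.11 - - [24/Mar/2007:21:22:47 +0000] "GET /about.html HTTP/1.1" 200 1024 "http://example.test/" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"
192.0.2.12 - - [24/Mar/2007:21:22:48 +0000] "GET /files/ HTTP/1.0" 200 2048 "-" "Teleport Pro/1.29"
192.0.2.13 - - [24/Mar/2007:21:22:49 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.14 - - [24/Mar/2007:21:22:50 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Indy Library)"
EOF
}

# $1 = access_log.  Prints "<hits> <user-agent>" per matched UA, most hits
# first, then a final "total <n>" line.
preview_bad_bot_hits() {
    hits=$(bad_bot_patterns | awk '
        NR == FNR { pat[++np] = tolower($0); next }   # first input (stdin): patterns
        match($0, /"[^"]*"$/) {                        # last quoted field is the UA
            ua = substr($0, RSTART + 1, RLENGTH - 2)
            lc = tolower(ua)
            for (i = 1; i <= np; i++)
                if (lc ~ pat[i]) { count[ua]++; break }
        }
        END { for (ua in count) print count[ua], ua }' - "$1")
    [ -n "$hits" ] && printf '%s\n' "$hits" | sort -rn
    echo "total $(printf '%s\n' "$hits" | awk '{ s += $1 } END { print s + 0 }')"
}

# Usage: preview_bad_bot_hits /etc/httpd/logs/access_log
```

Because every pattern is lower-cased and compared against the lower-cased header, this mirrors SetEnvIfNoCase rather than the mostly case-sensitive RewriteCond list; if you deploy the mod_rewrite version, expect slightly fewer matches than the preview shows.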

Category : Security | 0 Comments | 0 Trackbacks

Disable Hot-Linking of images and other files

2007-03-24 21:26:26

Hot-linking is when another site uses images hosted on yours. For example, a.com has some nice images, and b.com decides that instead of hosting those images on its own server it can simply link from its pages to the images hosted on a.com.
Hot-linking is bandwidth theft and, of course, content theft: b.com does not pay for the traffic, because the image is loaded from a.com.

So it is a good practice to prevent images hot-linking:

You can prevent the hot-linking of your images by creating a .htaccess file with the following content:


RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?your-domain\.com/.*$ [NC]
RewriteRule \.(gif|jpe?g|png)$ - [F]
The above code causes a broken image to be displayed wherever it is hot-linked. The first RewriteCond deliberately lets requests with an empty Referer through, so that browsers and proxies that strip the header still see your images; it also means the rule is trivially bypassed by any client that omits the Referer, which is fine for a bandwidth measure but not for protecting anything sensitive.

The example above works for .gif,.jpg and .png files, but you can add any file extension.

If you place the .htaccess file in the main folder of your site it will disable hotlinking for all your site.

To block other types of files, just add their extensions to the list above. For example, to block movie files:
RewriteRule \.(mov|avi|wmv|mpe?g)$ - [F]

The Hot-Linking prevention is based on an Apache module called ModRewrite. So your web host should support it in order for you to be able to use these on your site.

Category : Security | 0 Comments | 0 Trackbacks

How to quickly bind a range of IPs on RedHat based systems

2007-03-24 21:44:45

In this short post I will show you how you can quickly add a range of IPs on any RedHat based system (Rhel, Centos, Fedora, etc). When you have to add many IPs to a system this can be quite handy and save a lot of time.
Normally when you add a new IP to a network interface in a RedHat based system you create a file ifcfg-eth0:x in /etc/sysconfig/network-scripts/. For example:


/etc/sysconfig/network-scripts/ifcfg-eth0:0
DEVICE=eth0:0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.0.100
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
TYPE=Ethernet
Similar to the above example you can create several aliases. But what if you have to add a lot of IPs in a range like this? Let’s say I want to add 100 IPs this way... it is possible, but not very efficient, right? RedHat based systems offer a quick way to bind a range of IPs, which eliminates the need to create a lot of files and saves time.
Create a file /etc/sysconfig/network-scripts/ifcfg-eth0-range0 if this doesn’t exist, or just add to it if you already have it, the following lines:
/etc/sysconfig/network-scripts/ifcfg-eth0-range0
IPADDR_START=192.168.0.100
IPADDR_END=192.168.0.200
CLONENUM_START=0
where: IPADDR_START is the first IP and IPADDR_END is the last IP in the range. CLONENUM_START is the number that will be assigned to the first IP alias interface (eth0:0 in this example).

If you need to add more ranges of IPs, use a different file for each one, for example ifcfg-eth0-range1. Be careful to use the proper CLONENUM_START so that the aliases of one range do not overwrite those of another: a range of N addresses occupies alias numbers CLONENUM_START through CLONENUM_START+N-1. Once you have configured the range(s) of IPs, restart the network service to activate them:
service network restart

Category : Linux | 0 Comments | 0 Trackbacks

Changing a Hostname

2007-03-24 21:46:32

Want to change your server's hostname?

There are a few places you should check.

Edit the name in /etc/hosts

Edit /etc/sysconfig/network.  It'll contain something like this:


NETWORKING=yes
HOSTNAME="yourserver.com"
Edit /etc/hostname.  e.g.  echo "yourserver.com" > /etc/hostname

Reboot your server, or just run: "hostname --file /etc/hostname" i.e. set the host name based on the name in the /etc/hostname file.

Applications that were running before you changed the hostname will probably not reflect the new host name until after an application (or server) restart.

Of course the server's hostname can be anything you want it to be.  It doesn't mean anything to external servers.  They will rely on public DNS information.

Category : Linux | 0 Comments | 0 Trackbacks

Setting a UTC Timezone

2007-03-24 22:00:25

Scenario: The hosting company is in country W; the data center is in timezone X; the customer is in country Y; and their users are in country Z.

What timezone should you use for your server? Perhaps you should try Coordinated Universal Time (UTC).

vi /etc/sysconfig/clock and change the UTC line to: "UTC=true"

Set localtimezone to UTC: ln -sf /usr/share/zoneinfo/UTC /etc/localtime

If you want to set your timezone to something else, perhaps your personal timezone, then you find that timezone under /usr/share/zoneinfo and link that to /etc/localtime.  For example: ln -sf /usr/share/zoneinfo/Australia/Brisbane /etc/localtime.

Category : Linux | 0 Comments | 0 Trackbacks
