.htaccess security help
July 21, 2005 9:13 AM
Web site security question: How can I protect my .htaccess file?
I've been fighting off referrer spammers from my site using these popular modifications of my .htaccess file. The methods have proven mostly successful, but this morning I awoke to find my site once again bogged down in spam. I took a peek at the .htaccess file and found that my anti-spam modifications had been stripped out of the file. What do I need to do to protect this file from outside meddling?
Well if someone's been able to change your .htaccess file, you've got much bigger problems than the spammers. First thing to do is change all your passwords and then run software that checks for rootkits. You might want to ask your web host if the security of the server has been compromised.
If everything is as it should be, then no-one should be able to change your .htaccess file.
What type of server is it? Does the server software make any automatic changes to configuration files? (Maybe some routine activity of the server over-wrote the files) What are the permissions on the .htaccess file? Has anything been restored from backup lately?
posted by winston at 9:23 AM on July 21, 2005
Is it possible that your host rolled your site back to a backup copy due to a drive failure or something like that?
posted by bcwinters at 9:28 AM on July 21, 2005
Response by poster: permissions are as they should be. everything else seems to be untouched. I've changed my passwords and am checking with my host to see if anything has been restored from a backup copy recently. Thank you all for your input.
posted by TBoneMcCool at 9:42 AM on July 21, 2005
If people have been writing your .htaccess file without your permission, you have *major* problems. Consider the server compromised, back up as much data as you can without copying anything else that could be compromised (SQL dumps are a good place to start, but you'll probably want to reset passwords & check all sensitive options). Reinstall the OS, restore bit by bit. If you're on shared hosting, bitch & moan for a while.
(Although if you're on shared hosting, it may well be an automated backup)
posted by devilsbrigade at 10:07 AM on July 21, 2005
Best answer: Alternately, your .htaccess may have been badly written (I'm guilty of that) and horribly bogging down your host's server, leading them to lop out the offending portion.
An example of that would be if your .htaccess filtered out on the basis of domain names, rather than IP addresses, but your host (wisely) doesn't have Apache/IIS resolve IPs of incoming traffic. The result would be that each hit on your site would lead Apache to fork a process to look up the domain name. That can really be a drain.
posted by waldo at 11:48 AM on July 21, 2005
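An added example for the hostname-versus-IP point in the answer above (not part of the original thread): Apache's Allow from / Deny from rules do DNS lookups on each client address when an argument is a host name rather than an IP, and this shell function lists such arguments by line number. The rule file and the .example domains are constructed for illustration.

```shell
#!/bin/sh
# Added example: list Allow/Deny arguments in an .htaccess file that are host
# names (they force DNS lookups per request) rather than IP addresses.
# The sample rules and .example domains below are constructed.

# find_dns_rules FILE: print "LINE: argument" for every host-name argument.
find_dns_rules() {
    awk '
    {
        line = $0
        sub(/\r$/, "", line)                 # tolerate DOS line endings
        gsub(/^[ \t]+|[ \t]+$/, "", line)    # trim surrounding whitespace
        if (line == "" || line ~ /^#/) next
        n = split(line, w, /[ \t]+/)
        d = tolower(w[1])
        if ((d != "allow" && d != "deny") || tolower(w[2]) != "from") next
        for (i = 3; i <= n; i++) {
            a = tolower(w[i])
            if (a == "all" || a ~ /^env=/) continue     # no address to resolve
            if (a ~ /^[0-9.]+(\/[0-9.]+)?$/) continue   # IPv4, partial IP, CIDR, netmask
            if (a ~ /:/) continue                       # IPv6 address or prefix
            print NR ": " w[i]                          # anything else is a host name
        }
    }' "$1"
}

# make_sample FILE: write a constructed rule file to test against.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample rules
Order Allow,Deny
Allow from all
Deny from 192.0.2.15 198.51.100.0/24
Deny from spam-referrer.example
deny from 2001:db8::/32 .casino.example
EOF
}

sample=$(mktemp)
make_sample "$sample"
find_dns_rules "$sample"
rm -f "$sample"
```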
Best answer: This is indeed odd. Are you using a blog app at your site? I've seen at least one popular app rewrite .htaccess.
After creating your new .htaccess, issue a chmod 444
This limits user, group, and other to read only perms. Ownership of the file is not changed, of course, so if you need to edit it again, just chmod 644 and you're set to edit.
What is key to remember is that any file that is writeable by that file's owner is writeable by any application running as said owner.
If an app is making changes, a file with a mask of 444 is going to throw up errors... and if that happens, you've found the culprit and can go bitch to the author for a fix.
The tutorial you cite says Notepad can be used. I somewhat disagree. If you are doing this, do yourself a favor and clean up the ^M clutter in one of the following ways. The first is the easiest but it is not always available.
dos2unix dosfile.txt unixfile.txt
tr -d '\15\32' < dosfile.txt > unixfile.txt
awk '{ sub("\r$", ""); print }' dosfile.txt > unixfile.txt
Without seeing the files and the logs, I'm forced to guess at an answer. I hope this helps.
posted by V. at 11:56 AM on July 21, 2005
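An added example for the chmod 444 advice above (not part of the original thread): mode 444 makes in-place writes fail, but a program running as the owner can still chmod the file back or delete and recreate it, and a host rollback replaces it outright, so this sketch also keeps a baseline copy and reports how the live file differs. The function names, paths and sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): lock .htaccess, keep a baseline copy,
# and report later whether the live file was rewritten. Paths are constructed.

# lock_htaccess FILE BASELINE: strip CRs, set mode 444, save a baseline copy.
lock_htaccess() {
    tmp="$1.tmp.$$"
    tr -d '\r' < "$1" > "$tmp" || return 1
    mv -f "$tmp" "$1" || return 1
    chmod 444 "$1" || return 1
    rm -f "$2"; cp "$1" "$2" && chmod 400 "$2"
}

# check_htaccess FILE BASELINE: print one status word and return its code:
#   ok (0), missing (1), modified (2), writable (3)
check_htaccess() {
    [ -f "$1" ] || { echo missing; return 1; }
    if ! cmp -s "$1" "$2"; then
        echo modified
        diff "$2" "$1" >&2 || true     # show what was added or stripped
        return 2
    fi
    # Content matches; make sure the write bits were not switched back on.
    case $(ls -ld "$1" | cut -c2-10) in
        *w*) echo writable; return 3 ;;
    esac
    echo ok
}

# Demo in a scratch directory with a constructed rule file (CRLF endings).
dir=$(mktemp -d)
printf 'Order Allow,Deny\r\nDeny from 192.0.2.15\r\n' > "$dir/.htaccess"
lock_htaccess "$dir/.htaccess" "$dir/htaccess.baseline"
check_htaccess "$dir/.htaccess" "$dir/htaccess.baseline"
# Simulate an app running as the owner replacing the read-only file.
rm -f "$dir/.htaccess"
printf 'Order Allow,Deny\n' > "$dir/.htaccess"
check_htaccess "$dir/.htaccess" "$dir/htaccess.baseline" 2>/dev/null || true
rm -rf "$dir"
```

Keep the baseline outside the web root and run the check from cron; the diff on stderr shows exactly which rules were removed.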
Response by poster: Thanks again to all of you for thoughtful answers. After a long, opaque conversation with my host's tech support, the problem appears to have been a rollback on my shared server -- though I'm not 100 percent convinced the guy I was talking to was being straight with me or knew exactly what he was talking about. I have just enough Web skills to be dangerous, and all this stuff confuses the hell out of me. I think maybe it's time to switch to a new host. So again, thanks for the input!
posted by TBoneMcCool at 12:33 PM on July 21, 2005
I turned off referrers since I was never really getting any and I installed the hashcash plugin for Wordpress to defeat automated comment spam. I've never had any spam since then, and people can leave comments without any annoyances.
posted by exhilaration at 2:21 PM on July 21, 2005
WordPress did this. Might have been an upgrade you made or a theme or a plugin you installed. Has happened to me a number of times.
posted by mr.marx at 2:45 PM on July 21, 2005
This thread is closed to new comments.
In any case, you can edit ownership permissions on this file with the following command:
chmod 755 .htaccess
This will make the file writeable only by you, the owner. Everyone else can read the file but not make any changes.
posted by Rothko at 9:21 AM on July 21, 2005