PEAK XOOPS - Hi guys, New and need a couple of pointers

Hi guys, New and need a couple of pointers

Posted on 2005/6/11 9:58
Jharis   Posts: 4
Hi guys,
This is my first visit to the site. Of course it's trouble that brings me knocking! I installed that really nifty protector module last night, but have a couple of problems I'm not sure how to solve. Help is greatly appreciated.

I looked in the root folder where I installed xoops but don't see ".htaccess". Do I just create a text file called ".htaccess" using notepad? If so what extension do I give it?

register_globals' : on Not secure
This setting invites a variety of injecting attacks.
If you can put .htaccess, edit or create...

/home/geeklock/public_html/.htaccess

php_flag register_globals off
I found my "php.ini" file and permissioned it to 777. I inserted "php_admin_flag allow_url_fopen off" and saved the file back to the public_html folder, but I still get a warning. Also I didn't see the "httpd.conf" file. Does the script need to be placed in a certain place in the php.ini file?

'allow_url_fopen' : on Not secure
This setting allows attackers to execute arbitrary scripts on remote servers.
Only administrator can change this option.
If you are an admin, edit php.ini or httpd.conf.
Sample of httpd.conf:
php_admin_flag allow_url_fopen off
Else, claim it to your administrators.

Last questions I have are:
Should I set the php.ini file to 644 or 444?
If using my host site's password protection, should I just password protect the entire public_html folder?

What other precautions should I take to protect my site?

Thanks guys.

don (el paso)
Votes:0 Average:0.00
Posted on 2005/6/11 23:18
tl   Posts: 84
First of all, we need to know if you are on a shared hosting environment or a dedicated server.

If it is the latter case, then you will need to edit the php.ini file. The file stays where it is and no permission change is needed. Of course, you must be a superuser to edit the file.

Find
register_globals
allow_url_fopen
make changes to the settings, restart apache/php. You can use pico to edit the file.

If you are on a shared hosting, forget the php.ini file, you can't make changes to it, only server admin can do that.

You must use .htaccess to change settings.

Using Micro$oft notepad: open the notepad and enter the line
php_flag register_globals off
then save the file (select text file format) - just type .htaccess

Or copy one of the .htaccess files that came with GIJOE's protector package, clear the contents and add the line
php_flag register_globals off
save the file and upload to your root directory. This will take care of register_globals

allow_url_fopen has to be done by server admin and you will have to ask your host for the change. They may well not do it because other users are using it.

Votes:1 Average:10.00
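A small checker, added here as an example and not part of the thread, for the .htaccess pitfalls raised above: the file must be named exactly .htaccess (no editor-appended extension), be plain ASCII with Unix line endings, be mode 644, contain the php_flag register_globals off line, and must not carry php_admin_flag or php_admin_value, which Apache only accepts in httpd.conf (in .htaccess they produce a 500 error). The demo() helper and its sample files are constructed for illustration.

```python
import os
import stat
import tempfile

# Directive the thread tells a shared-hosting user to put in .htaccess.
REQUIRED = "php_flag register_globals off"

def check_htaccess(path):
    """Return findings for one .htaccess file; an empty list means it avoids
    the pitfalls raised in this thread (name, mode, encoding, content)."""
    findings = []
    if os.path.basename(path) != ".htaccess":
        findings.append("not named exactly .htaccess (editor appended an extension?)")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o644:
        findings.append(f"mode is {oct(mode)}, expected 0644 (rw-r--r--)")
    with open(path, "rb") as f:
        raw = f.read()
    if raw.startswith(b"\xef\xbb\xbf"):
        findings.append("starts with a UTF-8 BOM; save as plain ASCII text")
        raw = raw[3:]
    if b"\r" in raw:
        findings.append("CRLF line endings; upload in ASCII mode or convert to LF")
    lines = raw.decode("ascii", errors="replace").replace("\r", "").split("\n")
    directives = [" ".join(l.split()).lower() for l in lines
                  if l.strip() and not l.lstrip().startswith("#")]
    if REQUIRED not in directives:
        findings.append(f"missing directive: {REQUIRED}")
    if any(d.startswith("php_admin_") for d in directives):
        findings.append("php_admin_flag/php_admin_value only work in httpd.conf; "
                        "in .htaccess Apache answers 500 Internal Server Error")
    return findings

def demo():
    """Constructed sample: one correct file and one with every mistake above."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, ".htaccess")
    with open(good, "wb") as f:
        f.write(b"# created per the thread\nphp_flag register_globals off\n")
    os.chmod(good, 0o644)
    bad = os.path.join(d, ".htaccess.txt")   # Notepad-style name, CRLF, BOM, 777
    with open(bad, "wb") as f:
        f.write(b"\xef\xbb\xbfphp_admin_flag allow_url_fopen off\r\n")
    os.chmod(bad, 0o777)
    return {"good": check_htaccess(good), "bad": check_htaccess(bad)}

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["OK"])
```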
Posted on 2005/6/12 3:15
Jharis   Posts: 4
Thanks Corporal for pointing me in the right direction and helping me learn more. I will use your pointers and see what I can and can not do with my host.

My host offers turning indexing off for each folder. I followed their advice and now have the ".htaccess" in every folder that I applied turn indexing off to.

Question... Are there other measures I should take to protect my site?

I have been unable to make the allow_url_fopen happen. I will ask my host to make the change on this one.

Thanks Corporal.

It's nice to have someone answer your questions.
Votes:0 Average:0.00
Posted on 2005/6/12 17:05
Jharis   Posts: 4
Here's a little of what I found out about .htaccess. I just kind of hobbled this together from what I found on the net.

1. Why would you want to edit or create a .htaccess file?

A .htaccess file provides a way to make configuration changes on a per-directory basis. The .htaccess file containing one or more rules is placed in a particular directory, and those rules apply to that directory and all subdirectories.

2. Why does the .htaccess file name look funny?

I don't know. The file is simply named ".htaccess" without the quote marks. Make sure you do not put an extension on the end of the file.

3. What do I use to create the .htaccess file?

You can use any text editor. To create the file, open up a text editor and save an empty page as .htaccess. Most likely your text editor will add its default extension to .htaccess name. (ex: for Notepad it would call the file .htaccess.txt). Remove the .txt (or other) file extension. Just right click on the file and rename to say .htaccess.

4. Once created.

htaccess files must be uploaded in ASCII mode, not BINARY. You may need to CHMOD the htaccess file to 644 or (RW-R--R--). This makes the file usable by the server, but prevents it from being read by a browser, which can seriously compromise your security.

When writing commands in the .htaccess use one line only. If you use a text editor that uses word-wrap, make sure to disable that feature or it might throw in a few extra characters.

5. Where do I place it?

In your root directory. However, the htaccess file sets rules for the directory it's placed in and all sub-directories. That is, the htaccess file located in your root directory (yoursite.com) would affect yoursite.com/content, yoursite.com/content/contents, etc.

6. The .htaccess file is commonly used to:

a. Provide custom error pages, such as 404 Page Not Found

ErrorDocument 404 my404page.html

This code can be used to create any custom page. Certain pages are more complicated to modify - if you create a custom 403 Forbidden page, then a viewer will not see the custom page. Here is a way to get around this:

ErrorDocument 403 /all/my403page.html

In the /all directory, you would need another .htaccess file, ie:

order allow,deny
allow from all

This would give access to Forbidden users to the /all directory, where the custom 403 page is kept in this example.

b. Password protection

c. Enabling SSI via .htaccess

AddType text/html .shtml
AddHandler server-parsed .shtml
Options Indexes FollowSymLinks Includes

d. Deny users by IP address

order allow,deny
deny from 123.45.67.0
deny from 123.123.7
allow from all

This would ban anyone with an IP address of 123.45.67.0 and would also ban anyone with an IP address starting in 123.123.7, for example, 123.123.74.42 would not gain access.

f. Changing the default directory page

DirectoryIndex homepage.html

Here, anyone visiting http://www.yourwebsite.com would see the homepage.html page, rather than the default index.html.

g. Redirects

Redirect /page1.html http://www.yourwebsite.com/page2.html

If someone was to visit http://www.yourwebsite.com/page1.html, they would be sent to http://www.yourwebsite.com/page2.html

h. Preventing hotlinking of images

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourwebsite\.com/.*$ [NC]
# the placeholder itself must be excluded, or the redirect loops
RewriteCond %{REQUEST_URI} !/hotlink\.gif$
RewriteRule \.(gif|jpg)$ http://www.yourwebsite.com/hotlink.gif [R,L]

Unless the image is displayed on yourwebsite.com, browsers would see the image hotlink.gif.

7. Remember the .htaccess file controls the directory it is in, plus all subdirectories. However, by placing additional .htaccess files in the subdirectories, you can overrule this.

I have not played with the .htaccess file other than using GIJoe's protector module so my understanding at this time is limited. I hope this helps others get an idea of just what that file can do. If anyone sees errors or wishes to add something to this please do.

don (el paso)
Votes:1 Average:0.00
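An added example, not from the post, that models sections d and h above in Python so the rules can be checked against sample addresses and referers before they go live. One detail it makes visible: Apache matches a partial address such as 123.123.7 on whole octets (123.123.7.x), not as a string prefix, so 123.123.74.42 is not covered by that deny line. The hotlink function also guards the placeholder hotlink.gif itself, since redirecting it would loop; all names and sample inputs are constructed.

```python
import re

# Constructed copy of the section-d rules from the post above.
HTACCESS_D = """order allow,deny
deny from 123.45.67.0
deny from 123.123.7
allow from all
"""

def parse_access(htaccess):
    """Collect Order/Allow/Deny directives (Apache 2.2 mod_authz_host syntax)."""
    order, allows, denies = "deny,allow", [], []   # Apache's default Order
    for line in htaccess.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        key = parts[0].lower()
        if key == "order":
            order = parts[1].lower()
        elif key in ("allow", "deny") and parts[1].lower() == "from":
            (allows if key == "allow" else denies).extend(parts[2:])
    return order, allows, denies

def host_matches(pattern, ip):
    """'all', a full address, or 1-3 leading octets matched on octet boundaries."""
    if pattern.lower() == "all":
        return True
    octets = pattern.split(".")
    return ip.split(".")[:len(octets)] == octets

def is_allowed(htaccess, ip):
    """Apply Apache's Order semantics to one client address."""
    order, allows, denies = parse_access(htaccess)
    allowed = any(host_matches(p, ip) for p in allows)
    denied = any(host_matches(p, ip) for p in denies)
    if order == "allow,deny":
        return allowed and not denied   # default deny; Deny wins over Allow
    return allowed or not denied        # deny,allow: default allow; Allow wins

def hotlink_target(request_path, referer):
    """Outcome of the section-h RewriteCond/RewriteRule chain for one request:
    the redirect URL, or None when the image is served as requested."""
    if not re.search(r"\.(gif|jpg)$", request_path):
        return None
    if referer == "" or request_path.endswith("/hotlink.gif"):
        return None   # empty Referer passes; the placeholder is never redirected
    if re.match(r"^http://(www\.)?yourwebsite\.com/.*$", referer, re.IGNORECASE):
        return None   # [NC]: own site matched case-insensitively
    return "http://www.yourwebsite.com/hotlink.gif"
```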
