Защита сайта от взлома .htaccess для сайта

Универсальный метод защиты для всех CMS:
Добавьте в файл .htaccess

########## Begin - RewriteEngine enabled
RewriteEngine On
########## End - RewriteEngine enabled

########## Begin - RewriteBase
# Uncomment following line if your webserver's URL
# is not directly related to physical file paths.
# Update Your Joomla! Directory (just / for root)
#RewriteBase /
########## End - RewriteBase

########## Begin - No directory listings
IndexIgnore *
########## End - No directory listings

########## Begin - File execution order, by Komra.de
DirectoryIndex index.php index.html
########## End - File execution order

########## Begin - ETag Optimization
## This rule will create an ETag for files based only on the modification
## timestamp and their size. This works wonders if you are using rsync'ed
## servers, where the inode number of identical files differs.
## Note: It may cause problems on your server and you may need to remove it
FileETag MTime Size
########## End - ETag Optimization

########## Begin - Common hacking tools and bandwidth hoggers block
## By SigSiu.net and @nikosdion.
# This line also disables Akeeba Remote Control 2.5 and earlier
SetEnvIf user-agent "Indy Library" stayout=1
# WARNING: Disabling wget will also block the most common method for
# running CRON jobs. Remove if you have issues with CRON jobs.
SetEnvIf user-agent "Wget" stayout=1
# The following rules are for bandwidth-hogging download tools
SetEnvIf user-agent "libwww-perl" stayout=1
SetEnvIf user-agent "Download Demon" stayout=1
SetEnvIf user-agent "GetRight" stayout=1
SetEnvIf user-agent "GetWeb!" stayout=1
SetEnvIf user-agent "Go!Zilla" stayout=1
SetEnvIf user-agent "Go-Ahead-Got-It" stayout=1
SetEnvIf user-agent "GrabNet" stayout=1
SetEnvIf user-agent "TurnitinBot" stayout=1
# This line denies access to all of the above tools
deny from env=stayout
########## End - Common hacking tools and bandwidth hoggers block

########## Begin - Automatic compression of resources
# Compress text, html, javascript, css, xml, kudos to Komra.de
# May kill access to your site for old versions of Internet Explorer
# The server needs to be compiled with mod_deflate otherwise it will send HTTP 500 Error.
# mod_deflate is not available on Apache 1.x series. Can only be used with Apache 2.x server.
# AddOutputFilterByType is now deprecated by Apache. Use mod_filter in the future.
AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript
########## End - Automatic compression of resources

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# If the request query string contains /proc/self/environ (by SigSiu.net)
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Block out any script trying to set a mosConfig value through the URL
# (these attacks wouldn't work w/out Joomla! 1.5's Legacy Mode plugin)
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode or base64_decode data within the URL
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR]
## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines:
# RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR]
# RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* index.php [F]
#
########## End - Rewrite rules to block out some common exploits

########## Begin - Advanced server protection rules exceptions ####
##
## These are sample exceptions to the Advanced Server Protection 3.1
## rule set further down this file.
##
## Allow UddeIM CAPTCHA
RewriteRule ^components/com_uddeim/captcha15\.php$ - [L]
## Allow Phil Taylor's Turbo Gears
RewriteRule ^plugins/system/GoogleGears/gears-manifest\.php$ - [L]
## Allow JoomlaWorks AllVideos
RewriteRule ^plugins/content/jw_allvideos/includes/jw_allvideos_scripts\.php$ - [L]
## Allow Admin Tools Joomla! updater to run
RewriteRule ^administrator/components/com_admintools/restore\.php$ - [L]
## Allow Akeeba Backup Professional's integrated restoration script to run
RewriteRule ^administrator/components/com_akeeba/restore\.php$ - [L]
## Allow Akeeba Kickstart
RewriteRule ^kickstart\.php$ - [L]

# Add more rules to single PHP files here

## Allow Agora attachments, but not PHP files in that directory!
RewriteCond %{REQUEST_FILENAME} !(\.php)$
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^components/com_agora/img/members/ - [L]

########## End - Advanced server protection rules exceptions ####

########## Begin - File injection protection, by SigSiu.net
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]
########## End - File injection protection

########## Begin - Basic antispam Filter, by SigSiu.net
## I removed some common words, tweak to your liking
## This code uses PCRE and works only with Apache 2.x.
## This code will NOT work with Apache 1.x servers.
RewriteCond %{QUERY_STRING} \b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b [NC]
## Note: The final RewriteCond must NOT use the [OR] flag.
RewriteRule .* - [F]
## Note: The previous lines are a "compressed" version
## of the filters. You can add your own filters as:
## RewriteCond %{QUERY_STRING} \bbadword\b [NC,OR]
## where "badword" is the word you want to exclude.
########## End - Basic antispam Filter, by SigSiu.net

########## Begin - Advanced server protection - paths and files

## Back-end protection
## This also blocks fingerprinting attacks browsing for XML and INI files
RewriteRule ^administrator/?$ - [L]
RewriteRule ^administrator/index\.(php|html?)$ - [L]
RewriteRule ^administrator/index[23]\.php$ - [L]
RewriteRule ^administrator/(components|modules|templates|images|plugins)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
RewriteRule ^administrator/ - [F]

## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory
RewriteRule ^xmlrpc/(index\.php)?$ - [L]
RewriteRule ^xmlrpc/ - [F]

## Allow limited access for certain Joomla! system directories with client-accessible content
RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
## Uncomment this line if you have extensions which require direct access to their own
## custom index.php files. Note that this is UNSAFE and the developer should be ashamed
## for being so lame, lazy and security unconscious.
# RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*(index\.php)?$ - [L]
## Uncomment the following line if your template requires direct access to PHP files
## inside its directory, e.g. GZip compressed copies of its CSS files
# RewriteRule ^templates/([^/]+/)*([^/.]+\.)+php$ - [L]
RewriteRule ^(components|modules|plugins|templates)/ - [F]

## Disallow access to rogue PHP files throughout the site, unless they are explicitly allowed
RewriteCond %{REQUEST_FILENAME} \.php$
RewriteCond %{REQUEST_FILENAME} !/index[23]?\.php$
## The next line is to explicitly allow the forum post assistant(fpa-xx)script to run
RewriteCond %{REQUEST_FILENAME} !/fpa-[a-z]{2}\.php
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^([^/]+/)*([^/.]+\.)+php$ - [F]

########## End - Advanced server protection - paths and files

########## Begin - Advanced server protection - query strings, referrer and config
# Advanced server protection, version 3.2 - May 2011
# by Nicholas K. Dionysopoulos

## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
## your PHP version). See http://www.0php.com/php_easter_egg.php and
## http://osvdb.org/12184 for more information
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule .* - [F]

## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
## May cause problems on legitimate requests
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]
RewriteRule .* - [F]

## Disallow visual fingerprinting of Joomla! sites (module position dump)
## Initial idea by Brian Teeman and Ken Crowder, see:
## http://www.slideshare.net/brianteeman/hidden-joomla-secrets
## Improved by @nikosdion to work more efficiently and handle template
## and tmpl query parameters
RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC]
RewriteRule .* - [L]
RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC]
RewriteRule .* - [F]

## Disallow access to htaccess.txt, configuration.php, configuration.php-dist and php.ini
RewriteRule ^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$ - [F]

########## End - Advanced server protection - query strings, referrer and config

########## Begin - Joomla! core SEF Section
#
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
#
# If the requested path and file is not /index.php and the request
# has not already been internally rewritten to the index.php script
RewriteCond %{REQUEST_URI} !^/index\.php
# and the request is for the site root, or for an extensionless URL,
# or the requested URL ends with one of the listed extensions
RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw|ini|zip|json|file))$ [NC]
# and the requested path and file doesn't directly match a physical file
RewriteCond %{REQUEST_FILENAME} !-f
# and the requested path doesn't directly match a physical folder
RewriteCond %{REQUEST_FILENAME} !-d
# internally rewrite the request to the index.php script
RewriteRule .* index.php [L]
#
########## End - Joomla! core SEF Section

########## Begin - Optimal default expiration time
## Note: this might cause problems and you might have to comment it out by
## placing a hash in front of this section's lines
<IfModule mod_expires.c>
# Enable expiration control
ExpiresActive On

# Default expiration: 1 hour after request
ExpiresDefault "now plus 1 hour"

# CSS and JS expiration: 1 week after request
ExpiresByType text/css "now plus 1 week"
ExpiresByType application/javascript "now plus 1 week"
ExpiresByType application/x-javascript "now plus 1 week"

# Image files expiration: 1 month after request
ExpiresByType image/bmp "now plus 1 month"
ExpiresByType image/gif "now plus 1 month"
ExpiresByType image/jpeg "now plus 1 month"
ExpiresByType image/jp2 "now plus 1 month"
ExpiresByType image/pipeg "now plus 1 month"
ExpiresByType image/png "now plus 1 month"
ExpiresByType image/svg+xml "now plus 1 month"
ExpiresByType image/tiff "now plus 1 month"
ExpiresByType image/vnd.microsoft.icon "now plus 1 month"
ExpiresByType image/x-icon "now plus 1 month"
ExpiresByType image/ico "now plus 1 month"
ExpiresByType image/icon "now plus 1 month"
ExpiresByType text/ico "now plus 1 month"
ExpiresByType application/ico "now plus 1 month"
ExpiresByType image/vnd.wap.wbmp "now plus 1 month"
ExpiresByType application/vnd.wap.wbxml "now plus 1 month"
ExpiresByType application/smil "now plus 1 month"

# Audio files expiration: 1 month after request
ExpiresByType audio/basic "now plus 1 month"
ExpiresByType audio/mid "now plus 1 month"
ExpiresByType audio/midi "now plus 1 month"
ExpiresByType audio/mpeg "now plus 1 month"
ExpiresByType audio/x-aiff "now plus 1 month"
ExpiresByType audio/x-mpegurl "now plus 1 month"
ExpiresByType audio/x-pn-realaudio "now plus 1 month"
ExpiresByType audio/x-wav "now plus 1 month"

# Movie files expiration: 1 month after request
ExpiresByType application/x-shockwave-flash "now plus 1 month"
ExpiresByType x-world/x-vrml "now plus 1 month"
ExpiresByType video/x-msvideo "now plus 1 month"
ExpiresByType video/mpeg "now plus 1 month"
ExpiresByType video/mp4 "now plus 1 month"
ExpiresByType video/quicktime "now plus 1 month"
ExpiresByType video/x-la-asf "now plus 1 month"
ExpiresByType video/x-ms-asf "now plus 1 month"
</IfModule>
########## End - Optimal expiration time

########## Block bad user agents
## The following list may include bots that no longer exist or are not a problem for your site.
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
## Note: The final RewriteCond must NOT use the [OR] flag.
## Return 403 Forbidden error.
RewriteRule .* - [F]

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

########## Begin - RewriteEngine enabled

RewriteEngine On

########## End - RewriteEngine enabled

########## Begin - RewriteBase

# Uncomment following line if your webserver's URL

# is not directly related to physical file paths.

# Update Your Joomla! Directory (just / for root)

#RewriteBase /

########## End - RewriteBase

########## Begin - No directory listings

IndexIgnore *

########## End - No directory listings

########## Begin - File execution order, by Komra.de

DirectoryIndex index.php index.html

########## End - File execution order

########## Begin - ETag Optimization

## This rule will create an ETag for files based only on the modification

## timestamp and their size. This works wonders if you are using rsync'ed

## servers, where the inode number of identical files differs.

## Note: It may cause problems on your server and you may need to remove it

FileETag MTime Size

########## End - ETag Optimization

########## Begin - Common hacking tools and bandwidth hoggers block

## By SigSiu.net and @nikosdion.

# This line also disables Akeeba Remote Control 2.5 and earlier

SetEnvIf user-agent "Indy Library" stayout=1

# WARNING: Disabling wget will also block the most common method for

# running CRON jobs. Remove if you have issues with CRON jobs.

SetEnvIf user-agent "Wget" stayout=1

# The following rules are for bandwidth-hogging download tools

SetEnvIf user-agent "libwww-perl" stayout=1

SetEnvIf user-agent "Download Demon" stayout=1

SetEnvIf user-agent "GetRight" stayout=1

SetEnvIf user-agent "GetWeb!" stayout=1

SetEnvIf user-agent "Go!Zilla" stayout=1

SetEnvIf user-agent "Go-Ahead-Got-It" stayout=1

SetEnvIf user-agent "GrabNet" stayout=1

SetEnvIf user-agent "TurnitinBot" stayout=1

# This line denies access to all of the above tools

deny from env=stayout

########## End - Common hacking tools and bandwidth hoggers block

########## Begin - Automatic compression of resources

# Compress text, html, javascript, css, xml, kudos to Komra.de

# May kill access to your site for old versions of Internet Explorer

# The server needs to be compiled with mod_deflate otherwise it will send HTTP 500 Error.

# mod_deflate is not available on Apache 1.x series. Can only be used with Apache 2.x server.

# AddOutputFilterByType is now deprecated by Apache. Use mod_filter in the future.

AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript

########## End - Automatic compression of resources

########## Begin - Rewrite rules to block out some common exploits

## If you experience problems on your site block out the operations listed below

## This attempts to block the most common type of exploit `attempts` to Joomla!

# If the request query string contains /proc/self/environ (by SigSiu.net)

RewriteCond %{QUERY_STRING} proc/self/environ [OR]

# Block out any script trying to set a mosConfig value through the URL

# (these attacks wouldn't work w/out Joomla! 1.5's Legacy Mode plugin)

RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]

# Block out any script trying to base64_encode or base64_decode data within the URL

RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*$[^)]*$ [OR]

## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines:

# RewriteCond %{QUERY_STRING} base64_encode$.*$ [OR]

# RewriteCond %{QUERY_STRING} base64_decode$.*$ [OR]

# Block out any script that includes a <script> tag in URL

RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]

# Block out any script trying to set a PHP GLOBALS variable via URL

RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

# Block out any script trying to modify a _REQUEST variable via URL

RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

# Return 403 Forbidden header and show the content of the root homepage

RewriteRule .* index.php [F]

########## End - Rewrite rules to block out some common exploits

########## Begin - Advanced server protection rules exceptions ####

## These are sample exceptions to the Advanced Server Protection 3.1

## rule set further down this file.

## Allow UddeIM CAPTCHA

RewriteRule ^components/com_uddeim/captcha15\.php$ - [L]

## Allow Phil Taylor's Turbo Gears

RewriteRule ^plugins/system/GoogleGears/gears-manifest\.php$ - [L]

## Allow JoomlaWorks AllVideos

RewriteRule ^plugins/content/jw_allvideos/includes/jw_allvideos_scripts\.php$ - [L]

## Allow Admin Tools Joomla! updater to run

RewriteRule ^administrator/components/com_admintools/restore\.php$ - [L]

## Allow Akeeba Backup Professional's integrated restoration script to run

RewriteRule ^administrator/components/com_akeeba/restore\.php$ - [L]

## Allow Akeeba Kickstart

RewriteRule ^kickstart\.php$ - [L]

# Add more rules to single PHP files here

## Allow Agora attachments, but not PHP files in that directory!

RewriteCond %{REQUEST_FILENAME} !(\.php)$

RewriteCond %{REQUEST_FILENAME} -f

RewriteRule ^components/com_agora/img/members/ - [L]

########## End - Advanced server protection rules exceptions ####

########## Begin - File injection protection, by SigSiu.net

RewriteCond %{REQUEST_METHOD} GET

RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]

RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]

RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]

RewriteRule .* - [F]

########## End - File injection protection

########## Begin - Basic antispam Filter, by SigSiu.net

## I removed some common words, tweak to your liking

## This code uses PCRE and works only with Apache 2.x.

## This code will NOT work with Apache 1.x servers.

RewriteCond %{QUERY_STRING} \b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b [NC,OR]

RewriteCond %{QUERY_STRING} \b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b [NC,OR]

RewriteCond %{QUERY_STRING} \b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b [NC,OR]

RewriteCond %{QUERY_STRING} \b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b [NC]

## Note: The final RewriteCond must NOT use the [OR] flag.

RewriteRule .* - [F]

## Note: The previous lines are a "compressed" version

## of the filters. You can add your own filters as:

## RewriteCond %{QUERY_STRING} \bbadword\b [NC,OR]

## where "badword" is the word you want to exclude.

########## End - Basic antispam Filter, by SigSiu.net

########## Begin - Advanced server protection - paths and files

## Back-end protection

## This also blocks fingerprinting attacks browsing for XML and INI files

RewriteRule ^administrator/?$ - [L]

RewriteRule ^administrator/index\.(php|html?)$ - [L]

RewriteRule ^administrator/index[23]\.php$ - [L]

RewriteRule ^administrator/(components|modules|templates|images|plugins)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]

RewriteRule ^administrator/ - [F]

## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory

RewriteRule ^xmlrpc/(index\.php)?$ - [L]

RewriteRule ^xmlrpc/ - [F]

## Allow limited access for certain Joomla! system directories with client-accessible content

RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]

## Uncomment this line if you have extensions which require direct access to their own

## custom index.php files. Note that this is UNSAFE and the developer should be ashamed

## for being so lame, lazy and security unconscious.

# RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*(index\.php)?$ - [L]

## Uncomment the following line if your template requires direct access to PHP files

## inside its directory, e.g. GZip compressed copies of its CSS files

# RewriteRule ^templates/([^/]+/)*([^/.]+\.)+php$ - [L]

RewriteRule ^(components|modules|plugins|templates)/ - [F]

## Disallow access to rogue PHP files throughout the site, unless they are explicitly allowed

RewriteCond %{REQUEST_FILENAME} \.php$

RewriteCond %{REQUEST_FILENAME} !/index[23]?\.php$

## The next line is to explicitly allow the forum post assistant(fpa-xx)script to run

RewriteCond %{REQUEST_FILENAME} !/fpa-[a-z]{2}\.php

RewriteCond %{REQUEST_FILENAME} -f

RewriteRule ^([^/]+/)*([^/.]+\.)+php$ - [F]

########## End - Advanced server protection - paths and files

########## Begin - Advanced server protection - query strings, referrer and config

# Advanced server protection, version 3.2 - May 2011

# by Nicholas K. Dionysopoulos

## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine

## your PHP version). See http://www.0php.com/php_easter_egg.php and

## http://osvdb.org/12184 for more information

RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]

RewriteRule .* - [F]

## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @

## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html

## May cause problems on legitimate requests

RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]

RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]

RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]

RewriteRule .* - [F]

## Disallow visual fingerprinting of Joomla! sites (module position dump)

## Initial idea by Brian Teeman and Ken Crowder, see:

## http://www.slideshare.net/brianteeman/hidden-joomla-secrets

## Improved by @nikosdion to work more efficiently and handle template

## and tmpl query parameters

RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC]

RewriteRule .* - [L]

RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC]

RewriteRule .* - [F]

## Disallow access to htaccess.txt, configuration.php, configuration.php-dist and php.ini

RewriteRule ^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$ - [F]

########## End - Advanced server protection - query strings, referrer and config

########## Begin - Joomla! core SEF Section

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

# If the requested path and file is not /index.php and the request

# has not already been internally rewritten to the index.php script

RewriteCond %{REQUEST_URI} !^/index\.php

# and the request is for the site root, or for an extensionless URL,

# or the requested URL ends with one of the listed extensions

RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw|ini|zip|json|file))$ [NC]

# and the requested path and file doesn't directly match a physical file

RewriteCond %{REQUEST_FILENAME} !-f

# and the requested path doesn't directly match a physical folder

RewriteCond %{REQUEST_FILENAME} !-d

# internally rewrite the request to the index.php script

RewriteRule .* index.php [L]

########## End - Joomla! core SEF Section

########## Begin - Optimal default expiration time

## Note: this might cause problems and you might have to comment it out by

## placing a hash in front of this section's lines

# Enable expiration control

ExpiresActive On

# Default expiration: 1 hour after request

ExpiresDefault "now plus 1 hour"

# CSS and JS expiration: 1 week after request

ExpiresByType text/css "now plus 1 week"

ExpiresByType application/javascript "now plus 1 week"

ExpiresByType application/x-javascript "now plus 1 week"

# Image files expiration: 1 month after request

ExpiresByType image/bmp "now plus 1 month"

ExpiresByType image/gif "now plus 1 month"

ExpiresByType image/jpeg "now plus 1 month"

ExpiresByType image/jp2 "now plus 1 month"

ExpiresByType image/pipeg "now plus 1 month"

ExpiresByType image/png "now plus 1 month"

ExpiresByType image/svg+xml "now plus 1 month"

ExpiresByType image/tiff "now plus 1 month"

ExpiresByType image/vnd.microsoft.icon "now plus 1 month"

ExpiresByType image/x-icon "now plus 1 month"

ExpiresByType image/ico "now plus 1 month"

ExpiresByType image/icon "now plus 1 month"

ExpiresByType text/ico "now plus 1 month"

ExpiresByType application/ico "now plus 1 month"

ExpiresByType image/vnd.wap.wbmp "now plus 1 month"

ExpiresByType application/vnd.wap.wbxml "now plus 1 month"

ExpiresByType application/smil "now plus 1 month"

# Audio files expiration: 1 month after request

ExpiresByType audio/basic "now plus 1 month"

ExpiresByType audio/mid "now plus 1 month"

ExpiresByType audio/midi "now plus 1 month"

ExpiresByType audio/mpeg "now plus 1 month"

ExpiresByType audio/x-aiff "now plus 1 month"

ExpiresByType audio/x-mpegurl "now plus 1 month"

ExpiresByType audio/x-pn-realaudio "now plus 1 month"

ExpiresByType audio/x-wav "now plus 1 month"

# Movie files expiration: 1 month after request

ExpiresByType application/x-shockwave-flash "now plus 1 month"

ExpiresByType x-world/x-vrml "now plus 1 month"

ExpiresByType video/x-msvideo "now plus 1 month"

ExpiresByType video/mpeg "now plus 1 month"

ExpiresByType video/mp4 "now plus 1 month"

ExpiresByType video/quicktime "now plus 1 month"

ExpiresByType video/x-la-asf "now plus 1 month"

ExpiresByType video/x-ms-asf "now plus 1 month"

</IfModule>

########## End - Optimal expiration time

########## Block bad user agents

## The following list may include bots that no longer exist or are not a problem for your site.

RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]

RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]

RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]

RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]

RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]

RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]

RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]

RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]

RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]

RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]

RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]

RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]

RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]

RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]

RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]

RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]

RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]

RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]

RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]

RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]

RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]

RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]

RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]

RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]

RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]

RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]

RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]

RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]

RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]

RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]

RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]

RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]

RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]

RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]

RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]

RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]

RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]

RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]

RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]

RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]

RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]

RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]

RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]

RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]

RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]

RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]

RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]

RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]

RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]

RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]

RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]

RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]

RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]

RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]

RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]

RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]

RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]

RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]

RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]

RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]

RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]

RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]

RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]

RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]

RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]

RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]

RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]

RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]

RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]

RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]

RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]

RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]

RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]

RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]

RewriteCond %{HTTP_USER_AGENT} ^Zeus

## Note: The final RewriteCond must NOT use the [OR] flag.

## Return 403 Forbidden error.

RewriteRule .* - [F]

Section 1. Внимание, ниже не рабочий конфиг, не на всех Joomla работает.

######################################## START PROTECT ################################################## #
# Enable mod rewrite
RewriteEngine On


########## Begin - No directory listings
IndexIgnore *
Options -Indexes

########## Begin - File execution order, by Komra.de
DirectoryIndex index.php index.html

########## Begin - Common hacking tools and bandwidth hoggers block
SetEnvIf user-agent "Indy Library" stayout=1
#SetEnvIf user-agent "Wget" stayout=1
SetEnvIf user-agent "libwww-perl" stayout=1
SetEnvIf user-agent "Download Demon" stayout=1
SetEnvIf user-agent "GetRight" stayout=1
SetEnvIf user-agent "GetWeb!" stayout=1
SetEnvIf user-agent "Go!Zilla" stayout=1
SetEnvIf user-agent "Go-Ahead-Got-It" stayout=1
SetEnvIf user-agent "GrabNet" stayout=1
SetEnvIf user-agent "TurnitinBot" stayout=1

deny from env=stayout

########## Begin - Rewrite rules to block out some common exploits
# If the request query string contains /proc/self/environ (by SigSiu.net)
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Block out any script trying to base64_encode or base64_decode data within the URL
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR]
## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines:
# RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR]
# RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR]

# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* index.php [F]
#
########## End - Rewrite rules to block out some common exploits

########## Begin - File injection protection, by SigSiu.net
RewriteCond %{REQUEST_METHOD} GET
# to put some exceptions
#RewriteCond %{QUERY_STRING} ![a-zA-Z0-9_]=http://yoursite\.ru/
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=https:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=ftp:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
# CustomLog insert-path-and-name-of-log common env=bad-range
RewriteRule .* - [F]

########## Begin - Basic antispam Filter, by SigSiu.net
## This code will NOT work with Apache 1.x servers.

# RewriteCond %{QUERY_STRING} \b(ambien|blue\spill|cialis|cocaine|ejaculation|er ectile)\b [NC,OR]
# RewriteCond %{QUERY_STRING} \b(erections|hoodia|huronriveracres|impotence|levi tra|libido)\b [NC,OR]
# RewriteCond %{QUERY_STRING} \b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b [NC,OR]
# RewriteCond %{QUERY_STRING} \b(ultram|unicauca|valium|viagra|vicodin|xanax|ypx aieo)\b [NC]

# RewriteRule .* - [F]

########## Begin - Advanced server protection - query strings, referrer and config
## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
## your PHP version). See http://www.0php.com/php_easter_egg.php and
## http://osvdb.org/12184 for more information
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC]
RewriteRule .* - [F]

## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
## http://www.sigsiu.net/presentations/...a_website.html
## May cause problems on legitimate requests
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]
# CustomLog insert-path-and-name-of-log common env=bad-range
RewriteRule .* - [F]

#### More
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{THE_REQUEST} (\\r|\\n|%0A|%0D) [NC,OR]

#RewriteCond %{HTTP_REFERER} (<|>|-|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
#RewriteCond %{HTTP_COOKIE} (<|>|-|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
#RewriteCond %{HTTP_USER_AGENT} (<|>|-|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]


RewriteCond %{HTTP_REFERER} ^(.*)(<|>|’|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{HTTP_COOKIE} ^.*(<|>|’|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|”>|”<|/|\\\.\.\\).{0,9999}.* [NC,OR]

RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (winhttp|HTTrack|clshttp|archiver|loader|email|har vest|extract|grab|miner) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|curl|wget|python|nikto|scan) [NC,OR]


RewriteCond %{QUERY_STRING} proc\/self\/environ [NC,OR]
RewriteCond %{QUERY_STRING} etc\/passwd [NC,OR]

#Block mySQL injects
RewriteCond %{QUERY_STRING} (;|<|>|-|¦|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|information_schema|union|delete|select|insert|c ast|set|concat_ws|file_priv|load_file|aes_decrypt| unhex|aes_encrypt|declare|drop|update|md5|benchmar k) [NC,OR]
RewriteCond %{QUERY_STRING} \.\./\.\. [OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|-|%0A|%0D|%27|%3C|%3E|%00) [NC]
# CustomLog insert-path-and-name-of-log common env=bad-range
RewriteRule .* - [F]

# drop Range header when more than 5 ranges.
#SetEnvIf Range (,.*?){5,} bad-range=1
#RequestHeader unset Range env=bad-range
# CustomLog insert-path-and-name-of-log common env=bad-range

# XSS Protection
#Header set X-Frame-Options DENY
#Header set X-XSS-Protection "1; mode=block"
#Header set X-Content-Security-Policy "allow 'self';"
#Header set X-Content-Type-Options "nosniff"

# multiple file types
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh|sql) $">
Order Allow,Deny
Deny from all
</FilesMatch>
########################## END ######################################

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

######################################## START PROTECT ################################################## #

# Enable mod rewrite

RewriteEngine On

########## Begin - No directory listings

IndexIgnore *

Options -Indexes

########## Begin - File execution order, by Komra.de

DirectoryIndex index.php index.html

########## Begin - Common hacking tools and bandwidth hoggers block

SetEnvIf user-agent "Indy Library" stayout=1

#SetEnvIf user-agent "Wget" stayout=1

SetEnvIf user-agent "libwww-perl" stayout=1

SetEnvIf user-agent "Download Demon" stayout=1

SetEnvIf user-agent "GetRight" stayout=1

SetEnvIf user-agent "GetWeb!" stayout=1

SetEnvIf user-agent "Go!Zilla" stayout=1

SetEnvIf user-agent "Go-Ahead-Got-It" stayout=1

SetEnvIf user-agent "GrabNet" stayout=1

SetEnvIf user-agent "TurnitinBot" stayout=1

deny from env=stayout

########## Begin - Rewrite rules to block out some common exploits

# If the request query string contains /proc/self/environ (by SigSiu.net)

RewriteCond %{QUERY_STRING} proc/self/environ [OR]

# Block out any script trying to base64_encode or base64_decode data within the URL

RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*$[^)]*$ [OR]

## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines:

# RewriteCond %{QUERY_STRING} base64_encode$.*$ [OR]

# RewriteCond %{QUERY_STRING} base64_decode$.*$ [OR]

# Block out any script that includes a <script> tag in URL

RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]

# Block out any script trying to set a PHP GLOBALS variable via URL

RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

# Block out any script trying to modify a _REQUEST variable via URL

RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

# Return 403 Forbidden header and show the content of the root homepage

RewriteRule .* index.php [F]

########## End - Rewrite rules to block out some common exploits

########## Begin - File injection protection, by SigSiu.net

RewriteCond %{REQUEST_METHOD} GET

# to put some exceptions

#RewriteCond %{QUERY_STRING} ![a-zA-Z0-9_]=http://yoursite\.ru/

RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]

RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=https:// [OR]

RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=ftp:// [OR]

RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]

RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]

# CustomLog insert-path-and-name-of-log common env=bad-range

RewriteRule .* - [F]

########## Begin - Basic antispam Filter, by SigSiu.net

## This code will NOT work with Apache 1.x servers.

# RewriteCond %{QUERY_STRING} \b(ambien|blue\spill|cialis|cocaine|ejaculation|er ectile)\b [NC,OR]

# RewriteCond %{QUERY_STRING} \b(erections|hoodia|huronriveracres|impotence|levi tra|libido)\b [NC,OR]

# RewriteCond %{QUERY_STRING} \b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b [NC,OR]

# RewriteCond %{QUERY_STRING} \b(ultram|unicauca|valium|viagra|vicodin|xanax|ypx aieo)\b [NC]

# RewriteRule .* - [F]

########## Begin - Advanced server protection - query strings, referrer and config

## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine

## your PHP version). See http://www.0php.com/php_easter_egg.php and

## http://osvdb.org/12184 for more information

RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]

RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]

RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC]

RewriteRule .* - [F]

## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @

## http://www.sigsiu.net/presentations/...a_website.html

## May cause problems on legitimate requests

RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]

RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]

RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]

# CustomLog insert-path-and-name-of-log common env=bad-range

RewriteRule .* - [F]

#### More

RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]

RewriteCond %{THE_REQUEST} (\\r|\\n|%0A|%0D) [NC,OR]

#RewriteCond %{HTTP_REFERER} (<|>|-|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]

#RewriteCond %{HTTP_COOKIE} (<|>|-|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]

#RewriteCond %{HTTP_USER_AGENT} (<|>|-|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]

RewriteCond %{HTTP_REFERER} ^(.*)(<|>|’|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]

RewriteCond %{HTTP_COOKIE} ^.*(<|>|’|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]

RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|”>|”<|/|\\\.\.\\).{0,9999}.* [NC,OR]

RewriteCond %{HTTP_USER_AGENT} ^$ [OR]

RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (winhttp|HTTrack|clshttp|archiver|loader|email|har vest|extract|grab|miner) [NC,OR]

RewriteCond %{HTTP_USER_AGENT} (libwww-perl|curl|wget|python|nikto|scan) [NC,OR]

RewriteCond %{QUERY_STRING} proc\/self\/environ [NC,OR]

RewriteCond %{QUERY_STRING} etc\/passwd [NC,OR]

#Block mySQL injects

RewriteCond %{QUERY_STRING} (;|<|>|-|¦|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|information_schema|union|delete|select|insert|c ast|set|concat_ws|file_priv|load_file|aes_decrypt| unhex|aes_encrypt|declare|drop|update|md5|benchmar k) [NC,OR]

RewriteCond %{QUERY_STRING} \.\./\.\. [OR]

RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]

RewriteCond %{QUERY_STRING} (<|>|-|%0A|%0D|%27|%3C|%3E|%00) [NC]

# CustomLog insert-path-and-name-of-log common env=bad-range

RewriteRule .* - [F]

# drop Range header when more than 5 ranges.

#SetEnvIf Range (,.*?){5,} bad-range=1

#RequestHeader unset Range env=bad-range

# CustomLog insert-path-and-name-of-log common env=bad-range

# XSS Protection

#Header set X-Frame-Options DENY

#Header set X-XSS-Protection "1; mode=block"

#Header set X-Content-Security-Policy "allow 'self';"

#Header set X-Content-Type-Options "nosniff"

# multiple file types

Order Allow,Deny

Deny from all

</FilesMatch>

########################## END ######################################

Защита сайта от взлома .htaccess для сайта

ОтEduard Yamaltdinov

Section 1. Внимание, ниже не рабочий конфиг, не на всех Joomla работает.

Section 2. Related Posts:

От Eduard Yamaltdinov

Похожая запись

Как установить Django Web Framework на CentOS 7

Добавить комментарий Отменить ответ