Apache Security - Pros and Cons of htaccess?

bobross419

Golden Member
Oct 25, 2007
I've been doing quite a bit of reading lately on how to harden my server. One of the things that I've come across is that you should disable htaccess completely; however, I've also seen quite a few different places advising you to use htaccess settings to increase security (password-protecting directories, for example). There is also at least one WordPress security plugin that comes highly recommended that requires htaccess to be enabled to prevent certain things.

I'm leaning towards enabling htaccess and taking advantage of some of the extra security features, but wanted to get some feedback before going this direction. Mainly, does anyone have any experience with this and which option gives better security?

Thanks,
Bob
 

KillerBee

Golden Member
Jul 2, 2010
Lots of "it depends", but mainly: if it's only a one-time change, then placing the directives in the main server config file is better for security and performance.
 

Nothinman

Elite Member
Sep 14, 2001
I would say it depends on your server's usage and users' access. It's been a while, but I believe you can change a significant number of Apache settings via .htaccess files, not just authentication, so if you have users that you don't trust much it would make sense to restrict access. If it's just you and you're confident in the rest of your setup's security, it probably shouldn't be a problem.
 

VinDSL

Diamond Member
Apr 11, 2006
I've run web sites since the last century, and couldn't live without .htaccess

Really, the best way to harden your site is to try to hack it yourself.

Whatever software you decide to use, pretend you're a blackhat, go to all the hacker sites, pick up the latest vulns, and run them against yourself.

If one (or more) of them work, figure out how to harden your site against these exploits.

.htaccess is essential for protecting your site(s) against attack.

If someone sneaks past the protection and defaces your server, pore over your logs line by line. I usually get 75k-100k page views a day. Going over the logs can take a couple of days, but eventually you'll figure out exactly how they did the deed. Logs provide a beautiful paper trail. Then, patch against the weak spots.

Anyway, yes, run .htaccess, by all means. And keep after the perps. It's a never-ending battle! My .htaccess files are several hundred lines long.
 

sourceninja

Diamond Member
Mar 8, 2005
The main issue with .htaccess is that typically those files have different permissions than your main Apache config files.

This means it may be possible for non-admins to write these files and thus 'undo' all of your security. If you need to do something that is temporary, .htaccess is a good place to do it; if you need to do something more permanent, just put it in your /etc/apache/sites-available/sitename (or httpd.conf, or whatever your server calls it).

Personally, I don't use .htaccess files on production systems, but we use them on all development systems (to let devs write their own rules).
 

Red Squirrel

No Lifer
May 24, 2003
If you are offering hosting and block .htaccess, you'll have a lot of unhappy customers. There are many things you can do, such as error documents, or forcing a file to act as another MIME type (ex: I have a file with no extension that I force to act as PHP, so it's like a virtual folder; it's good for SEO). If you want to block htaccess, then find out what type of things people are using them for and make sure those options are in the user's control panel and can be backed up easily.
 

beginner99

Diamond Member
Jun 2, 2009
> I've run web sites since the last century, and couldn't live without .htaccess
>
> Really, the best way to harden your site is to try to hack it yourself.
>
> Whatever software you decide to use, pretend you're a blackhat, go to all the hacker sites, pick up the latest vulns, and run them against yourself.
>
> If one (or more) of them work, figure out how to harden your site against these exploits.
>
> .htaccess is essential for protecting your site(s) against attack.
>
> If someone sneaks past the protection and defaces your server, pore over your logs line by line. I usually get 75k-100k page views a day. Going over the logs can take a couple of days, but eventually you'll figure out exactly how they did the deed. Logs provide a beautiful paper trail. Then, patch against the weak spots.
>
> Anyway, yes, run .htaccess, by all means. And keep after the perps. It's a never-ending battle! My .htaccess files are several hundred lines long.

What's the advantage vs. putting config in the Apache config? I don't see the point outside of shared hosting, and my common sense tells me that a site is more secure without .htaccess (e.g. stuff in the main config) than with them. AFAIK it is normally recommended to put all config in the Apache config and not htaccess.
 

Red Squirrel

No Lifer
May 24, 2003
> What's the advantage vs. putting config in the Apache config? I don't see the point outside of shared hosting, and my common sense tells me that a site is more secure without .htaccess (e.g. stuff in the main config) than with them. AFAIK it is normally recommended to put all config in the Apache config and not htaccess.

Static config should be in the config file, but user config or config that is specific to a folder can be in .htaccess.

Yes it's more secure to run without .htaccess. It's even more secure if you close port 80. :p

One thing to watch for, though, is anything that allows a user to upload files: make sure they cannot create a file called .htaccess (ex: a picture upload site or something). Normally, when I code a system like that, I give my own file name and don't use the user-supplied one.
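An added audit script (not posted by anyone in this thread) that checks the two failure modes raised above: sourceninja's point that .htaccess files often carry weaker permissions than the main config, and Red Squirrel's point that a user-upload directory must never end up containing one. The DOCROOT, EXPECTED_OWNER and UPLOAD_DIR arguments are assumed; run it against your own document root.

```shell
#!/bin/sh
# Added example: audit a document root for .htaccess files that undermine
# the security set in the main Apache config.
#
# Check 1: .htaccess files writable by group or other, or not owned by the
#          expected admin account (non-admins could rewrite them).
# Check 2: any .ht* file inside the upload tree, where content comes from
#          users rather than the administrator (there should be none).
#
# Usage: audit_htaccess DOCROOT EXPECTED_OWNER UPLOAD_DIR
# Prints one line per finding; returns 0 when clean, 1 when anything is found.
audit_htaccess() {
    docroot=$1
    expected_owner=$2
    upload_dir=$3

    # -perm -002: world-writable; -perm -020: group-writable.
    bad_perms=$(find "$docroot" -name .htaccess -type f \
        \( -perm -002 -o -perm -020 -o ! -user "$expected_owner" \) \
        | sed 's/^/WRITABLE_OR_WRONG_OWNER /')

    in_uploads=
    if [ -d "$upload_dir" ]; then
        # .ht* also catches .htpasswd dropped next to an uploaded file.
        in_uploads=$(find "$upload_dir" -name '.ht*' -type f \
            | sed 's/^/HTACCESS_IN_UPLOADS /')
    fi

    [ -n "$bad_perms" ] && printf '%s\n' "$bad_perms"
    [ -n "$in_uploads" ] && printf '%s\n' "$in_uploads"

    # Clean only when neither check produced output.
    [ -z "$bad_perms$in_uploads" ]
}
```

A non-zero exit makes the function usable as a cron or CI gate on the web root; fixing a hit means tightening the file's mode or owner, or, for the upload tree, deleting the file and fixing whatever let a user choose the filename.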
 

John Connor

Lifer
Nov 30, 2012
Remember that anything with .ht in front of it means it will load that file first. It's great for shared accounts, where your host more than likely uses FS Cage anyway. For a dedicated server or VPS, you could opt for the httpd config. It's not all that necessary so long as you have the necessary security, like blocking traversal attacks, SQL injection, XSS, arbitrary file uploads that you don't specify, etc. In PHP I highly recommend Ninjafirewall, CIDRAM and PHPMussel. Ninjafirewall is hooked to your htaccess file. CIDRAM is also hooked to your htaccess file, and so is PHPMussel.


https://nintechnet.com/ninjafirewall/

https://github.com/Maikuolan/CIDRAM

https://github.com/Maikuolan/phpMussel

I know the author of both CIDRAM and PHPMussel. They are both actively being developed. I tried to use PHPMussel in phpBB, but we figured AJAX was preventing the proper block page, and thus it needs an extension to make it work.

CloudFlare can go a long way too. If you use Ninjafirewall you don't even need the $20/month account for the WAF. Try visiting my site in the sig with a VPN once. I have blocked many hosting providers' ASNs in CloudFlare, and CIDRAM will do this as well. I can tell you right now Azure and Amazon are two very bad hosters where hackers try to do crap on your site from their VPS. Azure has to be the worst. I've even seen them try to get into my home network. But one huge vector is people's hacked routers. I constantly see access attempts to my WordPress site from infected routers all around the world trying to pull XMLRPC, WP-Login, admin, etc.; all are 403ed. WP-login is renamed so I can effectively kill its access in htaccess. Even then I have WordPress security plugins. I operate in layers.

Keep in mind you don't want to fill the htaccess file up either. You will slow down your website, and if you have cPanel you will see lots of errors. Keep it at 20k or less.

Anywho...