Apache Security - Pros and Cons of htaccess?

Discussion in '*nix Software' started by bobross419, Nov 19, 2012.

  1. bobross419

    bobross419 Golden Member

    Joined:
    Oct 25, 2007
    Messages:
    1,981
    Likes Received:
    0
    I've been doing quite a bit of reading lately on how to harden my server. One of the things that I've come across is that you should disable htaccess completely; however, I've also seen quite a few different places advising to use htaccess settings to increase security (password protecting directories for example). There is also at least one Wordpress security plugin that comes highly recommended that requires htaccess enabled to prevent certain things.

    I'm leaning towards enabling htaccess and taking advantage of some of the extra security features, but wanted to get some feedback before going this direction. Mainly, does anyone have any experience with this and which option gives better security?

    Thanks,
    Bob
     
  2. KillerBee

    KillerBee Golden Member

    Joined:
    Jul 2, 2010
    Messages:
    1,494
    Likes Received:
    8
    Lots of depends but mainly if it's only a one-time change then placing the directives in the main server config file is better for security and performance
     
  3. Nothinman

    Nothinman Elite Member

    Joined:
    Sep 14, 2001
    Messages:
    30,672
    Likes Received:
    0
    I would say it depends on your server's usage and user's access. It's been a while but I believe you can change a significant number of Apache settings via .htaccess files and not just authentication so if you have users that you don't trust much it would make sense to restrict access. If it's just you and you're confident in the rest of your setup's security it probably shouldn't be a problem.
     
  4. VinDSL

    VinDSL Diamond Member

    Joined:
    Apr 11, 2006
    Messages:
    4,868
    Likes Received:
    1
    I've run web sites since the last century, and couldn't live without .htaccess

    Really, the best way to harden your site is to try to hack it yourself.

    Whatever software you decide to use, pretend you're a blackhat, go to all the hacker sites, pick up the latest vulns, and run them against yourself.

    If one (or more) of them work, figure out how to harden your site against these exploits.

    .htaccess is essential for protecting your site(s) against attack.

    If someone sneaks past the protection, and defaces your server, pore over your logs line-by-line. I usually get 75k-100k page views a day. Going over the logs can take a couple of days, but eventually you'll figure out exactly how they did the deed. Logs provide a beautiful paper trail. Then, patch against the weak spots.

    Anyway, yes, run .htaccess, by all means. And, keep after the perps. It's a never-ending battle! My .htaccess files are several hundred lines long.
     
    #4 VinDSL, Nov 20, 2012
    Last edited: Nov 20, 2012
  5. sourceninja

    sourceninja Diamond Member

    Joined:
    Mar 8, 2005
    Messages:
    8,586
    Likes Received:
    4
    The main issue with .htaccess is that typically those files have different permissions than your main apache config files.

    This means it may be possible for non-admins to write these files and thus 'undo' all of your security. If you need to do something that is temporary, .htaccess is a good place to do it; if you need to do something more permanent, just put it in your /etc/apache/sites-available/sitename (or httpd.conf or whatever your server calls it).

    Personally I don't use .htaccess files on production systems, but we use them on all development systems (to let devs write their own rules).
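The permission mismatch sourceninja describes is easy to check for. The script below is an added example (not code from any poster): it reports every AllowOverride scope in a config text that is not `None`, i.e. where Apache will honour .htaccess at all, and walks a document root for .htaccess files that are group- or world-writable or not owned by the admin uid. The config text and the document-root layout are constructed samples, and `admin_uid` defaulting to root (the usual owner of httpd.conf) is an assumption.

```python
import os
import re
import stat
import tempfile

# Matches one AllowOverride directive; group 1 is its argument list.
ALLOW_OVERRIDE_RE = re.compile(
    r"^[ \t]*AllowOverride[ \t]+(.+?)[ \t]*$", re.IGNORECASE | re.MULTILINE)

# Constructed sample config, not a real server's file.
SAMPLE_CONFIG = """\
<Directory /var/www/html>
    AllowOverride None
    Require all granted
</Directory>
<Directory /var/www/html/devs>
    AllowOverride AuthConfig Limit
</Directory>
<Directory /var/www/html/uploads>
    allowoverride none
</Directory>
"""


def htaccess_enabled_scopes(config_text):
    """Return the AllowOverride arguments that are not 'None'.

    Each entry is a <Directory> scope in which Apache reads .htaccess files;
    an empty list means .htaccess is disabled everywhere in this config."""
    return [m.group(1) for m in ALLOW_OVERRIDE_RE.finditer(config_text)
            if m.group(1).strip().lower() != "none"]


def find_risky_htaccess(docroot, admin_uid=0):
    """Walk docroot and return (path, reason) for each .htaccess file that a
    non-admin could modify: group/world-writable, or owned by a uid other
    than admin_uid (root by default; assumption: root owns httpd.conf)."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        st = os.lstat(path)
        reasons = []
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if st.st_uid != admin_uid:
            reasons.append("owned by uid %d, not %d" % (st.st_uid, admin_uid))
        if reasons:
            findings.append((path, ", ".join(reasons)))
    return findings


def build_sample_docroot(base):
    """Create a constructed document root: one properly locked-down .htaccess
    (0644) and one that anyone on the box could edit (0666)."""
    devs = os.path.join(base, "html", "devs")
    os.makedirs(devs)
    good = os.path.join(base, "html", ".htaccess")
    bad = os.path.join(devs, ".htaccess")
    for path in (good, bad):
        with open(path, "w") as fh:
            fh.write("# constructed sample\n")
    os.chmod(good, 0o644)
    os.chmod(bad, 0o666)


def demo():
    """Run both checks on the constructed samples; returns (scopes, findings)
    with paths relative to the temporary docroot."""
    scopes = htaccess_enabled_scopes(SAMPLE_CONFIG)
    with tempfile.TemporaryDirectory() as docroot:
        build_sample_docroot(docroot)
        # The current user plays the admin here so only the mode bits matter.
        findings = [(os.path.relpath(p, docroot).replace(os.sep, "/"), why)
                    for p, why in find_risky_htaccess(docroot, admin_uid=os.getuid())]
    return scopes, findings


if __name__ == "__main__":
    scopes, findings = demo()
    print("scopes where .htaccess is honoured:", scopes)
    for path, why in findings:
        print("risky .htaccess:", path, "(", why, ")")
```

On a real host, run `find_risky_htaccess("/var/www", admin_uid=0)` against the live document root and feed the actual httpd.conf (plus any included files) to `htaccess_enabled_scopes`; any directory that shows up in the second list and has a writable .htaccess in the first is exactly the "undo all of your security" case.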
     
  6. Red Squirrel

    Red Squirrel Lifer

    Joined:
    May 24, 2003
    Messages:
    36,925
    Likes Received:
    632
    If you are offering hosting and block .htaccess you'll have a lot of unhappy customers. There are many things you can do such as error documents, forcing a file to act as another mime type (ex: I have a file with no extension I force to act as php, so it's like a virtual folder, it's good for SEO). If you want to block htaccess then find out what type of things people are using them for and make sure those options are in the user's control panel and can be backed up easily.
     
  7. beginner99

    beginner99 Platinum Member

    Joined:
    Jun 2, 2009
    Messages:
    2,832
    Likes Received:
    4
    What's the advantage vs. putting config in apache config? I don't see the point outside of shared hosting and my common sense tells me that a site is more secure without .htaccess (e.g. stuff in main config) than with them. AFAIK it is normally recommended to put all config in apache config and not htaccess.
     
  8. Red Squirrel

    Red Squirrel Lifer

    Joined:
    May 24, 2003
    Messages:
    36,925
    Likes Received:
    632
    Static config should be in the config file, but user config or config that is specific to a folder can be in .htaccess.

    Yes it's more secure to run without .htaccess. It's even more secure if you close port 80. :p

    One thing to watch for though is anything that allows a user to upload files, make sure they cannot create a file called .htaccess (ex: a picture upload site or something). Normally when I code a system like that I give my own file name and don't use the user-supplied one.
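A server-side naming routine in the spirit of that last point, added here as an example (Python, not code from any poster or from WordPress): the client's file name is never written to disk, only its extension is consulted and only if it is on an allow-list, so a name like `.htaccess` or `cat.jpg.php` ends up as a server-chosen `upload_<token>.bin`. The allow-list, the sample uploads and the `upload_` prefix are assumptions for the example.

```python
import os
import secrets
import tempfile

# Allow-listed extensions for an image upload site (assumption for this example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def server_side_name(client_filename, token=None):
    """Return a file name chosen by the server, not the client.

    Only the extension is derived from the client name, and only when it is on
    the allow-list; anything else (".htaccess", "x.php", "x.png.php") becomes
    ".bin", for which the web server has no handler."""
    _base, dot, ext = client_filename.rpartition(".")
    ext = ext.lower() if dot else ""
    if ext not in ALLOWED_EXTENSIONS:
        ext = "bin"
    token = token or secrets.token_hex(16)
    return "upload_%s.%s" % (token, ext)


def store_upload(data, client_filename, upload_dir, token=None):
    """Write data under a server-chosen name inside upload_dir and return it.

    'xb' refuses to overwrite, so a retried or duplicate token can never
    replace a file that is already there."""
    name = server_side_name(client_filename, token)
    # A server-chosen name must never be a dotfile such as .htaccess.
    if name.startswith("."):
        raise ValueError("refusing to create a dotfile")
    with open(os.path.join(upload_dir, name), "xb") as fh:
        fh.write(data)
    return name


# Constructed sample uploads: one benign image name and two names that would
# be a problem if they were stored verbatim in a directory where .htaccess
# is honoured.
SAMPLE_UPLOADS = [
    ("cat.JPG", b"\xff\xd8\xff\xe0 constructed fake jpeg bytes"),
    (".htaccess", b"# constructed: would be read by Apache if stored under this name\n"),
    ("cat.jpg.php", b"# constructed: double extension\n"),
]


def demo():
    """Store the samples in a temporary directory; returns (names, on_disk)."""
    with tempfile.TemporaryDirectory() as d:
        names = [store_upload(data, client_name, d, token="%02d" % i)
                 for i, (client_name, data) in enumerate(SAMPLE_UPLOADS)]
        on_disk = sorted(os.listdir(d))
    return names, on_disk


if __name__ == "__main__":
    names, on_disk = demo()
    for (client_name, _), name in zip(SAMPLE_UPLOADS, names):
        print("%-14s -> %s" % (client_name, name))
    print("on disk:", on_disk)
```

This belongs alongside, not instead of, an `AllowOverride None` for the upload directory: the naming rule stops the file from being created, the server setting makes it harmless if the rule is ever bypassed.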
     