Apache Security - Pros and Cons of htaccess?

Discussion in '*nix Software' started by bobross419, Nov 19, 2012.

  1. bobross419

    bobross419 Golden Member

    I've been doing quite a bit of reading lately on how to harden my server. One of the things that I've come across is that you should disable htaccess completely; however, I've also seen quite a few different places advising to use htaccess settings to increase security (password protecting directories for example). There is also at least one WordPress security plugin that comes highly recommended that requires htaccess enabled to prevent certain things.

    I'm leaning towards enabling htaccess and taking advantage of some of the extra security features, but wanted to get some feedback before going this direction. Mainly, does anyone have any experience with this and which option gives better security?

    Thanks,
    Bob
     

  3. KillerBee

    KillerBee Golden Member

    Lots of "it depends", but mainly: if it's only a one-time change, then placing the directives in the main server config file is better for security and performance.
     
  4. Nothinman

    Nothinman Elite Member

    I would say it depends on your server's usage and users' access. It's been a while, but I believe you can change a significant number of Apache settings via .htaccess files and not just authentication, so if you have users that you don't trust much it would make sense to restrict access. If it's just you and you're confident in the rest of your setup's security, it probably shouldn't be a problem.
     
  5. VinDSL

    VinDSL Diamond Member

    I've run web sites since the last century, and couldn't live without .htaccess

    Really, the best way to harden your site is to try to hack it yourself.

    Whatever software your decide to use, pretend you're a blackhat, go to all the hacker sites, pick up the latest vulns, and run them against yourself.

    If one (or more) of them work, figure out how to harden your site against these exploits.

    .htaccess is essential for protecting your site(s) against attack.

    If someone sneaks past the protection, and defaces your server, pore over your logs line-by-line. I usually get 75k-100k page views a day. Going over the logs can take a couple of days, but eventually you'll figure out exactly how they did the deed. Logs provide a beautiful paper trail. Then, patch against the weak spots.

    Anyway, yes, run .htaccess, by all means. And, keep after the perps. It's a never-ending battle! My .htaccess files are several hundred lines long.
     
    #4 VinDSL, Nov 20, 2012
    Last edited: Nov 20, 2012
  6. sourceninja

    sourceninja Diamond Member

    The main issue with .htaccess is that typically those files have different permissions than your main apache config files.

    This means it may be possible for non-admins to write these files and thus 'undo' all of your security. If you need to do something that is temporary, .htaccess is a good place to do it; if you need to do something more permanent, just put it in your /etc/apache/sites-available/sitename (or httpd.conf or whatever your server calls it).

    Personally I don't use .htaccess files on production systems, but we use them on all development systems (to let devs write their own rules).
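Two points from the posts above (Nothinman's, that .htaccess can change far more than authentication, and sourceninja's, that the files are often writable by non-admins) come down to two checks an admin can script: what each <Directory> block's AllowOverride actually grants, and who can write the .htaccess files that already exist. The following is an added example, not code from the thread. The httpd.conf excerpt and the temporary docroot are constructed inline; the admin uid, the directory paths and the regular expressions are assumptions.

```python
"""Audit Apache override exposure: which directories honour .htaccess at all,
and which existing .htaccess files are writable by someone other than the
admin. Added example; the config text and the files are constructed here."""
import os
import re
import stat
import tempfile

# Constructed sample of a main server config (assumption: not from the thread).
SAMPLE_HTTPD_CONF = """
<Directory "/var/www/html">
    # Every directive class (Options, FileInfo, AuthConfig, ...) may be
    # overridden from .htaccess: a writable .htaccess can re-enable
    # ExecCGI, change handlers or drop auth. Avoid on production.
    AllowOverride All
</Directory>
<Directory "/var/www/members">
    # Only authn/authz directives may be overridden: enough for
    # password-protected directories, nothing else.
    AllowOverride AuthConfig
</Directory>
<Directory "/var/www/uploads">
    # .htaccess files are never read here, so an uploaded one is inert.
    AllowOverride None
</Directory>
"""

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">\s]+)"?>(.*?)</Directory>', re.S)
OVERRIDE_RE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M)


def override_map(conf_text):
    """Map each <Directory> path to its AllowOverride value. An unset value is
    reported as 'None', the default since Apache httpd 2.3.9."""
    result = {}
    for path, body in DIRECTORY_RE.findall(conf_text):
        m = OVERRIDE_RE.search(body)
        result[path] = m.group(1) if m else "None"
    return result


def risky_overrides(conf_text):
    """Directories where .htaccess is honoured for anything beyond AuthConfig."""
    return sorted(p for p, v in override_map(conf_text).items()
                  if v not in ("None", "AuthConfig"))


def writable_htaccess(docroot, admin_uid=0):
    """Find .htaccess files that are group/world-writable or not owned by admin_uid."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        st = os.lstat(path)
        reasons = []
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("group/world writable")
        if st.st_uid != admin_uid:
            reasons.append("owner uid %d is not %d" % (st.st_uid, admin_uid))
        if reasons:
            findings.append((path, ", ".join(reasons)))
    return findings


def demo():
    """Build a throwaway docroot with constructed .htaccess files and audit it,
    treating the current user as the admin so only permissions are flagged."""
    root = tempfile.mkdtemp()
    me = os.getuid()
    for sub, mode in (("ok", 0o644), ("blog", 0o664), ("wp-content", 0o666)):
        os.makedirs(os.path.join(root, sub))
        p = os.path.join(root, sub, ".htaccess")
        with open(p, "w") as f:
            f.write("Options +ExecCGI\n")
        os.chmod(p, mode)
    flagged = [p for p, _ in writable_htaccess(root, admin_uid=me)]
    return risky_overrides(SAMPLE_HTTPD_CONF), flagged


if __name__ == "__main__":
    print(demo())
```

Against a live server, feed override_map() the concatenation of the main config and every file it Includes (vhost files too), since the regex only sees <Directory> blocks in the text it is given, and run writable_htaccess("/var/www", admin_uid=0) as root. Any .htaccess the web server's own uid can write is exactly the "undo all of your security" case sourceninja describes.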
     
  7. Red Squirrel

    Red Squirrel Lifer

    If you are offering hosting and block .htaccess you'll have a lot of unhappy customers. There are many things you can do such as error documents, forcing a file to act as another mime type (ex: I have a file with no extension I force to act as php, so it's like a virtual folder, it's good for SEO). If you want to block htaccess then find out what type of things people are using them for and make sure those options are in the user's control panel and can be backed up easily.
     
  8. beginner99

    beginner99 Diamond Member

    What's the advantage vs. putting config in apache config? I don't see the point outside of shared hosting and my common sense tells me that a site is more secure without .htaccess (e.g. stuff in main config) than with them. AFAIK it is normally recommended to put all config in apache config and not htaccess.
     
  9. Red Squirrel

    Red Squirrel Lifer

    Static config should be in the config file, but user config or config that is specific to a folder can be in .htaccess.

    Yes it's more secure to run without .htaccess. It's even more secure if you close port 80. :p

    One thing to watch for though is anything that allows a user to upload files, make sure they cannot create a file called .htaccess (ex: a picture upload site or something). Normally when I code a system like that I give my own file name and don't use the user supplied one.
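Red Squirrel's rule above (assign your own file name, never the user's) in code, as an added example that is not from the thread: the upload handler picks a random name, takes only an allowlisted extension from the client's name, and so cannot be talked into writing .htaccess (or shell.php) into the upload directory. The extension allowlist, the naming scheme and the directory layout are assumptions.

```python
"""Server-side naming for user uploads so a user can never create .htaccess
(or any other server-interpreted file) in the upload tree. Added example,
not the poster's code; the allowlist and the naming scheme are assumptions."""
import os
import secrets

# Extensions we are willing to store, each mapped to the extension we write.
# Anything not listed (php, phtml, htaccess, no extension at all) is refused.
ALLOWED_EXTENSIONS = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "gif": "gif"}


class UploadRejected(ValueError):
    pass


def normalized_extension(user_filename):
    """Return the canonical extension for a user-supplied name, or raise.
    Only the last extension counts, so 'shell.php.jpg' is stored as a .jpg."""
    # Drop any directory part the client sent ('../../.htaccess', 'C:\\x\\y.png').
    base = user_filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Dotfiles such as .htaccess have no stem, only an "extension": refuse them.
    stem, dot, ext = base.rpartition(".")
    if not stem or not dot or not ext:
        raise UploadRejected("no usable extension in %r" % user_filename)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension %r not allowed" % ext)
    return ALLOWED_EXTENSIONS[ext]


def accepts(user_filename):
    """True if the client's name yields an allowed extension."""
    try:
        normalized_extension(user_filename)
        return True
    except UploadRejected:
        return False


def storage_name(user_filename, token=None):
    """Name the file ourselves: random hex plus the canonical extension. The
    client's name is consulted only for the extension and never hits the disk.
    `token` may be supplied for reproducibility; default is 16 random bytes."""
    ext = normalized_extension(user_filename)
    token = token if token is not None else secrets.token_hex(16)
    return "%s.%s" % (token, ext)


def save_upload(upload_dir, user_filename, data):
    """Write data under a server-chosen name and return the path."""
    path = os.path.join(upload_dir, storage_name(user_filename))
    # O_EXCL: never overwrite an existing file; O_NOFOLLOW (where available):
    # never write through a symlink someone planted under our chosen name.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    """Save a constructed upload whose client name tries to land a dotfile and
    report the basename that actually reached the disk."""
    import tempfile
    upload_dir = tempfile.mkdtemp()
    path = save_upload(upload_dir, "../../.htaccess.png", b"\x89PNG\r\n\x1a\n")
    return os.path.basename(path)


if __name__ == "__main__":
    print(demo())
```

Pair this with AllowOverride None and an explicit handler-free <Directory> for the upload tree in the main config, so that even a mistake in the naming code leaves an uploaded .htaccess or .php file inert.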
     
  10. rahult

    rahult Junior Member

    Is there anybody here?
    Why is HTTPS not working properly on a page where we are using .htaccess?
     
  11. John Connor

    John Connor Lifer

    Remember that anything with .ht in front of it means it will load that file first. It's great for shared accounts where your host more than likely uses FS Cage anyway. For dedicated server or VPS, you could opt for the httpd config. It's not all that necessary so long as you have necessary security. Like blocking traversal attacks, SQL injection, XSS, arbitrary file uploads that you don't specify, etc. In PHP I highly recommend Ninjafirewall, CIDRAM and PHPMussel. Ninjafirewall is hooked to your htaccess file. CIDRAM is also hooked to your htaccess file and so is PHPMussel.


    https://nintechnet.com/ninjafirewall/

    https://github.com/Maikuolan/CIDRAM

    https://github.com/Maikuolan/phpMussel

    I know the author of both CIDRAM and PHPMussel. They are both actively being developed. I tried to use PHPMussel in phpBB, but we figured AJAX was preventing the proper block page and thus needs an extension to make it work.

    CloudFlare can go a long way too. If you use Ninjafirewall you don't even need the $20/month account for the WAF. Try visiting my site in the sig with a VPN once. I have blocked many hosting providers' ASNs in CloudFlare and CIDRAM will do this as well. I can tell you right now Azure and Amazon are two very bad hosters where hackers try to do crap on your site from their VPS. Azure has to be the worst. I've even seen them try to get into my home network. But one huge vector are people's hacked routers. I constantly see access attempts to my WordPress site from infected routers all around the world trying to pull XMLRPC, WP-Login, admin, etc. All are 403ed. WP-login is renamed so I can effectively kill its access in htaccess. Even then I have WordPress security plugins. I operate in layers.

    Keep in mind you don't want to fill the htaccess file up either. You will slow down your website and if you have cpanel you will see lots of errors. Keep it at least 20k or less.

    Anywho...
     
  12. John Connor

    John Connor Lifer


    Create your own damn thread you noob. And when you do, try to be more specific.