#14730 htaccess rules

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Tuesday, 29 January 2013 07:13 CST

hellodesign

Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: (2.5.8)
PHP version: (5.3.3)
MySQL version: (5.1.39)
Host: (optional, but it helps us help you)
Admin Tools version: (2.4.4)

Description of my issue:

We have a particularly obnoxious attacker trying to force admin entry in a number of sites we administer. They use different IP addresses, but they all originate from kimsufi.com in France. This is typical: http://screencast.com/t/aMLCZhAqerSN So far we have been blocking individual IPs using the security exceptions log, but we get up to 10 attacks a day on several sites, and this is time consuming. I am a newbie to htaccess, and my question is:

Can I set a custom htaccess rule like this:

<Limit GET HEAD POST>
order allow,deny
deny from kimsufi.com
allow from all
</Limit>

Would I put this at the end of the htaccess file in the htaccessmaker?

Many thanks
George

nicholas
Akeeba Staff
Manager

As far as I know, the "allow" and "deny" rules only work with IP addresses, not domain names. Your web server would have to do a reverse DNS lookup for each request to enforce this kind of blocking, slowing down page load times to a crawl.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

hellodesign

This rule works at the bottom of the .htaccess:

# RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} nastyURL\.com [NC]
RewriteRule .* - [F]

Remember to use the \ in front of the period in the URL.

Uncomment the RewriteEngine or FollowSymlinks as required.

To block more than one, use this:

# RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} nastyURL\.com [NC,OR]
RewriteCond %{HTTP_REFERER} peskyURL\.com [NC]
RewriteRule .* - [F]

nicholas
Akeeba Staff
Manager

I am aware of the HTTP Referer filtering, but I've seen that it's nowhere near as useful as you might think it is. This trick relies on the attacker's user agent (browser, script, ...) kindly providing your server with a Referer header in the HTTP request. Any semi-serious attacker –including most script kiddies– has by now figured out how to use an anonymising proxy or a custom script which doesn't send this header. Moreover, this doesn't do a reverse DNS lookup for the IPs accessing your server, i.e. you are solving a completely different problem than what you set out to solve in the first place :)

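As an added example (not code from this thread or from Admin Tools), the Referer rules posted above replayed in Python over constructed Apache combined-log lines: it applies the two RewriteCond patterns case-insensitively, as [NC] does, and then counts the administrator login POSTs that carry no Referer and therefore pass the filter, which is the gap Nicholas describes. The IP addresses, timestamps and log lines are constructed; the threshold in suggest_deny is an arbitrary choice.

```python
import re
from collections import Counter

# Apache "combined" format: ip - - [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The patterns from the thread's RewriteCond lines; [NC] makes them case-insensitive.
BLOCKED_REFERERS = [re.compile(p, re.IGNORECASE) for p in (r"nastyURL\.com", r"peskyURL\.com")]

def referer_rule_blocks(referer: str) -> bool:
    """Mirror of: RewriteCond %{HTTP_REFERER} <pattern> [NC,OR] ... RewriteRule .* - [F]"""
    return any(rx.search(referer) for rx in BLOCKED_REFERERS)

def analyse(lines):
    """Return (requests the Referer rule blocks, per-IP count of admin POSTs it lets through)."""
    blocked, evaded = 0, Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # skip lines that are not combined-format
        ref = "" if m["referer"] == "-" else m["referer"]   # Apache logs a missing header as "-"
        if referer_rule_blocks(ref):
            blocked += 1
            continue
        if m["method"] == "POST" and m["path"].startswith("/administrator/"):
            evaded[m["ip"]] += 1         # login attempt that no Referer rule can see
    return blocked, evaded

def suggest_deny(evaded, threshold=3):
    """IPs with at least `threshold` unblocked admin POSTs, as an Apache 2.2 'order allow,deny' block."""
    ips = sorted(ip for ip, n in evaded.items() if n >= threshold)
    return "\n".join(["order allow,deny"] + [f"deny from {ip}" for ip in ips] + ["allow from all"])

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Jan/2013:10:01:02 +0100] "POST /administrator/index.php HTTP/1.1" 200 512 "http://www.NastyURL.com/" "Mozilla/5.0"',
    '192.0.2.10 - - [28/Jan/2013:10:01:05 +0100] "POST /administrator/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Jan/2013:10:02:11 +0100] "POST /administrator/index.php HTTP/1.1" 200 512 "-" "python-requests/1.1"',
    '198.51.100.7 - - [28/Jan/2013:10:02:12 +0100] "POST /administrator/index.php HTTP/1.1" 200 512 "-" "python-requests/1.1"',
    '198.51.100.7 - - [28/Jan/2013:10:02:13 +0100] "POST /administrator/index.php HTTP/1.1" 200 512 "-" "python-requests/1.1"',
    '198.51.100.7 - - [28/Jan/2013:10:02:14 +0100] "POST /administrator/index.php HTTP/1.1" 200 512 "-" "python-requests/1.1"',
    '203.0.113.5 - - [28/Jan/2013:10:03:00 +0100] "GET /index.php HTTP/1.1" 200 2048 "http://peskyurl.com/x" "Mozilla/5.0"',
    '203.0.113.9 - - [28/Jan/2013:10:04:00 +0100] "GET / HTTP/1.1" 200 4096 "http://www.google.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    blocked, evaded = analyse(SAMPLE_LOG)
    print(f"blocked by Referer rule: {blocked}; admin POSTs that slipped past it: {dict(evaded)}")
    print(suggest_deny(evaded))
```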

hellodesign

This solved a very specific problem for me, in that someone had gained control of a web server and was attempting to force administrator access to a number of different sites we administer, using an entire galaxy of different IP addresses, but was kind enough to provide their domain name in the whois info. This solution has saved me from dealing with the 30-40 emails per day I had to deal with previously.

nicholas
Akeeba Staff
Manager

A hacker good enough to hijack a server to attack you but naïve enough to leave the Referer HTTP header intact: priceless :)


hellodesign

Surprisingly, Nicholas, I would say that almost half the query strings in the exceptions logs show the referrer. Just a poor class of hackers operating these days, I guess.

BTW: When we install a fresh Joomla! site, we kickstart a backup from MAMP with a common suite of extensions already installed and updated. AT Pro and Backup Pro are at the top of the list. They should be "Desert Island" components for any Joomla! site!

Many thanks for your hard work!

nicholas
Akeeba Staff
Manager

You're welcome :)

