The Community Forums

Interact with an entire community of cPanel & WHM users!

Prevent Hacks?

Discussion in 'Security' started by H4CK3R, Feb 19, 2012.

  1. H4CK3R

    H4CK3R Well-Known Member

    Joined:
    Oct 14, 2011
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Website Owner
    Hi,
    I got the code below from a site:
    RewriteEngine On

    # proc/self/environ? no way!
    RewriteCond %{QUERY_STRING} proc/self/environ [OR]

    # Block out any script trying to set a mosConfig value through the URL
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]

    # Block out any script trying to base64_encode crap to send via URL
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]

    # Block out any script that includes a <script> tag in URL
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]

    # Block out any script trying to set a PHP GLOBALS variable via URL
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

    # Block out any script trying to modify a _REQUEST variable via URL
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

    # Send all blocked request to homepage with 403 Forbidden error!
    RewriteRule ^(.*)$ index.php [F,L]

    They claim adding these to htaccess will prevent hacks. Is it true and safe to add these lines? What will these lines do?
    Please help.
    Thanks.
     
  2. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Joined:
    Feb 25, 2010
    Messages:
    1,842
    Likes Received:
    18
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Friendly Moderator Note

    I moved your post to our Security section, for better visibility.
     
  3. H4CK3R

    H4CK3R Well-Known Member

    Thanks, but no help? :(
     
  4. Renato Merino

    Renato Merino Well-Known Member

    Joined:
    Jan 20, 2012
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Website Owner
    Hi everyone:

    Sign me in for this thread too, those htaccess rules are weird, I haven't seen them before, I have just tested the hotlink htaccess protection... hope someone answers soon... :(
     
  5. ChrisFirth

    ChrisFirth Active Member
    PartnerNOC

    Joined:
    Apr 10, 2008
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    DataCenter Provider
    Hi,

    In my experience I don't think these will be very effective in preventing many attacks. These only check the query string - things like post data and scripts running some of the below functions won't be caught.

    Code:
    RewriteCond %{QUERY_STRING} proc/self/environ [OR]
    
    This helps prevent LFI attacks, e.g. Kaotic Creations: EXPLOITING LFI VULNERABILITIES via /PROC/SELF/ENVIRON

    Code:
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
    
    This prevents setting the mosConfig variable, which appears to be a Joomla thing. I don't use Joomla, but I am not sure if this would actually be of any use if register_globals is off in PHP.

    Code:
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
    
    Again, I am not sure how effective this would be as most of the time the payloads I have seen are already base64 encoded, and they use base64_decode inside a script (usually with a combination of other obfuscation like gzipping, rot13 etc.). This should just prevent the function being passed around in URLs.

    Code:
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    
    This is probably an attempt to stop XSS. There are numerous other methods to do this so I don't think it will be effective.

    Code:
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    
    These would be pointless with register_globals off in PHP. This just stops you setting global variables via the URL.

    I can't see any reason the above rules wouldn't be safe, but I don't think they would be very effective at blocking most attacks.
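
Added example, not part of ChrisFirth's post or of the original thread: a small Python harness that applies the thread's six RewriteCond patterns to constructed requests, showing which rule fires on a query string and that the same strings sent as POST data are never inspected. The function names, labels and sample requests are hypothetical, and the patterns are written with the `\(` and `\[` escapes spelled out, which is an assumption about the intended rules.

```python
import re

# The six RewriteCond patterns from the thread, with the regex escapes
# \( and \[ written out (an assumption about the intended rules).
# [NC] maps to re.IGNORECASE; RewriteCond matches anywhere in the string.
RULES = [
    ("environ",   r"proc/self/environ",                 0),
    ("mosConfig", r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", 0),
    ("base64",    r"base64_encode.*\(.*\)",             0),
    ("script",    r"(<|%3C).*script.*(>|%3E)",          re.IGNORECASE),
    ("GLOBALS",   r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})",     0),
    ("_REQUEST",  r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})",    0),
]
COMPILED = [(name, re.compile(pat, flags)) for name, pat, flags in RULES]

def matched_rules(method, url, body=""):
    """Labels of the rules that fire. Like %{QUERY_STRING}, only the raw
    (undecoded) text after '?' is examined; method and body are ignored."""
    query = url.partition("?")[2].partition("#")[0]
    return [name for name, rx in COMPILED if rx.search(query)]

def is_blocked(method, url, body=""):
    """True when the RewriteRule would answer 403 ([F]) for this request."""
    return bool(matched_rules(method, url, body))

# Constructed sample requests (hypothetical paths and parameters).
SAMPLES = [
    ("GET",  "/index.php?option=com_content&view=article&id=5", ""),
    ("GET",  "/index.php?page=/proc/self/environ", ""),
    ("GET",  "/index.php?mosConfig_absolute_path=/tmp", ""),
    ("GET",  "/search.php?q=%3Cscript%3Ealert(1)%3C/script%3E", ""),
    ("GET",  "/index.php?GLOBALS[debug]=1", ""),
    ("GET",  "/docs.php?topic=php_GLOBALS_explained", ""),
    # Same strings sent as POST data: the rules never see the body.
    ("POST", "/index.php", "page=/proc/self/environ&GLOBALS[debug]=1"),
]

def report(samples=SAMPLES):
    """One (method, url, fired_rules) tuple per sample request."""
    return [(m, u, matched_rules(m, u, b)) for m, u, b in samples]

if __name__ == "__main__":
    for method, url, fired in report():
        verdict = "403 " + ",".join(fired) if fired else "passed"
        print(f"{method:4} {url:55} {verdict}")
```

Running the same harness over a day of real access-log query strings before enabling the rules shows whether any legitimate URL on the site would start returning 403.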
     
  6. H4CK3R

    H4CK3R Well-Known Member

    Thanks... :)
     
  7. Renato Merino

    Renato Merino Well-Known Member

    Hi ChrisFirth:

    Thanks for the explanation. Still, in your answer you wrote that you think that the rules above wouldn't be very effective at blocking most hacker attacks. :confused: Could you please recommend some good rules for htaccess that could protect my website or cPanel from hacker attacks? Sorry about my English, it's not my native language.

    Cheers
     
  8. LeadDogGraphics

    LeadDogGraphics Well-Known Member

    Joined:
    Feb 25, 2012
    Messages:
    97
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    West Palm Beach, FL
    cPanel Access Level:
    Root Administrator
    Please see the below site for some good htaccess tricks for security:
    http://perishablepress.com/5g-blacklist-2012/
     
  9. Renato Merino

    Renato Merino Well-Known Member

    I'll check them, Paulieb81, thank you very much. :)
     
  10. ruzbehraja

    ruzbehraja Well-Known Member

    Joined:
    May 19, 2011
    Messages:
    383
    Likes Received:
    7
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I think mod_security covers almost everything given here.

    mod_security can be implemented for the entire server rather than individual accounts.
     
  11. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,481
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    I agree with this.
     
  12. Renato Merino

    Renato Merino Well-Known Member

    Thanks for the answer, ruzbehraja. I will ask my hosting provider if they have this mod_security on, but I believe that this mod_security is managed only by my hosting provider and dedicated IP hosting users, am I right?

    Because I'm about to acquire my own dedicated hosting, but right now I'm using shared hosting. Are there any other recommendations for shared hosting users, so I can ask my hosting provider to enable them?

    Cheers :)
     
  13. ruzbehraja

    ruzbehraja Well-Known Member

    Well, there's lots that can be done by the hosting provider through WHM.
    It's difficult to summarize and needs to be handled on a case-by-case basis.

    Firewall / Mod_Security / Setting appropriate user limits for various services / optimization / tuning are some of them.
     
  14. Renato Merino

    Renato Merino Well-Known Member

    Hi ruzbehraja:

    Thanks again for the info, I will show your message to my hosting provider. If I buy my own dedicated IP, I will be able to configure the WHM, right? :D



    Cheers
     
  15. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    No.

    If you have a shared hosting account, buying a dedicated IP address gets you nothing but that, a dedicated IP address for your account.

    The only way to have any access to the WHM at all is to have at least a reseller account, which gives you only limited access (the extent of which is determined by the hosting provider).

    The only way to have full access to the WHM is to be the server's administrator, which only happens if you have your own VPS or dedicated server.

    As a shared hosting customer, your access is very limited, and you really need to talk to your hosting provider for assistance with securing your site.
     