Improving TNG security with htaccess

Steve
Posts: 119
Joined: Sun Oct 01, 2017 3:08 pm

Improving TNG security with htaccess

Post by Steve »

Although TNG is very secure, there are a few things you can do to enhance security: for example, block query string exploits, keep config files out of directory indexes, prevent directory traversing (listing directories), and limit access to the config files. Additionally, you can restrict or allow access by IP address. The code below was tested with Apache 2.4. It is important to remember that if the URL query string contains a keyword matching anything in the patterns below, Apache will respond with a 403 error.

Code:

# BLOCK QUERY STRING EXPLOITS
# Needs mod_rewrite; the engine must be switched on in this .htaccess
RewriteEngine On
# [NC] = case-insensitive match, [OR] = any single condition is enough
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(declare|drop|insert|passwd|request|select|waitfor).* [NC]
# Answer 403 Forbidden and stop processing further rules
RewriteRule ^(.*)$ - [F,L]
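As an added example (not code from the original post), the Python script below re-implements the five conditions above with the same case-insensitive, any-one-matches semantics, so you can run a list of your own URLs through it before enabling the rule. The host name and the TNG-style page names and parameters in the sample list are constructed for illustration. The last two samples are legitimate genealogy searches: an accented name is percent-encoded as %C3%A9 and a surname containing "select" trips the keyword list, so both get a 403 under these rules.

```python
import re
from urllib.parse import urlsplit

# The five RewriteCond patterns from the post, written as Python regexes.
# Apache's [NC] flag means case-insensitive and [OR] chains the conditions,
# so a query string is blocked as soon as any one of them matches.
QUERY_BLOCK_PATTERNS = [
    r"\.\./",
    r"tag=",
    r"(<|%3C).*script.*(>|%3E)",
    r"^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).*",
    r"^.*(declare|drop|insert|passwd|request|select|waitfor).*",
]
COMPILED = [re.compile(p, re.IGNORECASE) for p in QUERY_BLOCK_PATTERNS]


def matching_rule(query_string):
    """Return the index (0-4) of the first pattern that matches the raw
    query string, or None if the request would pass all five conditions."""
    for index, pattern in enumerate(COMPILED):
        if pattern.search(query_string):
            return index
    return None


def is_blocked(url):
    """True if the rules would answer this URL with 403.  Like Apache's
    %{QUERY_STRING}, only the part after '?' is tested, still percent-encoded."""
    return matching_rule(urlsplit(url).query) is not None


def audit(urls):
    """Map each URL to the rule index that blocks it (None = allowed), so a
    list of real URLs taken from the access log can be checked before deploying."""
    return {url: matching_rule(urlsplit(url).query) for url in urls}


# Constructed sample URLs in the style of TNG pages (hypothetical host);
# the last two are legitimate genealogy searches that the rules reject.
SAMPLE_URLS = [
    "https://example.org/getperson.php?personID=I123&tree=smith",
    "https://example.org/search.php?mylastname=%3Cscript%3Ealert(1)%3C/script%3E",
    "https://example.org/showmedia.php?mediaID=../../etc/passwd",
    "https://example.org/search.php?myfirstname=Jos%C3%A9",
    "https://example.org/search.php?mylastname=Selector",
]

if __name__ == "__main__":
    for url, rule in audit(SAMPLE_URLS).items():
        verdict = "allowed" if rule is None else f"403 by rule {rule + 1}"
        print(f"{verdict:16} {url}")
```

Feed `audit()` the query strings of a day's worth of real requests and count how many come back as non-None: that is the number of visitors the rule would have turned away.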

Code:

# Stop directory Traversing
Options -Indexes

# Do not index config files
IndexIgnore *config*.*

The code below blocks access to ALL TNG config files except from the IP address on the Require ip line. If you use a host and have a dynamic IP address that changes, you will be blocked from making any configuration changes if the IP addresses do not match. If this occurs, modify .htaccess and enter the correct IP address, or temporarily comment out the line by changing Require all denied to # Require all denied.

Code:

# Block access to config files
# Several Require lines in one section form an implicit <RequireAny>:
# "Require all denied" never grants, so only the listed address gets in
<Files "*config.php">
	Require all denied
	Require ip 107.4.26.115
</Files>

The code below blocks website access by host name, domain extension (such as .ru) or IP address. Require not host can use a partial or complete name, while extensions block areas, organizations, countries, etc. Enter one or more IP addresses with Require not ip, giving either the complete IP address or the first three sections followed by 0/24 to block multiple addresses. The last entry blocks all IP addresses starting with 75.101. Use caution when blocking a large number of IPs, as registered users could be blocked.

Code:

#Block access based on host name or ip address
# Inside <RequireAll> every line must pass; a "Require not ..." line passes
# only when the client does NOT match. "Require host" forces a double reverse
# DNS lookup of the client address on every request it applies to, so it is
# slower than an IP rule and only works when the reverse DNS resolves.
# A partial IP such as 75.101 (leading octets) is written without a trailing dot.
<RequireAll>
	Require all granted
	Require not host badsite.com goofy.idiots anothersite.org
	Require not host .ca .cz .eu .gov .it .ru .vn
	Require not ip 60.60.60.60 5.101.156.0/24 20.185.49.0/24 75.101
</RequireAll>

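The Python script below is an added example, not part of the post, that emulates how Apache evaluates the two sections above: the <Files> allow-list for *config.php and the <RequireAll> deny-list. It uses the post's own addresses and the standard library's ipaddress module, handles a full address, a CIDR block and a partial address such as 75.101 (leading octets), and leaves Require not host out because that check depends on a reverse DNS lookup of the client rather than on the address. Use it to check a client address before editing .htaccess, for instance the address you will be locked out from if the Require ip line no longer matches.

```python
import ipaddress

# Address lists copied from the two htaccess snippets above.
CONFIG_ALLOWED_IPS = ["107.4.26.115"]                      # <Files>: Require ip
SITE_DENIED_IPS = ["60.60.60.60", "5.101.156.0/24",        # <RequireAll>: Require not ip
                   "20.185.49.0/24", "75.101"]


def ip_matches(client, spec):
    """Emulate one argument of 'Require ip' for IPv4: a full address, a CIDR
    block such as 20.185.49.0/24, or a partial address such as 75.101, which
    Apache treats as the leading octets (75.101 matches 75.101.x.x but not
    75.10.x.x).  A stray trailing dot on a partial address is tolerated here."""
    addr = ipaddress.IPv4Address(client)
    if "/" in spec:
        return addr in ipaddress.IPv4Network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    if len(octets) == 4:
        return addr == ipaddress.IPv4Address(spec)
    # Partial address: compare whole leading octets, never a string prefix.
    return str(addr).split(".")[: len(octets)] == octets


def config_file_allowed(client, allowed=CONFIG_ALLOWED_IPS):
    """<Files "*config.php"> with 'Require all denied' and 'Require ip ...':
    several Require lines in one section form an implicit <RequireAny>, and
    'Require all denied' never grants, so only a listed address gets through."""
    return any(ip_matches(client, spec) for spec in allowed)


def site_allowed(client, denied=SITE_DENIED_IPS):
    """<RequireAll> with 'Require all granted' and 'Require not ip ...':
    every line must pass, and a negated line passes only when the client does
    NOT match, so one hit on the deny list is enough to refuse the request.
    'Require not host' is not emulated: it depends on reverse DNS, not the IP."""
    return not any(ip_matches(client, spec) for spec in denied)


if __name__ == "__main__":
    # Constructed client addresses, chosen to sit just inside and just
    # outside each kind of entry.
    for client in ["107.4.26.115", "107.4.26.116", "75.101.3.4", "75.10.3.4",
                   "5.101.156.200", "5.101.157.1", "20.185.49.77"]:
        site = "allow" if site_allowed(client) else "deny"
        config = "allow" if config_file_allowed(client) else "deny"
        print(f"{client:15} site={site:5} config={config}")
```

The two evaluation functions differ only in how a match is combined: in the implicit RequireAny a match is what lets you in, in the RequireAll with negated lines a match is what keeps you out. Keeping that distinction straight is what prevents a deny-list from accidentally turning into an allow-list when the sections are edited.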
If you have a private folder you want to protect, use <Directory> containers. If you protect folders such as photos, add Require ip to allow TNG to access the folder. Directory paths containing spaces must be enclosed in quotation marks, as shown below; folders without spaces do not require quotation marks.

Code:

#Block ALL access to any folder
# <Directory> takes the full filesystem path and is only valid in the main
# server config or a <VirtualHost>, not inside .htaccess (there it causes a
# 500 error). To get the same effect from .htaccess, place a .htaccess file
# containing "Require all denied" inside the folder itself.
<Directory "/private photos/">
	Require all denied
</Directory>