TechTutorials - Free Computer Tutorials  

Configuring htaccess 

Added: 10/29/2003, Hits: 4,090, Rating: 0, Comments: 0, Votes: 0
Add To Favorites | Comment on this article
There is an interesting history behind this tutorial that is the reason for it's existence. was hacked twice in 10 days by the same person causing many lost hours spent repairing the damage, embarassment and potential lost revenue. "How did it happen", you ask? Well unfortunately, it was very easy for the hacker as we had not properly secured the site at that time. In this tutorial, we will show you how they got in and how you can prevent this type of attack from happening to you. Since there were 2 mistakes that we made, so we will show you how to correct both of these. This tutorial is directed at webmasters that have their site hosted on a Linux server with sensitive files that need to be protected.

Mistake #1
Are your directories browseable? Let's take a look at an example. You have a website called Polly's Crackers located at When you type this URL into a web browser it actually loads Why is this? Most webservers are configured to automatically find a file called index. So let's say you have a cgi-bin located at If you were to enter the URL into a browser, your webserver will look for a file called index and then 1 of 2 things will happen:

  • Scenario 1 - Your webserver does not have directory browsing enabled. This means that you will be returned with an error message that access is denied to the directory that you have tried to access.

  • Scenario 2 - Your webserver has directory browsing enabled. In this case, you will be presented with the contents of the cgi-bin. This is not a good thing and can provide a hacker the entry that they need to destroy your site. When TechTutorials was hacked, the hacker was able to find the admin script that essentially runs this site.

  • If your situation is the same as Scenario 1, then skip this next section and move along to "Mistake #2". You are still here? This means that you have a problem that needs to be fixed. Typically a cgi-bin will not have an index file located in it. An easy solution to this problem is to create an index.html file that can be composed of whatever you wish and place it in the root of any directory that you do not wish people to browse. Now, when someone enters they will be presented with your new index.html file instead of a list of the contents of your cgi-bin. Now, let's tackle the real problem - Mistake #2.

    Mistake #2

    Had mistake #1 not occurred, then Mistake #2 probably would not have occured, however, DO NOT rely solely on the previous information as your security blanket - it is not enough! There are many different types of PERL scripts available for free and for purchase. Some of these come with built in security and some do not. If you have a PERL script that includes any type of interface that allows you to make changes to the functionality of the script and does not have password protection, then you MUST read the following.

    Most Unix(and other Unix-like webservers) have a utility called htaccess that allows you to password protect directories that you would like to keep others from accessing. Getting back to our example, lets say that you have a Bulletin Board script that is controlled by an admin interface which is located at http://www.pollycracker/cgi-bin/bbs/admin/admin.cgi. If a hacker knows the location of the admin.cgi file, then they have just walked through a huge open door and can have a field day on your setup.

    So here is how to fix it (Please note that the following instructions will allow you to protect any directory that you do not wish people to have access to):

    Use your favorite text editor and enter the following lines:

    Code :

    AuthUserFile /path_to_directory/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Whatever_you_want"
    AuthType Basic

    <Limit GET POST>
    require valid-user

    NOTE: The "/path_to_directory/ should be replaced with the server path(not URL) to the directory where the htaccess file will reside. In our example, this could be something like /web/guide/pollycracker/cgi-bin/bbs/admin/.htpasswd. If you are unsure of the server path, contact your ISP/Webhost for assistance. The AuthName variable can be named whatever you wish. Do not edit any of the other variables and save this file as ".htaccess". Next FTP this file to the directory on you webserver that you wish to protect.

    Now we need to create an .htpasswd file. From the shell prompt in a telnet or SSH session, type htpasswd -c .htpasswd username where the "username" is an account on your webserver. Try using the same username that you used to access your server via telnet. After entering this command, you will be prompted for a password(2x). Enter the password for the user that you have entered. If these steps were performed correctly, you will have created an .htpasswd file in the same directory as the .htaccess file that we created earlier. The preceding period in these filenames keeps them hidden as does a $ in Windows. If you wish to make sure that the files are there, open an FTP session and you should be able to see your new files.

    Now test it out. Try to access the directory that you have protected. You should be presented with a login box that looks similar to this:

    Remember that most destructive hackers are kids who really have no idea what they are doing. There are a wealth of programs available to anyone that can help even the most computer illiterate hack a site that is not properly protected. The above steps will not guarantee that you will not be victimized, but they do guarantee that you will not be hacked because of glaring oversights on your part.

    Banning Visitors
    So what can you do if there are specific visitors or domains that you wish to ban. I once ran into a situation on another site where a visitor was clicking on our banner ads over and over again and skewing the statistics that our advertisers received. The best thing to do in this situation is just ban the person using your htaccess file. Add the following to your htaccess file:

    Code :

    <Limit GET PUT POST>
    order allow,deny
    allow from all
    deny from name_or_IP_address_of_host
    deny from add_as_many_as_needed

    Note that you can use the host name or the IP address of the host that you wish to ban. An example would be "deny from". Now what if you do not want anyone from a particular domain visiting your site? Just replace the host name or IP address with the domain name. An example would be "deny from".

    A situation may arise where you would want to only allow a couple of people to access your site and deny everyone else. In this situation use:

    Code :

    <Limit GET PUT POST>
    order allow,deny
    deny from all
    allow from name_or_IP_address_of_host
    allow from add_as_many_as_needed

    Compare the 2 examples and the differences should make sense.

    Comments (0)

    Be the first to comment on this article

    Related Items

    7 Seconds Resources, Inc.