Most installations of Apache come with the mod_rewrite module already configured and active. If you host the Joomla CMS on a shared hosting account (i.e. you have bought a generic web hosting package), you are forced to edit a file named .htaccess in order to set up the security rules for your website. On a dedicated hosting environment where you have full access to the server configuration file (httpd.conf), you can create global rules that will be INHERITED by each website (also called a VirtualHost) on your server. If you are in control of a dedicated server, it should be considered a best practice to configure your Apache server for best security by default, and then allow particular accounts more flexibility as the need arises. The following instructions will guide you through the process of setting up mod_rewrite security options that prevent many common vulnerabilities from being exploited.
How to setup RewriteCond Security on Shared Hosting Accounts

Your Joomla CMS installation comes with a file named htaccess.txt. This file has several options included within it, and for many Joomla administrators the need to rename (activate) this file only arises when they want to use the SEF functionality of Joomla. Fortunately, whether you are using the SEF features or not, you can activate this file (or create your own) and benefit from the security protection it provides. The quick and dirty method for using the .htaccess file already included is to simply rename the file from "htaccess.txt" to ".htaccess". If you already have an .htaccess file in your web folder, you will first need to rename the current file from ".htaccess" to ".htaccess.old" before you rename the "htaccess.txt" file. If the .htaccess file already exists, there may be some configuration options already set up that you will want to copy from the old file into the new file. In order to do any of this, you will need a basic understanding of either SHELL or FTP, which you will use to connect to your server and edit / rename the files. One thing to note about .htaccess usage is that all sub-folders inherit the settings of the parent .htaccess file. If you place your .htaccess file in the root public folder of your website (typically /home/{account}/public_html/.htaccess) then all sub-folders (for example /home/{account_name}/public_html/components/) will inherit the settings / security.
The following is an example of what you should have in your .htaccess file:

# Default Pages ------------------------
# The DirectoryIndex command specifies what file should be run by default.
# Multiple options are separated by a (space)
DirectoryIndex index.php

# Prevent Folder Snooping ------------------------
# The following commands will prevent people from seeing the files that are within a folder
# By default, most servers are setup to show a list of folder contents when the DirectoryIndex files are not found
<Files .htaccess>
order allow,deny
deny from all
</Files>
IndexIgnore */*
Options +FollowSymLinks
Options -Indexes

# Turn on the mod_rewrite functionality ------------------------
# This command will activate the rewrite engine, allowing you to use the rewrite rules that will detect and block many common Joomla exploits
RewriteEngine On

# Specify the Base Folder of your Joomla Installation ------------------------
# In most cases, your Joomla installation will be installed directly into your /public_html folder.
# If you have installed the Joomla files under a sub-folder, then you will need to specify the location using this command.
# ie: if Joomla is installed in the folder /home/{account}/public_html/web/, then the command should read "RewriteBase /web"
# remove the "#" before the command if you are going to use it
# RewriteBase /folder-name

# SEF Rewrite Conditions ------------------------
# If you are going to use the SEF functionality built into the Joomla System (or a third party package like JoomlaSEF)
# then you will need to uncomment (remove the "#" before each line) the commands below.
# These commands will tell your server to redirect all incoming requests that are not images (or existing files / folders) to the index.php file
# where Joomla will interpret the request and determine the correct page to return
# Many 3rd party SEF applications will come with their own version of these commands.
# Always be a good boy and follow directions!!
# RewriteCond %{REQUEST_FILENAME} !\.(jpg|jpeg|gif|png|css|js|pl|txt)$
# RewriteCond %{REQUEST_FILENAME} !-f
# RewriteCond %{REQUEST_FILENAME} !-d
# RewriteRule ^(.*) index.php

# Rewrite rules to block out some common exploits ------------------------
# These are the magic security commands that attempt to block the most common
# type of exploit `attempts` made on Joomla installations!
# If you experience problems on your site, add a "#" before each of the following lines
# to de-activate the commands from being included
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php?error=jInject [F,L]

# Add the Missing "WWW" when the url is incomplete ------------------------
# Sometimes people will type "website.com" instead of "www.website.com", which can (sometimes) cause issues
# with SSL Certificates, Cookies, Flash Scripts, or Javascripts that have strong security features and do not recognize
# that both urls are the same. The following command will correct those problems by redirecting the visitor to
# the "www.website.com" URL when they type in the url without the prefix.
# This command can also be handy when you are directing people to a subdomain like "support.website.com"
# To activate, remove the "#" before the following command lines and replace "website.com" with your domain name
# RewriteCond %{HTTP_HOST} !^www\.website\.com$ [NC]
# RewriteRule ^(.*)$ http://www.website.com/$1 [R=301,L]

How to setup Global RewriteCond rules on a Dedicated Apache Hosting Server running VirtualHosts / WHM / cPanel

If you are a hosting provider, or you have purchased or leased a server that you have SHELL access to for controlling the server configuration files, then you may choose to set up the server so that all accounts on the server have the same security features active by default. This is the preferred solution, especially if you are hosting several installations of the Joomla system and do not want to micro-manage each installation. In order for the global configuration to take effect, you will need access to edit the "httpd.conf" file that controls your Apache installation. The httpd.conf file is the core configuration file for your Apache web server, and if you are not comfortable editing this file (or if you have a lot of people that would be angry should you screw up) then you may be better off requesting that your support administrators make the following changes for you.

Step 1) Find the following files and make backup copies

Before you go breaking things, make sure to make a backup of any file you are about to edit. Better Safe than Up Poop Creek! On many default installations of Red Hat / CentOS with Apache and cPanel, you will use the following file locations. If you cannot find the file in these locations, a great command to search with is the "find" command, which works like this:
# Navigate to your root folder
cd /

# Search for the file (find takes a single-dash -name option)
find . -name "httpd.conf"
Ok, so here are the files you will need to MAKE A BACKUP of and then prepare to edit:

- /usr/local/apache/conf/httpd.conf
- /usr/local/cpanel/etc/httptemplates/apache1/default
- /usr/local/cpanel/etc/httptemplates/apache1/ssldefault
To make a backup copy, use the following command to make a COPY of the file with a suffix of today's date:

cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.06012008

If you are already lost, then you need to spend some time reading up on the Linux Basics 101 - here's a good place to start: Google Search for Basic Commands OR http://www.ss64.com/bash/
Step 2) Create the RewriteCond rules in your HTTPD.CONF file

Open the HTTPD.CONF file in your favorite text editor. If you are an old schooler like myself, then the VI editor is an option:

vi /usr/local/apache/conf/httpd.conf

Find the line that reads <IfModule mod_rewrite.c> and add the following in between the open / close tags ** After whatever is already there, add:
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php?error=jInject [F,L]

Save your file, and then restart Apache using the command "httpd restart" to make sure you haven't broken anything already.

** IMPORTANT ** Make sure to include the ?error=jInject (or some other ?name=value parameter) or else the default redirect rule will apply the QUERY_STRING to the new redirect, flagging the same redirect again and forcing your server into an infinite redirect loop. - June 9, 2008

If everything works so far, then you have now created the default rules for Joomla security. The default rules ARE NOT YET active, but are ready to activate for any of your accounts. Next, we are going to INHERIT these rules for each account. You can do this in the .htaccess file for a particular account, or you can follow the next steps, which will perform the inherit from the HTTPD.CONF file.
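To check which of the five RewriteCond patterns (the same set used in the .htaccess section above and in this step) a given query string would trip before you restart Apache, here is an added example that is not part of the article or the Joomla project: it replays the patterns in Python with the same case-sensitivity flags Apache applies. The sample query strings other than the Step 5 one are constructed for illustration.

```python
import re

# The five RewriteCond patterns from the article, copied verbatim.
# Apache matches %{QUERY_STRING} against the raw, still percent-encoded query
# string, which is why each pattern lists both "=" and "%3D", "[" and "%5B" etc.
# Apache regexes are case-sensitive by default; only the <script> rule carries [NC].
RULES = [
    ("mosConfig",     r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)",       0),
    ("base64_encode", r"base64_encode.*\(.*\)",                    0),
    ("script tag",    r"(\<|%3C).*script.*(\>|%3E)",               re.IGNORECASE),
    ("GLOBALS",       r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})",           0),
    ("_REQUEST",      r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})",          0),
]


def matching_rule(query_string: str):
    """Return the name of the first RewriteCond that fires, or None.

    RewriteCond is an unanchored search, so re.search (not re.match) is the
    right analogue: the pattern may match anywhere in the query string.
    """
    for name, pattern, flags in RULES:
        if re.search(pattern, query_string, flags):
            return name
    return None


def would_block(query_string: str) -> bool:
    """True when the [OR]-chained conditions pass and the [F] rule would answer 403."""
    return matching_rule(query_string) is not None


if __name__ == "__main__":
    # Constructed samples; only the first one appears in the article (Step 5 test URL).
    samples = [
        "mosConfig_live_site=bananna",
        "option=com_content&view=article&id=5",   # ordinary Joomla request, must pass
        "q=%3Cscript%3Ealert(1)%3C/script%3E",    # encoded <script> tag
        "GLOBALS%5Bfoo%5D=1",                     # encoded GLOBALS[ ... ]
        "x=base64_encode(1)",
    ]
    for qs in samples:
        print(f"{qs!r:45} -> {matching_rule(qs)}")
```

Note that the base64_encode rule also fires on any legitimate query that happens to contain that text with parentheses, which is the kind of false positive the article's "add a # before each line" advice is for.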
Step 3) Inherit the RewriteCond rules for each VirtualHost

Open the HTTPD.CONF file in your favorite editor. Find each line that reads </VirtualHost> - this is the closing tag for each VirtualHost (website) that is set up on your server. Before the </VirtualHost> tag, add the following lines:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions Inherit
</IfModule>
** TRY THIS ON ONE ACCOUNT FIRST, Save the File, Test the Settings before taking the time to edit every VirtualHost - Skip to Step 5 for Test Instructions ** These commands will turn on and inherit the rewrite rules that you setup as the defaults for the server. Unfortunately we have not found a method for applying this to all virtualhosts without the need to manually INHERIT the commands for each. If there is a method, it's not well documented. ** In the next step, you are going to setup your default config files so that all new accounts already have this - you won't have to edit the HTTPD.CONF file again ** Save your file, and then restart apache using the command "httpd restart" to make sure you haven't broken anything already.
Step 4) Update your default virtualhost files so new accounts are already setup

Now that you've set up all the currently active accounts, you are ready to update your default setup files so that all new accounts will already have the INHERIT options activated. If you are not using cPanel, you will need to find the appropriate method for your server. In WHM / cPanel, the files should be located here: /usr/local/cpanel/etc/httptemplates/ We are going to edit both the default and the ssldefault files (make backups first!!). In both files you will follow the same steps: Open the DEFAULT / SSLDEFAULT file in your favorite editor, find the line that reads </VirtualHost>, and add the following lines before the </VirtualHost> tag:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions Inherit
</IfModule>

Save the files. You are done, and you can test this out by creating a new account and reviewing the HTTPD.CONF file to make sure it added the correct code. There are two other folders "apache2" and "apache2_2" in our test environment, but they don't seem to be used. They both contain the same files - if you find that the defaults are not applied, it may be that your server is using the default files found in one of those folders.
Step 5) Test Everything and Toast to how much you Rock!

Alrighty - you've made it this far (hopefully testing along the way) and now we're ready for the final tests. Restart your Apache: "httpd restart" -or- "service httpd restart". Using a browser, navigate to any of the sites on your server and try the following url:

http://www.website.com/index.php?mosConfig_live_site=bananna

You should receive a Failed Request error. If you do, then you're done!! If not, then backtrack through your steps to see if you missed something. If you didn't miss anything, try using the local .htaccess instructions (from the shared hosting section of this document above) to see if the commands work at all.
Step 6) You want More?

For bonus cool points, you can change the RewriteRule line from Step 2 to point to a custom error page. The page can even be set up with some tracking script (wink wink) so you can keep tabs on those pesky hackers. Maybe hack them back (if you have the time!!)

Change this line from Step 2:

RewriteRule ^(.*)$ index.php?error=jInject [F,L]

To look something like this:

RewriteRule ^(.*)$ http://www.website.com/error_doc/custom_error_page.html?error=jInject [R=301,L]

Restart your Apache and test it out - you can see an example here: http://www.joomlasef.org/index.php?mosConfig_live_site=bananna
Take your Time, you're doing Great!! Want to learn more about the mod_rewrite system aka the Swiss Army Knife of URL manipulation? Follow this link to learn more and let us know if you figure out something worth passing on!
http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html#RewriteRule

Good Luck and Happy Joomla Coding!!

The Joomla SEF Team