phpVMS Forums: Securing Directories


Securing Directories

#1 brreclark

  • Member
  • Group: Members
  • Posts: 24
  • Joined: 05-March 09
  • Location: Franklin, IN

Posted 08 July 2010 - 02:27 AM

I know there is the option to password protect directories through the cPanel, I'm just not sure which ones should be/ could be protected? I suspect I don't want to do the public_html folder, but I'm unsure which other folders should be.

#2 Nabeel

  • Advanced Member
  • Group: Administrators
  • Posts: 6227
  • Joined: 17-February 08
  • Location: Westchester, NY

Posted 08 July 2010 - 02:08 PM

You can do the lib/skins, lib/signatures, lib/avatars folders, images, core, I think those would suffice
Twitter | Docs | API Docs | Bug Tracker | Getting Debug Info
phpVMS Hosting - Cheap, fast, and reliable! Check it out here

#3 skymx

  • Advanced Member
  • Group: Members
  • Posts: 62
  • Joined: 20-March 10
  • Location: Veracruz, México

Posted 08 July 2010 - 10:40 PM

Nabeel, on 08 July 2010 - 09:08 AM, said:

You can do the lib/skins, lib/signatures, lib/avatars folders, images, core, I think those would suffice


hmmmm I am not so sure about that...

By default you can access /lib, avatars, skins, and many other folders from the internet in most phpVMS installations.
If there were a "bad guy", a hacker, he could easily steal your hard work and/or destroy all your efforts. This is something I have been trying to explain to you, Nabeel, but I had no time. Can you tell us what the best way is to protect those folders from being viewed or copied from the internet?

This is more likely an issue related to the hosting service than a phpVMS problem, BUT I suggest making this (flaw) PUBLIC before a hacker cracks all phpVMS sites.

I use several tricks to "protect" our contents, but sometimes they are not enough; I will share with you all what I have found so far.

SK

Note: This problem is in no way related to fivedev hosting service.
I guess I posted in the wrong place, oops sorry. Different topic.


#4 Nabeel

  • Advanced Member
  • Group: Administrators
  • Posts: 6227
  • Joined: 17-February 08
  • Location: Westchester, NY

Posted 09 July 2010 - 12:36 AM

Right, it's not a flaw, it's just how most servers are set up - they're set up to allow browsing of directories. So you would add a .htaccess file in the root (in public_html) to block access, like this:

(create a file called .htaccess - note the period in front)

# Deny direct requests for any template file
<Files ~ "\.tpl$">
Order allow,deny
Deny from all
</Files>

# The per-file blocks below are already covered by the pattern above
<Files "layout.tpl">
Order allow,deny
Deny from all
</Files>

<Files "header.tpl">
Order allow,deny
Deny from all
</Files>

<Files "footer.tpl">
Order allow,deny
Deny from all
</Files>

That'll keep .tpl files from being served.

In cPanel, under Index Manager, I'd select your folders, and say "No Indexing" (that's the default I have set on fivedev). That way they can't browse the list of files. You can also use "Hotlink Protection" and add tpl files into that, and any other files.

Another thing is putting a blank index.php file in the folder, that'll prevent browsing.

#5 skymx

  • Advanced Member
  • Group: Members
  • Posts: 62
  • Joined: 20-March 10
  • Location: Veracruz, México

Posted 10 July 2010 - 01:14 AM

Nabeel, on 08 July 2010 - 07:36 PM, said:

Right, it's not a flaw, it's just how most servers are set up - they're set up to allow browsing of directories. So you would add a .htaccess file in the root (in public_html) to block access, like this:

(create a file called .htaccess - note the period in front)

# Deny direct requests for any template file
<Files ~ "\.tpl$">
Order allow,deny
Deny from all
</Files>

# The per-file blocks below are already covered by the pattern above
<Files "layout.tpl">
Order allow,deny
Deny from all
</Files>

<Files "header.tpl">
Order allow,deny
Deny from all
</Files>

<Files "footer.tpl">
Order allow,deny
Deny from all
</Files>

That'll keep .tpl files from being served.

In cPanel, under Index Manager, I'd select your folders, and say "No Indexing" (that's the default I have set on fivedev). That way they can't browse the list of files. You can also use "Hotlink Protection" and add tpl files into that, and any other files.

Another thing is putting a blank index.php file in the folder, that'll prevent browsing.


That is one thing I do, but not with an empty index.php file; instead I added some info: "You're not allowed to access this area, your IP address is: xxx.xxx.xxx.xxx and has been logged!"

But I will add the .htaccess file also. Besides, I use a JavaScript to disable the mouse right click (to stop people checking the source code).

A little late, but happy birthday, Nabeel!

SK

#6 Nabeel

  • Advanced Member
  • Group: Administrators
  • Posts: 6227
  • Joined: 17-February 08
  • Location: Westchester, NY

Posted 10 July 2010 - 02:38 PM

Thanks!

I wouldn't do the blocking of right click, that mostly just annoys people. You can just go to the menu and view source anyway. The .htaccess is probably the best protection.

#7 TAV1702

  • Advanced Member
  • Group: Members
  • Posts: 718
  • Joined: 14-October 09
  • Location: Illinois

Posted 11 July 2010 - 09:40 PM

I normally add an index.html page to mine as well as use a .htaccess just in case. On my current live site I have not done that at all. If it gets hacked, I've got a daily backup so no worries on my end, but I have had great success just using an HTML page to keep my directories from being browsed.
Please do NOT PM me for support. Ask in the forums so everyone may benefit from our conversation. I will no longer answer unsolicited PMs for support.


#8 brreclark

  • Member
  • Group: Members
  • Posts: 24
  • Joined: 05-March 09
  • Location: Franklin, IN

Posted 12 July 2010 - 01:26 PM

Thanks for the info guys, I'll add this into my ever growing "Stuff that needs done" list!

#9 Nabeel

  • Advanced Member
  • Group: Administrators
  • Posts: 6227
  • Joined: 17-February 08
  • Location: Westchester, NY

Posted 12 July 2010 - 03:20 PM

Let me know how that htaccess goes to block downloading of .tpl files (if someone just goes straight to the file). I will write an announcement out on how to secure it and all that
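Added example (editor's code, not from this thread and not part of phpVMS): a small audit script for the check Nabeel asks for above, i.e. "what happens if someone just goes straight to the file" after the .htaccess is in place. It requests a list of sensitive paths and directories under a base URL and reports anything still downloadable or still listing. The template paths in PROBE_PATHS are assumed locations, not taken from the phpVMS source, so substitute your own; `va.example` and the FAKE_RESPONSES table are constructed so the script can be dry-run offline.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Paths that should not be directly downloadable once the .htaccess is in place.
# Template locations here are assumptions; substitute the paths of your own install.
PROBE_PATHS = [
    ".htaccess",
    "core/templates/layout.tpl",
    "core/templates/header.tpl",
    "core/templates/footer.tpl",
    "lib/skins/",        # trailing slash: a directory, checked for an index listing
    "lib/signatures/",
    "lib/avatars/",
]

def http_fetch(url):
    """GET `url`; return (status, body_text). 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "htaccess-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.getcode(), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")

def verdict(path, status, body):
    """Classify one probe. Apache's autoindex page is recognisable by its <title>."""
    if path.endswith("/"):
        if status == 403:
            return "ok (listing forbidden)"
        if status == 200 and "<title>Index of" in body:
            return "EXPOSED (directory listing)"
        if status == 200:
            return "ok (index page served)"
        return f"check manually ({status})"
    if status == 403:
        return "ok (forbidden)"
    if status == 404:
        return "ok (not found; confirm the path is right)"
    if status == 200:
        return "EXPOSED (file downloadable)"
    return f"check manually ({status})"

def audit(base_url, paths=PROBE_PATHS, fetch=http_fetch):
    """Probe every path under base_url (must end in '/'); return {path: (status, verdict)}."""
    results = {}
    for path in paths:
        status, body = fetch(urljoin(base_url, path))
        results[path] = (status, verdict(path, status, body))
    return results

def exposed(results):
    """Sorted list of paths whose verdict starts with EXPOSED."""
    return sorted(p for p, (_, v) in results.items() if v.startswith("EXPOSED"))

# Constructed responses for an offline dry run (va.example is a made-up host):
# one template still downloadable, one directory still listing, the rest fixed.
FAKE_RESPONSES = {
    "https://va.example/.htaccess": (403, "<h1>Forbidden</h1>"),
    "https://va.example/core/templates/layout.tpl": (200, "<html><head><title>"),
    "https://va.example/core/templates/header.tpl": (403, "<h1>Forbidden</h1>"),
    "https://va.example/core/templates/footer.tpl": (404, "<h1>Not Found</h1>"),
    "https://va.example/lib/skins/": (200, "<html><body></body></html>"),
    "https://va.example/lib/signatures/": (200, "<html><head><title>Index of /lib/signatures</title>"),
    "https://va.example/lib/avatars/": (403, "<h1>Forbidden</h1>"),
}

def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, ""))

if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else None
    report = audit(base) if base else audit("https://va.example/", fetch=fake_fetch)
    for path, (status, note) in report.items():
        print(f"{status} {path:32} {note}")
    sys.exit(1 if exposed(report) else 0)
```

Run it as `python audit.py https://your-site.example/` against the live site; with no argument it replays the constructed responses. A 404 on a file path is counted as safe only in the sense that nothing is downloadable there, so double-check that the path is where your templates actually live.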

#10 skymx

  • Advanced Member
  • Group: Members
  • Posts: 62
  • Joined: 20-March 10
  • Location: Veracruz, México

Posted 13 July 2010 - 03:15 AM

I have been reading a lot about .htaccess files, and what they can prevent and how to use them.

1.- First prevent access to your .htaccess file (.htaccess security) just in case.

<Files .htaccess>
order allow,deny
deny from all
</Files>

2.- Then restrict directory listing/browsing:

When directory browsing is on, people accessing a URL from your site with no index page, or no pages at all, will see a list of files and folders. To prevent such directory access, just place the following line in your .htaccess file.

IndexIgnore */*

3.- Preventing hot linking of images from your website:

RewriteEngine on
# Skip the rule when no Referer is sent at all
RewriteCond %{HTTP_REFERER} !^$
# Skip the rule when the Referer is this site (with or without www)
RewriteCond %{HTTP_REFERER} !^http://(www\.)?your-domain.com/.*$ [NC]
# Otherwise answer 403 for image requests
RewriteRule \.(gif|jpg)$ - [F]

In the above code, replace [your-domain] with your actual domain name [without www].

4.- Allow/Deny certain IP addresses:

order allow,deny
deny from 123.45.6.7
deny from 012.34.5.
allow from all

SK
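Added example (editor's code, not from the post above): a Python model of the three hotlink directives in item 3, so you can see exactly which requests the rule refuses before putting it on a live site. `your-domain.com` is the post's placeholder and the request paths and Referer values are constructed. Two things the model makes visible: the `!^$` condition means a client that sends no Referer at all (curl, wget, privacy-mode browsers) is never blocked, and because the pattern starts with `http://`, your own pages served over HTTPS would be treated as hotlinkers. The STRICT_* variants are my own tightened suggestion, not something the post proposes.

```python
import re

# The post's placeholder domain; replace with yours. The dots are left unescaped
# exactly as in the posted RewriteCond, so each "." matches any character.
SITE_DOMAIN = "your-domain.com"

# RewriteCond %{HTTP_REFERER} !^http://(www\.)?your-domain.com/.*$ [NC]
REFERER_OK = re.compile(r"^http://(www\.)?" + SITE_DOMAIN + r"/.*$", re.IGNORECASE)
# RewriteRule \.(gif|jpg)$ - [F]   (no [NC], so the extension match is case-sensitive)
HOTLINK_TARGET = re.compile(r"\.(gif|jpg)$")

# Tightened versions (editor's suggestion, not from the post): accept the site
# over https as well, escape the dots, and cover the other image types with [NC].
STRICT_REFERER_OK = re.compile(r"^https?://(www\.)?" + re.escape(SITE_DOMAIN) + r"/", re.IGNORECASE)
STRICT_HOTLINK_TARGET = re.compile(r"\.(gif|jpe?g|png|webp)$", re.IGNORECASE)

def rewrite_decision(request_path, referer, referer_ok=REFERER_OK, target=HOTLINK_TARGET):
    """'forbidden' when the rule would answer 403 via [F], otherwise 'pass'.
    `referer` is the raw Referer header value, '' when the client sent none."""
    # RewriteCond %{HTTP_REFERER} !^$ -> a request without a Referer never matches,
    # so scripted downloads pass straight through; this is anti-embedding, not access control.
    if referer == "":
        return "pass"
    # Second RewriteCond: requests coming from the site itself are allowed.
    if referer_ok.search(referer):
        return "pass"
    # RewriteRule: only the listed image extensions are refused.
    if target.search(request_path):
        return "forbidden"
    return "pass"

if __name__ == "__main__":
    # Constructed sample requests (path, Referer header).
    samples = [
        ("/images/logo.gif", "http://evil.example/page.html"),
        ("/images/logo.gif", ""),
        ("/images/logo.gif", "http://www.your-domain.com/index.php"),
        ("/images/logo.gif", "https://your-domain.com/index.php"),
        ("/images/logo.png", "http://evil.example/"),
    ]
    for path, ref in samples:
        print(f"{path:20} referer={ref!r:45} posted: {rewrite_decision(path, ref):9} "
              f"strict: {rewrite_decision(path, ref, STRICT_REFERER_OK, STRICT_HOTLINK_TARGET)}")
```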

#11 skymx

  • Advanced Member
  • Group: Members
  • Posts: 62
  • Joined: 20-March 10
  • Location: Veracruz, México

Posted 13 July 2010 - 04:13 PM

Nabeel, on 12 July 2010 - 10:20 AM, said:

Let me know how that htaccess goes to block downloading of .tpl files (if someone just goes straight to the file). I will write an announcement out on how to secure it and all that


I tried the .htaccess file, and it locked up everything! hehe :unsure:
So I am going back to my old methods. :rolleyes:

I gained access to the remote server via FTP to be able to remove the file.
So you have to be very careful when using this file.

Thanks!

#12 mark1million

  • Advanced Member
  • Group: Members
  • Posts: 828
  • Joined: 07-January 09
  • Location: UK London

Posted 13 July 2010 - 05:55 PM

OK, so I came across this and cringed quite badly... You can go directly to a .tpl file and download it. Bad, bad, bad.

Solution: in the root of your site, add the below to your .htaccess file.


<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh|tpl)$">
 Order Allow,Deny
 Deny from all
</FilesMatch>


As you can see this will produce access denied for the following extensions in brackets ()
Many Thanks,

#13 Nabeel

  • Advanced Member
  • Group: Administrators
  • Posts: 6227
  • Joined: 17-February 08
  • Location: Westchester, NY

Posted 13 July 2010 - 06:23 PM

Mark, is that working?

#14 lorathon

  • Advanced Member
  • Group: Moderators
  • Posts: 485
  • Joined: 20-February 10
  • Location: Riverside, California

Posted 13 July 2010 - 06:24 PM

Yes it works. Thanks Mark.
Custom ACARS - PIREP Filing / ACARS Live Map Update / Full Flight Log / Flight info / Aircraft info / More to come
FS-Products | Support Forum

#15 mark1million

  • Advanced Member
  • Group: Members
  • Posts: 828
  • Joined: 07-January 09
  • Location: UK London

Posted 13 July 2010 - 06:29 PM

Hi Nabeel, yes this blocks access. I must admit my blood ran cold there, wow, thinking it's as easy as that to go direct to a .tpl and you have the file.

I would urge all to implement this asap.

It would take less than 2 minutes and save a lot of heartache,

#16 Nabeel

  • Advanced Member
  • Group: Administrators
  • Posts: 6227
  • Joined: 17-February 08
  • Location: Westchester, NY

Posted 13 July 2010 - 06:35 PM

Do you have rules to block directory browsing as well? I'm writing up a quick article and I'll post an announcement as well.
Thanks!

#17 mark1million

  • Advanced Member
  • Group: Members
  • Posts: 828
  • Joined: 07-January 09
  • Location: UK London

Posted 13 July 2010 - 06:41 PM

This is it,

# disable directory browsing
Options All -Indexes

#18 CPC900

  • Advanced Member
  • Group: Members
  • Posts: 307
  • Joined: 27-June 09
  • Location: London, ON

Posted 13 July 2010 - 08:26 PM

Ok, I added this to my .htaccess file:


<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh|tpl)$">
Order Allow,Deny
Deny from all
</FilesMatch>

# disable directory browsing
Options All -Indexes


Why do some directories show just a blank white screen, while others say "forbidden"?
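Added example (editor's code, not from this thread and not part of phpVMS): a Python model of the two rules in the post above, the `FilesMatch` deny list and `Options All -Indexes`, run against a constructed directory tree so you can see which requests end in 403 and which do not. The file names in SAMPLE_TREE are made up for illustration. It also shows why some folders come back blank and others Forbidden: a folder that contains an index file has that file served (an empty index.html gives an empty 200 page), while a folder without one falls through to `-Indexes` and gets a 403. Two limits of the posted pattern are worth knowing: `FilesMatch` is case-sensitive unless told otherwise, and `\.tpl$` only matches when `.tpl` is the very last thing in the name, so `layout.tpl.bak` or `Layout.TPL` left behind by an editor or an upload is still downloadable. STRICT_FILES_MATCH is my own tightened variant (Apache's PCRE accepts the `(?i)` flag), not something the thread proposes.

```python
import re
from posixpath import basename

# Extension list from the FilesMatch rule posted in this thread.
BLOCKED_EXTENSIONS = ("htaccess", "htpasswd", "ini", "phps", "fla", "psd", "log", "sh", "tpl")

# As posted: case-sensitive, and only matches when the blocked extension is last.
FILES_MATCH = re.compile(r"\.(" + "|".join(BLOCKED_EXTENSIONS) + r")$")

# Editor's tightened variant (not from the thread): case-insensitive, and also
# catches "layout.tpl.bak"-style leftovers that editors and uploads leave behind.
STRICT_FILES_MATCH = re.compile(r"(?i)\.(" + "|".join(BLOCKED_EXTENSIONS) + r")(\.[^/]*)?$")

# Constructed docroot listing (paths relative to public_html); the names are
# illustrative, not a real phpVMS tree.
SAMPLE_TREE = {
    "index.php",
    ".htaccess",
    "core/local.config.php",
    "core/templates/layout.tpl",
    "core/templates/header.tpl",
    "core/templates/Layout.TPL",
    "core/templates/layout.tpl.bak",
    "core/logs/error.log",
    "lib/skins/crew/index.html",
    "lib/skins/crew/style.css",
    "lib/signatures/pilot1.png",
    "lib/avatars/pilot1.jpg",
}

def directories(tree):
    """Every directory implied by the file paths in `tree` ('' is the docroot)."""
    dirs = {""}
    for path in tree:
        parts = path.split("/")
        for i in range(1, len(parts)):
            dirs.add("/".join(parts[:i]))
    return dirs

def resolve(request, tree=SAMPLE_TREE, indexes_enabled=False, pattern=FILES_MATCH):
    """Outcome of a GET for `request` under the posted .htaccess.

    indexes_enabled=False models "Options All -Indexes"; True models the hosting
    default that produced the directory listings complained about in this thread.
    """
    path = request.strip("/")
    if path in tree:
        # <FilesMatch> is tested against the final path component only.
        if pattern.search(basename(path)):
            return "forbidden (FilesMatch)"
        return "served"
    if path in directories(tree):
        # DirectoryIndex is consulted before autoindex: a present but empty index
        # file yields a blank 200 page rather than a 403.
        for index_name in ("index.php", "index.html"):
            candidate = f"{path}/{index_name}" if path else index_name
            if candidate in tree:
                return "index served"
        return "directory listing" if indexes_enabled else "forbidden (-Indexes)"
    return "not found"

if __name__ == "__main__":
    for req in ("/core/templates/layout.tpl", "/core/templates/layout.tpl.bak",
                "/core/templates/Layout.TPL", "/lib/skins/crew/", "/lib/signatures/"):
        print(f"{req:36} posted: {resolve(req):24} strict: {resolve(req, pattern=STRICT_FILES_MATCH)}")
```

The model ignores anything the server's main httpd.conf already does (most Apache builds deny `^\.ht` globally, for instance); it only shows what the two directives in the post add on their own.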

#19 mark1million

  • Advanced Member
  • Group: Members
  • Posts: 828
  • Joined: 07-January 09
  • Location: UK London

Posted 13 July 2010 - 10:16 PM

CPC900, on 13 July 2010 - 09:26 PM, said:

Ok, I added this to my .htaccess file:


<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh|tpl)$">
Order Allow,Deny
Deny from all
</FilesMatch>

# disable directory browsing
Options All -Indexes


Why do some directories show just a blank white screen, while others say "forbidden"?

Hi, that could be to do with your server setup.

#20 Nabeel

  • Advanced Member
  • Group: Administrators
  • Posts: 6227
  • Joined: 17-February 08
  • Location: Westchester, NY

Posted 14 July 2010 - 12:31 AM

I've also implemented this on the server-level for fivedev.
