CrashGordon Posted June 15, 2010
I just caught someone rummaging around in my /phpvms/lib directory. One can assume someone wanted the code from one of my templates. Does anyone know of a way to prevent access to the directories without hampering the operation of the site?

As for the person who did it, he or she was probably unaware that I log every access to the site and have their IP address, country, browser and system information. If that kind of activity continues, I will gladly publish it all over the internet.

Tom Posted June 15, 2010
Make a new text file, rename it "index.html" or "index.php", write whatever you want in it and upload it to all the directories that previously would show the directory listing (don't have an index.html or index.php). Make sure you don't replace any files.

CrashGordon Posted June 15, 2010
Thanks, Tom. That was far too simple a solution for me to ever have thought of it.

Nabeel (Administrators) Posted June 15, 2010
You can also use an .htaccess file: http://www.thejackol.com/htaccess-cheatsheet/

What you do is create a file called .htaccess and throw that stuff in.

CrashGordon Posted June 15, 2010
Very interesting. I was already in the process of adding things to .htaccess. Thanks.

Txmmy83 Posted June 15, 2010
CrashGordon, was that a human or a bot searching for content on your VA site?

BR
Thomas

CrashGordon Posted June 15, 2010
Unless bots have started using dialup networks, it was definitely human. I'll be kind and not say where.

CrashGordon Posted June 16, 2010
Sometimes, incidents like this serve a useful purpose. I hadn't paid too much attention to securing certain things. After all, it's a VA, not the CIA or MI6. However, I spent most of yesterday taking care of business.

I adjusted my .htaccess file so it is no longer possible to browse directories. I also added index.php pages to those directories that might be tempting. Those pages contain a script that provides me with information on who is attempting to view those directories.

Then, I went a bit further. I blocked a few countries I'm not on good terms with, I blocked anonymous proxy servers and so-called "bad" bots. (I didn't know there was such a thing as good bots.) And, to tidy things up, configured things so the server will not show what is in my .htaccess or other configuration files.

All in all, it was a fun day.

CPC900 Posted June 16, 2010
I am new to this .htaccess thing. Can you post an example of what you have added?! Thanks.

CrashGordon Posted June 16, 2010
There are a number of sites that describe all the options available in .htaccess, including the one Nabeel posted in this thread. Google is your friend. They will probably describe things better than I would.

If you want to block whole countries, Country IP Blocks has a nice way of preparing the entries you will need to deny access.

CPC900 Posted June 16, 2010
Thanks for the country link thing. So this 'code' literally just gets entered as text and all works fine? I have never used it before, so that is why I was wondering from someone who has. I am just not used to doing something "without" code, as it were.

Kyle (Moderators) Posted June 16, 2010
One time I got someone sneaking in my files, and I IP banned him and I taught him a lesson on how to not go inside the files.

CrashGordon Posted June 16, 2010
> Thanks for the country link thing. So this 'code' literally just gets entered as text and all works fine? I have never used it before, so that is why I was wondering from someone who has. I am just not used to doing something "without" code, as it were.

Yep. Make sure the radio button for deny access is selected before you generate the code. Just so you know what it looks like, here is a sample.

    ## Country: CONGO, THE DEMOCRATIC REPUBLIC OF THE
    # ISO Code: CD
    # Total Networks: 10
    # Total Subnets: 16,896
    deny from 41.78.104.0/22
    deny from 41.79.232.0/22
    deny from 41.189.192.0/19
    deny from 41.190.80.0/22
    deny from 41.215.252.0/22
    deny from 41.222.196.0/22
    deny from 41.222.216.0/22
    deny from 41.223.104.0/22
    deny from 193.110.104.0/23
    deny from 196.22.8.0/22

It is all plain text and the .htaccess file goes in your root HTML folder.

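Added example, not part of the original thread: a Python script that parses the sample above with the standard `ipaddress` module, so a generated rule set can be checked before upload (for instance, to confirm your own address is not caught). The function names are hypothetical, and only CIDR-form `deny from` lines are handled; anything else is reported as a problem.

```python
import ipaddress

# Sample copied from the post above.
SAMPLE = """\
## Country: CONGO, THE DEMOCRATIC REPUBLIC OF THE
# ISO Code: CD
# Total Networks: 10
# Total Subnets: 16,896
deny from 41.78.104.0/22
deny from 41.79.232.0/22
deny from 41.189.192.0/19
deny from 41.190.80.0/22
deny from 41.215.252.0/22
deny from 41.222.196.0/22
deny from 41.222.216.0/22
deny from 41.223.104.0/22
deny from 193.110.104.0/23
deny from 196.22.8.0/22
"""

def parse_deny(text):
    """Return (networks, problems) for the 'deny from <CIDR>' lines in text."""
    networks, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()
        if not words:
            continue  # blank line or comment
        if len(words) != 3 or [w.lower() for w in words[:2]] != ["deny", "from"]:
            problems.append((lineno, "not a single-network deny rule"))
            continue
        try:
            # strict parsing rejects a network whose host bits are set
            networks.append(ipaddress.ip_network(words[2]))
        except ValueError as exc:
            problems.append((lineno, str(exc)))
    return networks, problems

def is_denied(address, networks):
    """True if address falls inside any parsed network."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)

def covered_addresses(networks):
    """Count addresses covered, after merging overlapping networks."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(networks))

if __name__ == "__main__":
    nets, problems = parse_deny(SAMPLE)
    print(len(nets), covered_addresses(nets), problems)
    print(is_denied("41.189.200.7", nets), is_denied("192.0.2.10", nets))
```

Run against the sample, it finds 10 networks covering 16,896 addresses, so the figure the generator labels "Total Subnets" is the number of addresses blocked.
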
flyalaska Posted June 17, 2010
Somewhere in the cpanel you can prevent others from viewing your directories. That's what I do.

Example: http://www.flyaka.com/lib/skins/

CrashGordon Posted June 17, 2010
In .htaccess, one little line takes care of disallowing directory browsing.

    Options All -Indexes

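Added example, not part of the original thread: a Python audit that walks a web root and reports which directories would still be served as a listing, combining the two fixes discussed here (an index file in the directory, or an inherited `Options` line that turns off `Indexes`). The function names and the tree are constructed for illustration; it assumes the server enables `Indexes` by default, honours `Options` in .htaccess, and uses index.html and index.php as index names.

```python
import os
import re
import tempfile

INDEX_NAMES = ("index.html", "index.php")  # assumed DirectoryIndex names
OPTIONS_RE = re.compile(r"^[ \t]*Options[ \t]+(.+)$", re.I | re.M)

def indexes_setting(text):
    """True/False if the Options lines leave Indexes on/off, None if unset."""
    state = None
    for line in OPTIONS_RE.findall(text):
        tokens = line.split()
        if any(t[0] not in "+-" for t in tokens):
            state = False  # an unsigned option replaces the inherited set
        for t in tokens:
            if t.lstrip("+-").lower() in ("indexes", "all"):
                state = not t.startswith("-")
    return state

def listable_dirs(docroot, server_default=True):
    """Directories under docroot that would be served as a listing."""
    docroot = os.path.abspath(docroot)
    inherited = {os.path.dirname(docroot): server_default}
    exposed = []
    for path, _dirs, files in os.walk(docroot):  # top-down: parents first
        state = inherited[os.path.dirname(path)]
        if ".htaccess" in files:
            with open(os.path.join(path, ".htaccess"), errors="replace") as fh:
                own = indexes_setting(fh.read())
            state = state if own is None else own
        inherited[path] = state
        if state and not any(n in files for n in INDEX_NAMES):
            exposed.append(os.path.relpath(path, docroot).replace(os.sep, "/"))
    return sorted(exposed)

def demo():
    """Audit a constructed tree shaped like the one in this thread."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("lib/skins", "lib/images", "core/templates"):
            os.makedirs(os.path.join(root, sub))
        for rel, body in (("index.php", "<?php"), ("lib/skins/index.html", ""),
                          ("core/.htaccess", "Options All -Indexes\n")):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        return listable_dirs(root)

if __name__ == "__main__":
    print(demo())
```

Apache 2.4 rejects an `Options` line that mixes signed and unsigned keywords, so on current servers the line is written `Options -Indexes`.
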
Tom Posted June 17, 2010
> Somewhere in the cpanel you can prevent others from viewing your directories. That's what I do.
>
> Example: http://www.flyaka.com/lib/skins/

Unfortunately not all panels have such features...