CrashGordon, posted June 15, 2010:
I just caught someone rummaging around in my /phpvms/lib directory. One can assume someone wanted the code from one of my templates. Does anyone know of a way to prevent access to the directories without hampering the operation of the site? As for the person who did it, he or she was probably unaware that I log every access to the site and have their IP address, country, browser and system information. If that kind of activity continues, I will gladly publish it all over the internet.
Tom, posted June 15, 2010:
Make a new text file, rename it "index.html" or "index.php", write whatever you want in it and upload it to all the directories that previously would show the directory listing (don't have an index.html or index.php). Make sure you don't replace any files.
CrashGordon (Author), posted June 15, 2010:
Thanks, Tom. That was far too simple a solution for me to ever have thought of it.
Nabeel (Administrators), posted June 15, 2010:
You can also use an .htaccess file:
http://www.thejackol.com/htaccess-cheatsheet/
What you do is create a file called .htaccess and throw that stuff in.
CrashGordon (Author), posted June 15, 2010:
Very interesting. I was already in the process of adding things to .htaccess. Thanks.
Txmmy83, posted June 15, 2010:
CrashGordon, was that a human or a bot searching for content on your VA site?
BR
Thomas
CrashGordon (Author), posted June 15, 2010:
Unless bots have started using dialup networks, it was definitely human. I'll be kind and not say where.
CrashGordon (Author), posted June 16, 2010:
Sometimes, incidents like this serve a useful purpose. I hadn't paid too much attention to securing certain things. After all, it's a VA, not the CIA or MI6. However, I spent most of yesterday taking care of business. I adjusted my .htaccess file so it is no longer possible to browse directories. I also added index.php pages to those directories that might be tempting. Those pages contain a script that provides me with information on who is attempting to view those directories. Then, I went a bit further. I blocked a few countries I'm not on good terms with, I blocked anonymous proxy servers and so-called "bad" bots. (I didn't know there was such a thing as good bots.) And, to tidy things up, configured things so the server will not show what is in my .htaccess or other configuration files. All in all, it was a fun day.
CPC900, posted June 16, 2010:
I am new to this .htaccess thing. Can you post an example of what you have added?! Thanks.
CrashGordon (Author), posted June 16, 2010:
There are a number of sites that describe all the options available in .htaccess, including the one Nabeel posted in this thread. Google is your friend. They will probably describe things better than I would. If you want to block whole countries, Country IP Blocks has a nice way of preparing the entries you will need to deny access.
CPC900, posted June 16, 2010:
Thanks for the country link thing. So this 'code' literally just gets entered as text and all works fine? I have never used it before, so that is why I was wondering from someone who has. I am just not used to doing something "without" code, as it were.
Kyle (Moderators), posted June 16, 2010:
One time I got someone who was sneaking in my files, and I IP banned him and I taught him a lesson on how not to go inside the files.
CrashGordon (Author), posted June 16, 2010:
> Thanks for the country link thing. So this 'code' literally just gets entered as text and all works fine? I have never used it before, so that is why I was wondering from someone who has. I am just not used to doing something "without" code, as it were.
Yep. Make sure the radio button for deny access is selected before you generate the code. Just so you know what it looks like, here is a sample.
    ## Country: CONGO, THE DEMOCRATIC REPUBLIC OF THE
    # ISO Code: CD
    # Total Networks: 10
    # Total Subnets: 16,896
    deny from 41.78.104.0/22
    deny from 41.79.232.0/22
    deny from 41.189.192.0/19
    deny from 41.190.80.0/22
    deny from 41.215.252.0/22
    deny from 41.222.196.0/22
    deny from 41.222.216.0/22
    deny from 41.223.104.0/22
    deny from 193.110.104.0/23
    deny from 196.22.8.0/22
It is all plain text and the .htaccess file goes in your root HTML folder.
flyalaska, posted June 17, 2010:
Somewhere in the cpanel you can prevent others from viewing your directories. That's what I do.
Example: http://www.flyaka.com/lib/skins/
CrashGordon (Author), posted June 17, 2010:
In .htaccess, one little line takes care of disallowing directory browsing.
    Options All -Indexes
Tom, posted June 17, 2010:
> Somewhere in the cpanel you can prevent others from viewing your directories. That's what I do Example: http://www.flyaka.com/lib/skins/
Unfortunately not all panels have such features...
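
Added example, not part of the thread and not phpVMS code: a Python audit that combines the two approaches discussed above (Tom's placeholder index file and the Options line in .htaccess) and reports which directories under a web root would still show a listing. It assumes the server serves index.html or index.php as the directory index, allows listings by default, and honours Options in .htaccess; the directory names in the sample tree are constructed.

```python
import os
import re
import tempfile

INDEX_NAMES = ("index.html", "index.php")  # assumed DirectoryIndex names
OPTIONS_LINE = re.compile(r"^\s*Options\s+(.+)$", re.I)

def listing_disabled(directory, state):
    """Return True when Indexes is off here; `state` is the inherited value."""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return state
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            match = OPTIONS_LINE.match(line)
            opts = match.group(1).lower().split() if match else []
            if any(o[0] not in "+-" for o in opts):
                state = True  # absolute form resets every option, Indexes included
            for o in opts:
                if o in ("indexes", "+indexes", "all", "-indexes"):
                    state = o == "-indexes"
    return state

def audit(docroot, server_default_disabled=False):
    """Return relative paths of directories that would show a listing."""
    exposed = []
    def visit(directory, inherited):
        disabled = listing_disabled(directory, inherited)
        names = os.listdir(directory)
        if not disabled and not any(n in names for n in INDEX_NAMES):
            exposed.append(os.path.relpath(directory, docroot))
        for name in names:
            child = os.path.join(directory, name)
            if os.path.isdir(child) and not os.path.islink(child):
                visit(child, disabled)
    visit(docroot, server_default_disabled)
    return sorted(exposed)

def build_sample(root):  # constructed sample tree; names are illustrative only
    for d in ("lib/skins", "core/templates", "admin"):
        os.makedirs(os.path.join(root, d))
    open(os.path.join(root, "index.php"), "w").close()
    open(os.path.join(root, "lib", "index.html"), "w").close()  # placeholder index
    with open(os.path.join(root, "core", ".htaccess"), "w") as fh:
        fh.write("Options -Indexes\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp))
```

In the sample, the placeholder file covers only lib itself while the .htaccess in core is inherited by core/templates, so the subdirectory under lib and the admin directory are the ones reported. Apache 2.4 rejects an Options line that mixes prefixed and unprefixed keywords, so `Options -Indexes` is the form accepted by both 2.2 and 2.4.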