
Server hardening - Apache

If your website runs on Apache (as is the case for almost 60% of all known sites worldwide; see http://w3techs.com/technologies/details/ws-apache/all/all), we have found a couple of interesting configuration adaptations which can help you harden the Apache part. Other servers can have equivalent configurations, but we will limit ourselves to Apache only.

  1. Protect your site against known Joomla attacks by using the .htaccess file included in the Joomla distribution

    With any distribution of Joomla 2.5 and Joomla 3.x, a file named htaccess.txt is included. At the end of this file, a couple of rules are included that help to protect against known, frequent attacks, so they can immediately protect your site from these kinds of attacks. Rename this file to .htaccess and Apache will immediately start using these rules and protecting your site.

    ## Begin - Rewrite rules to block out some common exploits.
    # If you experience problems on your site block out the operations listed below
    # This attempts to block the most common type of exploit `attempts` to Joomla!
    #
    # Block out any script trying to base64_encode data within the URL.
    RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
    # Block out any script that includes a <script> tag in URL.
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    # Block out any script trying to set a PHP GLOBALS variable via URL.
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    # Block out any script trying to modify a _REQUEST variable via URL.
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    # Return 403 Forbidden header and show the content of the root homepage
    RewriteRule .* index.php [F]
    #
    ## End - Rewrite rules to block out some common exploits.
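To see what the four RewriteCond patterns above actually match before you enable them on a live site, the following added example (written for this page, not code from the Joomla distribution or from the article) re-implements them in Python and runs them over a handful of constructed query strings. Apache matches these conditions against the raw, still URL-encoded QUERY_STRING, so the samples are written the way they would arrive on the wire; the rule names and sample values are my own.

```python
"""
Added example: evaluate the exploit-blocking RewriteCond patterns from Joomla's
htaccess.txt against sample query strings, so their effect can be checked offline.
"""
import re
from typing import Optional

# Patterns copied from the .htaccess rules above. The [NC] flag on the <script>
# rule becomes re.IGNORECASE; Apache uses PCRE, and these four patterns are plain
# enough that Python's re module evaluates them the same way.
RULES = [
    ("base64_encode", re.compile(r"base64_encode[^(]*\([^)]*\)")),
    ("script_tag", re.compile(r"(<|%3C)([^s]*s)+cript.*(>|%3E)", re.IGNORECASE)),
    ("GLOBALS", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]


def blocked_by(query_string: str) -> Optional[str]:
    """Return the name of the first rule that matches, or None when the request
    would pass through to Joomla's index.php. This mirrors the [OR] chain: any
    single match triggers the 403 from `RewriteRule .* index.php [F]`."""
    for name, pattern in RULES:
        if pattern.search(query_string):
            return name
    return None


# Constructed sample query strings (not taken from real traffic).
SAMPLES = [
    "option=com_content&view=article&id=5",   # ordinary Joomla URL: allowed
    "q=%3Cscript%3Ealert(1)%3C/script%3E",    # URL-encoded <script>: blocked
    "q=<ScRiPt>alert(1)</script>",             # mixed case, caught thanks to [NC]
    "GLOBALS[_SERVER]=1",                      # attempt to set a PHP superglobal
    "data=base64_encode(YWJj)",                # base64_encode(...) call in the URL
    "_REQUEST%5Bx%5D=1",                       # %5B is an encoded '[': blocked
    "q=base64_encoded_images",                 # the bare word alone is fine: allowed
]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(f"{blocked_by(qs) or 'allowed':14s} {qs}")
```

Note that these conditions inspect only the query string; they say nothing about POST bodies or request headers, so treat them as a cheap first filter in front of Joomla, not as a substitute for keeping the core and extensions patched.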
    
  2. Remove the Apache signature from your webserver responses

    If something goes wrong, or if you know the tricks to explicitly "ask" for it, the Apache webserver returns its full signature, so your visitor knows exactly which webserver your site is running on. Even though I don't believe in security by obscurity, it's a good idea not to make it too easy for visitors, especially the malicious ones, to find out the complete configuration of your website. Your first line of defense can be not to show your Apache signature, and it's quite easy to remove that information throughout your website by adding one single line somewhere in your .htaccess file. Simply adding the line below will do the trick.

    # Disable server signature
    ServerSignature Off
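Apache reveals its version in two places: the footer of the error pages it generates itself (controlled by ServerSignature, the directive above) and the Server response header (controlled by ServerTokens, which Apache only accepts in the main server configuration, not in .htaccess). The following added example, which is my own code and not part of the article, checks a response for both leaks. The checker works on captured header and body text, so the sample responses are constructed inline; fetch_and_check() wraps it for a live request against a URL of your choosing.

```python
"""
Added example: detect Apache version disclosure in a response's Server header
(ServerTokens) and in the error-page footer (ServerSignature).
"""
import re
import urllib.error
import urllib.request
from typing import Dict, List

# "Apache/2.4.41 (Ubuntu)"-style token; with ServerTokens Prod the header is just "Apache".
VERSION_RE = re.compile(r"Apache/\d+(\.\d+)*")
# Footer Apache appends to its own error pages while ServerSignature is On, e.g.
#   <address>Apache/2.4.41 (Ubuntu) Server at www.example.org Port 80</address>
SIGNATURE_RE = re.compile(r"<address>.*?Server at .*?</address>", re.IGNORECASE | re.DOTALL)


def find_leaks(headers: Dict[str, str], body: str) -> List[str]:
    """Return one finding per leak; an empty list means nothing version-related was exposed."""
    findings = []
    server = next((v for k, v in headers.items() if k.lower() == "server"), "")
    if VERSION_RE.search(server):
        findings.append(f"Server header reveals the version: {server!r} (set ServerTokens Prod in httpd.conf)")
    if SIGNATURE_RE.search(body):
        findings.append("error page carries the Apache signature footer (set ServerSignature Off)")
    return findings


def fetch_and_check(url: str) -> List[str]:
    """Live variant: fetch a URL that Apache itself answers (an error page for a path
    that is not rewritten to index.php, for example) and inspect the response."""
    req = urllib.request.Request(url, headers={"User-Agent": "signature-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return find_leaks(dict(resp.headers), resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 4xx/5xx still carries the headers and body we want
        return find_leaks(dict(err.headers), err.read().decode("utf-8", "replace"))


# Constructed sample responses (not captured from a real host).
DEFAULT_404_HEADERS = {"Server": "Apache/2.4.41 (Ubuntu)", "Content-Type": "text/html"}
DEFAULT_404_BODY = (
    "<html><body><h1>Not Found</h1><hr>\n"
    "<address>Apache/2.4.41 (Ubuntu) Server at www.example.org Port 80</address>\n"
    "</body></html>"
)
HARDENED_404_HEADERS = {"Server": "Apache", "Content-Type": "text/html"}
HARDENED_404_BODY = "<html><body><h1>Not Found</h1></body></html>"

if __name__ == "__main__":
    print("default :", find_leaks(DEFAULT_404_HEADERS, DEFAULT_404_BODY))
    print("hardened:", find_leaks(HARDENED_404_HEADERS, HARDENED_404_BODY))
```

Run the check once after editing .htaccess: the default sample yields two findings, the hardened one none. If only the header finding remains, the .htaccess change worked and the remaining fix belongs in the main Apache configuration.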
    
  3. Protect your administrator directory

    You won't be able to prevent this detection completely, but by protecting your administrator directory with an extra password you can make this a lot more difficult for less experienced and would-be hackers. In a separate article about how to protect your Joomla administrator login, I already described how to password-protect this directory so that it's impossible for any user to see your real backend without knowing a correct username and the accompanying password.

  4. Restrict access to your directories and files once your site is stable and the configuration will not change

    Once your site has been set up, you have installed everything you need for your site and you think you only have to add content, then you can protect your site better by restricting access to critical directories and files. BEWARE: if you want to change your configuration after you have changed the default access, or you want to install additional plugins/modules, you will have to revert your changes, and after you have made the additions to your website you have to apply these hardening tricks again.

    Once your site is configured, you should write-protect all your directories and files by using CHMOD (755 for directories, 644 for files). CHMOD is one of the core Unix/Linux commands and it is the command you use to set the directory and file access rights. Every directory and every file can have 3 different kinds of access rights: you can read it, you can write it or you can execute it (for a directory, meaning you are allowed to execute files with execute access inside the directory). Because we're in computerland, everything is translated into bits & bytes in the following way:

    Read = 4
    Write = 2
    Execute = 1

    On the other hand, the users are also divided in 3 groups:

    Owner Permissions = 1st figure
    Group Permissions (with special rights to the directory or file) = 2nd figure
    Public Permissions = 3rd figure

    Which means that the first figure you have in the list indicates the Owner Permissions, the second figure indicates the Group Permissions and the third figure indicates the Public Permissions. If we translate that to our 755 and 644 it means that

    • the Owner has Read, Write and Execute rights on the directories (4+2+1 = 7 - first figure) and that the Owner has Read and Write rights on the files (4+2 = 6 - first figure)
    • the Group has Read and Execute rights on the directories (4+1 = 5 - second figure) and that the Group has Read rights on the files (4 - second figure)
    • the Public has Read and Execute rights on the directories (4+1 = 5 - third figure) and that the Public has Read rights on the files (4 - third figure)

    For more explanation on CHMOD and permissions, you can check on Wikipedia

    Any good FTP client should be able to help you do the trick: log in to your site through the FTP client.

    For directories:

    Go to the directory for which you want to change the access rights, right click and choose the "file permission" menu item (in FileZilla this will be the last one). Then set the Owner permissions to Read/Write/Execute (7), the Group permissions to Read/Execute (5) and the Public permissions also to Read/Execute (5). If you don't allow Execute for Public, a problem will arise when a specific file somewhere needs to be executed on your server. There is no problem in leaving the Execute access open on a directory, as long as you make sure that you don't allow Execute rights on files which don't need execute rights (e.g. PHP files normally don't need Execute rights!).

    [Screenshot: FileZilla file permissions dialog with directories set to 755]

    You can recurse the new access rights to all subdirectories of the one you're setting access for by ticking the "Recurse into subdirectories". In order to make sure you don't change the access rights of all your files at the same time, make sure to select the "Apply to directories only" option before clicking OK.

    For files:

    Go to the file for which you want to change the access rights, right click and choose the "file permission" menu item (in FileZilla this will be the last one). Then set the Owner permissions to Read/Write (6), the Group permissions to Read (4) and the Public permissions also to Read (4).

    [Screenshot: FileZilla file permissions dialog with files set to 644]

    Contrary to the directories, you won't be able to change all files in one go, as there is no recursive option. The best thing you can do in your FTP client is to select all files in one directory, right click and then apply your new access rights to all the selected files.

    Make sure your public directories are not writeable for visitors of your site

    As you manage your folders mainly through an FTP client, you can use its built-in option to set the access to your directories to read and execute for everybody; only the owner of the directory (which is you, through your FTP user) gets read, write and execute rights. It's not possible to use your .htaccess file specifically for this, as you cannot make a distinction between read and write using .htaccess.

    So give all of your public directories 755 access rights.

    Make sure your public files are not writeable for visitors of your site

    All public files can be accessed by all of your visitors. So it's quite obvious you don't leave them open to possible attacks by allowing your visitors to write to them. That's why you have to make them read-only for all of your visitors. Normally, there won't be any executable file in your public directories, so it's safe to make them read-only; only the owner of the files (which is again you, through your FTP user) must also have write rights. The same applies as for the directories if you think about using .htaccess: you cannot make a distinction between read and write, so .htaccess is no option.

    So give all of your public files 644 access rights.
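The FTP client can recurse into directories but not into files, so on a site of any size the check is easier to do on the server itself. The following added example (my own code, not part of the article) is a server-side equivalent of the FileZilla steps above: it renders a mode as the rwx string the 4/2/1 figures describe, walks a document root and reports every directory that is not 755 and every file that is not 644, lists anything group- or world-writable (the condition the two headings above warn about), and with fix=True applies the same chmod the article does by hand. The site root path is an assumption; the demo tree it builds is constructed and not a real installation. Run it as the account that owns the files, e.g. over SSH.

```python
"""
Added example: audit (and optionally fix) Joomla file permissions to 755/644.
"""
import os
import stat
import sys
import tempfile
from typing import List, Tuple

DIR_MODE = 0o755   # owner rwx (4+2+1), group r-x (4+1), public r-x (4+1)
FILE_MODE = 0o644  # owner rw- (4+2),   group r-- (4),   public r-- (4)
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def rwx(mode: int) -> str:
    """Render the three octal figures as ls -l shows them: 0o755 -> 'rwxr-xr-x'."""
    out = []
    for shift in (6, 3, 0):  # owner, group, public: one octal figure each
        bits = (mode >> shift) & 0o7
        out.append(("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-"))
    return "".join(out)


def audit(root: str, fix: bool = False) -> List[Tuple[str, str, str]]:
    """Return (path, current, expected) for every entry that deviates from 755/644.
    With fix=True the expected mode is applied, for files as well as directories."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(dirpath, DIR_MODE)] if dirpath == root else []
        entries += [(os.path.join(dirpath, d), DIR_MODE) for d in dirnames]
        entries += [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
        for path, expected in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # never chmod through a symlink
            current = stat.S_IMODE(st.st_mode)
            if current != expected:
                findings.append((path, rwx(current), rwx(expected)))
                if fix:
                    os.chmod(path, expected)
    return findings


def writable_by_others(root: str) -> List[str]:
    """Entries that someone other than the owner could modify: the one condition
    that must never hold for a public directory or file."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & WRITABLE_BY_OTHERS:
                hits.append(path)
    return hits


def make_demo_tree() -> str:
    """Constructed sample tree (not a real site): one directory and one file left
    world-writable, as a careless upload would leave them."""
    root = tempfile.mkdtemp(prefix="joomla-perms-")
    os.chmod(root, DIR_MODE)
    os.mkdir(os.path.join(root, "images"))
    os.chmod(os.path.join(root, "images"), 0o777)
    for name, mode in (("index.php", FILE_MODE), ("configuration.php", 0o666)):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<?php\n")
        os.chmod(os.path.join(root, name), mode)
    return root


if __name__ == "__main__":
    # Usage: python perms.py /path/to/joomla [--fix]; with no argument, audit the demo tree.
    site_root = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree()
    for path, current, expected in audit(site_root, fix="--fix" in sys.argv):
        print(f"{current} -> {expected}  {path}")
    for path in writable_by_others(site_root):
        print(f"writable by others: {path}")
```

Run it once without --fix to review the list (configuration.php in particular should never be writable by anyone but the owner), then with --fix to apply 755/644 in one pass; rerunning it afterwards should print nothing.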
