After many frustrating months of learning how to protect my web site I decided to help some other webmasters out as well. There's really only one reason we need to worry about this stuff: People like to steal. Every increase in my site's security has been brought on by someone hacking into it and let me tell you, there have been many increases. :)
I have separated this page into several sections:

1) Stopping Hackers
2) Stopping Site Snagging (offline viewing)
3) Stopping Hotlinking
4) Multiple Domain Names: Shared Members Areas

1) Stopping Hackers
The most common way of protecting your members only area is with, as I'm sure you know, a file named .htaccess sitting in your server's members folder. This file is used by your server to pop up a little box and force people to enter a username and password. It then checks that against a password file located on your server to see if the info is valid. If it is, access is given.

There are, however, many lines that you can add to your .htaccess file that most webmasters don't really know about. I'll go through them one by one as well as show you completed .htaccess files that you can start using immediately.

NOTE: You only need to copy the text below that is in black. It is also important that you use a very basic text editor to save the file. Use Notepad or NoteTab to do it. DO NOT use MS Word! The file will not save correctly! You should also realize that an .htaccess file is just a plain text file with a funny name. The complete file name really is .htaccess, period in front and all.

Here is the basic .htaccess file that most people use:
AuthUserFile /server/path/to/your/password/file/.htpasswd
AuthGroupFile /dev/null
AuthName "Members Area"
AuthType Basic
# Note: a <Limit> block restricts only the methods it lists (GET also covers HEAD).
# Any other request method is not password-checked by this block, which is why
# Apache's documentation advises against wrapping access controls in <Limit>.
<Limit GET PUT POST>
require valid-user
</Limit>
This file, when placed in your members only folder, will protect all of the subfolders under it. There are, however, some holes here. Once inside the members area, they can still poke around for things you may not want them to see by being creative and typing in URLs. Most of the time this is no big deal. However, they really don't need to be poking around in there.

Another problem is that some password security programs have to be accessed directly or in a very specific way to work. An older version of the security program I used required a file called index.cgi to be placed in the members only folder. When you linked to http://princessmandy.com/members/ it would do two things. First, the .htaccess file would check the username and password to see if they were valid. Second, if approved, it would run my security program to see how many people have used that username and password. If that checked out, they would be sent to the opening page of my members area, which was actually http://princessmandy.com/members/welcome.htm.

That worked fine as long as no one tried to go directly to the welcome.htm page. Guess what, hackers are smart. By posting a simple link on a password trading site, they could bypass the security program and gain access in one easy step. The link would look like this:

http://username:password@princessmandy.com/members/welcome.htm

Look familiar? If you've ever been password traded (and you will) it should look familiar. After that I learned of some code that will stop this and force everyone to use one page to gain access to the members area.
AuthUserFile /server/path/to/your/password/file/.htpasswd
AuthGroupFile /dev/null
AuthName "Members Area"
AuthType Basic
<Limit GET PUT POST>
require valid-user
</Limit>
RewriteEngine On
# The Referer must start with http://yourdomain.com/ or any subdomain of it
# ([NC] = ignore case). A missing Referer fails this test too. The Referer is
# supplied by the client, so this steers well-behaved browsers through
# login.htm; it does not replace the password check above.
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*yourdomain\.com/ [NC]
# .* matches every request in this folder; [R] redirects, [L] stops processing.
RewriteRule .* http://www.yourdomain.com/login.htm [L,R]
The new section activates the RewriteEngine feature of your .htaccess file. This will now only allow access to the members area of your site through a link on your page. If they don't use an actual link on your site they cannot get in. Any URL that you manually type into the address bar of your browser will show up in your log file as having no referrer and will not pass. The only way to satisfy the RewriteCond of this updated .htaccess file is to use a link on your site.

Using this example, you will need a new little web page named login.htm in your free area. On that page you will need a link to your members area, whatever link will allow your security program to work right.

The main thing I like about using this is that it keeps people from messing around inside the members area. Since I update with new pics every week, I can upload several sets at a time to the server and have them waiting. I don't have to worry about anyone finding them before I link to them.

Now remember, if you don't have any software in place to monitor how many times your usernames and passwords are being used, this won't help you at all. This method won't stop shared usernames and passwords from being used. It is only here to channel people into your password sharing software. I personally recommend using Password Sentry. It's a one time charge and they give you lifetime upgrades and support. It's also not very expensive. I haven't found any program out there that I liked any better, at any price. You can find them at http://www.monster-submit.com/sentry/

I actually use their newest version, which can stop people from hammering your site with username and password combinations until they get one that works. I was getting at least one person a day running one of those programs on my site trying to get in. I still use an .htaccess file in my members area, but it no longer checks for a username and password. It looks for a temporary cookie that is placed on their system if they are approved by my security program. It's just as secure but blocks those password hammering programs completely.
--------------------------------------------------------------------------------
2) Stopping Site Snagging
This one pisses me off. There are many programs out there designed for "offline viewing" of web sites. These programs allow a person to download everything on your site to their computer. It works wonderfully in the free area; however, if they have a username and password to your site, they can also download your entire members area.

If you don't have any software protecting you from password traders, this one could be devastating. Not only could everyone in the world get into your members area for free, they could download everything in there in a hurry. If you have 200 MB of stuff on your site and 1000 people get in for free and decide to use one of these programs, you're looking at 200 gigabytes of transfer in as short as one day. Can you afford that? Those numbers are kind, too. Many of you have much more than 200 MB of stuff. I've also been traded in the past and was receiving 4500 people per hour into the members area for free. That could put you out of business in a hurry.
If you don't think that these programs are a problem, check your stats. Many stats programs will tell you the different web browsers that are visiting your site. I have programs like Teleport Pro and Offline Explorer in my top 10 web browsers every single day.

Since we have to pay for bandwidth, which can get expensive as your site grows, this can turn into a major problem. I was surprised at how much bandwidth I saved after adding these lines to an .htaccess file.

Here's the best part. You can place this .htaccess file in your root public directory. Put it in the same folder as your site's opening index file and it will protect your entire site.

You'll notice one major difference about this file. It doesn't require usernames and passwords to get in. Those lines have simply been removed from the file. It will also not have any effect on the .htaccess file in your members folder. That one will check passwords; this one will stop people from snagging your site.

There are actually 3 sections to the file below.
The first section allows you to block specific users' IP addresses. I have two blocked here. There were users that tried hammering my site with around 20,000 username and password combos. This part is optional since most people have a new IP each time they log on. However, if they are using a cable modem they will keep the same IP all of the time, like the two in my example. If I were you I would definitely leave that guy in there.

The second section relates to 404 errors. This works well with the way many search engines work. I don't know how many of them are still linking to pages on my site that no longer exist. If someone clicks on a link from that search engine that is no longer any good, they just get that blank error page. The errordocument line below forwards those people to another page. I forward them to my opening page. That way, if they come to my site using a link that is no longer valid, they end up at my opening page never realizing that the link was bad.

The third section stops the programs that will try and download your site. Since I'm finding more all the time, the list keeps growing. If you discover more, just add them in. If the program is actually two words, Teleport Pro for example, you only need to include one word to block them. Notice below that I have a line including Teleport, but not Teleport Pro. I've downloaded the program and tested it. This method works perfectly.

The very last line, the RewriteRule, is where violators will be sent to. I have personally chosen a site at geocities that features sewing patterns for gay men's swimwear. :)
# Section 1: block specific IP addresses. This is the old Order/Allow/Deny
# syntax; Apache 2.4 only understands it with mod_access_compat loaded.
<Limit GET>
order allow,deny
deny from 24.128.16.113
allow from all
</Limit>
# Section 2: send visitors who hit a missing page to the opening page instead of a bare 404.
errordocument 404 http://www.princessmandy.com/index.htm
# Section 3: redirect site-snagging programs by User-Agent. There is no [NC]
# flag, so each match is case-sensitive; every line except the last carries [OR].
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*WebZIP.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Stripper.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Offline.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Copier.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Crawler.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Snagger.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Teleport.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Reaper.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Wget.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Grabber.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Sucker.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Downloader.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Siphon.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Collector.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Mag-Net.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Widow.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Snake.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*BackWeb.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*gotit.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Vacuum.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Pump.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*HMView.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*HTTrack.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*JOC.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*likse.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Memo.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*pcBrowser.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*SuperBot.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*leech.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Mirror.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Recorder.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*GrabNet.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Likse.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Navroad.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*attach.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Magnet.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Surfbot.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Bandit.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Ants.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Buddy.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Whacker.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*FileHound.*$
# .* matches every request; [R] redirects, [L] stops processing.
RewriteRule .* http://www.geocities.com/WestHollywood/Heights/3204/1home.html [L,R]
If you decide to redirect them somewhere else, be sure to leave the "[L,R]" at the end of the line. It's rather important.

Remember to always check your site immediately after uploading a new .htaccess file to your server. If there are any errors in your file, your site will most likely not load at all. In that case, quickly delete the file off of the server until you figure out what went wrong!
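As an added example (not code from this page), here is a Python script that parses a few constructed Apache combined-format log lines, flags the hits that a subset of the User-Agent RewriteConds above would have redirected, and sums the bytes served per agent, the same "check your stats" review the text recommends. The fragment list, log lines and function names are mine; the matching mirrors the page's ^.*NAME.*$ patterns without [NC], so it is case-sensitive, which the lowercase "wget" line illustrates.

```python
import re
from collections import defaultdict

# A subset of the user-agent fragments from the .htaccess above (the page's full
# list is longer). Patterns are built the way the RewriteCond lines are,
# ^.*FRAGMENT.*$, with no [NC] flag, so matching is case-sensitive.
BLOCKED_AGENT_FRAGMENTS = ["WebZIP", "Offline", "Teleport", "Wget", "HTTrack", "Sucker"]
BLOCKED_AGENT_RE = re.compile(
    "^.*(" + "|".join(re.escape(f) for f in BLOCKED_AGENT_FRAGMENTS) + ").*$"
)

# Apache "combined" log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines, not real traffic. The last one spells "wget"
# in lowercase on purpose to show what a case-sensitive rule lets through.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2000:13:55:36 -0700] "GET /members/set12/01.jpg HTTP/1.0" 200 48210 "http://www.example.com/members/welcome.htm" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
198.51.100.7 - - [10/Oct/2000:13:56:01 -0700] "GET /members/set12/02.jpg HTTP/1.0" 200 51233 "-" "Teleport Pro/1.29"
198.51.100.7 - - [10/Oct/2000:13:56:02 -0700] "GET /members/set12/03.jpg HTTP/1.0" 200 49877 "-" "Teleport Pro/1.29"
192.0.2.44 - - [10/Oct/2000:13:57:10 -0700] "GET /members/ HTTP/1.0" 200 2210 "-" "Mozilla/4.0 (compatible; Offline Explorer)"
192.0.2.9 - - [10/Oct/2000:13:58:22 -0700] "GET /index.htm HTTP/1.0" 200 1802 "-" "wget/1.5.3"
"""

def parse_line(line):
    """Fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def would_redirect(agent):
    # True when the agent satisfies one of the [OR]-chained RewriteConds.
    return BLOCKED_AGENT_RE.match(agent) is not None

def audit(lines):
    """Return (hits, totals): the (host, agent) pairs the RewriteRule would have
    redirected, and bytes served per user agent (the 'check your stats' step)."""
    hits, totals = [], defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        totals[rec["agent"]] += rec["bytes"]
        if would_redirect(rec["agent"]):
            hits.append((rec["host"], rec["agent"]))
    return hits, dict(totals)
```

Running audit(SAMPLE_LOG.splitlines()) flags the two Teleport Pro hits and the Offline Explorer hit, while the lowercase wget hit passes untouched.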
--------------------------------------------------------------------------------
3) Stopping Hotlinking
I think I see some of you smiling already. Yes, you can use an .htaccess file to stop people from hotlinking images off of your site. I recently discovered several of my pictures being posted on a messageboard. They had a little message and then my picture would pop up in the message. It was loading directly off of my server with absolutely nothing pointing back to me. I was pissed.

The .htaccess file to prevent this is very similar to some of the ones above. It's just much shorter since it only performs one function, to stop hotlinking. It does this by checking the referrer, in other words, where the hit is coming from.

I have actually moved all of my images, graphics, games, you name it, into a subfolder in the free area. I then just place this .htaccess file into that folder.
I DON'T recommend adding these lines into the .htaccess file above that protects your entire site. Why? Well, when you sign up on someone else's friends page you have to enter in a URL of your ID picture. If you block everything then all of your ID pictures on all of those friends pages you signed up for will not load. Your ID picture will be a very sexy little red x.

You can stop people from hotlinking your ID pictures if you want, just think it through first. I have my banner farm protected to stop new sign ups from hotlinking. However, I still have a few ID pictures in unprotected areas too. That way I can sign up for new friends and links pages. You also don't want to block everything if you purposely post pictures at picpost pages. If you block your entire site, none of those picposts will load.

Similar to some of the above files, this one will allow the picture to load only if the referring site starts with princessmandy.com/. Do not include the www. in here. That's what all of the crap in front of princessmandy.com/ is for. The referrer can end with anything it likes, as long as it has princessmandy.com/ in it.
RewriteEngine On
# Serve only when the Referer is princessmandy.com/ or a subdomain of it (the
# group in front covers www.), ignoring case. Requests with no Referer at all,
# such as an image URL typed straight into the browser, are redirected too.
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*princessmandy\.com/ [NC]
RewriteRule .* http://www.princessmandy.com [L,R]
--------------------------------------------------------------------------------
4) Multiple Domain Names: Shared Members Areas

Here's a fun one. Many of you may have several web sites but only one credit card account and one password file. How do you get everyone to have access to all of your sites' members areas but only use one account? Easy. Use .htaccess files. This can get a little bit tricky so pay attention.

Let's say you have three sites: monkeyone.com, monkeytwo.com, and monkeythree.com. Let's also say that you want anyone joining one site to have access to all three.

Pick one site to house the main entry page. Just like in the above examples, create a page called http://www.monkeyone.com/login.htm in the free area of that site. You can call it whatever you want. Use that page as the entry page for all of your web sites. Just put a link on there saying "click here to enter the members area" or something.

Now everywhere on monkeytwo.com and monkeythree.com that says "members entrance" should point to http://www.monkeyone.com/login.htm. Understand? Only one entrance page and only one password file. Everyone must enter from the same place.

Now, you'll need to add the following lines to your .htaccess file in the members only folder of monkeyone.com.
RewriteEngine On
# Allow any page on monkeyone.com (the login page lives there) and the members
# folders of the other two sites; anything else, including an empty Referer,
# is sent to login.htm. The Referer is client-supplied, so the password check
# in this folder's .htaccess remains the real gate.
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*monkeyone\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*monkeytwo\.com/members/ [NC]
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*monkeythree\.com/members/ [NC]
RewriteRule .* http://www.monkeyone.com/login.htm [L,R]
This will allow entry only from either your main page's entry page, or from the members area of your other sites. This part is tricky to think about but very important.

Your new monkeyone.com members only folder .htaccess file will most likely look like this:
AuthUserFile /server/path/to/your/password/file/.htpasswd
AuthGroupFile /dev/null
AuthName "Members Area"
AuthType Basic
<Limit GET PUT POST>
require valid-user
</Limit>
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*monkeyone\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*monkeytwo\.com/members/ [NC]
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*monkeythree\.com/members/ [NC]
RewriteRule .* http://www.monkeyone.com/login.htm [L,R]
Now here's the fun part. The members areas of monkeytwo.com and monkeythree.com will no longer check for a valid username and password. They will only check where the person is coming from. If they aren't coming from one of three places they will be routed to the login.htm page on monkeyone.com.

This .htaccess file is very small and should be placed in the members only folder at monkeytwo.com and monkeythree.com.

You must include lines for all of your sites in every .htaccess file.

The .htaccess files at monkeytwo.com/members and monkeythree.com/members should look like this:
RewriteEngine On
# No password check in this folder: the Referer is the only gate, so the list
# must name the members folder of every site, including this one (a link from
# one page in this folder to another sends this folder as its Referer).
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*monkeyone\.com/members/ [NC]
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*monkeytwo\.com/members/ [NC]
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*monkeythree\.com/members/ [NC]
RewriteRule .* http://www.monkeyone.com/login.htm [L,R]
That's it. They're very short files but they will do the job. These new .htaccess files at monkeytwo and monkeythree will only allow people access if they're coming from the members only area of one of the other sites. They don't need to check usernames and passwords too.
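The Referer gating used in sections 1, 3 and 4 can be checked before a file is uploaded. The following Python is an added example, not this page's own code: it emulates the negated, ANDed RewriteCond chain of the monkeytwo/monkeythree members-folder file above (with the dots escaped) against constructed Referer values, including the empty Referer of a typed URL, a subdomain in odd letter case, a secondary site's free area, and an https Referer. compile_rules, decide and route are hypothetical helper names of mine.

```python
import re

# Hypothetical whitelist mirroring the RewriteCond lines for the monkeytwo /
# monkeythree members folders (constructed for this example). Dots are escaped
# here; the rules on the page leave them bare, where "." matches any character.
ALLOWED_REFERER_PATTERNS = [
    r"^http://([a-z0-9-]+\.)*monkeyone\.com/members/",
    r"^http://([a-z0-9-]+\.)*monkeytwo\.com/members/",
    r"^http://([a-z0-9-]+\.)*monkeythree\.com/members/",
]
LOGIN_URL = "http://www.monkeyone.com/login.htm"   # the [L,R] target

def compile_rules(patterns, nocase=True):
    """[NC] on each RewriteCond makes the match case-insensitive."""
    return [re.compile(p, re.IGNORECASE if nocase else 0) for p in patterns]

def decide(referer, rules):
    """Emulate the negated ('!') RewriteCond chain. The conditions are ANDed,
    so the RewriteRule fires only when the Referer matches none of them.
    Returns the redirect target, or None when the request is served."""
    for rule in rules:
        if rule.match(referer):
            return None
    return LOGIN_URL

def route(referers, rules):
    """Map each Referer value (as logged, '-' for none) to its outcome."""
    outcome = {}
    for ref in referers:
        target = decide("" if ref == "-" else ref, rules)
        outcome[ref] = "served" if target is None else f"redirect -> {target}"
    return outcome

# Constructed Referer values covering the cases the text discusses.
SAMPLE_REFERERS = [
    "-",                                                # typed into the address bar: no Referer
    "http://www.monkeytwo.com/members/index.htm",       # link inside another site's members area
    "HTTP://Members.MonkeyThree.COM/members/pics.htm",  # subdomain, odd case: [NC] accepts it
    "http://www.monkeytwo.com/index.htm",               # free area of a secondary site: not allowed
    "http://www.monkeyone.com/login.htm",               # entry page: not listed for these folders
    "https://www.monkeytwo.com/members/index.htm",      # https Referer: ^http:// does not match it
]

if __name__ == "__main__":
    for ref, outcome in route(SAMPLE_REFERERS, compile_rules(ALLOWED_REFERER_PATTERNS)).items():
        print(f"{ref!r:52} {outcome}")
```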
I made a new page in my members area that links to all three of my sites. Once they are validated at princessmandy.com they end up on this one page. It's sort of a "Welcome inside. What site do you want to visit?" type of thing. It works very, very well and allows me to use one password file for as many sites as I want.

This method can also be used to allow two very different sites to share a members area. Each site can be owned and operated by two different people using two different login pages, generating their own revenue, but sharing a members area.

Just allow access from either your own site, or the members only folder of the other site.
--------------------------------------------------------------------------------
Well, I hope this helped. It's rather confusing at times but can make things at your site run much safer and much more smoothly.

If you've found any of this helpful let me know. :)

-Mandy