


.htaccess Güvenliği - Codex - 09-30-2023

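# Force HTTPS. FollowSymLinks (or the stricter SymLinksIfOwnerMatch, preferable
# on shared hosts) is required for mod_rewrite to run from a per-directory
# (.htaccess) context at all.
Options +FollowSymLinks
RewriteEngine on
# Only plain-HTTP requests are redirected. NOTE(review): %{HTTPS} reflects the
# connection Apache itself terminated; behind a TLS-offloading proxy it is
# always "off" and this rule loops - test %{HTTP:X-Forwarded-Proto} there.
RewriteCond %{HTTPS} off
# R on its own is a 302 (temporary). An HTTP->HTTPS redirect is permanent, so
# it should be a 301 that clients and search engines may cache. The target
# reuses the host the client asked for; if this vhost answers for several
# names, pin the canonical hostname here instead of %{HTTP_HOST}.
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]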

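# Directory listings off. The original "Options All -Indexes" also switched ON
# every other option for this tree (Apache's "All" is everything except
# MultiViews: ExecCGI, Includes with exec, FollowSymLinks, ...), which is far
# more than a listings toggle and would let scripts run from any directory the
# host permits. The relative form changes only the one option and is the same
# form as the +FollowSymLinks line above (absolute and +/- forms must not mix).
Options -Indexes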

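# Pretty URLs. The two RewriteCond lines guard only the RewriteRule that
# immediately follows them (Anasayfa); the sitemap rules run unconditionally,
# as in the original. Dots are escaped so that "sitemap.html" means that exact
# name (an unescaped "." matched any character), and [L] stops this pass of
# the rule set once a rewrite has happened.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^Anasayfa$ index.php [L]
RewriteRule ^sitemap\.html$ sitemap.php [L]
RewriteRule ^sitemap\.xml$ sitemap.php [L]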


############ MAINTENANCE-MODE URLS ############
# Both vanity paths are served by PHP scripts under back/; QSA keeps the
# original query string and L ends this pass of the rule set.
RewriteRule ^Gecici-olarak-hizmet-disi.*$ back/Kapali/index.php [QSA,L]
RewriteRule ^Uyeliginiz-Yasaklandi.*$ back/error/userbanned.php [QSA,L]




# Enable Compression
# NOTE(review): compressing text/html in the server makes the site a BREACH
# candidate if any page reflects attacker-controlled input next to a secret
# (CSRF token, session id); confirm the application masks or rotates its
# tokens before relying on HTML compression.
<IfModule mod_deflate.c>
    # Markup, scripts, styles, feeds and plain text.
    AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml text/javascript
    AddOutputFilterByType DEFLATE application/javascript application/x-javascript
    AddOutputFilterByType DEFLATE application/xml application/xhtml+xml application/rss+xml
    # Vector images and icons.
    AddOutputFilterByType DEFLATE image/svg+xml image/x-icon image/webp
    # Web fonts, under every type name the original listed (woff/woff2 are
    # already compressed internally; kept only to match the original).
    AddOutputFilterByType DEFLATE font/opentype font/otf font/ttf font/woff font/woff2
    AddOutputFilterByType DEFLATE application/vnd.ms-fontobject application/x-font application/x-font-opentype application/x-font-otf application/x-font-truetype application/x-font-ttf
    # Legacy Netscape 4 / MSIE workarounds.
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
</IfModule>

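# Font MIME types (RFC 8081 font/* registry). The original mapped .woff/.woff2
# to application/font-woff(2), .ttf to application/x-font-ttf and .otf to
# font/opentype; none of those match the font/woff, font/woff2, font/ttf and
# font/otf entries in the compression section above, so those entries never
# applied. NOTE(review): a second mod_mime block further down this file maps
# the same extensions and, being later, wins - keep the two in agreement.
<IfModule mod_mime.c>
AddType font/otf .otf
AddType font/ttf .ttf
AddType font/woff .woff
AddType font/woff2 .woff2
AddType application/vnd.ms-fontobject .eot
AddType image/svg+xml .svg
</IfModule>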

# mod_gzip (third-party, Apache 1.3 era). NOTE(review): a stock httpd 2.4 build
# does not ship it, so this section is normally skipped entirely; mod_deflate
# above is what actually compresses responses.
<IfModule mod_gzip.c>
    mod_gzip_on Yes
    mod_gzip_dechunk Yes
    # Compress by file name, MIME type and handler ...
    mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
    mod_gzip_item_include mime ^application/x-javascript/
    mod_gzip_item_include mime ^text//
    # ... but never responses that are already encoded, nor images.
    mod_gzip_item_exclude rspheader ^Content-Encoding:/gzip/
    mod_gzip_item_exclude mime ^image//
    mod_gzip_item_include handler ^cgi-script$
</IfModule>

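<IfModule mod_expires.c>
ExpiresActive On
# Anything not listed below is effectively uncacheable.
ExpiresDefault "access plus 1 seconds"

# HTML: short. NOTE(review): this also applies to logged-in / personalised
# pages - mod_expires adds Expires and Cache-Control: max-age=600 to them
# unless the application already sends its own Expires/Cache-Control (PHP's
# session handling does by default). A shared cache (CDN, corporate proxy)
# could otherwise serve one user's page to another; make sure dynamic pages
# emit "Cache-Control: private, no-store" themselves.
ExpiresByType text/html "access plus 10 minutes"
ExpiresByType application/xhtml+xml "access plus 10 minutes"

# Static assets: one year. Only safe when file names are versioned, since a
# changed file keeps being served from caches for a year otherwise.
ExpiresByType text/css "access plus 1 years"
ExpiresByType text/javascript "access plus 1 years"
ExpiresByType application/javascript "access plus 1 years"
ExpiresByType application/x-javascript "access plus 1 years"
ExpiresByType image/gif "access plus 1 years"
ExpiresByType image/jpeg "access plus 1 years"
ExpiresByType image/png "access plus 1 years"
ExpiresByType image/webp "access plus 1 years"
ExpiresByType image/svg+xml "access plus 1 years"
ExpiresByType image/x-icon "access plus 1 years"

# Web fonts. The original listed application/x-woff and application/x-woff2,
# which nothing in this file maps an extension to, so fonts fell back to
# ExpiresDefault. The RFC 8081 font/* names are used instead; the AddType
# directives in this file must map .woff/.woff2/.ttf/.otf to these same types
# for the rules to take effect.
ExpiresByType font/woff "access plus 1 years"
ExpiresByType font/woff2 "access plus 1 years"
ExpiresByType font/ttf "access plus 1 years"
ExpiresByType font/otf "access plus 1 years"
ExpiresByType application/vnd.ms-fontobject "access plus 1 years"

# Legacy Flash types, kept from the original.
ExpiresByType application/x-shockwave-flash "access plus 1 years"
ExpiresByType video/x-flv "access plus 1 years"
</IfModule>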


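<IfModule mod_headers.c>
    # Header names are written without the trailing ':' the original carried;
    # mod_headers happens to strip it, but it is not part of the syntax.
    # "always" makes each header reach redirect and error responses too -
    # plain "Header set" only covers 2xx responses, so the ErrorDocument pages
    # below went out without any of these protections.

    # Cross-origin policies. NOTE(review): the original sent the value
    # "cross-origin" for Cross-Origin-Embedder-Policy and
    # Cross-Origin-Opener-Policy, which is not a defined value for either
    # (COEP: unsafe-none | require-corp | credentialless; COOP: unsafe-none |
    # same-origin-allow-popups | same-origin), so browsers ignored both.
    # COOP same-origin-allow-popups severs window.opener from cross-origin
    # openers while keeping the popups this page opens itself. COEP is left
    # unset on purpose: require-corp would block every third-party script,
    # style and font listed in the CSP below that does not send CORP/CORS.
    Header always set Cross-Origin-Opener-Policy "same-origin-allow-popups"
    # cross-origin keeps this site's assets embeddable from other origins, as
    # the original configured; use same-site if nothing else needs to load them.
    Header always set Cross-Origin-Resource-Policy "cross-origin"

    # X-XSS-Protection is 0 on purpose: current browsers removed the auditor
    # and in older ones it introduced cross-site leaks; CSP is the replacement.
    Header always set X-XSS-Protection "0"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"

    # HSTS: one year, subdomains included, eligible for the preload list.
    # env=HTTPS restricts it to TLS responses (browsers ignore HSTS received
    # over plain HTTP, and mod_ssl sets HTTPS only on TLS connections).
    # NOTE(review): submit to hstspreload.org only once every subdomain serves
    # HTTPS - includeSubDomains + preload is very hard to undo. Behind a
    # TLS-terminating proxy the HTTPS variable is not set; derive it from
    # X-Forwarded-Proto with SetEnvIf there.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

    # The original Expect-CT header was dropped: it is obsolete (no current
    # browser honours it) and its report-uri pointed at a third-party domain.

    # NOTE(review): same-origin sends no Referer at all to other origins, which
    # also hides it from the analytics/reCAPTCHA hosts listed below;
    # strict-origin-when-cross-origin is the usual compromise if that matters.
    Header always set Referrer-Policy "same-origin"

    # Content Security Policy. "Header set" REPLACES the header, so the three
    # separate Content-Security-Policy lines in the original left only the last
    # one (style-src) in effect - neither default-src 'none' nor script-src was
    # ever enforced. Every directive has to live in ONE header value.
    #  - fonts.gstatic.com moved from style-src (meaningless there) to font-src.
    #  - base-uri and frame-ancestors added; frame-ancestors 'self' is the CSP
    #    equivalent of the X-Frame-Options SAMEORIGIN above.
    #  - https://wa.me/ is a link target, not a script/style host; it is kept
    #    only so the lists match the original and can safely be removed.
    # NOTE(review): with default-src 'none', images, fetch/XHR beacons (Google
    # Analytics, OneSignal), iframes (reCAPTCHA) and workers are blocked unless
    # img-src / connect-src / frame-src / worker-src are listed. Roll this out
    # as Content-Security-Policy-Report-Only first and add what the reports
    # show. Whole-CDN origins (ajax.googleapis.com, cdnjs.cloudflare.com) host
    # JSONP endpoints and frameworks that are known CSP bypasses; prefer nonces
    # or hashes, or at least exact script paths. 'unsafe-inline' in style-src
    # still lets an injected <style> do CSS-based data exfiltration.
    Header always set Content-Security-Policy "default-src 'none'; base-uri 'self'; frame-ancestors 'self'; script-src 'self' https://wa.me/ https://cdn.tiny.cloud/ https://www.google-analytics.com https://ajax.googleapis.com https://www.ajans.softyrapps.com/ https://www.google.com/recaptcha/ https://googleads.g.doubleclick.net/ https://static.doubleclick.net/ https://cdn.onesignal.com/sdks/ https://onesignal.com/sdks/; style-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com https://wa.me/ https://cdn.tiny.cloud/ https://www.ajans.softyrapps.com https://ajans.softyrapps.com https://fonts.googleapis.com https://cdnjs.cloudflare.com/ https://www.google.com/recaptcha/ https://cdn.onesignal.com/sdks/ https://onesignal.com/sdks/; font-src 'self' https://fonts.gstatic.com/"

    # Permissions-Policy. The original value contained spaces but was not
    # quoted, which mod_headers rejects (the extra words are parsed as an env=
    # clause) - an unloadable .htaccess means 500 for the whole site. The
    # inner quotes are escaped with \" inside the quoted value. geolocation=*
    # granted geolocation to every embedded cross-origin frame (ads,
    # reCAPTCHA); it is now limited to this origin. NOTE(review): the
    # fullscreen grant to ajans.softyrapps.com, like the CSP entries for that
    # domain, looks inherited from another site's configuration - confirm it
    # is really needed here.
    Header always set Permissions-Policy "fullscreen=(self \"https://ajans.softyrapps.com\"), geolocation=(self), camera=()"

    # Long-lived, publicly cacheable static assets. The four original
    # FilesMatch blocks set the same value and are merged into one. Only safe
    # with versioned file names: a changed file keeps being served from caches
    # for a year otherwise.
    <FilesMatch "\.(ico|jpe?g|png|gif|swf|css|js|ttf|otf|eot|woff2?|svg)$">
        Header set Cache-Control "max-age=31536000, public"
    </FilesMatch>

    # Pre-compressed .css.gz / .js.gz serving. NOTE(review): these directives
    # depend on mod_rewrite, not mod_headers, and as published their patterns
    # ("^(/)\.css") can never match a per-directory path, which has no leading
    # slash; a "(.*)" group would be expected in that position. They are left
    # exactly as found for the author to restore from the original source.
    RewriteCond "%{HTTP:Accept-encoding}" "gzip"
    RewriteCond "%{REQUEST_FILENAME}\.gz" -s
    RewriteRule "^(/)\.css" "$1\.css\.gz" [QSA]

    RewriteCond "%{HTTP:Accept-encoding}" "gzip"
    RewriteCond "%{REQUEST_FILENAME}\.gz" -s
    RewriteRule "^(/)\.js" "$1\.js\.gz" [QSA]

    RewriteRule "\.css\.gz$" "-" [T=text/css,E=no-gzip:1]
    RewriteRule "\.js\.gz$" "-" [T=text/javascript,E=no-gzip:1]
</IfModule>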

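# MIME TYPES
<IfModule mod_mime.c>

    # DEFAULTS. Declaring utf-8 up front stops browsers guessing the charset
    # (charset sniffing was an XSS vector in older browsers).
    DefaultLanguage tr
    AddLanguage tr-TR .html .css .js
    AddCharset utf-8 .html .css .js .xml .json .rss .atom

    # JAVASCRIPT. Scripts need a JavaScript type: with X-Content-Type-Options
    # nosniff a browser refuses to run a <script> served as anything else.
    AddType application/javascript js jsonp
    AddType application/json json

    # FONTS. RFC 8081 font/* types. The original mapped .woff twice
    # (application/font-woff, then application/x-font-woff - the last AddType
    # wins) and .ttf/.otf to vendor types; none of those match the font/*
    # entries in the compression and expiry sections of this file.
    # NOTE(review): an earlier mod_mime block in this file maps the same
    # extensions - keep the two in agreement.
    AddType font/otf otf
    AddType font/ttf ttf
    AddType font/collection ttc
    AddType font/woff woff
    AddType font/woff2 woff2
    AddType application/vnd.ms-fontobject eot
    AddType image/svg+xml svg svgz
    AddEncoding gzip svgz

    # AUDIO
    AddType audio/mp4 m4a f4a f4b
    AddType audio/ogg oga ogg

    # VIDEO
    AddType video/mp4 mp4 m4v f4v f4p
    AddType video/ogg ogv
    AddType video/webm webm
    AddType video/x-flv flv

    # OTHERS
    AddType application/octet-stream safariextz
    AddType application/x-chrome-extension crx
    AddType application/x-opera-extension oex
    AddType application/x-shockwave-flash swf
    AddType application/x-web-app-manifest+json webapp
    AddType application/x-xpinstall xpi
    AddType application/xml atom rdf rss xml
    # Office Open XML. The original used the unregistered type
    # "application/vnd.openxmlformats" for all of them and contained a stray
    # ". xltm" (space after the dot) that mod_mime does not read as intended;
    # each format has its own IANA-registered type.
    AddType application/vnd.openxmlformats-officedocument.wordprocessingml.document docx
    AddType application/vnd.openxmlformats-officedocument.wordprocessingml.template dotx
    AddType application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx
    AddType application/vnd.openxmlformats-officedocument.spreadsheetml.template xltx
    AddType application/vnd.ms-excel.template.macroEnabled.12 xltm
    AddType application/vnd.openxmlformats-officedocument.presentationml.presentation pptx
    AddType application/vnd.openxmlformats-officedocument.presentationml.template potx
    AddType application/vnd.openxmlformats-officedocument.presentationml.slideshow ppsx
    AddType text/cache-manifest appcache manifest
    AddType text/vtt vtt
    AddType text/x-component htc
    AddType text/x-vcard vcf
    AddType image/webp webp
    AddType image/x-icon ico

</IfModule>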
# Pin the error pages to the site's own handlers under /back/error/.
# NOTE(review): the 500 page is itself a PHP script; when PHP is what failed,
# Apache falls back to its built-in error page.
ErrorDocument 403 /back/error/403.php
ErrorDocument 404 /back/error/404.php
ErrorDocument 500 /back/error/500.php


# Block known PHP web-shell file names and their command query strings.
# NOTE(review): as it appears on this page the block cannot be loaded -
# several RewriteCond directives sit on one physical line (RewriteCond takes
# two or three arguments, so Apache refuses the whole .htaccess and every
# request under it answers 500); the trailing "## BU KURALA DIKKAT EDIN ..."
# text is NOT a comment (Apache recognises '#' only at the start of a line)
# and becomes part of the last argument; and the "(/)" groups and "=/$"
# endings look like a mangled "(.*)" / "=.*$". One directive per line, with
# the patterns restored from the original source, is needed before this can
# do anything. There is also no terminating RewriteRule, so these conditions
# chain onto whatever RewriteRule follows them in the file.
# Independently of the formatting, a file-name/parameter blacklist is bypassed
# by simply renaming the shell or encoding the query; the effective controls
# are to keep upload directories non-executable (no PHP handler there) and to
# run a maintained rule set such as ModSecurity with the OWASP CRS.
RewriteCond %{REQUEST_URI} /((php|my)?shell|remview/|phpremoteview/|sshphp/|pcom|nstview/|c99|r57|webadmin/|phpget/|phpwriter/|fileditor/|locus7/|storm7/)\.(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml) [NC,OR] RewriteCond %{REQUEST_METHOD} (GET|POST) [NC] RewriteCond %{QUERY_STRING} ^(/)=/home(.+)?/loginftp/(/)$ [OR] RewriteCond %{QUERY_STRING} ^work_dir=/$ [OR] RewriteCond %{QUERY_STRING} ^command=/&output/$ [OR] RewriteCond %{QUERY_STRING} ^nts_[a-z0-9_]{0,10}=/$ [OR] RewriteCond %{QUERY_STRING} ^(/)cmd=/$ [OR] ## BU KURALA DIKKAT EDIN SITENIZIN CALISMASINI ENGELLEYEBILIR##
RewriteCond %{QUERY_STRING} ^c=(t|setup|codes)$ [OR] RewriteCond %{QUERY_STRING} ^act=((about|cmd|selfremove|chbd|trojan|backc|massbrowsersploit|exploits|grablogins|upload/)|((chmod|f)&f=/))$ [OR] RewriteCond %{QUERY_STRING} ^act=(ls|search|fsbuff|encoder|tools|processes|ftpquickbrute|security|sql|eval|update|feedback|cmd|gofile|mkfile)&d=/$ [OR] RewriteCond %{QUERY_STRING} ^&?c=(l?v?i?&d=|v&fnot=|setup&ref=|l&r=|d&d=|tree&d|t&d=|e&d=|i&d=|codes|md5crack)/$ [OR] RewriteCond %{QUERY_STRING} ^(/)([-_a-z]{1,15})=(ls|cd|cat|rm|mv|vim|chmod|chdir|mkdir|rmdir|pwd|clear|whoami|uname|tar|zip|unzip|tar|gzip|gunzip|grep|more|ln|umask|telnet|ssh|ftp|head|tail|which|mkmode|touch|logname|edit_file|search_text|find_text|php_eval|download_file|ftp_file_down|ftp_file_up|ftp_brute|mail_file|mysql|mysql_dump|db_query)([^a-zA-Z0-9].+)*$ [OR] RewriteCond %{QUERY_STRING} ^(/)(wget|shell_exec|passthru|system|exec|popen|proc_open)(/)$


# Block unwanted crawlers and scrapers by User-Agent.
# NOTE(review): the same formatting problem as the block above - several
# RewriteCond directives on one physical line, which Apache rejects. The last
# condition, "RewriteCond %{HTTP_USER_AGENT} ^", is cut off: a bare "^" matches
# EVERY User-Agent, so once the chain reaches a [F] RewriteRule it would forbid
# all traffic. The User-Agent header is attacker-chosen and trivially spoofed,
# so this list only stops unmodified tools; it also blocks generic strings such
# as "python", "libwww", "Download" and "WebDAV" that legitimate clients send.
RewriteCond %{HTTP_USER_AGENT} ^-?$ [OR] RewriteCond %{HTTP_USER_AGENT} ^[bcdfghjklmnpqrstvwxz\ ]{8,}|^[0-9a-z]{15,}|^[0-9A-Za-z]{19,} [OR] RewriteCond %{HTTP_USER_AGENT} Extractor|almaden|anonymous|autoemailspider|blogsearchbot-martin|CherryPicker|Digger|DirectUpdate|Download\ Accelerator|echo\ extense|Collector|EmailWolf|flashget|frontpage|Go!Zilla|grub\ crawler|HTTPConnect|httplib|HttpProxy|HTTP\ agent|HTTrack|Indy\ Library|Jakarta\ Commons|libWeb|libwww|Microsoft\ Data|Microsoft\ URL|MJ12bot|Movable\ Type|NICErsPRO|NutchCVS|Nutscrape/|OmniExplorer|psycheclone|PussyCat|PycURL|python|QuepasaCreep|SiteMapper|Download|sucker|SurveyBot|Teleport\ Pro|Telesoft|TrackBack|Turing|TurnitinBot|vobsub|webbandit|WebCapture|webcollage|WebCopier|WebDAV|WebEmailExtractor|WebReaper|WEBsaver|WebStripper|WebZIP|widows|Wysigot|Zeus|Zeus/Webster [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^

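# Paths that must stay reachable for every client, including blocked
# crawlers. These two conditions carry no [OR], so they are AND-ed into the
# condition chain that ends at the next RewriteRule in this file. Dots are
# escaped and the patterns anchored so that only the two files themselves are
# exempt (the original "^/robots.txt" also matched "/robotsXtxt" and any path
# that merely starts with it).
RewriteCond %{REQUEST_URI} !^/robots\.txt$
RewriteCond %{REQUEST_URI} !^/sitemap\.xml$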

 
# "SQL injection" request filter, ending in the [F] rule that also terminates
# the shell-name and User-Agent conditions above.
# NOTE(review): the same one-line collapse as above, so unloadable as shown.
# Even restored, this is a weak and disruptive filter:
#  - it forbids HEAD, which monitoring tools, load balancers and crawlers use;
#  - the quotes are typographic ’ (U+2019) rather than ', so the apostrophe
#    it means to catch is never matched, and "delete |drop", "upda te",
#    "met*", "email| harvest" and "127\\.0\\.0\\.1" are corrupted;
#  - the empty alternative in "(|order|union|...)" reduces the last condition
#    to "[^a-z][^a-z]": any two adjacent non-letters (e.g. "id=12", "a=&b=")
#    trip it, so ordinary query strings get a 403;
#  - the "^/(...)/" anchors and the "(/)" in the RewriteRule look like a
#    mangled "^.*(...).*" / "(.*)" and will not match as written.
# SQL injection is prevented by parameterised queries in the application;
# for a request-level filter use ModSecurity with the OWASP Core Rule Set
# instead of hand-written patterns.
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR] RewriteCond %{HTTP_REFERER} ^(/)(<|>|’|%0A|%0D|’|<|>|%00)/ [NC,OR] RewriteCond %{REQUEST_URI} ^/(,|;|<|>|/{2,999})/ [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget)/ [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^/(winhttp|HTTrack|clshttp|archiver|loader|email| harvest|extract|grab|miner)/ [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^/(libwww|curl|wget|python|scan)/ [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^/(<|>|’|%0A|%0D|’|<|>|%00)/ [NC,OR] RewriteCond %{HTTP_COOKIE} ^/(<|>|’|%0A|%0D|’|<|>|%00)/ [NC,OR] RewriteCond %{QUERY_STRING} ^/(localhost|loopback|127\\.0\\.0\\.1)/ [NC,OR] RewriteCond %{QUERY_STRING} ^/(<|>|’|%0A|%0D|’|<|>|%00)/ [NC,OR] RewriteCond %{QUERY_STRING} [^a-z](|order|union|declare|char|set|cast|convert|delete |drop|exec|insert|met*|script|select|truncate|upda te)[^a-z] [NC] RewriteRule (/) - [F]

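# Hide the Apache version/OS line appended to server-generated error pages.
# (ServerTokens Prod, which trims the Server: response header itself, is not
# permitted in .htaccess and has to be set in the server configuration.)
ServerSignature Off

# Refuse to serve .htaccess, .htpasswd and any other .ht* file. The original
# matched only the literal name ".htaccess" and used "Order Allow,Deny /
# Deny from all", which is 2.2 syntax that on 2.4 works only while
# mod_access_compat is loaded; "Require all denied" is the native 2.4 form.
# A stock httpd.conf already ships such a rule - repeating it here only
# guards against a host that changed the default.
<FilesMatch "^\.ht">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>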