XOOPS Brasil


Appendix A

Security Tools, Port Vulnerabilities, and Apache Tips

This appendix examines a collection of tools, backdoor Trojan horse port listings, and tips for the Apache user.

Security Tools

This section provides an overview of common security tools.


The GNU/GPL tool Network Mapper (Nmap) from http://insecure.org is one of the best security tools available today. It can operate on a single machine or on a very large network. It discovers what services are running and what operating system is being used. It also reveals a lot about a firewall or packet filters in place. In essence, it's very effective in mapping your network.

You should become familiar with this tool and learn to use it.


Never scan networks you do not own or have permission to scan. It can be considered a hostile act. In other words, use this tool for your administrative purposes only, and do not use it to hack or attack any other networks or servers.

After you install Nmap on Windows machines, it runs via the graphical user interface (GUI). To begin using Nmap, enter your host name or IP address in the Target box. Next, select the type of scan from the Profile drop-down.

Using the drop-down box in the GUI, you may select from among popular combinations of scanning. These preconfigured options are only a handful of the many combinations. They represent many of the normal commands you'll use. When you make a selection, a command is entered in the Command box. For example, if you select the Intense Scan option, the following command is entered:

nmap -sS -sU -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 domainname.com

This command breaks down as follows:

  • -sS/sT/sA/sW/sM—TCP SYN/Connect()/ACK/Window/Maimon scans
  • -sU—UDP scan
  • -T4-T<0-5>—Set timing template (higher number is faster)
  • -A—Enable OS detection, version detection, script scanning, and traceroute
  • -v—Increase verbosity level (use -vv or more for greater effect)
  • -PE/PP/PM—ICMP echo, timestamp, and netmask request discovery probes
  • -PS/PA/PU/PY[portlist]—TCP SYN/ACK, UDP, or SCTP discovery to given ports (scans the ports)

Following is a description of the other Profile options:

  • Intense Scan plus UDP—This produces the following command:

-sS -sU -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389

  • Intense Scan, all TCP ports—This produces the following command:

-p 1-65535 -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389

  • Intense Scan, no ping—This produces the following command:

-T4 -A -v -PN

  • Ping scan—This produces the following command:

-sP -PE -PA21,23,80,3389

  • Quick scan—This produces the following command:

-T4 -F

  • Quick scan plus—This produces the following command:

-sV -T4 -O -F --version-light

  • Quick traceroute—This produces the following command:

-sP -PE -PS22,25,80 -PA21,23,80,3389 -PU -PO

  • Regular Scan—This conducts a default Nmap scan
  • Slow comprehensive scan—This produces the following command:

-sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339

     -PA80,113,443,10042 -PO --script all


For more information on these options, see http://nmap.org/svn/docs/nmap.usage.txt.


Although Telnet should be removed from your server, it's great as a testing tool and still the norm for connecting to specific types of network gear. Telnet is a very old protocol that allows you to connect to a machine and issue commands. By default, Telnet runs on port 23.

To start using Telnet on a Windows 7 machine, click Start ⇒ Accessories ⇒ Command Prompt. At the command prompt, type telnet. The TELNET> prompt appears.

To Telnet to another machine, enter the following:

machine name port

Replace the machine name with the IP or hostname and the port number.

Telnet can be used to connect and send e-mail on misconfigured servers. For example, the following command will attempt to connect you to the Mail Services:

telnet machine name 25

If you are successful in connecting, you can often send unauthorized e-mail through the server. This is also a means to check for open relays in your mail system.

Following is a list of common parameters used with the Windows version of Telnet:

  • c—Close the connection.
  • d—Display operating parameters.
  • O—Connect to hostname (defaults to port 23).
  • q—Exit (quit) Telnet.
  • set—Set options (see set ? for more information).
  • sen—Send strings (commands) to server.
  • st—Print status information.
  • u—Unset options.
  • ?/h—Help.


Netstat is a very valuable tool for troubleshooting and observing what is going on with your network. You can use this tool any time to view network connections, routing tables, the statistics of an interface, and more.

Following are common options for Netstat:

  • -a—Displays all active Transmission Control Protocol (TCP) connections, as well as the TCP and User Datagram Protocol (UDP) ports on which the computer is listening.
  • -e—Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.
  • -i—Displays network interfaces and their statistics.
  • -n—Displays active TCP connections. However, addresses and port numbers are expressed numerically, and no attempt is made to determine names.
  • -p—Shows which processes are using which sockets.
  • -r—Displays the contents of the IP routing table.
  • -s—Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, Internet Control Message Protocol (ICMP), and IP protocols. If the IPv6 protocol for Windows XP is installed, statistics are shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. The -p parameter can be used to specify a set of protocols.
  • -v—Sets verbose mode.
  • -V (uppercase)—Displays the version information.
  • -h—Displays help.


WireShark is known as a sniffer. It listens in on the network connection and captures each packet. According to the website www.wireshark.org/about.html, “Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.”

You should become familiar with this powerful tool. It is an excellent tool for network and server administrators to use to troubleshoot issues.


Only use WireShark on a corporate network if you have permission. Never use this tool for any illegal or unethical tasks (such as capturing passwords). Only use it for the proper administrative needs.

Currently, WireShark is available for the following platforms:

  • Windows Installer (32-bit)
  • Windows Installer (64-bit)
  • Windows U3 (32-bit)
  • Windows PortableApps (32-bit)
  • OS X 10.5 (Leopard) Intel 32-bit .dmg
  • OS X 10.6 (Snow Leopard) Intel 64-bit .dmg
  • OS X 10.5 (Leopard) PPC 32-bit .dmg

After you download it, follow the installation instructions for your platform. For Windows, you must install WinPcap (included with the installer) or the captures will not work.

The Windows installation is a fairly simple point-and-click process. Unless you have other reasons to do so, you should choose the defaults.

On a Windows machine, you start WireShark by clicking its corresponding icon.

Open the Capture ⇒ Interface selection from the toolbar. This will provide a list of installed network interface cards (NICs) on the machine. Your machine may have a wired NIC and a WIRELESS NIC, and each will be listed. Choose the NIC from which you want to collect packets and click Start.

As the collection process starts, you will see the collection window filling up with packets. These listings show the IP source, IP destination, protocol, and other information about the packet. Using this information can enable you to locate all kinds of problems on your network, such as bad NICs and illegal traffic (hackers).

WireShark can capture many protocols that are used for various devices. For example, the most common packet you would be TCP/IP for your normal Internet traffic. Voice over IP (VoIP) would have a different protocol. Select or deselect the protocols for which you want to capture information.

After you collect enough packets, you can review errors, warnings, and other information WireShark has found. Errors can indicate software or configuration issues. For example, if you're troubleshooting a network storm, the noted errors can be used to track down the offending device. WireShark can also detect problems such as bad patch cables that could be causing network issues such as slow performance.

One very powerful feature is the capability to search for specific information. For example, you could search for all the traffic from a network that was bound to or from mail.google.com.

Backdoor Intruders

Table A.1 shows a list of known (as of this writing) ports and the backdoor viruses and Trojans that try to use these ports. Many of these may be old, but given that virus writers tend to reuse each other's code, tracking the historical viruses is important. This compiled list from www.sans.org/security-resources/idfaq/oddports.php and other sources is one you can cross reference if you believe you have been hacked.

Table A.1 Common Ports and Backdoor Intruder

Port Number Trojan Name
2 Death
20 Senna Spy FTP server
21 Back Construction, Blade Runner, Doly Trojan, fore, Invisible FTP, Juggernaut 42, Larva, MotIv FTP, Net Administrator, Senna Spy FTP server, Traitor 21, WebEx, WinCrash
22 Shaft
23 Fire, HacKer, Tiny, Telnet, Server, TTS, Truva, Atl
25 Ajan, Antigen, Email, Password, Sender, EPS, EPS II, Gip, Gris, Happy99, Hpteam, mail, I love you, Kuang2, Magic, Horse, MBT
31 Agent 31, Hackers, Paradise, MastersParadise
41 Deep Throat, Foreplay or Reduced Foreplay
59 DMSetup
79 CDK, Firehotcker
80 AckCmd, BackEnd, CGI, Backdoor, Executor, Hooker, RingZero
81 RemoConChubo
99 Hidden Port
110 ProMail trojan
113 Identd, Invisible, Deamon, Kazimas
119 Happy99
121 JammerKillah
123 Net, Controller
133 Farnaz
142 NetTaxi
146 Infector
146 (UDP) Infector
170 A-trojan
180 (TCP/UDP) amanda
334 Backage
420 Breach
421 TCP Wrappers, trojan
456 Hackers Paradise
513 Grlogin
514 RPC Backdoor
531 Rasmin
559 (TCP/UDP) teedtap
605 Secret Service
666 Attack FTP, Back Construction, Cain & Abel, NokNok, Satans Back Door, SBD, ServU, Shadow Phyre
667 SniperNet
669 DP trojan
692 GayOL
777 AimSpy, Undetected
808 WinHole
911 Dark Shadow
999 Deep Throat, Foreplay, Reduced Foreplay, WinSatan
1000 Der Späher / Der Spaeher
1001 Der Späher, Der Spaeher, Le
1010 Doly Trojan
1011 Doly Trojan
1012 Doly Trojan
1015 Doly Trojan
1016 Doly Trojan
1020 Vampire
1024 NetSpy
1026 nterm
1042 BLA, trojan
1045 Rasmin
1049 /sbin/initd
1050 MiniCommand
1054 AckCmd
1080 WinHole
1081 WinHole
1082 WinHole
1083 WinHole
1090 Xtreme
1095 Remote Administration Tool - RAT
1097 Remote Administration Tool - RAT
1098 Remote Administration Tool - RAT
1099 Blood Fest Evolution, Remote Administration Tool, RAT
1170 Psyber, Stream Server, PSS
1200 (UDP) NoBackO
1201 (UDP) NoBackO
1207 SoftWAR
1212 Kaos
1234 Ultors Trojan
1243 BackDoor-G, SubSeven, Apocalypse, Tiles
1245 VooDoo Doll
1255 Scarab
1256 Project, nEXT
1269 Matrix
1313 NETrojan
1338 Millenium Worm
1349 Bo dll
1434 (UDP) MS-SQL
1492 FTP99CMP
1524 Trinoo
1600 Shivka-Burka
1777 Scarab
1807 SpySender
1966 Fake FTP
1969 OpC BO
1981 Bowl, Shockrave
1999 Back Door, TransScout
2000 Der Späher, Der Spaeher, Insane Network
2001 Der Späher, Der Spaeher, Trojan Cow
2023 Ripper Pro
2080 WinHole
2115 Bugs
2140 The Invasor
2140 (UDP) Deep Throat, Foreplay-Reduced Foreplay
2155 Illusion Mailer
2234 (TCP/UDP) directplay
2255 Nirvana
2283 Hvl RAT
2300 Xplorer
2339 Voice Spy, OBS!!! namnen, har, bytt, plats
2339 (UDP) Voice Spy, OBS!!!, namnen, har, bytt, plats
2345 Doly Trojan
2565 Striker trojan
2583 WinCrash
2600 Digital RootBeer
2716 The Prayer
2773 SubSeven, SubSeven 2.1, Gold
2801 Phineas, Phucker
2989 (UDP) Remote Administration Tool, RAT
3000 Remote Shut
3024 WinCrash
3127 mydoom
3128 Squid Proxy
3129 Masters Paradise
3150 The Invasor
3150 (UDP) Deep Throat, Foreplay, Reduced Foreplay
3456 Terror trojan
3459 Eclipse 2000, Sanctuary
3700 Portal of Doom, POD
3791 Total Solar Eclypse
3801 Total Solar Eclypse
4000 Skydance
4092 WinCrash
4242 Virtual Hacking Machine, VHM
4321 BoBo
4444 Prosiak, Swift Remote
4567 File Nail
4590 ICQ Trojan
4950 ICQTrogen (Lm)
5000 Back Door Setup, Blazer5, Bubbel, ICKiller, Sockets des Troie
5001 Back Door Setup, Sockets des Troie
5002 cd00r, Shaft
5010 Solo
5025 WM Remote KeyLogger
5031 Net Metropolitan
5032 Net Metropolitan
5321 Firehotcker
5343 wCrat Remote Administration Tool
5400 Back Construction, Blade Runner
5401 Back Construction, Blade Runner
5402 Back Construction, Blade Runner
5512 Illusion Mailer
5550 Xtcp
5555 ServeMe
5556 BO Facil
5557 BO Facil
5569 Robo-Hack
5637 PC Crasher
5638 PC Crasher
5742 WinCrash
5760 Portmap Remote Root Linux Exploit
5882 (UDP) Y3K RAT
5888 Y3K RAT
6000 The Thing
6006 Bad Blood
6272 Secret Service
6346 (TCP/UDP) BearShare
6400 The Thing
6666 Dark Connection Inside, NetBus worm
6667 ScheduleAgent, Trinity, WinSatan
6669 HostControl, Vampire
6670 BackWebServer, Deep Throat, Foreplay
6711 BackDoor-G, SubSeven, VP Killer
6712 Funny trojan, SubSeven
6713 SubSeven
6723 Mstream
6771 Deep Throat, Foreplay, Reduced Foreplay
6776 2000Cracks, BackDoor-G, SubSeven, VP Killer
6838 (UDP) Mstream
6883 Delta Source DarkStar
6912 Shit Heep
6939 Indoctrination
6969 GateCrasher, IRC 3, Net Controller, Priority
6970 GateCrasher
7000 Exploit Translation Server, Kazimas, Remote Grab, SubSeven 2.1 Gold
7001 Freak88
7215 SubSeven, SubSeven 2.1 Gold
7300 NetMonitor
7301 NetMonitor
7306 NetMonitor
7307 NetMonitor
7308 NetMonitor
7424 Host Control
7424 (UDP) Host Control
7597 Qaz
7777 Tini
7789 BackDoor Setup, ICKiller
7983 Mstream
8080 Brown Orifice, RemoConChubo, RingZero
8787 BackOrifice 2000
8988 BacHack
8989 Rcon, Recon, Xcon
9000 Netministrator
9325 (UDP) Mstream
9400 InCommand
9872 Portal of Doom, POD
9873 Portal of Doom, POD
9874 Portal of Doom, POD
9875 Portal of Doom, POD
9876 Cyber Attacker, Rux
9878 TransScout
9989 Ini-Killer
9999 The Prayer
10067 (UDP) Portal of Doom, POD
10085 Syphillis
10086 Syphillis
10101 BrainSpy
10167 (UDP) Portal of Doom, POD
10520 Acid Shivers
10528 Host Control
10607 Coma
10666 (UDP) Ambush
11000 Senna Spy Trojan Generator
11050 Host Control
11051 Host Control
11223 Progenic trojan, Secret Agent
12076 Gjamer
12223 Hack´99 KeyLogger
12345 cron/crontab, trojan, GabanBus, icmp_pipe.c, Mypic, NetBus, NetBus Toy, NetBus worm, Pie Bill Gates, Whack Job, X-bill
12346 GabanBus, NetBus, X-bill
12349 BioNet
12361 Whack-a-mole
12362 Whack-a-mole
12623 (UDP) DUN Control
12624 ButtMan
12631 Whack Job
12754 Mstream
13000 Senna Spy Trojan Generator
13010 Hacker Brasil HBR
14500 PC Invader
15092 Host Control
15104 Mstream
15858 CDK
16484 Mosucker
16660 Stacheldraht
16772 ICQ Revenge
16969 Priority
17166 Mosaic
17300 Kuang2 the virus
17449 Kid Terror
17499 CrazzyNet
17777 Nephron
18753 (UDP) Shaft
19864 ICQ Revenge
20000 Millenium
20001 Millenium Millenium (Lm)
20002 AcidkoR
20023 VP Killer
20034 NetBus 2.0, Pro NetRex, Whack Job
20203 Chupacabra
20331 BLA trojan
20432 Shaft
20433 (UDP) Shaft
21544 GirlFriend, Kid Terror
21554 Exploiter, Kid Terror, Schwindler, Winsp00fer
22222 Donald Dick, Prosiak
23005 NetTrash
23023 Logged
23032 Amanda
23432 Asylum
23456 Evil FTP, Ugly FTP, Whack Job
23476 Donald Dick
23476 (UDP) Donald Dick
23477 Donald Dick
26274 (UDP) Delta Source
26681 Voice SpyOBS!!!, namnen, har, bytt, plats
27374 Bad Blood, SubSeven, SubSeven 2.1 Gold, Subseven 2.1.4, DefCon 8
27444 (UDP) Trinoo
27573 SubSeven
27665 Trinoo
29104 NetTrojan
29891 The Unexplained
30001 ErrOr32
30003 Lamers Death
30029 AOL trojan
30100 NetSphere
30101 NetSphere
30102 NetSphere
30103 NetSphere
30103 (UDP) NetSphere
30133 NetSphere
30303 Sockets des Troie
30947 Intruse
30999 Kuang2
31335 Trinoo
31336 BoWhack, Butt Funnel
31337 Back Fire, Back Orifice (Lm), Back Orifice, Russian Baron, Night, Beeone, BO client, BO Facil, BO spy, BO2 cron/crontab, Freak88, icmp_pipe.c
31337 (UDP) Back Orifice, Deep, BO
31338 Back Orifice, Butt Funnel, NetSpy, (DK)
31338 (UDP) Deep, BO
31339 NetSpy, (DK)
31666 BOWhack
31785 Hack ‘a’ Tack
31788 Hack ‘a’ Tack
31789 (UDP) Hack ‘a’ Tack
31790 Hack ‘a’ Tack
31791 (UDP) Hack ‘a’ Tack
31792 Hack ‘a’ Tack
32001 Donald Dick
32100 Peanut, Brittle, Project, nEXT
32418 Acid Battery
33270 Trinity
33333 Blakharaz, Prosiak
33577 PsychWard
33777 PsychWard
33911 Spirit 2000, Spirit 2001
34324 Big Gluck, TN
34444 Donald Dick
34555 (UDP) Trinoo (for Windows)
35555 (UDP) Trinoo (for Windows)
37651 Yet Another, TrojanYAT
40412 The Spy
40421 Agent 40421, Masters Paradise
40422 Masters Paradise
40423 Masters Paradise
40426 Masters Paradise
41666 Remote Boot, ToolRBT, Remote Boot, ToolRBT
44444 Prosiak
47262 (UDP) Delta Source
50505 Sockets, des Troie
50766 Fore, Schwindler
51966 Cafeini
52317 Acid Battery 2000
53001 Remote Windows, ShutdownRWS
54283 SubSeven, SubSeven 2.1 Gold
54320 Back Orifice 2000
54321 Back Orifice 2000, School Bus
57341 NetRaider
58339 Butt Funnel
60000 Deep Throat, Foreplay or Reduced Foreplay, Sockets des Troie
60068 Xzip 6000068
60411 Connection
61348 Bunker-Hill
61466 TeleCommando
61603 Bunker-Hill
63485 Bunker-Hill
64101 Taskman, TaskManager
65000 Devil, Sockets, des Troie, Stacheldraht
65432 The Traitor, (=th3tr41t0r)
65432 (UDP) The Traitor, (=th3tr41t0r)
65534 /sbin/initd
65535 RC1 trojan

Apache Status Codes

This section provides information about status codes used with Apache. The descriptions are grouped according to the numbers of the codes.

1xx Series

This class of status code indicates a provisional response, consisting only of the Status Line and optional headers, and is terminated by an empty line.

Following are specific codes in this series:

  • 100 Continue—HTTP_CONTINUE
  • 101 Switching Protocols—HTTP_SWITCHING_PROTOCOLS
  • 102 Processing—HTTP_PROCESSING

2xx Series

This class of status code indicates the action was successfully received, understood, and accepted.

Following are specific codes in this series:

  • 200 OK—HTTP_OK
  • 201 Created—HTTP_CREATED
  • 202 Accepted—HTTP_ACCEPTED
  • 203 Non-Authoritative Information—HTTP_NON_AUTHORITATIVE
  • 204 No Content—HTTP_NO_CONTENT
  • 205 Reset Content—HTTP_RESET_CONTENT
  • 206 Partial Content—HTTP_PARTIAL_CONTENT
  • 207 Multi-Status—HTTP_MULTI_STATUS

3xx Series

Codes in this series indicate that further action needs to be taken by the user-agent in order to fulfill the request. The action required may be carried out by the user-agent without interaction with the user if (and only if) the method used in the second request is GET or HEAD. A user-agent should not automatically redirect a request more than five times, because such redirections usually indicate an infinite loop.

Following are specific codes in this series:

  • 300 Multiple Choices—HTTP_MULTIPLE_CHOICES
  • 301 Moved Permanently—HTTP_MOVED_PERMANENTLY
  • 303 See Other—HTTP_SEE_OTHER
  • 304 Not Modified—HTTP_NOT_MODIFIED
  • 305 Use Proxy—HTTP_USE_PROXY
  • 306 unused—UNUSED
  • 307 Temporary Redirect—HTTP_TEMPORARY_REDIRECT

4xx Series

Codes in this series indicate that the request contains bad syntax or cannot be fulfilled. The codes indicate a case where the client seems to have erred. Except when responding to a HEAD request, the server should include an entity containing an explanation of the error situation, and whether it is a temporary or permanent condition.

Following are specific codes in this series:

  • 400 Bad Request—HTTP_BAD_REQUEST
  • 401 Authorization Required—HTTP_UNAUTHORIZED
  • 402 Payment Required—HTTP_PAYMENT_REQUIRED
  • 403 Forbidden—HTTP_FORBIDDEN
  • 404 Not Found—HTTP_NOT_FOUND
  • 405 Method Not Allowed—HTTP_METHOD_NOT_ALLOWED
  • 406 Not Acceptable—HTTP_NOT_ACCEPTABLE
  • 407 Proxy Authentication Required—HTTP_PROXY_AUTHENTICATION_REQUIRED
  • 408 Request Time-out—HTTP_REQUEST_TIME_OUT
  • 409 Conflict—HTTP_CONFLICT
  • 410 Gone—HTTP_GONE
  • 411 Length Required—HTTP_LENGTH_REQUIRED
  • 412 Precondition Failed—HTTP_PRECONDITION_FAILED
  • 413 Request Entity Too Large—HTTP_REQUEST_ENTITY_TOO_LARGE
  • 414 Request-URI Too Large—HTTP_REQUEST_URI_TOO_LARGE
  • 415 Unsupported Media Type—HTTP_UNSUPPORTED_MEDIA_TYPE
  • 416 Requested Range Not Satisfied—HTTP_RANGE_NOT_SATISFIABLE
  • 417 Expectation Failed—HTTP_EXPECTATION_FAILED
  • 418 I'm a teapot—UNUSED
  • 419 unused—UNUSED
  • 420 unused—UNUSED
  • 421 unused—UNUSED
  • 422 Unprocessable Entities—HTTP_UNPROCESSABLE_ENTITY
  • 423 Locked—HTTP_LOCKED
  • 424 Failed Dependency—HTTP_FAILED_DEPENDENCY
  • 425 No code—HTTP_NO_CODE
  • 426 Upgrade Required—HTTP_UPGRADE_REQUIRED

5XX Series

Codes in this series indicate that the server failed to fulfill an apparently valid request. The codes indicate cases in which the server is aware that it has erred, or is incapable of performing the request. Except when responding to a HEAD request, the server should include an entity containing an explanation of the error situation, and whether it is a temporary or permanent condition. These response codes are applicable to any request method.

Following are specific codes in this series:

  • 500 Internal Server Error —HTTP_INTERNAL_SERVER_ERROR
  • 501 Method Not Implemented—HTTP_NOT_IMPLEMENTED
  • 502 Bad Gateway—HTTP_BAD_GATEWAY
  • 503 Service Temporarily Unavailable—HTTP_SERVICE_UNAVAILABLE
  • 504 Gateway Time-out—HTTP_GATEWAY_TIME_OUT
  • 505 HTTP Version Not Supported—HTTP_VERSION_NOT_SUPPORTED
  • 506 Variant Also Negotiates—HTTP_VARIANT_ALSO_VARIES
  • 507 Insufficient Storage—HTTP_INSUFFICIENT_STORAGE
  • 508 unused—UNUSED
  • 509 unused—UNUSED
  • 510 Not Extended—HTTP_NOT_EXTENDED

.htaccess settings

The.htaccess file is a configuration file that can be placed on a per-directory level when you're running Apache Web Server software. Within this file, you can tweak and set very specific Apache directives.

This section describes a few of the more popular .htaccess settings. Many of these examples are courtesy of Perishablepress.com. For more information, see the following resources:

WordPress users should visit http://perishablepress.com/press/tag/security/ to see various .htaccess samples. Joomla! users should visit http://snipt.net/nikosdion/the-master-htaccess/ to learn about specifics for using .htaccess to better secure Joomla! sites.

Blocking IP Addresses

Following is an example of blocking IP addresses from visiting your site:


 Order Allow,Deny

 Allow from all

 Deny from xxx.xxx.xxx.xxx

 Deny from xxx.xxx.xxx.xxx

 Deny from xxx.xxx.xxx.xxx

 Deny from xxx.xxx.xxx.xxx


Blocking Bad Bots

A class of malware that attacks websites is bad bots. These malicious creatures either break in or gather information used to break in. Blocking them is a regular and frequent task. Fortunately, .htaccess provides a simple method to do it.

For a good example to use to block bad bots in .htaccess, see http://perishablepress.com/press/2010/08/09/2010-user-agent-blacklist and copy down the directives from 2010 User-Agent Blacklist.

Protecting a Specific File

The following example protects a specific file from all visitors except your IP:

Block all visitors except your IP or IPs


 Order Deny,Allow

 Deny from all

 Allow from first ip address

 Allow from second ip address


ErrorDocument 403 path/custom-message.html

<Files path/custom-message.html>

 Order Allow,Deny

 Allow from all


Requiring SSL on Your Site

The following example shows how to require SSL on your site:

SSLOptions +StrictRequire


SSLRequire %{HTTP_HOST} eq “domain.tld”

ErrorDocument 403 https://domain.tld


# require SSL without mod_ssl

RewriteCond %{HTTPS} !=on [NC]

RewriteRule ˆ.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

Deploying Custom Error Pages on Your Site

Replicate the following patterns to serve your own set of custom error pages. Simply replace the /errors/###.html with the correct path and filename. Also change the ### preceding the path to summon pages for other errors.


Your custom error pages must be larger than 512 bytes in size, or they will be completely ignored by Internet Explorer.

Use the following to serve custom error pages:

ErrorDocument 400 /errors/400.html

ErrorDocument 401 /errors/401.html

ErrorDocument 403 /errors/403.html

ErrorDocument 404 /errors/404.html

ErrorDocument 500 /errors/500.html

Provide a Universal Error Document

Use the following to provide a universal error document:

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule ˆ.*$ /dir/error.php [L]

Disable the Server Signature

Use the following to disable the server signature:

ServerSignature Off

Limit Server Request Methods to Get and Put

Use the following to limit server request methods to GET and PUT:

Options -ExecCGI -Indexes -All

RewriteEngine on


RewriteRule .* - [F]

Prevent Access to the .htaccess File

Add the following code block to your .htaccess file to add an extra layer of security. Any attempts to access the .htaccess file will result in a 403 error message. Of course, your first layer of defense to protect .htaccess files involves setting .htaccess file permissions via CHMOD to 644:

<Files .htaccess>

 order allow,deny

 deny from all


Prevent Access to Multiple File Types

To restrict access to a variety of file types, add the following code block and edit the file types within parentheses to match the extensions of any files that you want to protect:

<FilesMatch “\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$”>

 Order Allow,Deny

 Deny from all


Prevent Unauthorized Directory Browsing

Prevent unauthorized directory browsing by instructing the server to serve an xxx forbidden - Authorization Required message for any request to view a directory. For example, if your site is missing its default index page, everything within the root of your site will be accessible to all visitors. To prevent this, include the following .htaccess rule:

# Disables Directory Browsing

Options All -Indexes

Conversely, to enable directory browsing, use the following directive:

# Enables Directory Browsing

Options All +Indexes

Likewise, this rule will prevent the server from listing directory contents:

# Prevent Folder Listing

IndexIgnore *

Finally, you can use the IndexIgnore directive to prevent the display of select file types:

# Prevent display of select file types

IndexIgnore *.wmv *.mp4 *.avi *.etc

Security Guide