• Resolved ziegel

    (@ziegel)


    Hi @nintechnet,
    Good morning!

    May I ask what would be a recommended way to secure access to the “.user.ini”-type files listed below using .htaccess?
    And should such a rule exist for each of the .user.ini files, according to their specific names?

    .user.ini type files:
    1) .user.ini.ninja1618237526
    2) .user.ini

    Such a way may include exclusion rules for the fixed IPs that are used.

    Possibly it would look something like this:

    
    # Wordfence WAF
    <Files ".user.ini">
    <IfModule mod_authz_core.c>
        # Apache 2.4 (mod_authz_core): only the listed addresses may fetch the file,
        # everyone else gets 403. "Require ip" implies the deny for all other clients.
        Require ip 63.33.119.0 52.213.31.160 127.0.0.1 fixed_ip1 fixed_ip2 fixed_ip3 fixed_ip4
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 (mod_access): deny by default, then allow the same addresses.
        Order deny,allow
        Deny from all
        Allow from 63.33.119.0 52.213.31.160 127.0.0.1 fixed_ip1 fixed_ip2 fixed_ip3 fixed_ip4
    </IfModule>
    </Files>
    

    Where fixed_ip1, fixed_ip2, … are the fixed IPs used by the site owner to access their server instance?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter ziegel

    (@ziegel)

    OK. I have found a way to protect .user.ini and .user.ini.ninja555555 and allow certain fixed IPs / CIDR ranges. It goes like this:

    
    <Files .user.ini>
    <IfModule mod_authz_core.c>
        # Apache 2.4: IP1 and IP2 may be single addresses or CIDR ranges;
        # every other client is denied.
        Require ip IP1 IP2
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2: Order/Deny/Allow are only valid here (or with
        # mod_access_compat on 2.4), so they stay inside this guard.
        Order deny,allow
        Deny from all
        # Only allow IP address and some IP subnet
        Allow from IP1 IP2
    </IfModule>
    </Files>

    <Files .user.ini.ninja555555>
    <IfModule mod_authz_core.c>
        Require ip IP1 IP2
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        # Only allow IP address and some IP subnet
        Allow from IP1 IP2
    </IfModule>
    </Files>
    
    Plugin Author nintechnet

    (@nintechnet)

    All “.user.ini.ninjaXXXXXXXXXX” files are backup INI files created by NinjaFirewall during installation; they are not used. There’s no need to protect them because nobody should be able to guess their name. You can also delete them if you want.

    Regarding “.user.ini”, why do you want to allow some IP addresses access to it? Only the PHP interpreter will read it. You can simply use mod_rewrite to block access to it as described here:
    https://blog.nintechnet.com/protecting-ninjafirewalls-php-ini-file/
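As an added example, not the rule from the linked blog post (which is not reproduced here) and not code from NinjaFirewall or Wordfence: a generic mod_rewrite rule that answers 403 for .user.ini and, because the pattern has no trailing anchor, for the .user.ini.ninja* backup copies as well, with a FilesMatch fallback for hosts that do not load mod_rewrite. It assumes the .htaccess sits in the directory that contains those files and that the host permits RewriteRule in .htaccess (FollowSymLinks or SymLinksIfOwnerMatch enabled).

```apache
# Added example: block direct HTTP access to .user.ini and to the
# .user.ini.ninja<timestamp> backup copies. Generic rule, not the one from
# the linked blog post and not part of NinjaFirewall or Wordfence.
# Assumes this .htaccess lives in the directory that holds the files.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # In per-directory (.htaccess) context the pattern is matched against the
    # file name relative to this directory. No trailing "$", so the
    # .ninja<timestamp> backups match too. "-" leaves the URL unchanged,
    # [F] returns 403 Forbidden, [L] stops processing further rules.
    RewriteRule ^\.user\.ini - [F,L]
</IfModule>

# Fallback when mod_rewrite is not loaded: same files, same 403, no IP
# exceptions, since nothing but the PHP interpreter needs the file.
<IfModule !mod_rewrite.c>
    <FilesMatch "^\.user\.ini">
        <IfModule mod_authz_core.c>
            # Apache 2.4
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            # Apache 2.2
            Order allow,deny
            Deny from all
        </IfModule>
    </FilesMatch>
</IfModule>
```

To check the rule, request the file over HTTP (for example `curl -sI https://example.com/.user.ini`, with example.com standing in for the real host) and expect a 403; a 200 means the rule is not being applied, typically because AllowOverride does not include FileInfo or Limit for that directory. Two caveats: the stock Apache `<Files ".ht*">` protection covers .htaccess and .htpasswd only, not .user.ini, so a rule like this is needed for it; and PHP reads .user.ini straight from the filesystem, so denying HTTP access does not interfere with the directives it carries.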

    Thread Starter ziegel

    (@ziegel)

    Hi @nintechnet,

    In the instance log files, I saw a 403 deny error code for the server’s own IP failing to access “.user.ini”.

    This is why I wanted to create an .htaccess rule preventing all others from accessing the “.user.ini” file, while allowing a few fixed IPs to access it.

    Plugin Author nintechnet

    (@nintechnet)

    There’s no need for it; no one should access it.
    Maybe your server checks whether it is accessible or not, for security reasons. Some applications also do that with some sensitive files (e.g., Magento).

  • The topic ‘Protecting .user.ini file using .htaccess rule’ is closed to new replies.