{"id":674,"date":"2020-12-29T21:22:27","date_gmt":"2020-12-29T21:22:27","guid":{"rendered":"https:\/\/dft.wiki\/?p=674"},"modified":"2026-04-21T13:35:27","modified_gmt":"2026-04-21T17:35:27","slug":"prevent-hot-links-on-apache","status":"publish","type":"post","link":"https:\/\/dft.wiki\/?p=674","title":{"rendered":"Increasing Security and Availability of Apache on Ubuntu"},"content":{"rendered":"

If you haven’t read it before check out the post WordPress Configuration and Security Tips [Link<\/a>]. It has security measures related to WordPress, but many of them are applicable to many other websites.<\/p>\n

\n

Preventing Hot-Links<\/strong><\/p>\n

Hot-Links are when one website developer copies the original link of an image, for example, from one site to their site. It reduces the data traffic on his server but increases the traffic on someone else’s server.<\/p>\n

Start setting up your Apache to use .htaccess<\/strong> files.<\/p>\n

sudo nano \/etc\/apache2\/sites-available\/000-default.conf<\/pre>\n
Make sure you have this type of configuration in the block of your website (also check if the full path matches your site root):<\/p>\n
<Directory \/var\/www\/html>\r\nAllowOverride All\r\n<\/Directory><\/pre>\n
Create or edit the .htaccess file at the root of your site:<\/p>\n
sudo nano \/var\/www\/html\/.htaccess<\/pre>\n
Include this content, but change example.com to your own domain:<\/p>\n
RewriteEngine on\r\nRewriteCond %{HTTP_REFERER} !^$\r\nRewriteCond %{HTTP_REFERER} !^http(s)?:\/\/(www\\.)?example.com<\/strong> [NC]\r\nRewriteRule \\.(gif|png|jpeg|jpg|svg)$ - [F]<\/pre>\n
Enable the module and restart your Apache.<\/p>\n
a2enmod rewrite\r\nsudo systemctl restart apache2<\/pre>\n
\n
Apache ModSecurity<\/strong><\/p>\n
It is an intrusion detection and prevention system.<\/p>\n
IMPORTANT<\/p>\n
This feature must be very well tested to prevent interruption of the web application functionalities. I do not recommend it for WordPress and many other applications.<\/p>\n
sudo apt install libapache2-mod-security2 -y\r\nsudo a2enmod headers\r\nsudo systemctl restart apache2<\/pre>\n
By default, it comes with a set of rules but for better performance replace it with the OWASP CoreRuleSet [Link<\/a>].<\/p>\n
sudo mv \/usr\/share\/modsecurity-crs\/ \/usr\/share\/modsecurity-crs.bkp\/\r\nsudo git clone https:\/\/github.com\/coreruleset\/coreruleset \/usr\/share\/modsecurity-crs\/\r\nsudo cp \/usr\/share\/modsecurity-crs\/crs-setup.conf.example \/usr\/share\/modsecurity-crs\/crs-setup.conf\r\nsudo cp \/etc\/modsecurity\/modsecurity.conf-recommended \/etc\/modsecurity\/modsecurity.conf\r\nsudo nano \/etc\/modsecurity\/modsecurity.conf<\/pre>\n
Edit:<\/p>\n
SecRuleEngine On<\/strong><\/pre>\n
For each of the enabled sites add the following lines:<\/p>\n
<VirtualHost *:443>\r\n...\r\n     SecRuleEngine On<\/strong>\r\n     <IfModule security2_module><\/strong>\r\n          Include \/usr\/share\/modsecurity-crs\/crs-setup.conf<\/strong>\r\n          Include \/usr\/share\/modsecurity-crs\/rules\/*.conf<\/strong>\r\n     <\/IfModule><\/strong>\r\n...\r\n<\/VirtualHost><\/pre>\n
Restart Apache<\/p>\n
sudo systemctl reload apache2<\/pre>\n
To test the security module try to access any link with an injection code:<\/p>\n
https:\/\/example.com\/?exec=\/bin\/bash<\/pre>\n
\n
Restrict Access using Basic Authentication<\/strong><\/p>\n
These techniques have similar functionality on NGINX.<\/p>\n
sudo apt-get install apache2-utils\r\nsudo htpasswd -c<\/strong><\/span> \/etc\/apache2\/.htpasswd user1<\/strong>\r\nsudo htpasswd \/etc\/apache2\/.htpasswd user2\r\n...\r\n<\/strong>sudo htpasswd -D<\/strong><\/span> \/etc\/apache2\/.htpasswd user1\r\n<\/strong><\/pre>\n
Create each user and set its password as shown above.<\/p>\n