Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

prevent hot linking of images Linux Centos

Posted on 2013-12-18
11
Medium Priority
?
932 Views
Last Modified: 2014-01-12
Hi,

I came across this bit of code to prevent hotlinking of my images on https://secure.myultratrust.com and
http://myultratrust.com

I put the following in my httpd.conf file:
SetEnvIfNoCase Referer "^https://secure\.myultratrust\.com/" banimages=1
SetEnvIfNoCase Referer "^http://myultratrust\.com/" banimages=1
SetEnvIfNoCase Referer "^http://www\.myultratrust\.com/" banimages=1
SetEnvIfNoCase Referer "^$" banimages=1
<FilesMatch "\.(gif|png|jpe?g)$">
  Order Allow,Deny
  Allow from env=banimages=1
</FilesMatch>

Open in new window


I then restarted apache. But the above prevents my images from displaying on my own site though.

Also, I tried this in my .htaccess file:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?cyberciti.biz/.*$ [NC]
RewriteRule ^.*\.(bmp|tif|gif|jpg|jpeg|jpe|png)$ - [F] 

Open in new window


I restarted apache. But I still see the image here:
http://tutorialref.com/test/temp/test_hotlinking.html

https://secure.myultratrust.com/diy/login/images/bottom-separator.png - that's an image to test.

Thank you,
Victor
0
Comment
Question by:Victor Kimura
  • 6
  • 5
11 Comments
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39728482
Your image link uses 'https' which isn't considered in your .htaccess file.  And why are you using 'cyberciti.biz' instead of "myultratrust\.com"?

http://www.javascriptkit.com/howto/htaccess10.shtml

Here are some suggestions from Dreamhost:
http://wiki.dreamhost.com/Preventing_hotlinking
0
 

Author Comment

by:Victor Kimura
ID: 39731439
Hi Dave,

Sorry, I posted the wrong code from the .htaccess file:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://(secure\.)?myultratrust.com/.*$ [NC]
RewriteRule ^.*\.(bmp|tif|gif|jpg|jpeg|jpe|png)$ - [F]

Open in new window


I also tried this:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?myultratrust\.com(/.*)*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://myultratrust\.com(/.*)*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://(secure\.)?myultratrust\.com(/.*)*$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule \.(jpeg|jpg|gif|png)$ - [F]

Open in new window


Both times I restarted apache.

But I can still see the image here:
http://tutorialref.com/test/temp/test_hotlinking.html

What am I doing wrong?
0
 
LVL 84

Accepted Solution

by:
Dave Baldwin earned 2000 total points
ID: 39734424
This works on two of my Linux web sites.
RewriteEngine on  
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite.com/.*$ [NC]
RewriteRule \.(gif|jpg|jpeg|js|css)$ - [F]

Open in new window

0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 

Author Comment

by:Victor Kimura
ID: 39762725
it's strange. but I can still see this image on this page:
http://tutorialref.com/test/temp/test_hotlinking.html

Something else wrong:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://(secure\.)?myultratrust.com/.*$ [NC]
RewriteRule \.(gif|jpg|jpeg|js|css)$ - [F]

Open in new window


Maybe a setting?
0
 
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 2000 total points
ID: 39762849
If you have 'redirection' setup before the attempt to block the images, then the image block will never be seen.  Try putting that .htaccess code above in the image directory.
0
 

Author Comment

by:Victor Kimura
ID: 39763035
hmm...I put the code above in an .htaccess file in the image directory at:

https://secure.myultratrust.com/diy/login/images/

restarted apache. Still image is showing up at:
http://tutorialref.com/test/temp/test_hotlinking.html

Is it because it's in a sub-domain and so perhaps I need something extra so the server knows where the images directory is precisely?
0
 

Assisted Solution

by:Victor Kimura
Victor Kimura earned 0 total points
ID: 39763040
I found this bit of code:
RewriteCond expr "! %{HTTP_REFERER} -strmatch '*://%{HTTP_HOST}/*'"
RewriteRule ^/images - [F]

on the apache site:
http://httpd.apache.org/docs/current/mod/mod_rewrite.html

But not quite sure how to change it to match my condition. I find the rewritecond a thing to be grasped still.
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39763133
I don't know what to tell you.  'rewrite' has never been all that clear to me.
0
 

Assisted Solution

by:Victor Kimura
Victor Kimura earned 0 total points
ID: 39763179
Haha. Lol. My simple mistake. I'm getting over a cold so I didn't see that I didn't add .png to the line!

Thanks, Dave!

Here's the code for others to use. Works for all subs.

# ------------------------------------------------
# Stop hotlinking of images
# ------------------------------------------------
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://(.+\.)?mydomain.com/.*$ [NC]
RewriteRule .*\.(gif|jpg|jpeg|js|css|png)$ - [F]

Open in new window


I'm just curious what is this line actually mean?
RewriteCond %{HTTP_REFERER} !^$
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39763557
Glad you found it, I didn't even notice that.
0
 

Author Closing Comment

by:Victor Kimura
ID: 39774469
Thanks, Dave! =)
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Suggested Courses
Course of the Month13 days, 7 hours left to enroll

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question