Author Topic: Blocking .htaccess for PCI Compliance  (Read 3177 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Blocking .htaccess for PCI Compliance
« on: December 07, 2020, 05:49:25 PM »
So, I recently scanned my server for PCI compliance, and it failed.  One of the reasons that it failed was due to a bunch of htaccess files that contain authentication information.

Here is what the scan results state:

THREAT:
.htaccess contains authentication information.

IMPACT:
Unauthorized users can gather authentication information from this file.

SOLUTION:
Change the Apache configuration so the .htaccess file cannot be accessed via the Internet.

When I visit one of the urls they claim is giving access to .htaccess ( hn.myserver.com:2095/.htaccess ), I can access the file.

I have tried everything that I can think of to prevent this.

In httpd.conf I have this code (which was already there):

<Files ".ht*">
    Require all denied
</Files>

That was in there by default, but it doesn't block access.  So, I tried adding this code, as per a suggection I found, to httpd.conf:

<Files .htaccess>
   <IfModule mod_authz_core.c>
      Require all denied
   </IfModule>
   <IfModule !mod_authz_core.c>
      Deny from all
   </IfModule>
</Files>

That also didn't block access.  I read something where someone said put the above code into the .htaccess file. So, I did a search for all .htaccess file via ssh, and found the one I was pretty sure is the one hn.myserver.com:2095/.htaccess downloads at ./usr/local/cwpsrv/var/services/roundcube/. I added the code, and it still downloads.  I check the file, and it did have the new code in it, so I know I found the correct one.

I also read that I can just disable .htaccess by having AllowOverride None in my httpd.conf, but it was already in my httpd.conf file, and it doesn't do anything.

So, how do I block access to these?  Nothing makes sense to me!

I should also note, that I am using just straight apache 2.4.39.  No Varnish or NGINX