ANTI-HOTLINKING tutorial

[SmokeyTheBear]

- FOR VIDEOS -
ok as requested i will post source here.. you are welcome to clean up the code.

I have posted the easiest method here as an example , there are quite a few additional things you can add to provide more security..

ok here goes

for this example were assuming you have a folder called protected on your server EXAMPLE yourserver.com/protected/

so lets start off with making a folder called "protected" on your server.

Inside that folder should be 2 folders , one we will call "videos" and another we will call "secret"

paths should look like this
yourserver.com/protected/videos
and
yourserver.com/protected/secret

ok save the following as ".htaccess" and upload to the folder called "videos"

Code:

rewriteengine on
 rewriterule ^(.*)\.wmv$ http://www.yoursite.com/protected/?in=$1 [nc]
rewriterule ^(.*)\.jpg$ http://www.yoursite.com/protected/img.php?in=$1 [nc]

nothing else should be in the folder videos. " you could upload a blank index if you want "

ok now copy the following code and save as index.php in the folder "protected"

Code:

<?php
$in = $_GET['in'];
$sip = getenv("REMOTE_ADDR");
$fol = "log.dat";
$sc = file_get_contents($fol);
if (preg_match ("/$sip/", $sc)) {
header("Location: http://yourserver.com/protected/secret/$in.wmv");
}  else
{
header("Location: http://yourserver.com/protected/x.wmv");
}
?>

ok now copy the following code and save as img.php in the folder "protected"

Code:

<?php
$sip = getenv("REMOTE_ADDR");
$in = $_GET['in'];

$fol = "log.dat";
$sc = file_get_contents($fol);
$wrt = "$sip\n$sc";
$wrt = substr($wrt, 0, 10000);
if (preg_match ("/$sip/", $sc)) {
// access granted already
} else {


$hn = fopen($fol, 'w+');
fwrite($hn, $wrt);
fclose($hn);
}

$ft = "http://www.united.com/ual/asset/green_check_12x12.gif";
header("Location: $ft");

?>

finally , place a txt file called log.dat in the "protected" folder and chmod it to be writeable.

ok now all your video links should now point to yourserver.com/protected/videos/example.wmv

in order for the videos to work the surfer will have to have seen the following image
yourserver.com/protected/videos/access.jpg

so if your doing fhg's you should put that image on every page somehwere , doesnt matter the size so if you just wanna make it a hidden image you could zero the width/height.

Or you could tie the forward in the img.php to a banner

you should put a file called x.wmv in the "protected" directory to represent the default BAD VIDEO or you can simply modify the link to a website " ps i recommend using a flash file here because if the user is trying to hotlink your video in a website it would just show a dead video , wheras if you use a flash file as the link it would play your flash video when they try and hotlink it

In the img.php you should point to a small picture or you can tie this into a banner.

what the img.php is for is a security check to make sure the user has viewed the picture first. , when the image is viewed it logs your ip to the log.dat file , when a user attempts to view the video it checks the log.dat to make sure your ip is found. if not it sends to the x.wmv , if it is found it sends you to the proper videos

The REAL videos should go in the "secret" folder as pointed in index.php.

The real video url could be detected so its essential you rename this every now and then in the index.php and the actual folder.. you wont have to change your existing links on your pages at all , just the folder and the pointer in the index.php

p.s. as i mentioned , there are quite a few things you can do to make this more dynamic, i'm more than happy to help anyone with specific customization.

for ease of use i have posted the easiest method for fastest load

If you have any q's ask

If you make a cool mod to this please share / post

[CaptainHowdy]

I Heart You Smokey!

[TheDoc]

Good tip Smokey.. While I know this protects from direct linking, do you feel doing it this way creates less .htaccess / video playing problems?

I use a script to create symlinks with a random dir name, that can only be called by the root domain. However if your way makes videos work without any issues related to the .htaccess files - then this is better way to link the videos for serps.

[Doctor Dre]

Gotta bookmark this and try it when I get back home.

[SmokeyTheBear]

Quote:

Originally Posted by TheDoc

Good tip Smokey.. While I know this protects from direct linking, do you feel doing it this way creates less .htaccess / video playing problems?

I use a script to create symlinks with a random dir name, that can only be called by the root domain. However if your way makes videos work without any issues related to the .htaccess files - then this is better way to link the videos for serps.

well in the example posted i forgot to mention it only covers .wmv if you wanted it to cover multiple filetypes in the same folder you might have problems, gotta make a few mods for that

[Boobs]

thread bookmarked trhanks

[Altheon]

This is very cool. I'm looking forward to your modifactions to protect the other videos.

So far I've been embedding my videos in flash files to stave off hotlinkers this looks like it will be far less labor intensive.

-A

[woj]

you have to remove ips at some point from the log files? otherwise it will keep growing till it kills apache?

[kirstenlara_19]

very nice tutorials.


*bookmarked!*

[woj]

Quote:

Originally Posted by woj

you have to remove ips at some point from the log files? otherwise it will keep growing till it kills apache?

nm, I see how it works now

[SmokeyTheBear]

Quote:

Originally Posted by woj

you have to remove ips at some point from the log files? otherwise it will keep growing till it kills apache?

it does that by trimming the file when it saves it . to 10k

edit lol i see your reply now whoops

[SmokeyTheBear]

ok heres how you modify it to do multiple filetypes

the htacess should look like this

notice how it has a line for wmv and mpg, just copy that line and modify for the filetypes you need to add

Code:

rewriteengine on 
rewriterule ^(.*)\.wmv$ http://www.yoursite.com/protected/?end=wmv&in=$1 [nc]
 rewriterule ^(.*)\.mpg$ http://www.yoursite.com/protected/?end=mpg&in=$1 [nc]
rewriterule ^(.*)\.jpg$ http://www.yoursite.com/protected/img.php?in=$1 [nc]

then in the index.php

Code:

<?php
$in = $_GET['in'];
$end = $_GET['end'];
$sip = getenv("REMOTE_ADDR");
$fol = "log.dat";
$sc = file_get_contents($fol);
if (preg_match ("/$sip/", $sc)) {
header("Location: http://yourserver.com/protected/secret/$in.$end");
}  else
{
header("Location: http://yourserver.com/protected/x.wmv");
}
?>

[The Sultan Of Smut]

Once again kick ass work Smokey!!!

[UniqueMovies]

I need AHL installed on my server but they dont exist anymore.

How does this compare to AHL?

I really enjoyed the feature that would allow cheaters to hotlink my movies for a certain set time and after that time as passed it would redirect their traffic to wherever I wanted.

[The Sultan Of Smut]

Had to bump this thread since it's a good one! For those that want to use it for gallery submitting it may not be ideal since some TGP scripts will get sent to the hotlink video.

[d-null]

nice, like to see programming that solves a problem simply and by thinking out of the box

[ExLust]

Great tutorials. Very helpful.

[Big E]

You do realize that you can access the videos directly (bypassing the PHP scripts):

http://www.yoursite.com/protected/secret/video1.wmv
etc.

And you do realize that all the redirections will reveal the "secret" directory, right?

It would take someone reasonably technical about 7 seconds to figure this all out, and then they would hot link directly to the "secret" videos and you'd continue on thinking you're "protected". (sigh)

One suggestion - you could serve up the thumbs/videos through the PHP script, but that's got its own problems.

You need to look into a token system that's built into Apache -- *not* PHP, which only protects HTML/PHP files, does not protect content. Note: this does not require any special software to do.

(hint: mod_rewrite and cookies)

[tranza]

Hey Smokey, we <3 u

[LoveSandra]

Quote:

Originally Posted by SmokeyTheBear

- FOR VIDEOS -
ok as requested i will post source here.. you are welcome to clean up the code.

I have posted the easiest method here as an example , there are quite a few additional things you can add to provide more security..

ok here goes

for this example were assuming you have a folder called protected on your server EXAMPLE yourserver.com/protected/

so lets start off with making a folder called "protected" on your server.

Inside that folder should be 2 folders , one we will call "videos" and another we will call "secret"

paths should look like this
yourserver.com/protected/videos
and
yourserver.com/protected/secret

ok save the following as ".htaccess" and upload to the folder called "videos"

Code:

rewriteengine on
 rewriterule ^(.*)\.wmv$ http://www.yoursite.com/protected/?in=$1 [nc]
rewriterule ^(.*)\.jpg$ http://www.yoursite.com/protected/img.php?in=$1 [nc]

nothing else should be in the folder videos. " you could upload a blank index if you want "

ok now copy the following code and save as index.php in the folder "protected"

Code:

<?php
$in = $_GET['in'];
$sip = getenv("REMOTE_ADDR");
$fol = "log.dat";
$sc = file_get_contents($fol);
if (preg_match ("/$sip/", $sc)) {
header("Location: http://yourserver.com/protected/secret/$in.wmv");
}  else
{
header("Location: http://yourserver.com/protected/x.wmv");
}
?>

ok now copy the following code and save as img.php in the folder "protected"

Code:

<?php
$sip = getenv("REMOTE_ADDR");
$in = $_GET['in'];

$fol = "log.dat";
$sc = file_get_contents($fol);
$wrt = "$sip\n$sc";
$wrt = substr($wrt, 0, 10000);
if (preg_match ("/$sip/", $sc)) {
// access granted already
} else {


$hn = fopen($fol, 'w+');
fwrite($hn, $wrt);
fclose($hn);
}

$ft = "http://www.united.com/ual/asset/green_check_12x12.gif";
header("Location: $ft");

?>

finally , place a txt file called log.dat in the "protected" folder and chmod it to be writeable.

ok now all your video links should now point to yourserver.com/protected/videos/example.wmv

in order for the videos to work the surfer will have to have seen the following image
yourserver.com/protected/videos/access.jpg

so if your doing fhg's you should put that image on every page somehwere , doesnt matter the size so if you just wanna make it a hidden image you could zero the width/height.

Or you could tie the forward in the img.php to a banner

you should put a file called x.wmv in the "protected" directory to represent the default BAD VIDEO or you can simply modify the link to a website " ps i recommend using a flash file here because if the user is trying to hotlink your video in a website it would just show a dead video , wheras if you use a flash file as the link it would play your flash video when they try and hotlink it

In the img.php you should point to a small picture or you can tie this into a banner.

what the img.php is for is a security check to make sure the user has viewed the picture first. , when the image is viewed it logs your ip to the log.dat file , when a user attempts to view the video it checks the log.dat to make sure your ip is found. if not it sends to the x.wmv , if it is found it sends you to the proper videos

The REAL videos should go in the "secret" folder as pointed in index.php.

The real video url could be detected so its essential you rename this every now and then in the index.php and the actual folder.. you wont have to change your existing links on your pages at all , just the folder and the pointer in the index.php

p.s. as i mentioned , there are quite a few things you can do to make this more dynamic, i'm more than happy to help anyone with specific customization.

for ease of use i have posted the easiest method for fastest load

If you have any q's ask

If you make a cool mod to this please share / post

wget -m http://yoursite.com/
All I need to make a full mirror from every shitty site

[fatfoo]

Thanks for nice tutorial...

[jollyperv]

Smokey, do you know of a way to block these Russian bastards that are doing shit like this:

http://www.redlips.ru/cat/anal/2.htm

normal htaccess shit doesn't work, has my host stumped as well...they're using java or some kind of frame.

[SmokeyTheBear]

Quote:

Originally Posted by Big E

You do realize that you can access the videos directly (bypassing the PHP scripts):

http://www.yoursite.com/protected/secret/video1.wmv
etc.

And you do realize that all the redirections will reveal the "secret" directory, right?

It would take someone reasonably technical about 7 seconds to figure this all out, and then they would hot link directly to the "secret" videos and you'd continue on thinking you're "protected". (sigh)

One suggestion - you could serve up the thumbs/videos through the PHP script, but that's got its own problems.

You need to look into a token system that's built into Apache -- *not* PHP, which only protects HTML/PHP files, does not protect content. Note: this does not require any special software to do.

(hint: mod_rewrite and cookies)

this allows you to change the directory of the video without changin the hardcoded url. so if some clever joe like yourself tries to copy the final video url then i change the directory structure i then get to steal all your traffic , unless you want to change all your hardcoded urls all the time

[SmokeyTheBear]

Quote:

Originally Posted by LoveSandra

wget -m http://yoursite.com/
All I need to make a full mirror from every shitty site

and what does that have to do with hotlinking ?

[SmokeyTheBear]

Quote:

Originally Posted by Big E

you'd continue on thinking you're "protected". (sigh)

its always better to ask questions than just assume you know all the answers.

Quote:

The real video url could be detected so its essential you rename this every now and then in the index.php and the actual folder.. you wont have to change your existing links on your pages at all , just the folder and the pointer in the index.php

[Spunky]

That Smokey is one smart cookie

[$5 submissions]

Resource post FTW. Good job, Smokey!

[Big E]

Quote:

Originally Posted by SmokeyTheBear

this allows you to change the directory of the video without changin the hardcoded url. so if some clever joe like yourself tries to copy the final video url then i change the directory structure i then get to steal all your traffic , unless you want to change all your hardcoded urls all the time

So you have to monitor your logs for hotlinkers? Isn't the point of the script to eliminate that need? And it would be trivially easy to write a script that follows all the Location redirects so any time you changed the directory, I could auto-change my links as well.

My point is, security through obscurity is not really security. Better to design the thing right the first time and not have to touch it again.

[Big E]

Quote:

Originally Posted by SmokeyTheBear

its always better to ask questions than just assume you know all the answers.

Pot - meet kettle.

[TheDoc]

Quote:

Originally Posted by Big E

So you have to monitor your logs for hotlinkers? Isn't the point of the script to eliminate that need? And it would be trivially easy to write a script that follows all the Location redirects so any time you changed the directory, I could auto-change my links as well.

My point is, security through obscurity is not really security. Better to design the thing right the first time and not have to touch it again.

You are just missing the point all together: "I have posted the easiest method here as an example , there are quite a few additional things you can add to provide more security."

[SmokeyTheBear]

Quote:

Originally Posted by Big E

So you have to monitor your logs for hotlinkers? Isn't the point of the script to eliminate that need?

no you just change the directory as i pointed out originally every so often

Quote:

Originally Posted by Big E

And it would be trivially easy to write a script that follows all the Location redirects so any time you changed the directory, I could auto-change my links as well.

not for most people. i would rather deal with that type of person on an individual basis

Quote:

Originally Posted by Big E

My point is, security through obscurity is not really security. Better to design the thing right the first time and not have to touch it again.

and kill all your profit from the average hotlinkers ? nah

the point was to think outside the box. you cant have it both ways. best for se, best for antihotlinking and the best for making money , go ahead show us the script on gfy for free and write a tutorial , i will say kudos to you.

I would rather give someone the plate and have them choose their own food, rather than give them a plate of food and tell them what to eat

[SmokeyTheBear]

Quote:

Originally Posted by Big E

Pot - meet kettle.

i would never presume i have all the answers, if you thought i implied it , then my bad.. i def don't know all the answers.

simple fact is most hotlinkers arent doing it on an individual basis , they arent going to write some crazy script to spider my site for auto rotating directory changing if they did i would simply cron job rotate the directory paths every 5 mins then pick you off like a cherry when i see your script doing the same.

The example was meant to be simple so people could modify at as they see fit, to either add additional security or not.. so sure yes some crazy script could allow someone to hotlink my videos if they use ip shifting crawlers that i somehow cant stop, right now most people use nothing, in my book something is one step ahead of nothing

and something that costs nothing , saves you money and makes you money at the same time, has to be better than the alternative of NOTHING.