Magento Forum

Can you share your security recommendations? 
 
John34
Member
 
Total Posts:  33
Joined:  2009-05-31
 

I’m looking to lockdown and provide the best security possible for my Magento install. I’ve read through every thread in the Security forum and am looking for more tips on locking down Magento.

I am an experienced WordPress user and here’s a great .htaccess set of rules for securing WordPress. I’ve pasted the code into my Magento root .htaccess folder and so far things look good (I removed Options +FollowSymLinks since the default Magento .htaccess file already has that there).
http://perishablepress.com/press/2009/03/16/the-perishable-press-4g-blacklist/

UPDATE: Noticed the set of rules from the link above makes it so in your admin area none of the links or dropdown menus work. Anyone know what line of code is affecting this?

Any other suggestions would be welcomed. Thanks.

 
 
J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

Best advice re security: assume you will get hacked. Knowing you will avoids a false sense of security and enables you to think things through properly. When you get hacked, how quickly will your host be able to assist you? Do you collect enough logs to find out how they entered? Is your back-up routine adequate and did you test rolling back a back-up? When your system is compromised, what do they get access to? Are credit card details stored? Passwords in plain text? Can they use your server to spam out a million unsolicited e-mails or are there caps in place? If they insert hidden links in your template, how will you find out? Are you comfortable on the command line, for blocking IPs, running tcpdump etc?

All these questions arise from assuming you will be hacked. The answers will tell you how deep in shit you will be. If well prepared, getting hacked won’t be a big deal.

 
 
John34
Member
 
Total Posts:  33
Joined:  2009-05-31
 

Hi J.T., thanks for the response. All very good points and are things I take into consideration. As a WordPress guy, I know this topic of people getting hacked all too well.

Currently for backups, I use a program called SyncBackSE to backup all my hosting files with one click (and it automates backups once a week) and I log into phpMyAdmin and export my database to keep a current backup, typically once or twice a week.

I also posted a new forum thread which shows some .htaccess rules I use to help protect against things like SQL injection.
http://www.magentocommerce.com/boards/viewthread/45499/

I have 2 IP addresses blocked in my .htaccess file as well which came from two known hackers who try to hack WordPress sites, though they could have been using a Proxy.

What would really help with security is if someone could come up with a mod which customizes our database install some and then all we’d need to do is update what we did in a config file. For example, in WordPress, many hackers will try to gain access to the database because they know the default install of a WordPress database has a database prefix of wp_

So if they guess correctly that my prefix is wp_, then they can try some sql injection tactics because they know wp_users is the database table which contains my username and password. However, in WordPress there is a way to change wp_ to something else, like say 3lbLV_. In this way, the hacker won’t be able to guess how to use standard scripts to access my database.

Going back to what you said about assuming you’re going to be hacked, I assume if someone knows I’m using Magento (looking at my source code), then they know my database probably looks exactly like yours and his and hers. Once they crack one, they can crack all.

A nice mod to change our installs to be a little less cookie cutter would be great.

Any other suggestions out there on how to lockdown Magento?

Thanks

 
 
J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

Magento already supports custom pre_fixes. You’re right, it should always be set. Magento also supports custom admin URLs, which is important too. And if you do rename the admin folder, keep the original one and make it look like you protected it well (htpasswd for example) so they stop looking further, hopefully.

I personally also think not using Magento Connect helps in this sense. It saves a lot of loose permissions and blocks a few ways in.

Mod-Evasive can also help, though I disabled it again recently. Firewall rules against unnatural browsing patterns can also help against vulnerability probers.

Anyway, Magento is pretty good and Zend are helping to make it better. With such top-notch teams on it and multi-million dollar merchants using it, I have full confidence in its long-term safety.

I’m also going to run Zend Server so I get near-instant PHP hotfixes etc. to keep things watertight at that level too.

 
 
John34
Member
 
Total Posts:  33
Joined:  2009-05-31
 

Hi J.T.

Good point about staying away from Magento Connect as far as security is concerned. Using 3rd party programs is always risky because you don’t know how secure they make their software, how often they update it, etc.

About mod_Evasive, how would I go about installing this on my shared account? I Googled it but not sure where I should download it from and am still a bit confused on how to get it all set up. Any help would be appreciated.

Also, could you point me to an area on how to customize my database in Magento? I Googled it but came up empty handed.

Thanks J.T.

 
 
J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

I meant avoiding Connect for the openness it requires, not necessarily for the sake of avoiding other people’s code, but yes, that is another consideration altogether.

Mod Evasive is probably already installed, just not enabled in your httpd.conf file. On a shared hosting account, that will be tricky though, ask your host.

 
 
John34
Member
 
Total Posts:  33
Joined:  2009-05-31
 

Any ideas on how to customize the database prefixes?

Thanks

 
 
J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

Not sure about post-install but in app/etc/local.xml I have:

<resources>
    <db>
        <table_prefix><![CDATA[sneaky_prefix_]]></table_prefix>
    </db>
    <default_setup>
        <connection>
            <host><![CDATA[localhost]]></host>
            <username><![CDATA[magento_db_user]]></username>
            <password><![CDATA[supersecretpassword]]></password>
            <dbname><![CDATA[magento_database]]></dbname>
            <active>1</active>
        </connection>
    </default_setup>
</resources>

Change/add the prefix part, then amend your tables and see what happens. I don’t think I need to tell you about backups ;) Note it will take flushing your caching and possibly logging out and back in.
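The "amend your tables" step, as an added example that is not from the thread or from Magento itself: it reads table_prefix out of a constructed local.xml that mirrors the fragment above (a real Magento 1 local.xml wraps <resources> in <config><global>), lists the tables that still lack the prefix, and emits one RENAME TABLE statement covering all of them, so it can be re-run safely after a partial rename. The table names are constructed sample input.

```python
import xml.etree.ElementTree as ET

# Constructed sample of app/etc/local.xml mirroring the fragment in the post;
# a real Magento 1 local.xml wraps <resources> in <config><global>.
LOCAL_XML = """<?xml version="1.0"?>
<config>
  <global>
    <resources>
      <db>
        <table_prefix><![CDATA[sneaky_prefix_]]></table_prefix>
      </db>
      <default_setup>
        <connection>
          <host><![CDATA[localhost]]></host>
          <username><![CDATA[magento_db_user]]></username>
          <password><![CDATA[supersecretpassword]]></password>
          <dbname><![CDATA[magento_database]]></dbname>
          <active>1</active>
        </connection>
      </default_setup>
    </resources>
  </global>
</config>
"""

# Constructed list of table names, as SHOW TABLES would list them on an
# unprefixed install where one table has already been renamed.
TABLES = ["admin_user", "core_config_data", "customer_entity",
          "sneaky_prefix_sales_flat_order"]

def read_table_prefix(local_xml):
    """Return the configured table_prefix, or '' when none is set."""
    node = ET.fromstring(local_xml).find("./global/resources/db/table_prefix")
    return (node.text or "").strip() if node is not None else ""

def unprefixed_tables(tables, prefix):
    """Consistency check: tables that still lack the configured prefix."""
    return [t for t in tables if not t.startswith(prefix)]

def rename_statement(tables, prefix):
    """One RENAME TABLE covering every unprefixed table (MySQL renames all
    pairs of a single statement atomically); '' when nothing is left to do."""
    pairs = [f"`{t}` TO `{prefix}{t}`" for t in unprefixed_tables(tables, prefix)]
    return "RENAME TABLE " + ", ".join(pairs) + ";" if pairs else ""

if __name__ == "__main__":
    prefix = read_table_prefix(LOCAL_XML)
    print(rename_statement(TABLES, prefix) or "all tables already prefixed")
```

Run unprefixed_tables() again after the rename (and after the cache flush mentioned above) to confirm nothing was missed before pointing the store at the new prefix.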

 