Securing Magento
Latest revision as of 09:16, 1 April 2017
Overview
Magento has a few basic things to keep an eye on to keep you and your customers safe. This page is about Magento 1.x (app/etc/local.xml, the /downloader Magento Connect manager); Magento 2 uses different files and paths.
Quick Wins
Change the admin url
The default Magento admin URL is /admin. Changing it is obscurity rather than a real control (anyone who finds the new path can still attack it), but the bots that hammer /admin all day will get 404s instead of a login form, which takes a lot of pointless load off your server and noise out of your logs.
- Edit app/etc/local.xml under the Magento root.
- Look for
<frontName><![CDATA[admin]]></frontName>
- Change 'admin' to something else: keep it lowercase and URL-safe, and don't pick another guessable word like 'backend'.
- Clear the cache & log in at the new URL.
Don't change this by editing the setting in the Magento config section (System > Configuration > Advanced > Admin > Admin Base URL): get it wrong and you can lock yourself out of the admin, whereas local.xml can always be fixed again from the shell.
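The steps above, as an added example that is not from the original page: a small script that changes the frontName in a copy of local.xml the way you would by hand, but refuses weak names and checks its own work. The sample local.xml, the minimum length and the list of guessable words are this example's own choices, not Magento rules; the crypt key is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Where Magento 1 reads the admin path from, relative to the <config> root.
FRONT_NAME_PATH = "./admin/routers/adminhtml/args/frontName"

# Constraints chosen for this example (not Magento rules): lowercase, URL-safe,
# at least six characters, and not one of the words scanners try anyway.
SAFE_FRONT_NAME = re.compile(r"^[a-z0-9][a-z0-9_-]{5,}$")
GUESSABLE = {"admin", "administrator", "backend", "manage", "magento"}

# Constructed sample of app/etc/local.xml; the crypt key is a placeholder.
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
    <global>
        <crypt><key><![CDATA[0123456789abcdef0123456789abcdef]]></key></crypt>
    </global>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
"""


def current_front_name(local_xml: str) -> str:
    """Return the configured admin front name; Magento defaults to 'admin' when unset."""
    node = ET.fromstring(local_xml).find(FRONT_NAME_PATH)
    if node is None or not (node.text or "").strip():
        return "admin"
    return node.text.strip()


def set_front_name(local_xml: str, new_name: str) -> str:
    """Return local.xml with the admin frontName replaced.

    The file is edited as text rather than re-serialised through ElementTree,
    so the CDATA wrapper, comments and the rest of the file (DB credentials,
    crypt key) survive byte for byte. local.xml normally holds only this one
    frontName element, so the first match is the right one.
    """
    if new_name in GUESSABLE or not SAFE_FRONT_NAME.match(new_name):
        raise ValueError(f"refusing weak or unsafe admin front name: {new_name!r}")
    if ET.fromstring(local_xml).find(FRONT_NAME_PATH) is None:
        raise ValueError("no admin/routers/adminhtml/args/frontName node; add one before changing it")
    old = current_front_name(local_xml)
    # Match the text of a <frontName> element with or without a CDATA wrapper.
    pattern = re.compile(
        r"(<frontName>\s*(?:<!\[CDATA\[)?)" + re.escape(old) + r"((?:\]\]>)?\s*</frontName>)"
    )
    new_xml, count = pattern.subn(lambda m: m.group(1) + new_name + m.group(2), local_xml, count=1)
    # Re-parse the result: the edit must be visible to Magento, not just to the regex.
    if count != 1 or current_front_name(new_xml) != new_name:
        raise ValueError("edit did not apply cleanly; check local.xml by hand")
    return new_xml


if __name__ == "__main__":
    print(set_front_name(SAMPLE_LOCAL_XML, "ops-console7"))
```

Run it against a copy of your real local.xml, diff the output against the original (only the one line should differ), then put it in place, clear the cache and log in at the new path before closing the shell you changed it from.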
Restrict access to your unused store RSS feeds
If you're like 99% of Magento stores, you're not using your Magento RSS feeds.
The three feeds below are the admin ones: they expose new orders, low-stock products and pending reviews, and they authenticate with HTTP Basic Auth against admin user credentials. That makes them a second place to brute-force admin passwords, sitting at a well-known path no matter what you renamed /admin to. If you're not using them, disable them in System > Configuration > Catalog > RSS Feeds, and block them at the web server as well so a stray config change can't re-expose them. For Nginx, inside the server { block:
location ~* ^/?(index.php/?)?rss/(order/new|catalog/notifystock|catalog/review) { return 404; }
Check it afterwards by requesting /rss/order/new: you want a 404, not a 401 asking for credentials.
Restrict access to the Magento Connect page
The default URL for this is /downloader; it's a classic target for people trying to get in, because anyone who logs in there can install an extension, and an extension is just PHP code that runs with full access to your store and database. Two different ways to protect it:
Move the /downloader folder
- Just move it outside the web root. When you need it again, move it back in (and move it out again when you're done).
Check your admin logins
- Remove any that aren't in use (these easily build up with old team members, 3rd party access, etc.): every spare account is another password that can be guessed or phished.
- Check the usernames
- remove or change any like 'admin', 'aheadworks', 'amasty', 'magestore', 'mirasvit': these are the first ones a brute-forcer tries, and the vendor names usually come from support accounts created for an extension install and never removed
- remove or change any 'one word firstname' like 'John', 'Jane'
- Change the passwords on a regular basis, if possible (by regular, at least once every 6 months or so), and straight away whenever someone who had access leaves.
Restrict access to specific IPs
- If you're using Nginx:
- Edit your site's config in /etc/nginx/conf.d/, inside the server { block, to include this:
#block access to downloader
location /downloader/ {
allow 11.22.33.44;
deny all;
}
- Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.
- Remember to run nginx -t and then restart (or reload) Nginx after editing this.
- If you're using Apache:
- Edit your /downloader/.htaccess file to include these lines:
Order deny,allow
Deny from all
Allow from 11.22.33.44
- Edit the 11.22.33.44 to match your IP. If you have multiples just add a new line for each.
- That's the Apache 2.2 syntax; on Apache 2.4 use the Require ip directive instead, and make sure .htaccess files are honoured for that directory (AllowOverride), otherwise the rule is silently ignored.
Check it actually bites: request both /downloader/ and /downloader/index.php from an address that isn't on the list and confirm both are refused (Nginx lets a regex location, such as the one most configs have for .php files, take precedence over a plain prefix location, so the block can miss the second URL). If in doubt, moving the folder out of the web root is the more reliable option.
If your site sits behind a CDN, load balancer or reverse proxy, the address the web server sees is the proxy's, not the visitor's, so an IP allow list will either lock everyone out or let everyone in until the real client address is restored (the realip module for Nginx, mod_remoteip for Apache).
Check Your Server
If you're on a managed host, all good. If you're on a server that you're managing yourself, you'll want to check that you have secured it in line with best practices for your specific server type. That's beyond the scope of this article as it's such a huge area, but here are a couple of ideas:
Check File Ownership
If you get errors uploading files, especially when upgrading, check the file ownership first. If you're uploading via FTP, an easy way is to create a file and check who owns it: that's the user your FTP or PHP process runs as.
Then go into the Magento root directory on the server and set the ownership recursively (as root, since chown to another user needs it):
chown -R {server user name} .
Replace {server user name} with the actual user name. It needs to be the user PHP runs as, because the permission reset below gives no access at all to group or others, so the owner and the web server user must be one and the same for that scheme to work.
Check File Permissions
This is a pretty standard set of file permission resets. Run it from the Magento root as the user that owns the files (or as root). It's a locked-down scheme: nothing is readable by group or others, only var/ and media/ are writable, and everything else is read-only even for the owner, so deployments and upgrades need the relevant files made writable again first.
find . -type f -exec chmod 400 {} \;
find . -type d -exec chmod 500 {} \;
find var/ -type f -exec chmod 600 {} \;
find media/ -type f -exec chmod 600 {} \;
find var/ -type d -exec chmod 700 {} \;
find media/ -type d -exec chmod 700 {} \;
chmod 700 includes
chmod 600 includes/config.php
includes/config.php only exists if you've used the Magento compiler; if you haven't, the last two lines fail harmlessly. The first line also strips the execute bit from scripts, so put it back on anything you run directly (such as the mage script) rather than loosening the mode across the whole tree. Check it worked with ls -l on app/etc/local.xml: you want -r-------- and the right owner.
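The reset above, as an added example that is not from the original page: an audit that walks a Magento tree, reports every file or directory whose mode differs from the scheme the find/chmod lines produce, and can apply the scheme and re-check itself. The sample tree it builds in a temporary directory is constructed for the demo, with the sloppy modes a fresh FTP upload often has; the scheme itself (400/500 everywhere, 600/700 under var/ and media/, 700 for includes, 600 for includes/config.php) is taken straight from the commands above.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Modes from the reset commands above, as (directory mode, file mode).
DEFAULT_MODES = (0o500, 0o400)          # find . -type d 500 / -type f 400
WRITABLE_TREES = {                      # var/ and media/ must stay writable
    "var": (0o700, 0o600),
    "media": (0o700, 0o600),
}
SPECIAL = {                             # the two explicit chmods at the end
    "includes": 0o700,
    "includes/config.php": 0o600,
}

# Constructed sample tree with the sloppy modes a fresh FTP upload often has.
SAMPLE_TREE = {                         # relative path: (is_dir, current mode)
    "index.php": (False, 0o644),
    "app/etc/local.xml": (False, 0o666),        # DB password readable by everyone
    "var/log/system.log": (False, 0o666),
    "media/catalog/product": (True, 0o777),
    "includes/config.php": (False, 0o644),
    "downloader/index.php": (False, 0o755),
}


def expected_mode(rel: str, is_dir: bool) -> int:
    """Mode the reset scheme above would leave on this path."""
    if rel in SPECIAL:
        return SPECIAL[rel]
    dir_mode, file_mode = WRITABLE_TREES.get(rel.split("/", 1)[0], DEFAULT_MODES)
    return dir_mode if is_dir else file_mode


def walk_entries(root):
    """Yield (relative path, is_dir, mode) for everything below root.

    Symlinks are skipped so a link pointing outside the tree is never chmod'ed;
    the root directory itself is left alone so the shell you run this from
    keeps a usable working directory.
    """
    root = Path(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = Path(dirpath) / name
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            yield full.relative_to(root).as_posix(), stat.S_ISDIR(st.st_mode), stat.S_IMODE(st.st_mode)


def audit_permissions(root):
    """Sorted (path, actual, expected) for every entry off the scheme; [] means clean."""
    return sorted(
        (rel, mode, expected_mode(rel, is_dir))
        for rel, is_dir, mode in walk_entries(root)
        if mode != expected_mode(rel, is_dir)
    )


def apply_permissions(root):
    """Apply the scheme (same effect as the find/chmod lines) and return the re-audit."""
    root = Path(root)
    for rel, is_dir, mode in list(walk_entries(root)):
        want = expected_mode(rel, is_dir)
        if mode != want:
            os.chmod(root / rel, want)
    return audit_permissions(root)


def build_sample_tree() -> Path:
    """Create the constructed sample tree in a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="magento-perms-"))
    for rel, (is_dir, mode) in SAMPLE_TREE.items():
        target = root / rel
        if is_dir:
            target.mkdir(parents=True)
        else:
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("sample\n")
        os.chmod(target, mode)
    return root


def demo():
    """Audit the sample tree, fix it, audit again; returns (before, after)."""
    root = build_sample_tree()
    try:
        return audit_permissions(root), apply_permissions(root)
    finally:
        # The fixed tree is read-only; reopen the directories so it can be deleted.
        for rel, is_dir, _ in list(walk_entries(root)):
            if is_dir:
                os.chmod(root / rel, 0o700)
        shutil.rmtree(root)


if __name__ == "__main__":
    before, after = demo()
    for rel, actual, want in before:
        print(f"{rel}: {actual:o} -> {want:o}")
    print("clean" if not after else f"{len(after)} entries still wrong")
```

On a real store, run audit_permissions against the Magento root first and read the list before applying anything: it is also the quickest way to spot a stray 777 directory or a world-readable local.xml after someone else has been on the box.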
Top Tip: Install fail2ban and check it's working
Install Fail2Ban
This is an easy one: if you've not got it running and then install it, it's not uncommon to see thousands of IPs blocked almost immediately. Out of the box its jails watch services like sshd; to block the people hammering your admin login you also need a jail that watches your web server's log for those requests, so check with fail2ban-client status which jails are actually active.
There's a good guide to this over at Linode.
Ban bad IPs
You might spot some IPs repeatedly having a pop at your admin logins. Probably best to show them the door.
- If you're using Nginx:
- Edit your site's config in /etc/nginx/conf.d/, inside the server { block, to include this:
location / {
deny 11.22.33.44;
deny 22.33.44.55;
}
- Change 11.22.33.44 etc. to the IPs that keep trying to get in. If your config already has a location / block, add the deny lines to it rather than creating a second one, or put them directly in the server { block so they apply to every location.
- Remember to run nginx -t and reload Nginx after editing this.
Expect this list to go stale: attackers move between addresses, so keep it short and let fail2ban handle the day-to-day churn.
How to see which IPs are trying to get in? The easiest way is with slackCommerce:
Install slackCommerce
slackCommerce has an option to send an instant message whenever there is an admin login failure. This works for both attempts on the login page and on the downloader page. It's a free extension and saves you checking emails constantly to see if there are any breach attempts.
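For the "which IPs are trying to get in?" question in the Ban bad IPs section, here is an added example that is not from the original page and is not part of slackCommerce: it reads Nginx access log lines in the default combined format, counts the requests that match the three things this page tells you to lock down (failed admin logins, hits on /downloader, hits on the admin RSS feeds) and turns the repeat offenders into deny lines for the block above. The log lines are constructed for the demo and use documentation address ranges; the threshold, the category names and the rule that a failed admin login is a POST to the admin URL answered with 200 rather than a 302 redirect are this example's assumptions, so check them against your own log before trusting the output.

```python
import re
from collections import Counter, defaultdict

# Your renamed admin path (whatever you put in local.xml); 'admin' for the sample.
ADMIN_PATH = "admin"

# The admin-only RSS feeds from the Nginx rule above.
ADMIN_RSS = re.compile(r"^/rss/(order/new|catalog/notifystock|catalog/review)(/|$)")

# Nginx 'combined' format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (RFC 5737 documentation addresses, not real visitors).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2017:09:10:01 +0000] "POST /admin/ HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Apr/2017:09:10:02 +0000] "POST /admin/ HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Apr/2017:09:10:03 +0000] "POST /admin/ HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Apr/2017:09:10:04 +0000] "POST /admin/ HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Apr/2017:09:10:05 +0000] "POST /admin/ HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Apr/2017:09:10:09 +0000] "GET /downloader/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Apr/2017:09:12:40 +0000] "GET /rss/order/new HTTP/1.1" 401 0 "-" "python-requests/2.13"
198.51.100.23 - - [01/Apr/2017:09:12:41 +0000] "GET /rss/order/new HTTP/1.1" 401 0 "-" "python-requests/2.13"
198.51.100.23 - - [01/Apr/2017:09:12:42 +0000] "GET /index.php/rss/catalog/notifystock HTTP/1.1" 401 0 "-" "python-requests/2.13"
198.51.100.23 - - [01/Apr/2017:09:12:43 +0000] "GET /rss/catalog/review?x=1 HTTP/1.1" 401 0 "-" "python-requests/2.13"
198.51.100.23 - - [01/Apr/2017:09:12:44 +0000] "GET /downloader/index.php HTTP/1.1" 200 2210 "-" "python-requests/2.13"
192.0.2.10 - - [01/Apr/2017:09:15:00 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Apr/2017:09:15:01 +0000] "GET /admin/dashboard/index/key/abc123/ HTTP/1.1" 200 18990 "-" "Mozilla/5.0"
203.0.113.99 - - [01/Apr/2017:09:16:10 +0000] "GET /shoes/red-sneaker.html HTTP/1.1" 200 30122 "-" "Mozilla/5.0"
203.0.113.99 - - [01/Apr/2017:09:16:11 +0000] "GET /rss/catalog/new HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.50 - - [01/Apr/2017:09:17:00 +0000] "-" 400 0 "-" "-"
"""


def parse_line(line):
    """Return (ip, method, path, status) or None for lines that aren't a normal request."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("method"), m.group("path"), int(m.group("status"))


def normalise(path):
    """Drop the query string and a leading /index.php so both URL styles compare equal."""
    path = path.split("?", 1)[0]
    if path.startswith("/index.php"):
        path = path[len("/index.php"):]
    return path.rstrip("/") or "/"


def classify(method, path, status, admin_path=ADMIN_PATH):
    """Map one request to a probe category, or None for ordinary traffic.

    Assumption (check against your own log): a failed admin login is a POST to
    the admin login URL that comes back 200 with the form re-rendered, while a
    successful one is answered with a 302 redirect to the dashboard.
    """
    p = normalise(path)
    admin_root = "/" + admin_path.strip("/")
    if method == "POST" and status == 200 and (p == admin_root or p.startswith(admin_root + "/index/index")):
        return "admin_login_fail"
    if p == "/downloader" or p.startswith("/downloader/"):
        return "downloader"
    if ADMIN_RSS.match(p):
        return "admin_rss"
    return None


def count_probes(lines, admin_path=ADMIN_PATH):
    """Return {ip: Counter(category -> hits)} for every IP that sent at least one probe."""
    counts = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, status = parsed
        category = classify(method, path, status, admin_path)
        if category:
            counts[ip][category] += 1
    return dict(counts)


def offenders(counts, threshold=5, allow=()):
    """IPs whose probe total reaches the threshold, minus your own addresses (allow)."""
    return sorted(ip for ip, c in counts.items() if ip not in allow and sum(c.values()) >= threshold)


def nginx_deny_block(ips):
    """Lines to paste into the server { block or an existing location / block."""
    return "".join(f"deny {ip};\n" for ip in ips)


if __name__ == "__main__":
    found = count_probes(SAMPLE_LOG.splitlines())
    for ip, c in sorted(found.items()):
        print(ip, dict(c))
    print(nginx_deny_block(offenders(found)), end="")
```

Put your own office and VPN addresses in allow so a colleague mistyping their password doesn't end up in the deny list, and feed it the log through a pipe rather than loading a multi-gigabyte file into memory: count_probes only needs an iterable of lines.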