Updated Security Thread
Posted 15 March 2012 - 13:54
In 2.3.1 installation you will have renamed the admin folder to something else. Basically it is the folder where all the admin files live.
Now running on a fully modded 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.
Posted 11 April 2012 - 20:54
can someone point me to the definitive list of things I should do to secure a brand new 2.3.1 installation?
which addons, things i should change?
i Tried oscommerce about 4 years back but that table layout almost made me kill myself. I see that the new version is CSS ready, so hopefully I can try again, but the contributions thing is also a problem.
I found it really annoying going through all them coded files replacing so many bits, i hope i don't have to do so many again
Please advise of the 2.3.1 security procedures to make it strong and safe from hackers.
Posted 19 April 2012 - 14:23
About '5. Rename /admin/ and htpasswd it' :
Have you changed the admin name in catalog/your_new_admin_folder/includes/configure.php
define('HTTP_SERVER', ''); // eg, http://localhost or - https://localhost should not be NULL for productive servers
define('ENABLE_SSL_CATALOG', 'false'); // secure webserver for catalog module
define('DIR_FS_DOCUMENT_ROOT', $DOCUMENT_ROOT); // where your pages are located on the server. if $DOCUMENT_ROOT doesnt suit you, replace with your local path. (eg, /usr/local/apache/htdocs)
define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);
change this to the new name of your admin folder
So is it enough to just rename the /admin/ directory name, and put this new name into the configure.php file within this new admin directory /includes/ ? Or are there more places to set the new admin directory name?
Also, my configure.php files (both in catalog and in admin) are set to 644 in stead of 444, should I change this immediately?
About '6. Remove references to (newly renamed) admin area in outgoing emails' :
I have tried to find out where in the emails this directory is mentioned, but no matter what I try, I can't see a reference to the admin directory. I've looked to the email's source with an OSX mail client. Is this issue still active in 2.3.1?
But what I do see is something like; (envelope-from <firstname.lastname@example.org>) which contains my FTP login name. Can this be a vulnerability?
Some things I do have already are:
- .htaccess files in most directories
- .htpasswd_osc file in the admin dir (but rights set to 664 because the rest is giving errors)
- adding "if (strpos($_SERVER['REQUEST_URI'], ".php/login.php") !== false) something something" to application_top.php in the admin dir
- set all directories to 755 instead of 777
- made sure the $PHP_SELF fix from this topic is added
Besides some IP / anti brute force filtering, what more can I secure??
Posted 20 April 2012 - 10:39
Also set permissions of the two configure.php to 444.
Step-by-step getting closer to a well-secured osc install
Now I have an additional question, my shop is not installed in the root, but in a subdir called something like root/webshop/
Do I need to secure the root directory extra somehow? There are just a few files there, like 404.shtml (also 400, 401, 500 and so on), an index.html (for my start page before entering the shop), some images for index.html, a google-site-verification html and a robot.txt, no .htaccess though.
Edited by ShopAdminNL, 20 April 2012 - 10:40.