83 replies to this topic

[burt]

The other security thread is good, but times have moved on.  Here are my base suggestions (in no particualr order) for securing a unhacked site;

1.  Security Pro from FWR Media
2.  OSC SEC from Taipo
3.  Filesafe from FWR Media
4.  Add htaccess to all public folders
5.  Rename /admin/ and htpasswd it
6.  Remove references to (newly renamed) admin area in outgoing emails
7.  Add extra login parameter (JanZ)
8.  Fix $PHP_SELF spoofability

Bad Conduct from Debs (undecided on this, I am still "road-testing" it).

I am not in favour of IP trapping, as most hackers don't use their own IP addresses.

If anyone has any extra thoughts on this, please post.

For securing a hacked site - exactly the same, but make sure that the hack is cleaned out first.  This can be done by manually inspecting the files and removing any files/code that is not supposed to be there.  Or by re-installing from a known unhacked backup.  Or of course, starting from scratch with a brand new install of oscommerce.

Edited by burt, 16 May 2011 - 11:59 AM.

[Taipo]

8. Fix $PHP_SELF spoofability

This is fixed in osC_Sec.

[Xpajun]

Gary,

It would be nice if you added links to your above post - Add extra login parameter (JanZ) is what add-on / forum post for instance


Also, are you referring your post to 2.2 or are you including 2.3 and if the latter which of you list does not apply to 2.3?

Edited by Xpajun, 17 May 2011 - 06:53 PM.

[burt]

I'll probably make it into a blog post in the coming days Juls.

[modelspecialist]

Quote

6. Remove references to (newly renamed) admin area in outgoing emails

how to you do this?

[burt]

I got 3/4 the way through a more detailed update to this, then the laptop died

[burt]

1. Security Pro from FWR Media {
2.3.1 and lower.
a.  Addon
b.  Support
}

2. OSC SEC from Taipo {
2.2rc2a and lower.
a.  Addon
b.  Support
}

3. Filesafe from FWR Media {
2.3.1 and lower
a.  Addon
b.  Support
Filesafe replaces "Site Monitor".  Site Monitor is old and tired.
}

4. Add htaccess to all public folders {
2.2rc2a and lower
a.  If you still run pre 2.3.1 cart, use the .htaccess files from a 2.3.1 installation.
Example: https://github.com/osCommerce/oscommerce2/blob/master/catalog/images/.htaccess
}

5. Rename /admin/ and htpasswd it {
2.3.1 and lower
a.  if your admin area is located at /admin/ change it now by renaming it to something randomly hard to guess, eg:  /d9fne3ufvurjes%kep/
b.  amend the file /includes/configure.php (in the newly renamed admin area) to reflect the new name (it should be very obvious where to amend that file!)
}

6. Remove references to (newly renamed) admin area in outgoing emails {
2.3.1 and lower
a.  renaming your admin area is great, but it is still possible to find out where it is, by placing an order, as outgoing emails contain the admin address.  More.
}

7. Add extra login parameter (JanZ) {
2.3.1 and lower
a.  link - scroll down to "admin/includes/application_top.php Line 146-151" and start reading.
}

8. Fix $PHP_SELF spoofability {
2.2rc2a and lower
a.  Use the PHP_SELF line of code from 2.3.1
a1. Admin: https://github.com/osCommerce/oscommerce2/blob/master/catalog/admin/includes/application_top.php#L38
a2. Catalog: https://github.com/osCommerce/oscommerce2/blob/master/catalog/includes/application_top.php#L47
b.  Note that SOME contributions update PHP_SELF so you MIGHT not need to change this, example: FWR Media USU5.
b1.  The Osc Sec module does not make changes to PHP_SELF, however, Taipo correctly advises in the installation instructions to change this.
}

More thoughts

i. IP Trapping - pointless.  Any "hacker" worth more than a penny is not using his own IP address.

ii.  Removal of File Manager - not needed.  There never was a problem with this file, other than the fact it could be accessed thru an insecure admin area.  If you have renamed and secured your admin, no problem to leave it as is, if you want to.  Personally I would still remove it as it mangles code when used.

iii.  Bad Conduct Banning - I am road testing this.  Will update the thread when I have some conclusions.

Edited by burt, 24 May 2011 - 11:16 AM.

[modelspecialist]

Sweet post! I suggest someone of the staff sticky this.

[Xpajun]

burt, on 24 May 2011 - 11:15 AM, said:

5. Rename /admin/ and htpasswd it {
2.3.1 and lower
a.  if your admin area is located at /admin/ change it now by renaming it to something randomly hard to guess, eg:  /d9fne3ufvurjes%kep/
b.  amend the file /includes/configure.php (in the newly renamed admin area) to reflect the new name (it should be very obvious where to amend that file!)
}

2.3.1 installation gives you the option to rename your admin, doing it at this time also saves the problem of not getting the configure.php change right.

htpasswd on 2.3 is a bit of a problem causer - the user name and password MUST be the same as admin login details otherwise the login won't work

burt, on 24 May 2011 - 11:15 AM, said:

iii.  Bad Conduct Banning - I am road testing this.  Will update the thread when I have some conclusions.

I've been using Bad Behavior Block for some time, I like it for the following:

• It provides a first line of defence against hackers
  
• It protects your whole website not just osC
  
• It is easily adaptable to include other hack attempt conditions
  
• It bans the hacking IP address - there is much discussion on this principle but I would say that the ban stops that IP from continuous attempts to hack your store (sometimes in the region of 240 attempts per minute) thus easing server load.
  
• The ban is only directed at an active hacker, so there is no need for ad-hock bans of complete countries thus allowing you to trade anywhere in the world
  
• At the end of the day you can always remove banned IP addresses from the list - after all if they attempt to hack your store again they will be banned

Thought you might like a list of reasons why I think it is useful with osC Gary - yes there are others that will say that their contribution makes it redundant but they should understand that this contribution, being first in line, makes their one redundant, but that doesn't stop me from using theirs as a second line of defence...

[burt]

Thanks Juls.  Welcome more comments from anyone else too.

Bad Conduct would I think be better if it added IP addresses for say 15 minutes.  Thoughts?

[sucuri]

I will add some things that are not specific to osCommerce, but are very good to have to prevent attacks (in addition to all that was said):


1-Use strong passwords for the admin interface and FTP/SFTP/SSH. Sound obvious, but we see so many sites hacked through brute force attacks that it is not even funny.


2-If you have additional sites in the same FTP account (on shared hosts), make sure all of them are updated and secure too. Otherwise an attack in one of them can spread to the other sites...


3-If you are on a dedicated server (or VPS), monitor your server closely. A good tool is the open source OSSEC (free): http://www.ossec.net . It will check all your logs, files, etc for attacks and block them.


4-Daily offsite backups. If your site is compromised or you have a hosting error (or even by mistake), make sure you can easily recover your files and database. There are some many services that offer that (and they are cheap). Examples: http://gudado.com , site-vault.com, etc.


5-Check your site for malware/spam/etc. I am a bit biased on this, but I recommend checking your site for security issues. The earlier your know that something is happening, the earlier you can respond and fix things. A free checker: http://sitecheck.sucuri.net


Thanks,

[Taipo]

Quote

The Osc Sec module does not make changes to PHP_SELF, however, Taipo correctly advises in the installation instructions to change this

osC_Sec does change the $PHP_SELF, the 2.3.1 patched $PHP_SELF is in osC_Sec as well as a safeguard in case another addon is included after osC_Sec that causes the $PHP_SELF to report an empty result.

Scroll to the section headed by:

  /**
  * Reliably set $PHP_SELF
  * as a filename .. 
  * platform safe
  * Base of this is from Oscommerce ver 2.3.1
  **/

Also if someone is going to use both osC_Sec and Security Pro 2.0 together, then its best they set $GETcleanup = 1; to $GETcleanup = 0; in osC_Sec because there is no point in doing that cleanup twice.

[Xpajun]

burt, on 24 May 2011 - 08:30 PM, said:

Thanks Juls.  Welcome more comments from anyone else too.

Bad Conduct would I think be better if it added IP addresses for say 15 minutes.  Thoughts?

I would say 15 minutes is too short, 24 hours should be minimum but a month would be the optimum.

It is possible that Bad Conduct will ban an "innocent" that has an infected computer; a redirect to a 403 that explains what has happened and why would be a good thing.



Innocent - there is no such thing as an innocent with an infected computer that will try to hack your store they lose their right to innocence when they failed to take precautions and allowed their computer to become infected, however an explanation stating that their computer 'may' be infected would not come amiss

[burt]

Taipo - thanks, I stand corrected.

Juls - I see no value in banning fake IP addresses.  Perhaps we are talking about different things?

[modelspecialist]

I managed to remove the X-PHP reference from the mail module in my admin folder by replacing

while ($mail = tep_db_fetch_array($mail_query)) {
	  $mimemessage->send($mail['customers_firstname'] . ' ' . $mail['customers_lastname'], $mail['customers_email_address'], '', $from, $subject);
	}

with

// before sending mail, change PHP_SELF to hide admin dir from mail header
	$tempvar = $HTTP_SERVER_VARS['PHP_SELF'];
	$HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
	while ($mail = tep_db_fetch_array($mail_query)) {
	  $mimemessage->send($mail['customers_firstname'] . ' ' . $mail['customers_lastname'], $mail['customers_email_address'], '', $from, $subject);
	}
	$HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;

however, I don't find this code in the Orders.php file. The only code I find is a tep_mail action but I don't have an idea on how to change/alter this to hide the x-php referencen my php knowledge doesn't reach that far. any help is appreciated, the linked topic above doesn't really specify this.

[modelspecialist]

apparently i can't edit my own posts on this forum; just to be clear the file I edited succesfully was [youradminfoldernamehere]\mail.php

[burt]

Same basis.

FROM THIS:

tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);

TO THIS:

$tempvar = $PHP_SELF;
$HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
$PHP_SELF = $tempvar;

[modelspecialist]

worked like a charm. thanks!

[Juto]

Hi Burt and thanks for this thread

wondering is this Spooks addon obsolete now?

function clean_var ($vars) { 
  if (!is_array($vars)) {							   
  return preg_replace("/[^\p{L}\d\r@ :{}_.-]/i", "", urldecode($vars)); 
  } else {	  
  return array_map('clean_var', $vars); 
  }
} 
   if (PHP_VERSION >= 4.1) $_POST =& $_POST; 
  reset($_POST);		
  while (list($key, $value) = each($_POST)) {						   
  $_POST[$key] = clean_var ($_POST[$key]);	  
  }

[Annisse]

Hello there!

Loving all the security contributions and advice! Soaking it up like a wet sponge. Thanks Burt and Xpajun

Now, this is probably an easy answer for you guys but I am in the dark about this.

5. Rename /admin/ and htpasswd it

So I change the admin folder to my new name of choice, then when I go to my Admin page to log into OSCommerce I now get an Error 403. My catalog is still trying to locate the old folder name, admin/login.php

What steps do I also need to do after changing my admin folder name to access my Admin login page again with the new folder name?

Thank you for your help. Total noob with anything having to do with computers and code