Updated Security Thread


83 replies to this topic

#81   Mort-lemur

Mort-lemur
  • Members
  • 1,195 posts

Posted 15 March 2012 - 01:54 PM

@Ninety-one Maro

In 2.3.1 installation you will have renamed the admin folder to something else. Basically it is the folder where all the admin files live.
Now my store is the way I want it - Secure, working well, and good Google Ranks - Thanks to all for the help given.

If you want to see the mods I have installed, then see my profile.

#82   vampirehunter

vampirehunter
  • Members
  • 274 posts

Posted 11 April 2012 - 08:54 PM

Hi,
can someone point me to the definitive list of things I should do to secure a brand new 2.3.1 installation?

Which add-ons, and which things should I change?

I tried osCommerce about 4 years back, but that table layout almost made me kill myself. I see that the new version is CSS-ready, so hopefully I can try again, but the contributions thing is also a problem.

I found it really annoying going through all those coded files replacing so many bits; I hope I don't have to do so many again.
Please advise on the 2.3.1 security procedures to make it strong and safe from hackers.

thanks

#83   ShopAdminNL

ShopAdminNL
  • Members
  • 15 posts

Posted 19 April 2012 - 02:23 PM

I'm a little bit of a newbie with osc 2.3.1, so I have a few security questions.

About '5. Rename /admin/ and htpasswd it' :

Xpajun, on 28 May 2011 - 02:29 PM, said:

Have you changed the admin name in catalog/your_new_admin_folder/includes/configure.php

  define('HTTP_SERVER', ''); // eg, http://localhost or - https://localhost should not be NULL for productive servers
  define('HTTP_CATALOG_SERVER', '');
  define('HTTPS_CATALOG_SERVER', '');
  define('ENABLE_SSL_CATALOG', 'false'); // secure webserver for catalog module
  define('DIR_FS_DOCUMENT_ROOT', $DOCUMENT_ROOT); // where your pages are located on the server. if $DOCUMENT_ROOT doesnt suit you, replace with your local path. (eg, /usr/local/apache/htdocs)
  define('DIR_WS_ADMIN', '/admin/');
  define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);
  define('DIR_WS_CATALOG', '/catalog/');

change this to the new name of your admin folder

So is it enough to just rename the /admin/ directory name, and put this new name into the configure.php file within this new admin directory /includes/ ? Or are there more places to set the new admin directory name?

Also, my configure.php files (both in catalog and in admin) are set to 644 instead of 444; should I change this immediately?


About '6. Remove references to (newly renamed) admin area in outgoing emails' :

I have tried to find out where in the emails this directory is mentioned, but no matter what I try, I can't see a reference to the admin directory. I've looked at the email's source with an OS X mail client. Is this issue still active in 2.3.1?
But what I do see is something like (envelope-from <deb3900000@xxxxx.nl>), which contains my FTP login name. Can this be a vulnerability?


Some things I do have already are:
- .htaccess files in most directories
- .htpasswd_osc file in the admin dir (but rights set to 664 because the rest is giving errors)
- adding "if  (strpos($_SERVER['REQUEST_URI'], ".php/login.php") !== false) something something" to application_top.php in the admin dir
- set all directories to 755 instead of 777
- made sure the $PHP_SELF fix from this topic is added

Besides some IP / anti-brute-force filtering, what more can I secure?

#84   ShopAdminNL

ShopAdminNL
  • Members
  • 15 posts

Posted 20 April 2012 - 10:39 AM

Last night I changed the admin folder's name, also made the change in configure.php and .htaccess, and all runs well right now!
Also set permissions of the two configure.php files to 444.

Step-by-step getting closer to a well-secured osc install ;)


Now I have an additional question: my shop is not installed in the root, but in a subdir called something like root/webshop/.
Do I need to secure the root directory extra somehow? There are just a few files there, like 404.shtml (also 400, 401, 500 and so on), an index.html (for my start page before entering the shop), some images for index.html, a google-site-verification html and a robot.txt, no .htaccess though.

Edited by ShopAdminNL, 20 April 2012 - 10:40 AM.
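The checklist items ShopAdminNL works through in posts #83 and #84 (DIR_WS_ADMIN no longer pointing at /admin/, both configure.php files at 444, no 777 directories, an .htaccess/.htpasswd pair in the renamed admin folder with a sane mode, and the question of an .htaccess in the site root) can be re-verified mechanically after every change. The audit script below is an added example written for this page; it is not osCommerce code and not something any poster shared. It assumes the standard layout where each configure.php lives under an includes/ folder, that the admin copy is the one defining DIR_WS_ADMIN (as in the configure.php quoted above), and that the admin folder is therefore the grandparent of that file. The finding tags (configure-writable, admin-default, and so on) are this script's own names.

```shell
#!/bin/sh
# osc_audit.sh - re-check an osCommerce 2.3.x document root against the
# hardening items discussed in the thread. Added example, not osCommerce code.
# Assumptions: configure.php lives at */includes/configure.php, the admin copy
# defines DIR_WS_ADMIN, and the admin folder is two levels above that file.

# Numeric mode of a path (GNU stat first, BSD/macOS stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Value of define('NAME', 'value') in a configure.php; first match wins.
read_define() {  # $1 = file, $2 = define name
    sed -n "s/^[[:space:]]*define('$2',[[:space:]]*'\([^']*\)').*/\1/p" "$1" | head -n 1
}

# Print one finding per line. Counting is done by the caller, because the
# find | while loops run in subshells and cannot update a counter here.
osc_audit_scan() {
    docroot=$1

    find "$docroot" -type f -path '*/includes/configure.php' | while read -r cfg; do
        # Post #84 settles on 444 for both configure.php files.
        m=$(mode_of "$cfg")
        [ "$m" = "444" ] || echo "configure-writable: $cfg is mode $m, expected 444"

        # Only the admin configure.php defines DIR_WS_ADMIN; skip the catalog copy.
        ws_admin=$(read_define "$cfg" DIR_WS_ADMIN)
        [ -n "$ws_admin" ] || continue
        [ "$ws_admin" != "/admin/" ] || echo "admin-default: $cfg still has DIR_WS_ADMIN = /admin/"

        # "Rename /admin/ and htpasswd it": the renamed folder needs its .htaccess,
        # and the password file should not be group- or world-writable (post #83 had 664).
        admin_dir=$(dirname "$(dirname "$cfg")")
        [ -f "$admin_dir/.htaccess" ] || echo "admin-unprotected: no .htaccess in $admin_dir"
        for pw in "$admin_dir"/.htpasswd*; do
            [ -f "$pw" ] || continue          # glob matched nothing
            case $(mode_of "$pw") in
                *[2367][0-7]|*[2367])          # group or other has the write bit
                    echo "htpasswd-writable: $pw is mode $(mode_of "$pw")" ;;
            esac
        done
    done

    # "Set all directories to 755 instead of 777": flag anything world-writable.
    find "$docroot" -type d -perm -0002 | while read -r d; do
        echo "dir-world-writable: $d is mode $(mode_of "$d")"
    done

    # Post #84: the site root above the shop had no .htaccess at all.
    [ -f "$docroot/.htaccess" ] || echo "root-no-htaccess: $docroot has no .htaccess"
}

# osc_audit DOCROOT: prints findings, returns 0 when clean and 1 otherwise.
osc_audit() {
    out=$(osc_audit_scan "$1")
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}

# Usage: sh osc_audit.sh /var/www/webshop
if [ "$#" -gt 0 ]; then
    osc_audit "$1"
fi
```

Run it against the directory that holds the shop (for a store in root/webshop/, run it once against webshop/ and once against the root) and treat a non-zero exit as "not done yet". One caveat on the 444 check: it is hygiene, not a guarantee. A PHP process running as the file's owner can chmod the file back before writing, so read-only configure.php files mainly protect against accidental edits and sloppy mass-uploads, not against code already executing in the shop.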