Currently there are some discussions going on here on the subject
of securing osCommerce against hackers. One of the things I replied
is that it is always a good idea to have a delay on your logins (to discourage people trying over and over / stress brute-force attacks).
Elmo asked how this was done, so I decided to post it in the TIPS forum, combined with some reporting on failed logins.
1.) How it works - The Basics
The first thing you should do immediately after an install is secure the Admin directory with a .htaccess file and password.
A .htaccess file is a per-directory configuration file: on every request Apache (the most commonly used webserver) reads the .htaccess in the requested directory and its parent directories before serving anything, provided the server's AllowOverride setting permits it (if it doesn't, the file is silently ignored and the directory stays open). That .htaccess file can contain
lots of what Apache calls 'Directives', i.e. settings.
The most commonly used one is password protection, the second one is probably custom ErrorDocuments. We will use both for this tip.
I am not going to re-write info that is widely available on the net here, so
read this guide (please let me know if the link is no longer current)
Step 1: For securing directories:
http://www.cgiextremes.com/extras/Tips_Tut...htaccess.html#2
Step 2: For creating custom error pages:
http://www.cgiextremes.com/extras/Tips_Tut...htaccess.html#4
2.) The 401 Error Page
So you have set up your Admin .htaccess and password,
and you have set up your custom error pages in the .htaccess too?
Replace whatever 401 page you have with this code. Keep the 401 page itself outside the protected directory: if Apache needs a password to fetch the error document, it cannot show it and falls back to its built-in error page.
<?php
/*
401 HTTP HEADER (Auth Req) custom error page
specifically created for osCommerce but will
be used for your complete site once installed.
(c) 2003 osCommerce - mattice
http://www.oscommerce.com/about/team
*/
//---------------------------------
// C O N F I G U R A T I O N
//---------------------------------
$lb = "\n"; // linebreak, either "\n" (double quotes!) or '<br>'
$secs = 5; // seconds to delay, keep this between 5 and 20 I'd say
$email_address = 'you@yoursite.com'; // address to mail report to
$show_msg = 'Go away. This aint working.'; // message to show to person trying
//---------------------------end of config
// get the bastard's IP. X-Forwarded-For is whatever the client or its proxy
// chose to send, so it is reported next to REMOTE_ADDR, never instead of it
$ip = getenv('REMOTE_ADDR');
$fwd = '';
if (getenv('HTTP_X_FORWARDED_FOR')) {
  $fwd = ' (' . getenv('HTTP_X_FORWARDED_FOR') . ')';
}
// PHP_AUTH_USER / PHP_AUTH_PW are filled in when PHP runs as an Apache module;
// under CGI/FastCGI the Authorization header is not handed to PHP by default
$name = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
$pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
// create nice report
$msg  = $lb . 'FAILED LOGIN ATTEMPT REPORT' . $lb . '---------------------------------------' . $lb;
$msg .= 'Remote Address: ' . $ip . $fwd . $lb;
$msg .= 'Referer : ' . $referer . $lb;
$msg .= 'Requested : ' . $_SERVER['REQUEST_URI'] . $lb;
$msg .= 'Used user name: ' . $name . $lb;
// this mails the attempted password in clear text: an admin who mistypes
// once has just mailed a near-copy of the real password across the net
$msg .= 'Used password : ' . $pass . $lb;
// Apache also serves this page on the very first 401, the challenge that
// makes the browser open its login box, so only mail when a name was sent
if ($name !== '') {
  mail($email_address, '[Failed Login Attempt]', $msg);
}
// delay a bit to stress brute force attacks
sleep($secs);
?>
<html>
<body>
<center><p>&nbsp;</p>
<font face="verdana,tahoma,arial" size="5" color="red"><b><?php echo $show_msg; ?></b></font>
</center>
</body>
</html>
3.) Testing Your Setup
Make sure you have corrected the config to match your settings.
To test your setup simply type the wrong credentials in the login box that
pops up whenever you visit a secured directory.
Most browsers give you 3 tries; then the request fails, the report is e-mailed to you and your message is shown to the person trying to access the secured directory.
Please note the delay will ALSO be there if you have provided the CORRECT credentials: a browser's first request carries no credentials at all, so Apache answers it with a 401 (running this page, sleep included) before the login box even appears.
There's only one cure for that.. live with it.
Regards,
Mattice
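To make Steps 1 and 2 and the test in section 3 concrete, here is an added example script; it is not from Mattice's post or from osCommerce. It writes the admin .htaccess with the Basic-auth and ErrorDocument directives, adds a user to the password file using openssl's apr1 (MD5) hash instead of Apache's htpasswd tool (same format, no Apache install needed on the machine running it), and probes the protected URL with curl to confirm that wrong guesses come back as 401 and take at least the configured delay. The admin directory, the password-file path, the realm name, the /errors/401.php location and the probe URL are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of Mattice's post): generate the admin .htaccess and
# password file from Step 1/2, then probe the result the way a brute-forcer
# would to confirm the 401 page and its delay are actually in place.
# All paths, the realm name and the URL are assumptions for illustration.
set -e

# write_htaccess ADMIN_DIR AUTHFILE ERRORPAGE
#   ADMIN_DIR : directory to protect (e.g. /var/www/catalog/admin)
#   AUTHFILE  : absolute path of the password file, kept OUTSIDE the web root
#   ERRORPAGE : URL path of the PHP 401 page, OUTSIDE the protected directory
write_htaccess() {
    admin_dir=$1; authfile=$2; errorpage=$3
    cat > "$admin_dir/.htaccess" <<EOF
# every request below this directory needs a valid user from AuthUserFile
AuthType Basic
AuthName "osCommerce Administration"
AuthUserFile $authfile
Require valid-user
# serve the delaying/reporting page on each 401; the page must not live in
# this directory, or Apache would need a password to fetch the error page
ErrorDocument 401 $errorpage
EOF
}

# add_user AUTHFILE USER   (password on stdin, so it never shows up in ps)
# Writes Apache's apr1 (MD5) format via openssl, the same format htpasswd -m
# produces, so no Apache tools are needed on the machine running this.
add_user() {
    authfile=$1; user=$2
    hash=$(openssl passwd -apr1 -stdin)
    if [ -f "$authfile" ]; then
        awk -F: -v u="$user" '$1 != u' "$authfile" > "$authfile.tmp"  # replace, don't duplicate
    else
        : > "$authfile.tmp"
    fi
    printf '%s:%s\n' "$user" "$hash" >> "$authfile.tmp"
    mv "$authfile.tmp" "$authfile"
    chmod 640 "$authfile"
}

# htaccess_has DIR DIRECTIVE  -> true if the generated file contains that exact line
htaccess_has() { grep -q -F -x "$2" "$1/.htaccess"; }

# probe URL USER:PASS -> "<http status> <seconds>"
# curl sends Basic credentials on its first request, so one guess is one
# request; a browser instead starts without credentials and eats the 401
# (and the sleep) once before it even shows the login box.
probe() {
    curl -s -o /dev/null -u "$2" -w '%{http_code} %{time_total}\n' "$1"
}

# delay_ok STATUS SECONDS MIN -> true if the guess was refused (401) and took
# at least MIN seconds, i.e. sleep() in the 401 page really ran
delay_ok() {
    [ "$1" = 401 ] && awk -v e="$2" -v m="$3" 'BEGIN { exit !(e + 0 >= m + 0) }'
}

# guess_cost URL ATTEMPTS MIN -> total seconds for ATTEMPTS wrong guesses,
# failing if any of them came back without the delay
guess_cost() {
    url=$1; attempts=$2; min=$3; total=0; i=0
    while [ "$i" -lt "$attempts" ]; do
        set -- $(probe "$url" "admin:wrong$i")
        delay_ok "$1" "$2" "$min" || return 1
        total=$(awk -v t="$total" -v e="$2" 'BEGIN { print t + e }')
        i=$((i + 1))
    done
    echo "$total"
}

# usage: sh admin-auth.sh ADMIN_DIR AUTHFILE ERRORPAGE [USER [PROBE_URL]]
if [ $# -ge 3 ]; then
    write_htaccess "$1" "$2" "$3"
    if [ -n "$4" ]; then add_user "$2" "$4"; fi       # password typed on stdin
    if [ -n "$5" ]; then guess_cost "$5" 3 5; fi      # 3 guesses, >= 5 s each
fi
```

Run it as `sh admin-auth.sh /var/www/catalog/admin /etc/apache2/oscommerce.htpasswd /errors/401.php alice http://shop.example/admin/` and type the password when prompted. The probe deliberately uses curl's `-u`, which sends the credentials up front: that is why three wrong guesses cost three delays, and also why the correct password via curl never touches the 401 page at all, whereas a browser's unauthenticated first request always does.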