burt

Updated Security Thread

84 posts in this topic

The other security thread is good, but times have moved on. Here are my base suggestions (in no particular order) for securing an unhacked site:

 

1. Security Pro from FWR Media

2. OSC SEC from Taipo

3. Filesafe from FWR Media

4. Add htaccess to all public folders

5. Rename /admin/ and htpasswd it

6. Remove references to (newly renamed) admin area in outgoing emails

7. Add extra login parameter (JanZ)

8. Fix $PHP_SELF spoofability

 

Bad Conduct from Debs (undecided on this, I am still "road-testing" it).

 

I am not in favour of IP trapping, as most hackers don't use their own IP addresses.

 

If anyone has any extra thoughts on this, please post.

 

For securing a hacked site - exactly the same, but make sure that the hack is cleaned out first. This can be done by manually inspecting the files and removing any files/code that are not supposed to be there, or by re-installing from a known unhacked backup, or of course by starting from scratch with a brand new install of osCommerce.

Edited by burt


Gary,

 

It would be nice if you added links to your above post - for instance, which add-on / forum post is "Add extra login parameter (JanZ)"?

 

 

Also, does your post refer to 2.2, or does it include 2.3? If the latter, which items on your list do not apply to 2.3?

Edited by Xpajun


I'll probably make it into a blog post in the coming days Juls.


I got 3/4 the way through a more detailed update to this, then the laptop died :(


1. Security Pro from FWR Media {

2.3.1 and lower.

a. Addon

b. Support

}

 

2. OSC SEC from Taipo {

2.2rc2a and lower.

a. Addon

b. Support

}

 

3. Filesafe from FWR Media {

2.3.1 and lower

a. Addon

b. Support

Filesafe replaces "Site Monitor". Site Monitor is old and tired.

}

 

4. Add htaccess to all public folders {

2.2rc2a and lower

a. If you still run a pre-2.3.1 cart, use the .htaccess files from a 2.3.1 installation.

Example: https://github.com/osCommerce/oscommerce2/blob/master/catalog/images/.htaccess

}

 

5. Rename /admin/ and htpasswd it {

2.3.1 and lower

a. If your admin area is located at /admin/, change it now by renaming it to something random and hard to guess, eg: /d9fne3ufvurjes%kep/

b. Amend the file /includes/configure.php (in the newly renamed admin area) to reflect the new name (it should be very obvious where to amend that file!)

}

 

6. Remove references to (newly renamed) admin area in outgoing emails {

2.3.1 and lower

a. Renaming your admin area is great, but it is still possible to find out where it is by placing an order, as outgoing emails contain the admin address. More.

}

 

7. Add extra login parameter (JanZ) {

2.3.1 and lower

a. link - scroll down to "admin/includes/application_top.php Line 146-151" and start reading.

}

 

8. Fix $PHP_SELF spoofability {

2.2rc2a and lower

a. Use the PHP_SELF line of code from 2.3.1

a1. Admin: https://github.com/osCommerce/oscommerce2/blob/master/catalog/admin/includes/application_top.php#L38

a2. Catalog: https://github.com/osCommerce/oscommerce2/blob/master/catalog/includes/application_top.php#L47

b. Note that SOME contributions update PHP_SELF so you MIGHT not need to change this, example: FWR Media USU5.

b1. The Osc Sec module does not make changes to PHP_SELF, however, Taipo correctly advises in the installation instructions to change this.

}

 

More thoughts

 

i. IP Trapping - pointless. Any "hacker" worth more than a penny is not using his own IP address.

 

ii. Removal of File Manager - not needed. There never was a problem with this file, other than the fact that it could be accessed through an insecure admin area. If you have renamed and secured your admin, there is no problem leaving it as is, if you want to. Personally I would still remove it, as it mangles code when used.

 

iii. Bad Conduct Banning - I am road testing this. Will update the thread when I have some conclusions.

Edited by burt
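Item 8 above says to replace the $PHP_SELF line but not why. The following is an added illustration, not osCommerce's own code: before 2.3.1 the value was copied straight from the request (PHP_SELF is the script path plus any trailing PATH_INFO the client chose to append), so part of what the store echoed into form actions and links was under the visitor's control; the 2.3.1 lines linked above derive it from SCRIPT_NAME instead. The two functions, the server arrays and the `/catalog/` prefix are constructed for the demo.

```php
<?php
// Added illustration, not osCommerce code: why a $PHP_SELF copied straight from the
// request is spoofable, and a SCRIPT_NAME-based derivation of the kind 2.3.1 adopted.
// Both functions take the server array as a parameter so constructed requests can
// be fed through them below.

// Pre-2.3.1 behaviour: trust PHP_SELF verbatim. PHP_SELF is the script path plus
// any PATH_INFO, so whatever the client appends after "index.php" in the request
// URI ends up in it, and from there in every form action and link that echoes
// $PHP_SELF into the page.
function php_self_legacy(array $server): string
{
    return $server['PHP_SELF'];
}

// Hardened derivation: SCRIPT_NAME is the path of the script the web server
// resolved and never carries PATH_INFO. The catalog prefix (DIR_WS_HTTP_CATALOG in
// configure.php) is stripped so the result is relative, as osCommerce expects,
// and basename() guarantees a bare filename with no slashes at all.
function php_self_hardened(array $server, string $dirWsCatalog = '/catalog/'): string
{
    $path = (string) parse_url($server['SCRIPT_NAME'], PHP_URL_PATH);
    if (strpos($path, $dirWsCatalog) === 0) {
        $path = substr($path, strlen($dirWsCatalog));
    }
    return basename($path);
}

// Constructed requests (not captured from a live server).
$requests = [
    // Ordinary request for /catalog/index.php.
    'normal'  => [
        'SCRIPT_NAME' => '/catalog/index.php',
        'PHP_SELF'    => '/catalog/index.php',
    ],
    // Same script with client-supplied trailing path info: Apache still resolves
    // index.php, passes the remainder as PATH_INFO, and PHP appends it to PHP_SELF.
    'spoofed' => [
        'SCRIPT_NAME' => '/catalog/index.php',
        'PATH_INFO'   => '/injected-path-info',
        'PHP_SELF'    => '/catalog/index.php/injected-path-info',
    ],
];

foreach ($requests as $label => $server) {
    printf("%-8s legacy: %-44s hardened: %s\n",
        $label, php_self_legacy($server), php_self_hardened($server));
}
```

Run it with `php` from the command line: the legacy value changes with the request, the hardened one does not. Deriving the value safely does not remove the need to escape it with htmlspecialchars() wherever it is printed into HTML.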

 

 

5. Rename /admin/ and htpasswd it {

2.3.1 and lower

a. If your admin area is located at /admin/, change it now by renaming it to something random and hard to guess, eg: /d9fne3ufvurjes%kep/

b. Amend the file /includes/configure.php (in the newly renamed admin area) to reflect the new name (it should be very obvious where to amend that file!)

}

 

2.3.1 installation gives you the option to rename your admin, doing it at this time also saves the problem of not getting the configure.php change right.

 

htpasswd on 2.3 is a bit of a problem causer - the user name and password MUST be the same as the admin login details, otherwise the login won't work.

 

 

 

iii. Bad Conduct Banning - I am road testing this. Will update the thread when I have some conclusions.

 

I've been using Bad Behavior Block for some time, I like it for the following:

 

  1. It provides a first line of defence against hackers
  2. It protects your whole website not just osC
  3. It is easily adaptable to include other hack attempt conditions
  4. It bans the hacking IP address - there is much discussion on this principle but I would say that the ban stops that IP from continuous attempts to hack your store (sometimes in the region of 240 attempts per minute) thus easing server load.
  5. The ban is only directed at an active hacker, so there is no need for ad hoc bans of complete countries, thus allowing you to trade anywhere in the world
  6. At the end of the day you can always remove banned IP addresses from the list - after all if they attempt to hack your store again they will be banned

 

Thought you might like a list of reasons why I think it is useful with osC, Gary - yes, there are others that will say that their contribution makes it redundant, but they should understand that this contribution, being first in line, makes theirs redundant; that doesn't stop me from using theirs as a second line of defence...


Thanks Juls. Welcome more comments from anyone else too.

 

Bad Conduct would I think be better if it added IP addresses for say 15 minutes. Thoughts?


I will add some things that are not specific to osCommerce, but are very good to have to prevent attacks (in addition to all that was said):

 

 

1. Use strong passwords for the admin interface and FTP/SFTP/SSH. Sounds obvious, but we see so many sites hacked through brute force attacks that it is not even funny.

 

 

2. If you have additional sites in the same FTP account (on shared hosts), make sure all of them are updated and secure too. Otherwise an attack on one of them can spread to the other sites...

 

 

3. If you are on a dedicated server (or VPS), monitor your server closely. A good tool is the open source OSSEC (free): http://www.ossec.net . It will check all your logs, files, etc for attacks and block them.

 

 

4. Daily offsite backups. If your site is compromised or you have a hosting error (or even by mistake), make sure you can easily recover your files and database. There are so many services that offer that (and they are cheap). Examples: http://gudado.com , site-vault.com, etc.

 

 

5. Check your site for malware/spam/etc. I am a bit biased on this, but I recommend checking your site for security issues. The earlier you know that something is happening, the earlier you can respond and fix things. A free checker: http://sitecheck.sucuri.net

 

 

Thanks,

The Osc Sec module does not make changes to PHP_SELF, however, Taipo correctly advises in the installation instructions to change this

 

osC_Sec does change the $PHP_SELF, the 2.3.1 patched $PHP_SELF is in osC_Sec as well as a safeguard in case another addon is included after osC_Sec that causes the $PHP_SELF to report an empty result.

 

Scroll to the section headed by:

/**
 * Reliably set $PHP_SELF
 * as a filename ..
 * platform safe
 * Base of this is from Oscommerce ver 2.3.1
 **/

 

Also, if someone is going to use both osC_Sec and Security Pro 2.0 together, then it's best they change $GETcleanup = 1; to $GETcleanup = 0; in osC_Sec, because there is no point in doing that cleanup twice.


Thanks Juls. Welcome more comments from anyone else too.

 

Bad Conduct would I think be better if it added IP addresses for say 15 minutes. Thoughts?

 

 

I would say 15 minutes is too short, 24 hours should be minimum but a month would be the optimum.

 

It is possible that Bad Conduct will ban an "innocent" that has an infected computer; a redirect to a 403 that explains what has happened and why would be a good thing.

 

 

 

Innocent - there is no such thing as an innocent with an infected computer that will try to hack your store; they lose their right to innocence when they fail to take precautions and allow their computer to become infected. However, an explanation stating that their computer 'may' be infected would not come amiss.

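The posts above argue over how long a ban should last (15 minutes, 24 hours, a month) and whether the blocked visitor should be told why. The following is an added example, not the code of the Bad Behavior or Bad Conduct add-ons: a minimal time-limited ban list in which the duration is a parameter, expired entries drop out on their own, and the 403 body explains the block. The class, the two sample addresses and the timeline are constructed for the demo; the in-memory storage stands in for the database or file a real deployment would use.

```php
<?php
// Added example, not the code of the Bad Behavior or Bad Conduct add-ons: a minimal
// time-limited IP ban list of the kind debated above, with the ban length as a
// parameter (15 minutes, 24 hours, a month) and a 403 body that tells the visitor
// why they were blocked. Storage is an in-memory array for the demo; a real
// deployment would keep it in the database or a file shared by all requests.

class TimedBanList
{
    /** @var array<string,int> ip => unix timestamp at which the ban expires */
    private array $bans = [];

    public function ban(string $ip, int $seconds, int $now): void
    {
        // Re-offending while banned restarts the clock from now.
        $this->bans[$ip] = $now + $seconds;
    }

    public function isBanned(string $ip, int $now): bool
    {
        if (!isset($this->bans[$ip])) {
            return false;
        }
        if ($this->bans[$ip] <= $now) {
            unset($this->bans[$ip]);   // expired: the address is clean again
            return false;
        }
        return true;
    }

    public function secondsRemaining(string $ip, int $now): int
    {
        return $this->isBanned($ip, $now) ? $this->bans[$ip] - $now : 0;
    }

    // Housekeeping for a cron job: drop every expired entry, return how many went.
    public function expireAll(int $now): int
    {
        $before     = count($this->bans);
        $this->bans = array_filter($this->bans, fn (int $until): bool => $until > $now);
        return $before - count($this->bans);
    }
}

function human_duration(int $seconds): string
{
    if ($seconds >= 86400) return (int) ceil($seconds / 86400) . ' day(s)';
    if ($seconds >= 3600)  return (int) ceil($seconds / 3600) . ' hour(s)';
    return max(1, (int) ceil($seconds / 60)) . ' minute(s)';
}

// Plain-text 403 body that explains the block, as suggested above, without
// revealing which request pattern triggered it.
function forbidden_message(int $secondsRemaining): string
{
    return "403 Forbidden\n"
        . "Requests from your address were blocked because they matched patterns used in "
        . "attacks on this site. If you did not make them, your computer may be infected or "
        . "may share a proxy with one that is. The block lifts automatically in about "
        . human_duration($secondsRemaining) . ".\n";
}

// Constructed timeline (not real traffic): two addresses tripped the filter at t=0,
// one given the 15-minute ban proposed above, the other a 30-day ban.
$bans = new TimedBanList();
$t0   = 1700000000;                              // fixed "now" so the demo is reproducible
$bans->ban('203.0.113.7',  15 * 60,    $t0);
$bans->ban('198.51.100.9', 30 * 86400, $t0);

foreach ([0, 10 * 60, 15 * 60 - 1, 15 * 60, 16 * 60] as $offset) {
    $now = $t0 + $offset;
    printf("t+%4ds  203.0.113.7 banned=%-3s remaining=%4ds  198.51.100.9 banned=%s\n",
        $offset,
        $bans->isBanned('203.0.113.7', $now) ? 'yes' : 'no',
        $bans->secondsRemaining('203.0.113.7', $now),
        $bans->isBanned('198.51.100.9', $now) ? 'yes' : 'no');
}
echo forbidden_message($bans->secondsRemaining('198.51.100.9', $t0 + 16 * 60));
echo 'entries expired by day 31: ', $bans->expireAll($t0 + 31 * 86400), "\n";
```

Passing the clock in as a parameter rather than calling time() inside the class is what makes the expiry logic testable with a fixed timeline; a request handler would simply pass time().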

Taipo - thanks, I stand corrected.

 

Juls - I see no value in banning fake IP addresses. Perhaps we are talking about different things?


I managed to remove the X-PHP reference from the mail module in my admin folder by replacing

 

while ($mail = tep_db_fetch_array($mail_query)) {
  $mimemessage->send($mail['customers_firstname'] . ' ' . $mail['customers_lastname'], $mail['customers_email_address'], '', $from, $subject);
}

 

with

 

// before sending mail, change PHP_SELF to hide admin dir from mail header
$tempvar = $HTTP_SERVER_VARS['PHP_SELF'];
$HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
while ($mail = tep_db_fetch_array($mail_query)) {
  $mimemessage->send($mail['customers_firstname'] . ' ' . $mail['customers_lastname'], $mail['customers_email_address'], '', $from, $subject);
}
// restore the real value once the mail has gone out
$HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;

 

However, I don't find this code in the Orders.php file. The only code I find is a tep_mail action, but I don't have an idea of how to change/alter this to hide the X-PHP reference; my PHP knowledge doesn't reach that far. Any help is appreciated; the linked topic above doesn't really specify this.


Apparently I can't edit my own posts on this forum; just to be clear, the file I edited successfully was [youradminfoldernamehere]\mail.php


Same basis.

 

FROM THIS:

tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);

 

TO THIS:

// save the real PHP_SELF, mask it while tep_mail() builds its headers, then restore it
$tempvar = $HTTP_SERVER_VARS['PHP_SELF'];
$HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
$HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;

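Both snippets above (the mail.php loop and the orders tep_mail() call) do the same save/set/restore by hand, which is easy to get wrong: the restore is skipped if the send throws, and saving one variable while restoring another leaves the masked value in place for the rest of the request. The following is an added helper, not osCommerce code, that wraps any send call in a single masking function. `with_masked_php_self`, `demo_send` and the request values are constructed for the demo; it assumes PHP 5.4 or later, where `$_SERVER` is the array the old `$HTTP_SERVER_VARS` alias pointed at.

```php
<?php
// Added helper, not osCommerce code: runs a mail-sending callback with PHP_SELF
// temporarily replaced, so the admin directory does not reach any header derived
// from it, then restores the real value even if the callback throws. Generalises
// the two hand-written save/set/restore snippets above; the callback is whatever
// the caller needs, e.g. a closure around tep_mail(...) or $mimemessage->send(...).

function with_masked_php_self(callable $send, string $mask = '/mail.php')
{
    // osCommerce 2.x reads the long-form alias $HTTP_SERVER_VARS; on PHP versions
    // where that alias still exists it is the same array as $_SERVER, so masking
    // $_SERVER covers both. The global $PHP_SELF that application_top.php copies
    // the value into is masked explicitly as well.
    $savedServer = $_SERVER['PHP_SELF'] ?? null;
    $savedGlobal = $GLOBALS['PHP_SELF'] ?? null;

    $_SERVER['PHP_SELF'] = $mask;
    $GLOBALS['PHP_SELF'] = $mask;
    try {
        return $send();
    } finally {
        // Restore unconditionally: a PHP_SELF left masked would break every
        // later tep_href_link() call on the page.
        if ($savedServer === null) { unset($_SERVER['PHP_SELF']); } else { $_SERVER['PHP_SELF'] = $savedServer; }
        if ($savedGlobal === null) { unset($GLOBALS['PHP_SELF']); } else { $GLOBALS['PHP_SELF'] = $savedGlobal; }
    }
}

// Stand-in for tep_mail() / $mimemessage->send(), constructed for this demo: it
// returns the kind of header the posters saw built from PHP_SELF at send time.
function demo_send(): string
{
    return 'X-PHP-Script: ' . ($_SERVER['SERVER_NAME'] ?? 'localhost') . $_SERVER['PHP_SELF'];
}

// Constructed request context: a page inside a renamed admin directory.
$_SERVER['SERVER_NAME'] = 'shop.example';
$_SERVER['PHP_SELF']    = '/d9fne3ufvurjes/orders.php';
$PHP_SELF               = $_SERVER['PHP_SELF'];

echo "unmasked: ", demo_send(), "\n";
echo "masked:   ", with_masked_php_self('demo_send'), "\n";
echo "after:    ", $_SERVER['PHP_SELF'], ' / ', $PHP_SELF, "\n";
```

In orders.php the call becomes `with_masked_php_self(function () use ($check_status, $email) { tep_mail(...); });` with the original tep_mail() arguments inside the closure, and the restore happens in the finally block whether or not the send succeeds.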

Hi Burt and thanks for this thread :)

 

Wondering, is this Spooks addon obsolete now?

 

// Strip every character except letters, digits, CR, @, space, colon, braces, _ . -
// from a POST value, recursing into nested arrays.
function clean_var($vars) {
  if (!is_array($vars)) {
    // Without the /u modifier \p{L} is evaluated byte by byte, so multi-byte
    // UTF-8 input (accented names, for example) is mangled by this pattern.
    return preg_replace("/[^\p{L}\d\r@ :{}_.-]/i", "", urldecode($vars));
  } else {
    return array_map('clean_var', $vars);
  }
}

// Apply it to every top-level POST field (the original each() loop has been
// replaced by foreach, as each() no longer exists in PHP 8).
foreach (array_keys($_POST) as $key) {
  $_POST[$key] = clean_var($_POST[$key]);
}


Hello there!

 

Loving all the security contributions and advice! Soaking it up like a wet sponge. Thanks Burt and Xpajun

 

Now, this is probably an easy answer for you guys but I am in the dark about this.

 

5. Rename /admin/ and htpasswd it

 

So I change the admin folder to my new name of choice, then when I go to my Admin page to log into OSCommerce I now get an Error 403. My catalog is still trying to locate the old folder name, admin/login.php

 

What steps do I also need to do after changing my admin folder name to access my Admin login page again with the new folder name?

 

Thank you for your help. Total noob with anything having to do with computers and code :rolleyes:


if you change your shop's admin folder make sure you change the link in your browser as well;

say you change your 'admin' folder's name to 'administration'

 

instead of

http://www.yourwebsitelinkhere.com/catalog/admin/

 

type

http://www.yourwebsitelinkhere.com/catalog/administration/

 

to gain access to the admin panel.

Of course, if you changed the name of the 'catalog' main folder, you should change that name in the link also.

Edited by modelspecialist


if you change your shop's admin folder make sure you change the link in your browser as well;

say you change your 'admin' folder's name to 'administration'

 

instead of

http://www.yourwebsitelinkhere.com/catalog/admin/

 

type

http://www.yourwebsitelinkhere.com/catalog/administration/

 

to gain access to the admin panel.

Of course, if you changed the name of the 'catalog' main folder, you should change that name in the link also.

 

 

Thanks, I did that exactly and it doesn't work. Gives me an Error 404 and automatically reverts right back to putting admin/login.php

Edited by Annisse


Hello there!

 

Loving all the security contributions and advice! Soaking it up like a wet sponge. Thanks Burt and Xpajun

 

Now, this is probably an easy answer for you guys but I am in the dark about this.

 

5. Rename /admin/ and htpasswd it

 

So I change the admin folder to my new name of choice, then when I go to my Admin page to log into OSCommerce I now get an Error 403. My catalog is still trying to locate the old folder name, admin/login.php

 

What steps do I also need to do after changing my admin folder name to access my Admin login page again with the new folder name?

 

Thank you for your help. Total noob with anything having to do with computers and code :rolleyes:

 

 

Have you changed the admin name in catalog/your_new_admin_folder/includes/configure.php?

 

 

define('HTTP_SERVER', ''); // eg, http://localhost or - https://localhost should not be NULL for productive servers
define('HTTP_CATALOG_SERVER', '');
define('HTTPS_CATALOG_SERVER', '');
define('ENABLE_SSL_CATALOG', 'false'); // secure webserver for catalog module
define('DIR_FS_DOCUMENT_ROOT', $DOCUMENT_ROOT); // where your pages are located on the server. if $DOCUMENT_ROOT doesnt suit you, replace with your local path. (eg, /usr/local/apache/htdocs)
define('DIR_WS_ADMIN', '/admin/');
define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);
define('DIR_WS_CATALOG', '/catalog/');

 

 

Change this to the new name of your admin folder.

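Step 5 of the list and the configure.php answer above both come down to two defines that must match the folder they live in. The following is an added check, not osCommerce code, that verifies exactly that: it reports a DIR_WS_ADMIN that still says /admin/, one that lost its slashes, or a DIR_FS_ADMIN that is not the directory the file sits in. The function names, the file name `check_admin_dir.php`, the three sample path sets and the document-root argument are constructed for the demo; the live check at the end assumes the script is saved in the renamed admin folder.

```php
<?php
// Added check, not osCommerce code, for step 5 above and the configure.php answer:
// confirms that DIR_WS_ADMIN and DIR_FS_ADMIN in the renamed admin directory's
// includes/configure.php actually describe that directory. A mismatch is what
// produces the admin/login.php 403/404 symptoms reported later in this thread.
// Assumed usage: save as check_admin_dir.php inside the renamed admin folder, then
//   php check_admin_dir.php /path/to/document_root
// The document root argument stands in for $DOCUMENT_ROOT, which the posted
// configure.php reads and which is not set on the command line.

function normalise_path(string $p): string
{
    return rtrim(str_replace('\\', '/', $p), '/');
}

// Returns the list of problems found; an empty list means the constants agree
// with the folder they live in.
function admin_dir_problems(string $dirWsAdmin, string $dirFsAdmin, string $actualAdminDir): array
{
    $problems   = [];
    $actualName = basename(normalise_path($actualAdminDir));

    if ($dirWsAdmin === '' || $dirWsAdmin[0] !== '/' || substr($dirWsAdmin, -1) !== '/') {
        $problems[] = "DIR_WS_ADMIN '$dirWsAdmin' must start and end with '/'";
    }
    if (basename(normalise_path($dirWsAdmin)) !== $actualName) {
        $problems[] = "DIR_WS_ADMIN '$dirWsAdmin' does not end in the real folder name '$actualName'";
    }
    if (normalise_path($dirWsAdmin) === '/admin') {
        $problems[] = 'DIR_WS_ADMIN still points at the default /admin/ location';
    }
    if (normalise_path($dirFsAdmin) !== normalise_path($actualAdminDir)) {
        $problems[] = "DIR_FS_ADMIN '$dirFsAdmin' is not the folder this script runs from";
    }
    return $problems;
}

function report(string $label, array $problems): void
{
    echo $label, ': ', $problems ? implode('; ', $problems) : 'OK', "\n";
}

// Constructed cases (no real files involved); the paths echo the ones posted in this thread.
$cases = [
    'default left in place' => ['/admin/',        '/home/content/html/admin/',        '/home/content/html/changedadmin'],
    'trailing slash lost'   => ['/changedadmin',  '/home/content/html/changedadmin/', '/home/content/html/changedadmin'],
    'correct after rename'  => ['/changedadmin/', '/home/content/html/changedadmin/', '/home/content/html/changedadmin'],
];
foreach ($cases as $label => [$ws, $fs, $actual]) {
    report($label, admin_dir_problems($ws, $fs, $actual));
}

// Live check against the configure.php beside this script, when there is one.
$configFile = __DIR__ . '/includes/configure.php';
if (is_file($configFile)) {
    $DOCUMENT_ROOT = $argv[1] ?? '';   // consumed by the define('DIR_FS_DOCUMENT_ROOT', ...) line
    require $configFile;
    if (defined('DIR_WS_ADMIN') && defined('DIR_FS_ADMIN')) {
        report('this installation', admin_dir_problems(DIR_WS_ADMIN, DIR_FS_ADMIN, __DIR__));
    } else {
        echo "this installation: DIR_WS_ADMIN / DIR_FS_ADMIN not defined in $configFile\n";
    }
}
```

Delete the script again once the rename is confirmed; it has no business staying in a web-reachable admin folder.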

Have you changed the admin name in catalog/your_new_admin_folder/includes/configure.php?

 

 

define('HTTP_SERVER', ''); // eg, http://localhost or - https://localhost should not be NULL for productive servers
define('HTTP_CATALOG_SERVER', '');
define('HTTPS_CATALOG_SERVER', '');
define('ENABLE_SSL_CATALOG', 'false'); // secure webserver for catalog module
define('DIR_FS_DOCUMENT_ROOT', $DOCUMENT_ROOT); // where your pages are located on the server. if $DOCUMENT_ROOT doesnt suit you, replace with your local path. (eg, /usr/local/apache/htdocs)
define('DIR_WS_ADMIN', '/admin/');
define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);
define('DIR_WS_CATALOG', '/catalog/');

 

 

Change this to the new name of your admin folder.

 

 

Really strange. I just tried changing the admin in my configure.php to my new folder name, hit save, and there is an error message -

[a fatal error or timeout occurred while processing this directive]

 

it won't allow me to change it.

 

Could this be because of some of the security contributions I just installed?

Edited by Annisse


OK, got the admin/includes/configure.php file all updated with my new admin folder name.

 

I had to delete it out completely, get the configure.php file off my computer to edit it with my new admin name, then re-upload it again to work.

 

and from reading another user's post it was two lines I had to edit...

 

define('DIR_WS_ADMIN', '/changedadmin/');
define('DIR_FS_ADMIN', '/home/content/html/changedadmin/');

 

Thanks for your help! I am on my way to be hacker free!!! I hope! :thumbsup:

 

have a great weekend all!!!
