
Archived

This topic is now archived and is closed to further replies.

dennish

Enhanced security for osC 2.3.1 - Which add-ons to use?


Hello,

 

As a non-security expert I (have to) presume that osC 2.3.1 is a safe trading platform, able to deal with common hacking threats like SQL injection.

 

Going through the add-ons you encounter numerous extensions offering additional security. Most of them were developed for osC 2.2. Can anyone tell me which of the contributions listed below should still be considered relevant for an osC 2.3.1 shop owner?

 

General

 

Security Pro http://addons.oscommerce.com/info/5752

Protect your site via htaccess http://addons.oscommerce.com/info/6066

ANTI Cross Site Scripting attacks http://addons.oscommerce.com/info/6044

SiteMonitor http://addons.oscommerce.com/info/4441

Check Permissions 1.0 http://addons.oscommerce.com/info/6134

 

FE

 

Secure your site with an IP trap http://addons.oscommerce.com/info/5914

Anti Hacker Login (security) for osCommerce (AHL4osC) http://addons.oscommerce.com/info/7580

Activation Code http://addons.oscommerce.com/info/5241

 

BE

 

Auto mysql backup http://addons.oscommerce.com/info/3100

Admin Account with Access Level http://addons.oscommerce.com/info/1174

fatFrog Security http://addons.oscommerce.com/info/7825

 

Please feel free to add suggestions for other add-ons if you think some essential item is missing or you have a better alternative.

 

Kind regards,

 

Dennis


@dennish

 

NONE of the above are essential. As of right now, there are no known vulnerabilities in v2.3.1.

 

However, as a rule of thumb, I still install:

 

Security Pro http://addons.oscommerce.com/info/7708/v,23

ANTI Cross Site Scripting attacks http://addons.oscommerce.com/info/6044

Auto mysql backup http://addons.oscommerce.com/info/3100

 

JMO

 

 

Chris



There is a PHPIDS contrib that will help defend against SQLi and other attacks. http://www.oscommerce.com/community/contributions,8217/page,66

 

Possibly a great option you guys are overlooking. People that execute SQLi attacks actually use the PHPIDS demo as a smoke test for attacks before trying against systems they know to have IDS/IPS. The downside is there is no obscurity, the upside is that there is no obscurity.

 

Also recommend getting intimate with .htaccess and chmod, and give your logins strong passwords.


I have a question related to htaccess....after my installation when I click on the "administration" tab, it recommends that I use htaccess, but then says if I do - I can't access the admin panel...

 

"Enabling the htaccess/htpasswd security layer will automatically store administrator username and passwords in a htpasswd file when updating administrator password records.

Please note, if this additional security layer is enabled and you can no longer access the Administration Tool, please make the following changes and consult your hosting provider to enable htaccess/htpasswd protection:"

 

So how do you make all the changes to your store if you can't access the admin panel anymore? Suggestions? Please advise, I have never used the .htaccess before -

 

thank you all

C>


@ Chris

 

I have implemented Security Pro.

 

The documentation states:

 

The XSS .htaccess contributions in my opinion are worthless if this is installed as they simply replicate a small part of what Security Pro does. The only exception to this that I could see was the REQUEST_METHOD and TRACE|TRACK.

 

Does this mean I can ignore the ANTI Cross Site Scripting attacks contribution?

 

 

Another contribution I find useful is:

 

Send eMail from admin-login when wrong provider http://addons.oscommerce.com/info/7323

 

to alert you of any unauthorised logins.

 

 

@ Charlene

 

Although the issue is strictly not part of this thread: The warning you're referring to is "in case of non-standard behavior". Normally, you can login to the admin section after enabling the htaccess/htpasswd security layer.

 

Kind regards,

 

Dennis


Just like to know, does anyone know how to get access levels for different admins for osCommerce 2.3.1?

 

thanks

andrew


@hopper91

 

You keep asking the same questions and receiving the same answer.....UPDATE the contribution to function with v2.3.1. If you can't update it yourself, find someone to do it for you, it may cost you some money, but it will be done and you can then use it.

 

 

 

Chris



Have a look at os_sec

 

HTH

 

G

