
Mort-lemur

Open Discussion on Additional Security for 2.3.3.4?

Hi,

Apart from the obvious (obscure admin name, .htaccess protect admin), what additional security measures are suggested for the latest release of OSC (2.3.3.4)?

Previously I have used OSC Sec + Anti XSS + IP Trap + .htaccess ban countries + Security Pro + PHP Intrusion Prevention + spiders txt + site monitor on my 2.2 sites.

Are any / all of the above still required on 2.3.3.4? Or is it deemed to be secure out of the box?

Many thanks for any advice


Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.

Hi there and this is another good thread to get going for 2.3.3.4.

Site Monitor is good to have keeping an eye on things. One of my 2.3.3 sites was hacked and it had nothing to do with the code. My hunch is somehow the hackers got the password I use on my host account and they placed a redirect from my site's index to another site. All part of a huge hack scheme affecting many other sites.

I caught the change almost immediately and restored my index because of the email cron I had set up for Site Monitor.

Anyway... Site Monitor lets you know something's up regardless of the source of the intrusion.

Thanks


I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.

Filesafe is the better option than Site Monitor.


This is a signature that appears on all my posts.  
IF YOU MAKE A POST REQUESTING HELP...please state the exact version
of osCommerce that you are using. THANKS

 
Get the latest Responsive osCommerce CE (community edition) here

@@burt

Thanks Gary, added FileSafe and modded how it is called with buttons from the admin page (detailed in my 2.3.3.4 Documented thread).

Is that all that is needed to make 2.3.3.4 secure?


Heather, I'd be interested in how FileSafe works for you compared to Site Monitor. The admin buttons you created are a big plus. I looked into FileSafe in the past but the activation without the buttons was a bit cumbersome, so that's one reason I didn't follow through.

Thanks SK


@@altoid

Would you like me to pm you the code I used in the header.php?


@@altoid

Would you like me to pm you the code I used in the header.php?

Yes and thanks


@@altoid done


No other comments or suggestions from anyone?

Does 2.3.3.4 need OSC Sec? Or anything else?

Thanks


"Trust in God and keep your powder dry"

Defend everything, use htaccess layer, rename admin folder and apply this


osCommerce based shop owner with minimal design and focused on background works. When the less is more.
Email management with tracking pixel, package management for shipping, stock management, warehouse management with bar code reader, parcel shops management on 3000 pickup points without local store.

@@Gergely

What does that do, and what can happen if it's not done?


REMEMBER BACKUP, BACKUP AND BACKUP

Get the latest Responsive osCommerce CE (community edition) here

It's very easy to over complicate what are simple things in life

CSRF attack prevention. Admin can be infected with a click.


@@Gergely Thanks for that one - made the change on my admin/define_language.php.

Has this one been publicised on the security thread?

Any other suggestions anyone?


Any other suggestions anyone?

I'm sure you know about and already have the htaccess security concepts, but I'm throwing that out there just in case as a reminder.

There are also some modifications you can make in htaccess to improve your GTmetrix scoring as well, but you probably know about these as well. That's more for site speed/efficiency than safety. http://gtmetrix.com/


@@altoid

Thanks Steve - I have done all the .htaccess speed and security stuff and have used that speed test site (score 95/100), so I'm quite happy at the moment with speed.

What I would really like to know is if 2.3.3.4 needs things like OSC Sec or PHP IDS.


I recall Taipo responded to someone asking that over in the osc_sec support forum with something like: it won't hurt, but with the security changes made in the 2.3 series it's not necessary. I don't use it on my 2.3 series shops, but wasn't there a slight modification in coding there he offered that would apply to 2.3+? Looking............

Yeah... here it is. This is from his install instructions from a few versions back I had on file:

 

INSTALL:

Upload osc_sec.php and osc.php to your main catalog's /include/ folder. Then in both application_top.php files (one in catalog/include and the other in catalog/admin/include) find and add the following code:

Find:

// some code to solve compatibility issues
require(DIR_WS_FUNCTIONS . 'compatibility.php');

On the next line add:

require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' );

Find: (line may be longer depending on which version of osCommerce you have. It also differs between the two application_top.php files)

// set php_self in the local scope
if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

IMPORTANT: Remove or comment out the above line in both application_top.php files and replace the entire line with:

// set php_self in the local scope
if( !isset( $PHP_SELF ) ) {
    // On PHP 5 with register_long_arrays off, $HTTP_SERVER_VARS is never filled, so alias it to $_SERVER
    if ( @phpversion() >= "5.0.0" && ( !ini_get("register_long_arrays" ) || @ini_get("register_long_arrays" ) == "0" || strtolower(@ini_get("register_long_arrays" ) ) == "off" ) ) $HTTP_SERVER_VARS = $_SERVER;
    // Prefer SCRIPT_NAME over PHP_SELF, and keep only the file name with basename() so that
    // extra path segments appended to the request URL never end up in $PHP_SELF
    $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );
}

 

The rest he says is for pre-2.3.1 shops.

Regarding PHP IDS, I used that a while ago but discontinued because it was more for someone who could technically evaluate the returns it gave, which was/is beyond my scope right now.

Maybe silence is golden in this case, whereas if there was something huge out there, the more skilled coders would have already chimed in. And we know they're watching. They're always watching..... :)


And we know they're watching. They're always watching..... :)

And don't forget that they point and laugh at us as well.......... do you hear the voices as well..... (w00t)


Just for info I had a McAfee scan on my site today - I subscribed to their free service some time ago - and delighted to say that all the scans passed with only low priority info warnings - so looking good so far......


@@Mort-lemur

@@burt

Wondering if FileSafe would pick up changes in blog files that I'd install within the shop, WordPress in something like myshop.com/blog? I.e. does FileSafe scan the entire shop directory for changes?

Thanks


@@altoid

You can exclude files / directories from being scanned; I have excluded the image thumbnailer directory, as it changes all the time.


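
The kind of check Site Monitor and FileSafe perform, as an added example (not code from either contribution or from this thread): hash every file under the shop root, skip directories that change constantly such as the thumbnailer cache, and report what differs from the stored baseline. The excluded path images/cache and the shop tree built in demo() are assumptions.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Directories under the shop root to skip (assumed name for the thumbnailer cache).
DEFAULT_EXCLUDES = {"images/cache"}

def file_sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_baseline(root, excludes=DEFAULT_EXCLUDES):
    """Return {relative path: sha256} for every file under root, skipping excluded dirs."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root).as_posix()
        rel = "" if rel == "." else rel + "/"
        # prune in place so os.walk never descends into an excluded directory
        dirnames[:] = [d for d in dirnames if rel + d not in excludes]
        for name in filenames:
            baseline[rel + name] = file_sha256(os.path.join(dirpath, name))
    return baseline

def compare(baseline, current):
    """Classify differences the way a site monitor report does."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def demo():
    """Constructed shop tree: take a baseline, then tamper with index.php, drop in a file and add cache noise."""
    with tempfile.TemporaryDirectory() as shop:
        Path(shop, "images/cache").mkdir(parents=True)
        Path(shop, "index.php").write_text("<?php require('includes/application_top.php'); ?>")
        Path(shop, "images/cache/a.jpg").write_bytes(b"\xff\xd8")
        snapshot = json.dumps(build_baseline(shop))  # what the cron job would keep on disk
        # the redirect-style defacement described earlier in the thread, plus an unexpected file
        Path(shop, "index.php").write_text("<?php header('Location: http://example.invalid/'); ?>")
        Path(shop, "unexpected.php").write_text("<?php /* not part of the shop */ ?>")
        Path(shop, "images/cache/b.jpg").write_bytes(b"\xff\xd8")  # excluded: must not be reported
        return compare(json.loads(snapshot), build_baseline(shop))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run from cron with the baseline written to a file outside the web root, and mail the report only when any of the three lists is non-empty.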
One more thing that I have had to embody is adding reCaptcha to the contact us page after a spate of automated spamming - I looked for a simple maths question type mod or a simple question type one without success - so went with the reCaptcha which stopped the spamming dead in its tracks.

