
greasemonkey

additional security general


My intention with this topic is to start a more general discussion for those, like myself, who are not "IT professionals" but shop owners, about the other security threats we face on a day-to-day basis that have a direct impact on our e-commerce/osC businesses (for example, having an email address hacked to send Viagra spam is not good for business).

 

Over the past couple of days I have been dealing with a huge hack attempt on my hosted VPS server, where they succeeded in cracking the password on an old unused email account (so old I forgot the address even existed) that had an insecure password. I caught it right away (when I received 2,500 undeliverable messages... you can imagine how many thousands or millions got delivered) and shut it down. But now whoever it was seems to have a "problem" with me shutting them out and is making continued brute-force attempts at the root/WHM and another "known (or guessed at)" email address.

 

I have spent a lot of time making sure my osC site is as secure as possible: by updating, using .htaccess, using strong passwords, using SSL, not storing CC data, using reCAPTCHA, etc. And of course I have always had strong passwords on my DB and cPanel, but here I find myself "hacked".

 

So, the lesson for me was to think about security at every level of my business:

 

Hardware (computers) - we have 11 computers; all have AVG and Malwarebytes installed and scheduled to run daily, and run Windows updates weekly.

 

Hardware (LAN/WAN network) - I have a brother trained in Cisco who helped me set up our physical warehouse and retail store with a bulletproof (ok, nothing is bulletproof) network.

 

osC - See above... I have followed all the previous threads to make sure I was secure.

 

cPanel - I use the strongest password possible with the built-in password generator (18 characters: uppercase/lowercase/numbers/symbols).

 

FTP - same as above

 

root/WHM - same as above, plus learning more about cPHulk and the settings available to stop hackers before they get in (it is funny/scary watching them in the cPHulk log, trying and trying just below the limits at which the brute-force protection kicks in).

 

Email - (oooops...) obviously I wasn't on top of this one... See cPanel above. I have reviewed all 36 email addresses to make sure I know which machine they go to, completely deleted any that aren't or haven't been used, and reset all passwords using the built-in cPanel password generator.

 

So, what are you doing to secure your business... not just the admin on your store?


1. Rename your osCommerce admin. This helps against automated attacks.

 

2. Move your renamed admin to a different domain. I put it under the hosting service's default account, with a splash page in the root of that (sub)domain with a link to the store. The real admin is down a level or two, with no links anywhere to that location. If you can't use the host's domain, use some other domain. Buy one if necessary. It's cheap insurance.

 

3. Protect the real admin with .htaccess/.htpasswd protection.

 

4. Set up an IP trap in a folder named admin in the store domain root. Add that folder to the denied list in your robots.txt. You'll have to check this periodically, as I've found Bingbot trying to get into that folder. Bad bot.

 

The rest of what the OP says.

 

Regards

Jim


See my profile for a list of my addons and ways to get support.

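Jim's point 4 (the decoy `admin` folder as an IP trap) raises the question of what to do with the hits it collects. The script below is an added example, not code from the thread or from osCommerce: it reads Apache combined-format access log lines (the lines in `SAMPLE_LOG` are constructed for the demo), counts requests into the trap folder, and emits an Apache 2.4 `.htaccess` fragment for the real admin that requires a valid user and additionally refuses the trapped addresses. Addresses whose User-Agent claims to be a search crawler (Jim's Bingbot case) are held back for manual review rather than banned, because a User-Agent string is a claim, not proof; confirm a crawler via the engine's published reverse-DNS check before deciding.

```python
"""Added example: triage hits on the decoy /admin trap folder.

Assumes Apache combined log format and Apache 2.4 'Require' syntax.
The log lines in SAMPLE_LOG are constructed for this demo.
"""
import re
from collections import Counter

TRAP_PREFIX = "/admin"                         # decoy folder in the store docroot
CRAWLER_MARKERS = ("bingbot", "googlebot")     # UA claims to verify, not to trust

# Combined format: ip ident user [time] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample data (documentation-range addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2013:03:14:01 +0000] "GET /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2013:03:14:02 +0000] "GET /admin/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2013:03:15:10 +0000] "GET /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; bingbot/2.0)"
192.0.2.44 - - [10/Mar/2013:03:16:00 +0000] "GET /index.php HTTP/1.1" 200 9211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2013:03:17:30 +0000] "POST /admin/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def trap_hits(log_text):
    """Return ({ip: hit_count}, {ip: last_user_agent}) for requests into the trap."""
    counts, agents = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]          # ignore query strings
        # exact prefix match so that e.g. /administrivia/ is not caught
        if path == TRAP_PREFIX or path.startswith(TRAP_PREFIX + "/"):
            counts[rec["ip"]] += 1
            agents[rec["ip"]] = rec["ua"]
    return counts, agents


def split_suspects(counts, agents):
    """Split trapped IPs into (ban_now, review_manually) by crawler claim in the UA."""
    ban, review = [], []
    for ip in sorted(counts):
        ua = agents[ip].lower()
        (review if any(m in ua for m in CRAWLER_MARKERS) else ban).append(ip)
    return ban, review


def deny_block(ips):
    """Apache 2.4 .htaccess fragment for the *real* admin directory.

    Negative 'Require not ip' rules are only valid inside <RequireAll>, and
    'Require valid-user' keeps the .htpasswd protection in force for everyone.
    """
    lines = ["<RequireAll>", "    Require valid-user"]
    lines += [f"    Require not ip {ip}" for ip in ips]
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    counts, agents = trap_hits(SAMPLE_LOG)
    ban, review = split_suspects(counts, agents)
    print(deny_block(ban))
    print("# claims to be a crawler, verify before banning:", review)
```

Run it against a real `access_log` by replacing `SAMPLE_LOG` with the file contents; the printed fragment belongs in the real admin's `.htaccess`, below the `AuthType`/`AuthUserFile` lines, not in the trap folder, which should stay a plain directory with nothing worth protecting in it.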

Jim,

 

Might there be a tutorial somewhere on how to set up the admin directory on an alternate domain?

 

Rob


Not that I'm aware of, but I'll take a quick shot at it while this upload is going:

1. In whatever your web directory is named (I'm going to assume public_html), create a new directory. I'm going to name mine example.

2. Install osCommerce in the example directory.

3. Rename the admin to lxdskhgf in the install process. Don't actually use that name, but do pick something that will be hard to guess.

4. Move the lxdskhgf directory (the one you created in the install process) to your public_html directory. Keep all of the files in that directory.

5. Edit the lxdskhgf/includes/configure.php to reflect the new path.

6. Point your store domain to the example directory, so that http://example.com goes to public_html/example/.

7. Your host will usually assign you a subdomain or subdirectory on their domain, something like http://example.hostingservice.com or http://hostingservice.com/~example. That should point to your public_html directory. If it does not, ask them to change it so it does.

8. In your public_html directory, add a simple HTML file with a link to your store. You can make this a fancy splash page if you want, but very few people will ever see it.

9. http://example.hostingservice.com/lxdskhgf/ is now your admin. Don't tell anyone where it is. Now add .htaccess/.htpasswd protection to that directory in case they find it.

10. If your host doesn't give you a default domain, or you don't want to use theirs, buy a domain name related to your business and point that to the public_html directory. They're cheap.

11. If your host doesn't let you do any part of this, find a better host.

Regards

Jim


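The steps above leave a handful of invariants that are easy to break during a later upgrade or a host migration: the real admin directory must not be reachable under the store's document root, the decoy `admin` folder must not contain real admin files, the real admin must carry an `.htaccess` that demands authentication, and the store's `robots.txt` should keep well-behaved crawlers out of the trap. The script below is an added example, not from the thread or from osCommerce, that builds a throw-away `public_html` tree matching the procedure and audits those invariants; the directory names (`example`, `lxdskhgf`), the `.htpasswd` path and the `DIR_FS_ADMIN` constant are assumptions for the demo.

```python
"""Added example: audit the split-admin layout described in the steps.

Assumptions: Apache-style .htaccess, store docroot public_html/<store_dir>,
real admin at public_html/<admin_name>, decoy folder public_html/<store_dir>/admin.
The demo tree is built in a temporary directory; nothing on your host is touched.
"""
from pathlib import Path
import tempfile

# Files a real osCommerce admin directory carries; none of them belong in the decoy.
ADMIN_MARKERS = ("login.php", "includes/configure.php")


def audit_layout(public_html: Path, store_dir: str, admin_name: str):
    """Return a list of findings; an empty list means the layout matches the steps."""
    findings = []
    docroot = public_html / store_dir
    real_admin = public_html / admin_name
    trap = docroot / "admin"

    # 1. The real admin lives beside, not inside, the store docroot.
    if not real_admin.is_dir():
        findings.append(f"real admin {real_admin} is missing")
    if (docroot / admin_name).exists():
        findings.append(f"admin still inside store docroot: {docroot / admin_name}")

    # 2. The trap folder must be a decoy only.
    for marker in ADMIN_MARKERS:
        if (trap / marker).exists():
            findings.append(f"trap folder contains real admin file {marker}")

    # 3. The real admin must demand a valid user via .htaccess/.htpasswd.
    htaccess = real_admin / ".htaccess"
    if not htaccess.is_file() or "Require valid-user" not in htaccess.read_text():
        findings.append(f"{htaccess} does not require a valid user")

    # 4. Keep polite crawlers (Bingbot...) out of the trap; the trap still logs the rest.
    robots = docroot / "robots.txt"
    if not robots.is_file() or "Disallow: /admin" not in robots.read_text():
        findings.append(f"{robots} does not disallow /admin")

    # 5. Step 5: configure.php must not still point at the old in-docroot path.
    cfg = real_admin / "includes" / "configure.php"
    if cfg.is_file() and f"/{store_dir}/{admin_name}" in cfg.read_text():
        findings.append("admin configure.php still points inside the store docroot")
    return findings


def build_demo(good: bool) -> Path:
    """Create a temporary public_html tree; good=False leaves the admin in the docroot."""
    root = Path(tempfile.mkdtemp()) / "public_html"
    docroot = root / "example"
    (docroot / "admin").mkdir(parents=True)                   # empty decoy folder
    (docroot / "robots.txt").write_text("User-agent: *\nDisallow: /admin\n")
    admin = root / "lxdskhgf" if good else docroot / "lxdskhgf"
    (admin / "includes").mkdir(parents=True)
    (admin / "login.php").write_text("<?php // stand-in for the osC admin login\n")
    # DIR_FS_ADMIN is assumed to be the constant osC uses for the admin path.
    (admin / "includes" / "configure.php").write_text(
        f"<?php define('DIR_FS_ADMIN', '{admin}/');\n")
    if good:
        (admin / ".htaccess").write_text(
            'AuthType Basic\nAuthName "Admin"\n'
            "AuthUserFile /home/example/.htpasswd\n"          # assumed path, outside docroot
            "Require valid-user\n")
    return root


if __name__ == "__main__":
    for good in (True, False):
        label = "correct layout" if good else "admin left in docroot"
        print(label, "->", audit_layout(build_demo(good), "example", "lxdskhgf") or "OK")
```

To audit a live account, call `audit_layout(Path("/home/youruser/public_html"), "example", "<your admin name>")` instead of `build_demo`; a non-empty list is the thing to fix before the next round of brute-force attempts reaches the right URL.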

I can remember that in the past I set up the site's admin on my localhost, pointing configure.php to my server's DB.

But this was with a 2.1 or 2.2 version. That way I did not have an admin at all on the live site ;)
