
Jack_mcs

Securing the admin


One of the first things a cute little hackling learns in Hacking 101 is that the name of the admin section of an oscommerce shop is usually admin. As a host and someone that works on different shops, I have seen the admins of many shops and it is amazing to me how many of them are poorly protected. So I thought I would put together ways to improve the security of the admin and post them here in an attempt to help shop owners steer that little fellow on to the next shop. :)

 

The following are what I suggest for protecting the admin. If you know of others, please share.

 

Change the name: If your admin is named admin, it needs to be changed. When it is changed, it should be to a name that contains at least one capital letter and at least one number. Hackers have scripts that can guess at common names and even names with some numbers, so being "tricky" by naming the admin "myadmin" or "admin123" isn't helping. I find that it works best if the name has some meaning to the shop owner and is one not mentioned on the shop since that makes it easier to remember, though that should not be a priority. So, for example, if the name "Jennifer Aniston" had special meaning to you, it could be used for the admin name by changing it to jenn1Fer_an1st0N, where the i's are replaced by 1's and the o is replaced by a 0. It would be very difficult for a script to figure out that name.

 

Don't show the name: If you have a robots file, which you should have, do not put your admin name in it. The search engines can't get to the admin so there's no reason to tell them not to try, and placing the name there just lets everyone know what it is.

 

Password protect the admin: This should go without saying but I worked on one site where it wasn't protected at all. The shop owner said "it is too difficult trying to remember the login." :lol: The login should be something very unique. Take the same approach as with the admin name. And don't use admin or the site's username as the username for the login, or for the password for that matter. That's just eliminating one step for the hackers. Another of my clients thought he was tricking hackers by using something obvious so both his username and password were "password." (w00t) And that, it turns out, is the most popular password. See this list: http://www.huffingtonpost.co.uk/2013/12/09/most-common-password-list_n_4411383.html.

 

If you are using oscommerce 2.3 or above, then enable the .htaccess password option and don't make the login for it the same as for the other login.

 

Move the .htpasswd file (or the .htpasswd_oscommerce for 2.3): to a location above the shop's root directory. In theory, if a hacker is able to upload files to your account, he could replace the .htpasswd file and thus gain access to your admin. It is rare but possible.

 

Move the complete admin to a location outside of the shop. For added protection, set up a sub-domain for the admin and change the configure file to use it.

 

Enable SSL for the admin: All instances of http in the admin's configure file should be https or it is not fully protected. If you don't use an SSL certificate, then you need to fix that problem first.

 

Force SSL for the admin by adding the following to the top of the .htaccess file in admin. An SSL certificate needs to be in use.

SSLRequireSSL

 

Block by IP: In the .htaccess file in admin, add the following lines:

Order Deny,Allow
deny from all
allow from IP

 

where IP is your IP. If there are multiple IPs connecting to the admin, add an allow line for each. This will prevent anyone from accessing your admin unless their IP is listed.

 

Install one of the trap programs that catches someone trying to get into your admin, like IP Trap, Osc Sec and View Counter. There are probably others but these are the ones that come to mind. It's important to realize that even though you may not be seeing these attempts, they are still going on.

 

Never email your admin name and login in one email since emails are not secure. If you must send them via email, break them into separate emails.

 

Change the code in admin's tep_mail function to prevent sending out your admin name. See this thread on how to do that: http://forums.oscommerce.com/topic/312606-remove-x-php-script/
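The SSL, password and IP-allow-list steps from the post above, combined into one admin .htaccess. This is an added example, not Jack's file or the one osCommerce generates; the document-root path, password-file location, usernames and IP addresses are placeholders to replace with your own.

```apache
# Hardened .htaccess for the renamed osCommerce admin directory (constructed example).
# Assumes Apache with mod_ssl, mod_auth_basic and mod_authz_host loaded, and a
# document root of /home/example/public_html (placeholder path).

# 1. Refuse any request that did not arrive over TLS. A plain-http request gets
#    "403 Forbidden", so always open the admin with an https:// URL and keep the
#    server entries in admin/includes/configure.php on https as well.
SSLRequireSSL

# 2. Apache basic authentication in front of the osCommerce login, with the
#    password file one level ABOVE the document root so a file-upload flaw in
#    the shop cannot serve or overwrite it. Create it once on the server with:
#      htpasswd -c /home/example/.htpasswd_oscommerce your_admin_user
AuthType Basic
AuthName "Restricted area"
AuthUserFile /home/example/.htpasswd_oscommerce
Require valid-user

# 3. Allow only known client addresses. Apache 2.2 syntax, as in the post above
#    (Apache 2.4 still accepts it when mod_access_compat is loaded). With the
#    default "Satisfy All", BOTH the password and the IP check must pass.
Order Deny,Allow
Deny from all
Allow from 203.0.113.10
Allow from 203.0.113.11

# Native Apache 2.4 form of steps 2 and 3 (mod_authz_core). Use this block
# instead of "Require valid-user" and the Order/Deny/Allow lines, never both:
#   <RequireAll>
#     Require valid-user
#     Require ip 203.0.113.10 203.0.113.11
#   </RequireAll>
```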

Jack,

Trying to implement some of these and failing at every attempt.

1st) When this SSLRequireSSL is inserted as the first line in catalog/admin/.htaccess, subsequent attempts to access admin get a Forbidden access error.

 

The site does use an SSL.

 

Thanks

Ken


OSC v2.3.4.1 BS EDGE
Ultimate SEO

 


The purpose of that command is to only allow secure connections, so be sure you are using https in the URL. You also have to be sure the admin configure file uses https for all three links.


Jack,

I've no idea what you just said, that's good for you I guess, just frustrating for me.

 

 

Thanks

Ken



 


Probably could do that one now, but the rest is just going to be one frustration after another and I've had enough with OSC. Don't take me wrong on that, I really like OSC and REALLY like that it is so customizable.



 


The Commercial Enquiries forum is precisely to be used for getting developers. A bunch of posts edited due to breaking forum rules about solicitation.

 

@Ken_Shea @Jack_mcs


This is a signature that appears on all my posts.  
IF YOU MAKE A POST REQUESTING HELP...please state the exact version
of osCommerce that you are using. THANKS

 
Get the latest Responsive osCommerce CE (community edition) here
