Magento - Security and brute force - security

I'm trying to decide whether to use Magento or create my own platform and I was wondering about security. Does Magento's code include some sort of brute force protection? If not, is this not something important?

Protect your Magento store from brute force attacks. Follow the following steps.
Apache Server Users
To whitelist an IP address for the admin panel, add the following rule in the root .htaccess file (inside <IfModule mod_rewrite.c>):
# Replace xx.xx.xx.xx with your own address; keep the dots escaped and the $ anchor, otherwise the pattern also matches other addresses that start with the same digits
RewriteCond %{REMOTE_ADDR} !^xx\.xx\.xx\.xx$
RewriteRule ^(index.php/)?admin/ - [L,R=403]
To whitelist an IP address for the RSS feed, add the following rule in the root .htaccess file (inside <IfModule mod_rewrite.c>):
# Same pattern rules as above: escaped dots and a $ anchor
RewriteCond %{REMOTE_ADDR} !^xx\.xx\.xx\.xx$
RewriteRule ^(index.php/?)?rss/ - [L,R=403]
To whitelist an IP address for the downloader application, add the following rule in the ./downloader/.htaccess file:
# Apache 2.2 access-control syntax; on Apache 2.4 without mod_access_compat the equivalent is the Require directive
order deny,allow
deny from all
allow from xx.xx.xx.xx

So I know this is an old thread, but I found it searching for answers on how to protect Magento against brute-force attacks. Things have changed since 2012, so I want to point people looking for information about Magento security in (hopefully) the right direction.
It seems Magento has finally decided to stop ignoring the problem of the increasing number of brute-force attacks on Magento websites, so they have published an official list of recommended steps on how to protect Magento from such attacks: https://magento.com/security/best-practices/protect-your-magento-installation-password-guessing
Hosting companies have also started offering solutions to block these hack attempts, from blocking and blacklisting IPs to installing filtering software.
There are also several security extensions, including a good number of Two-Factor Authentication ones. In my opinion the most complete security extension currently available is MageFence by ExtensionsMall. Here's a link on Magento Connect: magentocommerce[.]com/magento-connect/catalog/product/view/id/30596/. It has many useful features like scanning your website for malware and vulnerabilities and blocking IP addresses after too many failed login attempts, and it comes together with a Two-Factor Authentication module. You can also check out the MageFence page on the ExtensionsMall website to get an idea of all the security holes this module will help you patch up.

The only brute-force protection Magento has is in the case of gift cards. When throwing an exception there, Magento obscures the real exception message (but puts it in the logs) and shows a 'Wrong gift card code' message instead.
When it comes to login forms, Magento has no brute force protection.
If this is an important factor for you when deciding whether to use Magento or write your own platform, remember that you could write your own Magento module that introduces some brute force protection. This would be far less time-consuming than writing your own platform with functionality similar to Magento's.
I did a quick search on Magento Connect and found one extension that, among other things, provides brute force protection. Here it is: http://www.magentocommerce.com/magento-connect/market-ready-germany.html. You can download it using the Freegento website and look into the code for clues on how to make something similar.

Related

Are there limitations to what is possible on a subdomain rather than a domain or risks allowing strangers to use them?

I'm thinking about creating a little service for free subdomains with full DNS control. So in this situation I buy example.com and I allow people to register a subdomain through a form. After registration they get full control over that subdomain. Are there any limitations or risks to consider when giving strangers this power?
My intention is for developers and sysadmins to use it in all kinds of ways: making sites, showing work in progress to the world, testing MX records, testing automatic SSL certificate issuance with certbot, etc.

Drupal: URL redirects in .htaccess for multiple sites and a single codebase

I'm using Drupal 8. Multiple sites sharing a single codebase. One .htaccess file for all.
I am receiving the same "page not found" error across all sites. Hackers attempting to break in to the site, presumably.
For example, someone tries to visit https://domain1/wp-admin/admin-ajax.php and https://domain2/wp-admin/admin-ajax.php ... Different domain names, but always the same addresses.
Other addresses include /phpmyadmin/scripts/setup.php and /1/wp-includes/wlwmanifest.xml and so on.
Using .htaccess, what is the most efficient means of redirecting all of these to an internal or external site so that my pages are not even served?
Thank you!
So, the way Drupal and the web server work is that when a request arrives, if it matches the "serverName" and document root and they point to Drupal, then the web server will hand that request to Drupal to handle.
So, you have to ask if this is destined for Drupal and, if so, handle the redirect in Drupal (probably using the redirect module).
If you want to set it up at the web-server level and you have access, or are using .htaccess, then something like:
RedirectMatch ^/wp-admin/(.*)$ http://example.com/404/$1
Note, there are plenty of other ways to write the above, but it's the simplest and lightest.
I think this is a very common issue with CMS vulnerabilities and hosting security. And security is not something that can be done with a single static action, because there's always a new vulnerability. So be careful to always run:
composer update
to always have the latest bug fixes and security updates, especially when you use modules like webform. At the moment Drupal offers more than one module for better securing your app. And in your case you need to identify the IP addresses used by hacking robots and block them by using Perimeter.
The good news is that the community around Drupal is very concerned about security. For further reading and securing Drupal you can use these modules, but the more modules you install the more performance issues you have:
https://www.drupal.org/project/clamav
https://www.drupal.org/project/file_upload_secure_validator
https://www.drupal.org/project/key
https://www.drupal.org/project/csp
https://www.drupal.org/project/noopener_filter
https://www.drupal.org/project/hsts
https://www.drupal.org/project/securelogin
...
I also recommend the use of fast 404/403 Drupal error pages so that serving that kind of page does not use the database or run more code.

How to ensure server security when mod_rewrite is enabled

I am being informed by the team that manages the servers that enabling mod_rewrite will excessively compromise the server's security.
Are they correct?
What can be done to make sure server security is minimally compromised, if at all, after enabling mod_rewrite?
I am not able to clean up Joomla URLs without mod_rewrite enabled.
Thanks in advance!
They're not correct, as the issue depends on exactly how "mod_rewrite" is tuned.
You can:
Enable "mod_rewrite" for your specific site/virtualhost and not other sites by using directives such as [RewriteEngine On], and then tune the rewrite code to handle what to do should someone ask for an inappropriate URL, etc.
Remember the server itself is tuned by using other directives, and the code within the "mod_rewrite" block needs to handle itself as a block.
Here are the docs and examples of "mod_rewrite" blocks:
http://httpd.apache.org/docs/current/mod/mod_rewrite.html
mod_rewrite together with poorly crafted rewrite rules can potentially weaken your security, but as with any server software, the key to keeping your server secure is to configure the software properly and keep it up to date.
mod_rewrite is widely used in conjunction with WordPress, Joomla and Drupal, and it seems unlikely that this would be the case if it "excessively compromises" security.
Not using mod_rewrite could be a security issue too, as the native Joomla URLs are visible and this gives hackers information about the extensions you have installed on your website.
Reference: https://stackoverflow.com/a/5009900/1983389

AllowOverride security issues

There are all sorts of posts out there that advise you on how to add a .htaccess file to remove index.php from the URL. However, in order to get .htaccess files to work, AllowOverride must be changed (usually to "All").
This tutorial explains that using .htaccess files for mod_rewrite is a misconception and that it can and should be done in the main config file.
I have been informed by my web security officer that - and I quote - "to change AllowOverride to All increases the risk to the web server as, if exploited, an intruder / hacker / opportunist could override the main servers configuration, which could allow them to get up to allsorts; this would be a serious security breach". I'm not sure how much weight this holds!
So my question is:
are there really serious dangers to changing AllowOverride,
and if so, why is .htaccess so widely recommended on Stack Overflow for removing index.php?
Well, there is a little bit of a security issue with .htaccess, in the sense that if a hacker/intruder gets hold of your file system then they can modify the rewrite rules and change the behavior of your website. However, do remember that if a hacker gets hold of your DOCUMENT_ROOT folder then a lot more damage can be done by modifying/deleting any other code as well, and you have a much bigger problem on your hands.
However, what .htaccess provides you is the utmost flexibility, by letting you control your website's behavior and authentication needs without needing to make those changes in the Apache config and restart it every time. Especially in shared hosting environments, the Apache config is not even accessible to website owners.

Block bots searching for vulnerabilities

I downloaded a WordPress plugin that emails me any time my site serves a 404 error. Last night I got about 1000 emails from bots searching for
/wp-content/plugins/(X name of popular plugin)/timthumb.php
where timthumb.php is a popular plugin that had a zero-day vulnerability a few weeks ago, so the traffic is searching my site for vulnerabilities that can be hacked. I don't have timthumb installed, but I really don't want this traffic - is there an easy way to block it?
Use this and this page to blacklist all the bots that were logged, through your .htaccess file.
This is really not something that can be fully stopped. Instead you should focus on making sure your system is fully updated and configured correctly.
Some vulnerability scans and exploits can be stopped using a Web Application Firewall like PHPIDS or mod_security. However, these security measures won't stop bots from looking for vulnerable files like phpmyadmin, fckeditor or the new timthumb.php remote code execution vulnerability.
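As an added example that is not from any of the answers on this page, here is the detection side of what the Magento brute-force thread and the bot-scanning answer above describe: a script that reads Apache combined-format access log lines, flags an IP that bursts POSTs at the admin login or requests any of the probe paths quoted in these threads, and emits deny lines in the syntax the first Magento answer uses. The admin login path, the thresholds and the sample log lines are constructed assumptions, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log line, the format the .htaccess answers above assume.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Probe paths quoted in the threads above; requesting them on a site that does not ship
# these files is scanner noise, whatever status the server answers with.
PROBE_MARKERS = ("/wp-admin/admin-ajax.php", "/timthumb.php",
                 "/phpmyadmin/scripts/setup.php", "/wp-includes/wlwmanifest.xml")

def parse_line(line):
    """Return a dict for one log line, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def analyse(lines, login_path="/admin/", max_posts=5, window_s=60):
    """Map IP -> reasons: a POST burst at the admin login (more than max_posts
    within window_s seconds) and/or requests for known vulnerability probes."""
    findings = defaultdict(set)
    recent = defaultdict(list)  # ip -> timestamps of login POSTs still inside the window
    for rec in filter(None, map(parse_line, lines)):
        if any(p in rec["path"] for p in PROBE_MARKERS):
            findings[rec["ip"]].add("vuln-scan")
        if rec["method"] == "POST" and rec["path"].startswith(login_path):
            ts = recent[rec["ip"]]
            ts.append(rec["ts"])
            while (ts[-1] - ts[0]).total_seconds() > window_s:  # slide the window forward
                ts.pop(0)
            if len(ts) > max_posts:
                findings[rec["ip"]].add("login-burst")
    return dict(findings)

def deny_rules(findings):
    """Emit 'deny from' lines in the Apache 2.2 syntax the first Magento answer uses."""
    return [f"deny from {ip}" for ip in sorted(findings)]

def _log(ip, sec, method, path, status):
    # Constructed sample line (documentation IP ranges); no real traffic behind it.
    return f'{ip} - - [10/Mar/2021:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" {status} 512'

SAMPLE_LOG = (
    [_log("203.0.113.9", s, "POST", "/admin/", 302) for s in range(0, 12, 2)]  # 6 POSTs in 10 s
    + [_log("198.51.100.7", 3, "GET", "/wp-content/plugins/foo/timthumb.php", 404),
       _log("198.51.100.7", 4, "GET", "/phpmyadmin/scripts/setup.php", 404),
       _log("192.0.2.5", 5, "GET", "/customer/account/login/", 200),
       _log("192.0.2.5", 40, "POST", "/admin/", 302)]  # one ordinary admin login
)
```

Run `analyse(SAMPLE_LOG)` to get the flagged IPs and `deny_rules(...)` on the result to produce the lines for the .htaccess file; tune `max_posts` and `window_s` to your own login traffic before using the output.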