Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

hwoto secure the admin-panel?


freakingme

Recommended Posts

Hi,

 

I'd like to secure the admin panel using a password.  Anybody that can tell me how?

 

Regards,

 

Peter Clarck

 

 

Since not-so-long, I've got a webhostingbuzz account, with cpanel support. I just thought of the fact that cpanel easily creates .htaccess password files, so I used that function.

 

It works great AND SECURE, here!

 

Peter

Link to comment
Share on other sites

Since not-so-long, I've got a webhostingbuzz account, with cpanel support. I just thought of the fact that cpanel easily creates .htaccess password files, so I used that function.

 

It works great AND SECURE, here!

 

Peter

But how secure is it?

 

Aren't .htaccess protected directories only weakly protected?

Isn't it possible to do a brute-force crack against .htaccess

protected systems?

 

This is an e-commerce system, it needs better security than

this.

 

So what is the /real/ way to secure the admin directory, and still have it be accessible?

 

Is there an apache mod to shut-down brute force password hacking?

Link to comment
Share on other sites

But how secure is it?

 

Aren't .htaccess protected directories only weakly protected?

Isn't it possible to do a brute-force crack against .htaccess

protected systems?

 

This is an e-commerce system, it needs better security than

this.

 

So  what is the /real/ way to secure the admin directory, and still have it be accessible?

 

Is there an apache mod to shut-down brute force password hacking?

The first thing you should do (and not may do) is rename the admin folder to something else, if people do not know what it is called then they will not be able to brute force it. You should still password protect even though its renamed.

 

I use .htpasswd on my system, I change the username/password every X (not telling how many :P) days to make it a bit harder to hack.

 

You can always create admin and password protect it just to make hackers think it still exists and waste their time :D

Dont forget to Search. Your problem has already been fixed before.<br>

Please visit Manchester-Fireworks.com.

Link to comment
Share on other sites

But how secure is it?

 

Aren't .htaccess protected directories only weakly protected?

Isn't it possible to do a brute-force crack against .htaccess

protected systems?

 

This is an e-commerce system, it needs better security than

this.

 

So  what is the /real/ way to secure the admin directory, and still have it be accessible?

 

Is there an apache mod to shut-down brute force password hacking?

 

 

How you should do that? Not so hard, write your own login system. Make one php-file which checks if the user is logged in.

 

Put in that file something like:

<?php

if($session->loggedin <> true)

{

die("Login first plz");

}

?>

 

 

And in every backend file, you put:

session_start();

require("check_loggedin.php");

 

Of course brute-force is also possible at that login system, but what you could do, is adding a hard-to-read validation-image on the login screen which visitors have to copy (the text that is in it) after they filled 3 times a wrong username+password combination in. And after 10 tries, you ban their IP for 24 hours.

 

It's quite a lot of work, but it'll work.

 

I'm going to make this the coming few days, if you're interested, please contact me.

 

Peter

 

p.s. I knew this on before hand already, but because it's a hell of a job, I hoped someone knew a easier way.

Link to comment
Share on other sites

Of course swolsten is right, the /best/ security against the .htaccess

issue is to hide it well.

 

I like to move the directory out of the web space, and only move it back when

I'm using it. I use an obscure name, and I password protect it...

 

But that is a hack... There should be a better way...

 

How you should do that? Not so hard, write your own login system.

 

Good idea! I only have one problem with it... why are you doing it?

Shouldn't that be built into osCommerce? It's like they built a complete

store, but left the manager's desk in the back alley, with an unsecured

hallway leading into the store... with a little sign "build brick wall here,

put lock on door when done".

 

In my opinion, every PHP application that leaves an insecure manager

page in place, is simply unfinished software... just like a building missing

a wall. I have seen plenty of backend login systems in php apps to show

as examples, like Mambo for instance, so it can be done. The system

has a login module for returning customers, surely the admin area

is even more deserving of a login module... and it should have multiple layers

of security. It should have limited access for shipping clerks, and full access

for the manager, etc...

 

Make one php-file which checks if the user is logged in.

 

Put in that file something like:

<?php

if($session->loggedin <> true)

{

      die("Login first plz");

}

?>

And in every backend file, you put:

session_start();

require("check_loggedin.php");

 

Of course brute-force is also possible at that login system, but what you could do, is adding a hard-to-read validation-image on the login screen which visitors have to copy (the text that is in it) after they filled 3 times a wrong username+password combination in. And after 10 tries, you ban their IP for 24 hours.

 

It's quite a lot of work, but it'll work.

 

I'm going to make this the coming few days, if you're interested, please contact me.

 

Peter

 

p.s. I knew this on before hand already, but because it's a hell of a job, I hoped someone knew a easier way.

Stopping brute force is easy.

 

Use an expotential backoff timer. Eventually you will run out of php execution time, and the attack will be stopped untill the timer resets.

 

Each login has a delay, with the delay increasing expotentially.

Within 5 to 10 attempts the delay is too long for php to execute, stopping

the attack dead.

 

If there are no login attempts for a period of time (like 5 minutes)

you reset the timer.

 

Another security method is the lock-out... After x failed login attempts,

lock-down the system untill it is stopped and restarted, or untill an

admin deletes a .lockout file, or something.

 

Those are two ideas easily integrated into a php login module. The

multiple layers of security is another issue...

 

But again, great idea... it should be built in...

Link to comment
Share on other sites

Here is what I'm going to do....

 

I have to install webmin to manage something else for the customer,

so I'm putting up a custom command that will temporarily expose

the admin page.

 

The command will ask for a new secret name, explaining that it is only good

for 8 hours. The script moves the directory into place, naming it with the

secret name. The script then creates an "at job" for 8 hours into the

future, and that job moves the secretnamed directory back into the

properly named holding location outside of the web path. A cron job

comes along that scans for an admin directory, and if it sees one twice

with the same name for more than 8 hours, it cleans it up and sends a

warning email to the admin that security is failing somehow.

 

The same security cron job also scans for unexpected changes in the system,

using tripwire.

Link to comment
Share on other sites

Hi all,

 

I'm new here.

 

I got osCommerce installed on my site, and was surprised to see

no security for the admin directory.

 

If I rename it,, to something like "office",, then the pages don't

integrate well. Each time I navigate to a new page it's looking

for "admin" in the URL.. so I have to change it manually with

every new page. That's a drag,,,

 

So my temporary answer is to just give it a goofy name until

I want to actually "admin" the thing again and rename it to

"admin"..

 

But what's the best answer for a guy who's only got a limited

knowledge of server side mechanics, and php?

 

Will the Catalog function without the Admin directory in place?

 

Thanks,,

Ron

Link to comment
Share on other sites

If I rename it,, to something like "office",, then the pages don't

integrate well.  Each time I navigate to a new page it's looking

for "admin" in the URL..  so I have to change it manually with

every new page.  That's a drag.

 

You need to edit the admin/includes/configure.php file with your new folder name. But as others have pointed out it's a good idea to move it out of the catalog folder altogether. It's only in catalog in the first place to make the auto installer simpler.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Link to comment
Share on other sites

You need to edit the admin/includes/configure.php file with your new folder name. But as others have pointed out it's a good idea to move it out of the catalog folder altogether. It's only in catalog in the first place to make the auto installer simpler.

 

 

Thanks,, that worked,,

 

Do I edit the same file if I want to change the name of the

general catalog? I intend to use a different name in the logo,,

so I'd like to URL to match. Just changing the "catalog" directory

name doesn't work by itself,, there's other files I need to edit as

well.

 

I'd like it to read something like,, www.mydomain.net/store

 

Thanks,

Ron

 

PS,, also,, how do I disable other language options.. I just

want the site to display in English.

Link to comment
Share on other sites

  • 1 month later...
Of course swolsten is right, the /best/ security against the .htaccess

issue is to hide it well.

 

I like to move the directory out of the web space, and only move it back when

I'm using it.  I use an obscure name, and I password protect it...

 

But that is a hack...  There should be a better way...

Good idea!  I only have one problem with it... why are you doing it?

Shouldn't that be built into osCommerce?    It's like they built a complete

store, but left the manager's desk in the back alley, with an unsecured

hallway leading into the store...  with a little sign "build brick wall here,

put lock on door when done".

 

In my opinion, every PHP application that leaves an insecure manager

page in place, is simply unfinished software... just like a building missing

a wall.  I have seen plenty of backend login systems in php apps to show

as examples, like Mambo for instance, so it can be done.  The system

has a login module for returning customers, surely the admin area

is even more deserving of a login module... and it should have multiple layers

of security.  It should have limited access for shipping clerks, and full access

for the manager, etc...

Stopping brute force is easy.

 

Use an expotential backoff timer.  Eventually you will run out of php execution time, and the attack will be stopped untill the timer resets.

 

Each login has a delay, with the delay increasing expotentially.

Within 5 to 10 attempts the delay is too long for php to execute, stopping

the attack dead. 

 

If there are no login attempts for a period of time (like 5 minutes)

you reset the timer.

 

Another security method is the lock-out...  After x failed login attempts,

lock-down the system untill it is stopped and restarted, or untill an

admin deletes a .lockout file, or something.

 

Those are two ideas easily integrated into a php login module.  The

multiple layers of security is another issue...

 

But again, great idea... it should be built in...

 

How would you write a code to stop a brute force attack, you said it is easy but did not explain how... If you could give some sample code that would be great!

Most Valuable OsCommerce Contributions:

Also Purchased (AP) Preselection (cuts this resource hogging query down to nothing) -- Contribution 3294

FedEx Automated Labels -- Contribution 2244

RMA Returns system -- Contribution 1136

Sort Products By Dropdown -- Contribution 4312

Ultimate SEO URLs -- Contribution 2823

Credit Class & Gift Voucher -- Contribution 282

Cross-Sell -- Contribution 5347

Link to comment
Share on other sites

Its taking me awhile but I think I've come up with a pretty good solution.

 

FIRST install the admin access levels contrib if you haven't already.

http://www.oscommerce.com/community/contributions,1359

 

And heres the mod to this contrib I have been working on borrowing some code here and there and then writing the rest myself. As always BACKUP! BACKUP! BACKUP!

 

WHAT IT DOES:

It disables an email address after 5 login tries for 5 minutes and emails the administrator the offenders IP Address. After 5 minutes you can log right back in automagically!

 

WHY:

To stop brut force attacks, its not perfect but the next step after basic password protection. It helps keep a hacker from using 100s or 1000s of requests to guess your password....

 

HOW TO DO IT?

 

Here is the SQL to create the neccessary table:

DROP TABLE IF EXISTS admin_lock;
CREATE TABLE `admin_lock` (
 `attempt_id` int(11) NOT NULL auto_increment,
 `attempt_email` varchar(50) default '' UNIQUE,
 `attempts` int(1) default '0',
 `last_attempt` int(20) default '0',
 `first_offense` int(1) default '0',
 PRIMARY KEY  (`attempt_id`)
);

 

Then insert in your admin/login.php

AFTER

$password = tep_db_prepare_input($HTTP_POST_VARS['password']);

 

// Checking to see if login attempt > 4 if so time out for 5 minutes then reset login attempts.
//----------------Configuration----------------
$mail_report = '[email protected]';    // address to mail report to
$show_msg = 'Your IP Address was logged and the administrator has been notified. Your IP Address is: ';
//---------------------------------------------

 $check_lockout_query = tep_db_query("select attempt_id, first_offense, attempt_email, attempts, last_attempt from admin_lock where attempt_email = '" . strtolower($email_address) . "' ");
 $check_lockout = tep_db_fetch_array($check_lockout_query);

$attempts = $check_lockout['attempts'] + 1;
if ($check_lockout['attempt_id'] == '') {
$last_attempt = time();
tep_db_query("insert into admin_lock (attempt_email, attempts, last_attempt) values ('" . strtolower($email_address) ."', '1', '" . $last_attempt."')");
} else if ($attempts < 5) {
$last_attempt = time();
tep_db_query("update admin_lock set attempts = '" . $attempts . "', last_attempt = '" . $last_attempt . "', first_offense = 1 where attempt_id = '" . $check_lockout['attempt_id'] . "'");
} else {
$locked_time = (time() - $check_lockout['last_attempt']);
if ($locked_time < 300) {
 echo ('<center><font color=red>Your login attempt has timed out, try again in 5 minutes</font> Time since lockout: ' . $locked_time . ' seconds</center>');
 $password = '';
 if ($check_lockout['first_offense'] == 1) {
	 // get their IP Address
	 if (getenv(HTTP_X_FORWARDED_FOR)){
     $fwd= ' (' . getenv(HTTP_X_FORWARDED_FOR) . ')';
     $ip=getenv(REMOTE_ADDR);
	 } else {
     $ip=getenv(REMOTE_ADDR);
	 }

	 $name = $email_address;

  	 // create nice report
     $msg = "\n" . 'FAILED LOGIN ATTEMPT REPORT' . "\n" . '---------------------------------------' . "\n";
     $msg .= 'Remote Address: ' . $ip . $fwd . "\n";
     $msg .= 'Referer       : ' . $_SERVER["HTTP_REFERER"] . "\n";
      $msg .= 'Requested     : ' . $_SERVER["REQUEST_URI"] . "\n";
      $msg .= 'Used user name: ' . $email_address . "\n";

     mail($mail_report, 'FAILED ADMIN LOGIN ATTEMPT', $msg);
	 echo '<center><b>' . $show_msg . $ip . '</b></center>';
	 tep_db_query("update admin_lock set first_offense = 0 where attempt_id = '" . $check_lockout['attempt_id'] . "'");
 }

} else {
$last_attempt = time();
tep_db_query("update admin_lock set attempts = 0, last_attempt = '" . $last_attempt . "' where attempt_id = '" . $check_lockout['attempt_id'] . "'");
}
}

 

Then just configure your email address and you're done! :thumbsup:

Most Valuable OsCommerce Contributions:

Also Purchased (AP) Preselection (cuts this resource hogging query down to nothing) -- Contribution 3294

FedEx Automated Labels -- Contribution 2244

RMA Returns system -- Contribution 1136

Sort Products By Dropdown -- Contribution 4312

Ultimate SEO URLs -- Contribution 2823

Credit Class & Gift Voucher -- Contribution 282

Cross-Sell -- Contribution 5347

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...