brahms2 Posted March 21, 2007
Hi all, does anyone have general recommendations about what should be done beyond the basics (like SSL) to avoid having the online store hacked? Many thanks for any idea. Best, Theo
vasttech Posted March 21, 2007
1. Secure your admin area either with the secure admin contribution or a .htaccess file on that directory.
2. SSL (install for both the catalog and your admin side. Remember you are looking at sensitive customer information when you are in the admin area, so anything you do without SSL is being transmitted unencrypted.)
3. Ensure your server and FTP passwords are strong (i.e. DO NOT USE "testing" or something like that). We force all of our customers to use at least 8 characters with mixed alphanumeric and upper/lower case as well as one special character like a $ or !.
4. Make sure you are using the latest release of osCommerce (i.e. osCommerce 2.2 Milestone 2 Update 060817). That has a couple of security fixes in it.
5. If you have multiple people administering your site we always recommend using administrator levels (there is a contribution to do this). It protects against "innocent" mistakes being made.
6. A lot of security falls on where you host your website. While many hosting companies take some steps to protect their servers, they are usually just the standard steps and do not practice "true" hardening.
7. If your site receives a lot of traffic it would probably be better to move to a dedicated server. A couple of reasons here. First, you are sharing a server with other people, so there is always that risk, no matter how minimal. Second, performance. The more sites on the server, the worse your performance. You can only push so much traffic through a 100MB backbone, and if 50 sites are competing for that network connection you will notice degradation.
8. Make sure your database has a strong password on it. Same as #3 above.
9. Make sure you are not storing customer credit card numbers.
10. Backup, backup, backup.... Not just your files, but the database as well. The admin backup does not back up files, only the database. Store the backups in a safe place.
11. Test, test, test... Always keep an eye on the site, even if it is just once a week. Run test transactions every now and then. Make sure no errors are arising. Try to imitate what a customer would do. Somehow customers always have a way of hitting just the right keys to find an error in your code even if you have tested for weeks straight. Get friends or family to test for you.
12. Randomly check your access/error logs on the server. This way you can usually detect problems or errors that you may not realize. Also it will give you an idea of what people are doing when they come to your site.
13. And last but not least... Always look for strange things happening on the site. Many people recently have been noticing javascript code appearing on their site after installing contributions. The javascript is making connections to a server in Hong Kong. Unsure what exactly it is doing, but this should raise red flags everywhere.
There are plenty of other things out there you can do, but it all comes down to how much time, effort, and most importantly money you want to spend. Companies like Best Buy or Walmart spend millions of dollars to protect their sites and they still get hacked, so spending that extra $100 with your hosting company for security monitoring, while a great next step, will never fully protect you. :)
Guest Posted March 21, 2007
Jack mcs's Site Monitor contribution is very good. It will tell you if any files have been altered. There is also one that will email you every time someone gets a 404 error on your site; can't remember the name of it.
Guest Posted March 22, 2007
Can't edit the last response. My suggestions won't harden your store against an attack, but they will help you trace one and make it easier to fix in case it does happen. The previous suggestion was a great list.
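The file-alteration check that the Site Monitor post describes, and the "javascript code appearing after installing contributions" symptom from vasttech's item 13, as an added example that is not part of the thread or of the Site Monitor contribution: it hashes every file under a web root, stores a baseline outside that root, and reports what was added, removed or changed since. The store tree, file names and script URL are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile

def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            result[os.path.relpath(full, root)] = h.hexdigest()
    return result

def save_baseline(root, path):
    """Write the current snapshot as JSON; keep this file outside the web root."""
    with open(path, "w") as fh:
        json.dump(snapshot(root), fh, indent=1, sort_keys=True)

def compare(root, baseline_path):
    """Return (added, removed, changed) relative paths versus the saved baseline."""
    with open(baseline_path) as fh:
        old = json.load(fh)
    new = snapshot(root)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed

def demo():
    """Constructed store tree: baseline it, then append a script tag to one file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "includes"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'store'; ?>\n")
    with open(os.path.join(root, "includes", "header.php"), "w") as fh:
        fh.write("<?php /* header */ ?>\n")
    baseline = os.path.join(tempfile.mkdtemp(), "baseline.json")
    save_baseline(root, baseline)
    # Simulate the symptom from the thread: a script tag injected into a file.
    with open(os.path.join(root, "includes", "header.php"), "a") as fh:
        fh.write("<script src='http://example.invalid/x.js'></script>\n")
    return compare(root, baseline)
```

Run `save_baseline` right after a clean install or upgrade and `compare` on a schedule; any changed path you did not edit yourself deserves a look.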
vasttech Posted March 22, 2007
Thanks Peter - I forgot all about the site monitor one and I use it regularly. I knew I was bound to forget one. Another item I forgot, and Peter you reminded me, is the 404 pages. If you have access to stats for your website such as AWStats, or install Google Analytics, look at things like 404, 403, and 400 errors as well. I never knew there was a contrib for the 404 errors so I will have to check that out. Thanks!
Guest Posted March 22, 2007
http://www.oscommerce.com/community/contributions,933
vasttech Posted March 22, 2007
Ah cool, thanks!!! :) We already use custom 404 pages, but that would be a nice added feature though. Especially when changing pages around and old search engine listings are out there. Helps make sure we point the old pages appropriately. Thanks again!
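The "look at 404, 403 and 400 errors" advice above, as an added example that is not code from the thread or from the linked contribution: a small scan over Apache combined-format access log lines that tallies those responses per status and per client address, so a single visitor generating many errors stands out. The log lines, addresses and paths are constructed.

```python
import re
from collections import Counter

# Apache "combined" log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one normal visitor, one client probing for admin paths,
# and one hitting a page that no longer exists.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Mar/2007:10:01:02 +0000] "GET /catalog/index.php HTTP/1.1" 200 5120
203.0.113.5 - - [22/Mar/2007:10:01:03 +0000] "GET /catalog/images/logo.gif HTTP/1.1" 200 812
198.51.100.9 - - [22/Mar/2007:10:02:10 +0000] "GET /admin/ HTTP/1.1" 404 301
198.51.100.9 - - [22/Mar/2007:10:02:11 +0000] "GET /administrator/ HTTP/1.1" 404 301
198.51.100.9 - - [22/Mar/2007:10:02:12 +0000] "GET /catalog/admin/ HTTP/1.1" 403 298
192.0.2.77 - - [22/Mar/2007:10:03:00 +0000] "GET /catalog/old_page.php HTTP/1.1" 404 301
"""

def parse(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def error_report(text, watch=("400", "403", "404")):
    """Return (count per status, count per client IP, requested paths per status)
    for the watched statuses only."""
    by_status = Counter()
    by_ip = Counter()
    paths = {}
    for line in text.splitlines():
        rec = parse(line)
        if not rec or rec["status"] not in watch:
            continue
        by_status[rec["status"]] += 1
        by_ip[rec["ip"]] += 1
        paths.setdefault(rec["status"], []).append(rec["path"])
    return by_status, by_ip, paths

def noisy_clients(text, threshold=3):
    """Client IPs with at least `threshold` watched errors: worth a closer look."""
    _status, by_ip, _paths = error_report(text)
    return sorted(ip for ip, n in by_ip.items() if n >= threshold)
```

A 404 on an old catalog page is a redirect to fix; a run of 404/403s from one address against admin-like paths is the kind of thing the thread suggests watching for.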
bill110 Posted March 22, 2007
Another good idea is to rename the admin folder to something other than admin and be sure to change the references in catalog/admin/includes/configure.php to the new name. If someone does not know the name of the admin folder they will not even get your login page if trying to browse to it.
Guest Posted March 22, 2007
Or you could use a range of IPs from your ISP in the .htaccess of the osC admin folder (or maybe just one if you have a static IP). This way you can leave the admin name as is. You can even ban IPs that are outside the range automatically. And I've seen some store owners have the tendency to use the robots file to indicate that spiders should not access this "admin" folder for some reason.
Guest Posted March 22, 2007
Never put your admin folder name in your robots.txt file. That file is readable by everyone, so if you add it there it is not really hiding it. I.e. don't put this in your robots.txt file:
Disallow: /admin
In your admin folder have a different robots.txt file and add:
User-agent: *
Disallow: /
Guest Posted March 22, 2007
Another one: never leave ANY folder as 777, even the images folder. 755 is the highest it should be, lower if you can. Change the permissions to 777 if you are adding products, and then change it back to a more secure setting.
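The "never leave any folder as 777" rule above, as an added example that is not from the thread: an audit that walks a web root and lists every file or directory whose mode grants write access to "other" (the last octal digit), which is what catches a folder left at 777 after adding products. The catalog tree below is constructed in a temporary directory.

```python
import os
import stat
import tempfile

def world_writable(root):
    """Return sorted [(relative_path, octal_mode)] for every entry under root
    that is writable by 'other'. Symlinks are skipped; the target is judged
    on its own when the walk reaches it."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & stat.S_IWOTH:
                rel = os.path.relpath(full, root)
                findings.append((rel, oct(stat.S_IMODE(mode))[2:]))
    return sorted(findings)

def demo():
    """Constructed catalog tree: images/ left at 777 with a 666 file inside,
    includes/ at the recommended 755 with a 644 configure.php."""
    root = tempfile.mkdtemp()
    images = os.path.join(root, "images")
    includes = os.path.join(root, "includes")
    os.makedirs(images)
    os.makedirs(includes)
    logo = os.path.join(images, "logo.gif")
    conf = os.path.join(includes, "configure.php")
    open(logo, "wb").close()
    open(conf, "wb").close()
    os.chmod(images, 0o777)    # the setting the post warns about
    os.chmod(logo, 0o666)      # also world-writable, often overlooked
    os.chmod(includes, 0o755)  # the recommended ceiling
    os.chmod(conf, 0o644)
    return world_writable(root)
```

Run `world_writable` against the catalog directory after each product-upload session to confirm nothing was left open.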
brahms2 (Author) Posted March 24, 2007
Dear Jeff, Peter, Bill, Mark, wow... :rolleyes: I am really grateful for all your advice. It is very much appreciated!!!!!!!!!!!! Some of it I've already done... more to go... Million THANKS! Theodore
PS: Another open issue that bothers everyone today is the spam mails... that has lately been so terrible, since we moved to another web host (westhost.com) a month ago. If before we were getting several spam a day, now we are getting between 60-200 of them every day... unbelievable. Since they got our domain address they are killing us. There is some webserver tagging... but it proved that eventually it was tagging even legitimate addresses as spam... seems like the new plague of the net... Wish there was a decent solution against those sons of a gun's deeds.
brahms2 (Author) Posted March 26, 2007
By the way, do you know how to turn on SSL on the admin pages? I tried in a few ways and did not succeed... Many thanks, Theodore
brahms2 (Author) Posted March 26, 2007
I had this question... Is there a way to make the email addresses on our "Contact us" pages/forms invisible to the hackers (and possibly to their robots)? Would turning SSL on for those pages help? Many thanks again, Theodore