Protect your Magento installation from password guessing

This is a great article from Magento: 

https://magento.com/security/best-practices/protect-your-magento-installation-password-guessing

All of the content below is from Magento’s article written by the Magento Security Team.

We’ve recently become aware of brute-force password guessing attacks on Magento installations worldwide. In some cases, these attacks have resulted in unauthorized admin panel access. We highly recommend that you take the following steps to protect your store against such attacks.

Please note that in a typical Magento 1 installation (e.g. Magento Enterprise Edition 1.14.2), locations /admin (or a custom name you have chosen for admin) and /downloader need to be protected. In the case of Magento 2, only the admin panel location (the location is generated automatically during installation) should be protected.

Before you proceed in making any changes, please take the following steps:

  1. Review all admin users in System->Permissions->Users. Remove any unused entries or entries you do not recognize. This should be done at least once a month and whenever an employee leaves.
  2. Ensure that your password and the password of any other employee using the admin panel is strong. Remember that longer, complex passwords are much harder to guess. For examples of how to create a secure password, see: http://support.google.com/accounts/answer/32040?hl=en. Your password should be updated every three months.
  3. Consider changing the username to something less common; do not use admin or administrator.
  4. Ensure that you have all the patches installed; they are available for download on My Account for Enterprise Edition customers and on the Community Edition download page for Community Edition.

IP Whitelisting

The best way to protect access to the admin and downloader locations is to allow access only to users coming from a specified IP address or network. This works best if you always access the store backend from the same location and computer or computers. To find your public IP address you can use Google: https://www.google.com/search?q=what+is+my+ip. It should show an address like 203.0.113.44 (four numbers between 0 and 255, separated by dots). This solution will not work properly if you are using dynamic IP addresses or accessing the backend through a mobile device. If your company has a remote workforce, it is important to add their IP addresses as well to ensure that they keep access to the backend. Note also that the web server only sees the address of the machine that connected to it: if the store sits behind a CDN, load balancer or reverse proxy, REMOTE_ADDR is the proxy's address, so the restriction has to be applied at the proxy, or the real client address has to be restored (for example from X-Forwarded-For, and only for connections that really come from the proxy) before these rules run.

IP WHITELISTING PROTECTION FOR /DOWNLOADER

If You Are Using Apache Web Server

Modify the existing .htaccess file in /downloader. Add the following at the end:

order deny,allow
deny from all
allow from x.x.x.x

You can use multiple allow statements to allow access for more machines or locations, and a network can be given in CIDR form (for example allow from 203.0.113.0/24). Note that order, deny and allow are Apache 2.2 directives; on Apache 2.4 they only work while mod_access_compat is loaded. The 2.4 equivalent is one Require ip x.x.x.x line per address or network, which denies everything else. After reloading, confirm from an address outside the list that /downloader now answers 403 Forbidden.

If You Are Using Nginx Web Server

You will need to work with your hosting provider to block the admin, downloader and RSS locations.

If you have full access to your server, you can modify the Nginx configuration yourself, following the instructions posted at https://www.nginx.com/resources/admin-guide/restricting-access/ (allow and deny directives inside a location block that covers the downloader path).

IP WHITELISTING THE ADMIN PANEL AND RSS FEEDS

The admin panel is accessible through /admin and /index.php/admin URLs (or custom paths that you can choose), but it is not a real directory on the server and therefore needs to be protected differently. The same holds true for admin RSS feeds such as low stock notification or order status updates.

The way to protect the admin panel and RSS feeds is to redirect requests coming from unknown IP addresses to the main page. This can be done by editing the .htaccess file in the root Magento folder and adding the following right after the rewrite rules for mobile user agents, which are located just before the section called “always send 404 on missing files in these folders”.

RewriteCond %{REQUEST_URI} ^.*/ADMIN_PANEL_LOCATION [OR,NC]
RewriteCond %{REQUEST_URI} ^.*/DOWNLOADER [OR,NC]
RewriteCond %{REQUEST_URI} ^.*/RSS/CATALOG [OR,NC]
RewriteCond %{REQUEST_URI} ^.*/RSS/ORDER [NC]
RewriteCond %{REMOTE_ADDR} !^1\.2\.3\.4$
RewriteCond %{REMOTE_ADDR} !^5\.6\.7\.8$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]

Replace ADMIN_PANEL_LOCATION with your admin front name (admin by default) and 1.2.3.4 and 5.6.7.8 with your own addresses, one RewriteCond line per address. The address patterns are regular expressions, so the dots must be escaped and the pattern anchored with $: an unescaped, unanchored ^1.2.3.4 would also treat 1.2.3.40 through 1.2.3.49 (and any 7-character string with 1, 2, 3 and 4 in those positions) as trusted. To test, request /ADMIN_PANEL_LOCATION/ from an address outside the list; the answer should be a 302 redirect to the store's home page.
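The following is an added example, not part of the Magento article: a small Python model of the decision those RewriteCond/RewriteRule lines make, so you can see why the address pattern has to be escaped and anchored, and how an exact allow-list check with CIDR support behaves. The /admin fragment stands in for ADMIN_PANEL_LOCATION, and the list of allowed networks is a hypothetical input (the article's rules only take literal addresses).

```python
import ipaddress
import re

# URL fragments the RewriteCond lines look for (the NC flag makes Apache match
# them case-insensitively).  "/admin" stands in for ADMIN_PANEL_LOCATION.
PROTECTED_FRAGMENTS = ("/admin", "/downloader", "/rss/catalog", "/rss/order")

# The address pattern as written in the article versus the escaped, anchored form.
LOOSE_ADDR = re.compile(r"^1.2.3.4")
STRICT_ADDR = re.compile(r"^1\.2\.3\.4$")


def regex_allows(pattern, remote_addr):
    """True when 'RewriteCond %{REMOTE_ADDR} !<pattern>' would NOT fire, i.e.
    the address is treated as allow-listed by that pattern."""
    return pattern.match(remote_addr) is not None


def is_protected_uri(request_uri):
    """Mirror of the four REQUEST_URI conditions: any URI containing one of
    the fragments, case-insensitively."""
    uri = request_uri.lower()
    return any(fragment in uri for fragment in PROTECTED_FRAGMENTS)


def should_redirect(request_uri, remote_addr, allowed_networks):
    """Decision the RewriteRule makes: send the client to / when the URI is a
    protected location and the address is outside the allow-list.
    allowed_networks holds addresses or CIDR networks as strings (an
    assumption of this example; the article's rules take literal addresses)."""
    if not is_protected_uri(request_uri):
        return False
    client = ipaddress.ip_address(remote_addr)
    return not any(
        client in ipaddress.ip_network(entry, strict=False)
        for entry in allowed_networks
    )


if __name__ == "__main__":
    office = ["1.2.3.4", "5.6.7.8", "203.0.113.0/24"]
    for uri, addr in [("/index.php/admin/", "5.6.7.8"),
                      ("/admin/", "1.2.3.45"),
                      ("/RSS/ORDER/NEW", "203.0.113.77"),
                      ("/catalog/product/view/id/1", "9.9.9.9")]:
        print(f"{addr:>14} {uri:<28} redirect={should_redirect(uri, addr, office)}")
    print("loose pattern accepts 1.2.3.45:", regex_allows(LOOSE_ADDR, "1.2.3.45"))
```

The loose pattern accepts 1.2.3.45, which is exactly the kind of neighbouring address a hosting customer on the same subnet would have; the anchored pattern accepts only 1.2.3.4.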

If You Are Using Nginx Web Server

You will need to work with your hosting provider to block the admin, downloader and RSS locations.

If you have full access to your server, you can modify the Nginx configuration yourself, following the instructions posted at https://www.nginx.com/resources/admin-guide/restricting-access/ (allow and deny directives inside location blocks that cover the admin path and the rss/catalog and rss/order paths).

Fail2Ban Adaptive Filtering

Note: this section is based on information from https://support.hypernode.com/knowledgebase/how-to-protect-your-magento-store-against-brute-force/ created by the authors of magereport.com.

If you have full access to your server, you can install the fail2ban software, which can limit or stop guessing attacks by banning an address after repeated login attempts. An example configuration for Nginx is shown below. Note: this configuration does not block access to RSS feeds. Because fail2ban works from the access log rather than from the web server configuration, the same jail can protect Apache once logpath points at the Apache access log (the regex expects the common/combined log format); behind a proxy, however, the logged address must be the real client's, otherwise the proxy itself gets banned. Please work with your system administrator or hosting provider to implement fail2ban properly.

Code to add to /etc/fail2ban/jail.local:

[hn-nginx-retry-ban]
# Only ban after multiple retries.
# Use this for "soft" bad behaviour.
# Jails are disabled unless enabled explicitly.
enabled  = true
port     = http,https
filter   = hn-nginx-retry-ban
logpath  = /var/log/nginx/access.log
bantime  = 7200
maxretry = 10
# findtime is left at fail2ban's default of 600 seconds: 10 matching POSTs
# within 10 minutes trigger a two-hour ban.
# Uncomment and list your own addresses so that a mistyped password can
# never lock the office out:
# ignoreip = 127.0.0.1/8 1.2.3.4

Code to add to /etc/fail2ban/filter.d/hn-nginx-retry-ban.conf:

[Definition]
# Use this for "soft" bad behaviour, as the source will only be banned after multiple retries.
# \S* rather than \S+ before the path list, so that a bare "POST /admin/ ..."
# (web server rewrites enabled) matches as well as "POST /index.php/admin/ ...";
# with \S+ at least one character must precede the path and the bare form is missed.
failregex = ^<HOST> .+"POST \S*(/downloader/|/downloader/index\.php\?A=loggedin|/admin/index/|/admin/)\s
ignoreregex =

In the line listing locations (failregex), you can add your custom admin path as another alternative inside the parentheses, e.g. |/custompath/. Only POSTs whose path ends in one of the listed locations (the login form submissions) are counted, so ordinary admin form saves do not contribute to a ban. After editing, run fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/hn-nginx-retry-ban.conf to confirm the pattern matches real log lines before reloading fail2ban.
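As an added example (not from the Magento or Hypernode text), the script below runs that failregex over constructed nginx access-log lines and applies the jail's maxretry/findtime counting, so the filter can be checked before it is deployed. It assumes nginx's default combined log format and fail2ban's default findtime of 600 seconds; the <HOST> token is replaced by a named group, and the pattern uses \S* before the path list so that a bare "POST /admin/" is matched, with the \S+ variant kept alongside to show what it misses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The filter's failregex with \S* instead of \S+ before the path list, so a bare
# "POST /admin/" (rewrites enabled) matches as well as "POST /index.php/admin/".
# fail2ban's <HOST> token is substituted with a named group here.
FAILREGEX = (r'^<HOST> .+"POST \S*(/downloader/|/downloader/index\.php\?A=loggedin'
             r'|/admin/index/|/admin/)\s')
HOST_GROUP = r"(?P<host>\S+)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))
PATTERN_PLUS = re.compile(FAILREGEX.replace(r"\S*", r"\S+").replace("<HOST>", HOST_GROUP))

TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
TIME_RE = re.compile(r"\[([^\]]+)\]")
T0 = datetime(2016, 3, 10, 10, 0, 0, tzinfo=timezone.utc)


def log_line(ip, offset, method, path, status=302):
    """Constructed access-log line in nginx's default 'combined' format."""
    ts = (T0 + timedelta(seconds=offset)).strftime(TIME_FMT)
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 0 "-" "Mozilla/5.0"'


# Constructed sample log: a brute-forcer (12 login POSTs in one minute), a
# legitimate admin, and a slow scanner (12 POSTs spread over 22 minutes).
SAMPLE_LOG = (
    [log_line("198.51.100.7", 5 * i, "POST", "/index.php/admin/") for i in range(12)]
    + [log_line("203.0.113.5", 3, "GET", "/admin/", 200),
       log_line("203.0.113.5", 8, "POST", "/admin/"),
       log_line("203.0.113.5", 20, "POST", "/admin/catalog_product/save/id/7/")]
    + [log_line("192.0.2.9", 120 * i, "POST", "/downloader/") for i in range(12)]
)


def failure_host(line, pattern=PATTERN):
    """Client address when the line is a login POST the filter counts, else None."""
    m = pattern.match(line)
    return m.group("host") if m else None


def line_time(line):
    return datetime.strptime(TIME_RE.search(line).group(1), TIME_FMT)


def banned_hosts(lines, maxretry=10, findtime=600):
    """Hosts fail2ban would ban: maxretry matching lines within findtime
    seconds (findtime=600 is fail2ban's default; the jail does not override it)."""
    recent = defaultdict(list)
    banned = set()
    for line in sorted(lines, key=line_time):
        host = failure_host(line)
        if host is None:
            continue
        ts = line_time(line)
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    print("banned:", banned_hosts(SAMPLE_LOG))
    bare = log_line("203.0.113.5", 8, "POST", "/admin/")
    print("bare /admin/ with \\S*:", failure_host(bare),
          " with \\S+:", failure_host(bare, PATTERN_PLUS))
```

Only the brute-forcer is banned: the scanner never reaches ten POSTs inside any 600-second window, the admin's GET and the product-save POST are not counted, and the bare "POST /admin/" is seen only by the \S* form of the pattern.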

Change the Location of the Admin Panel and Magento Connect Manager

Password guessing attacks assume typical admin panel locations like /admin, /backend, /manage, /control and similar and the default location of Magento Connect Manager: /downloader. Changing the location of the admin panel and downloader can reduce the likelihood of being targeted by a generic attack. However, it does not protect against targeted attacks as the attacks might try to guess the location first with multiple requests.

Note: some Magento hosting providers have specific security rules that apply to default locations. Please ask your hosting provider if they recommend changing the location before making this update.

Note: if you are not planning on installing extensions from Magento Connect you can delete or fully block access to the downloader directory.

Change the Name of the Admin Panel (Magento 1 Only)

Changing the name of the admin panel can also help to protect it from attacks. To change the name, first log into the admin panel and navigate to System -> Cache Management; you will flush the caches from there once the change is made.

Then edit the file app/etc/local.xml in your Magento installation and change the name in the section admin -> routers -> adminhtml -> args -> frontName.

After this change you need to flush all the caches, then log out and log in again using the new URL. Remember to update the admin location in any .htaccess rules or fail2ban filter you configured above, since they refer to the old name.
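The following is an added example, not part of the Magento article: a Python script that changes the admin front name in local.xml and refuses names an attacker would guess first. The local.xml shown is a constructed, minimal copy of the relevant section (a real one also holds the database credentials and crypt key and must be treated as a secret); the length and character rules in the check are this example's own policy, not a Magento requirement.

```python
import re
import xml.etree.ElementTree as ET

# Locations that generic password-guessing tools try first (the article's list
# plus a few obvious ones); never pick one of these as the front name.
COMMON_GUESSES = {"admin", "administrator", "backend", "manage", "control",
                  "panel", "login", "downloader"}

# Constructed, minimal local.xml with the section the article refers to.
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
    <global>
        <install>
            <date><![CDATA[Thu, 10 Mar 2016 10:00:00 +0000]]></date>
        </install>
    </global>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
"""
FRONT_NAME_PATH = "./admin/routers/adminhtml/args/frontName"


def is_acceptable_front_name(name):
    """Lower-case letters and digits, at least eight characters, and not a
    name an attacker would guess (this example's policy, not Magento's)."""
    return bool(re.fullmatch(r"[a-z0-9]{8,}", name)) and name not in COMMON_GUESSES


def get_admin_front_name(local_xml):
    """Current front name, or None if the section is missing."""
    node = ET.fromstring(local_xml).find(FRONT_NAME_PATH)
    return None if node is None else (node.text or "").strip()


def set_admin_front_name(local_xml, new_name):
    """Return local.xml with the admin front name replaced.  ElementTree drops
    the CDATA wrapper; Magento reads the plain text value just as well."""
    if not is_acceptable_front_name(new_name):
        raise ValueError(f"refusing front name {new_name!r}")
    root = ET.fromstring(local_xml)
    node = root.find(FRONT_NAME_PATH)
    if node is None:
        raise ValueError("no admin/routers/adminhtml/args/frontName element in local.xml")
    node.text = new_name
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    updated = set_admin_front_name(SAMPLE_LOCAL_XML, "opsk7x2m")
    print(get_admin_front_name(SAMPLE_LOCAL_XML), "->", get_admin_front_name(updated))
```

After writing the result back to app/etc/local.xml, flush the caches and log in at /opsk7x2m/ (or whatever name you chose); the old /admin/ URL then falls through to the storefront router and returns a 404.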

Change the Name of Magento Connect Manager (/Downloader) (Magento 1 Only)

Another approach is to change the name of the Magento Connect Manager. Once you have made this change, it will no longer be possible to open Magento Connect Manager from the Magento admin panel. It must be accessed directly using the new URL.

To change the name of Magento Connect Manager, simply change the folder name from downloader to something unique.

In summary, there are several approaches you can take to help protect your store from brute-force password guessing attacks. We recommend that you quickly review these approaches with your Solution and Hosting Partners and implement the ones that are best suited to your unique situation.

MagentoU – 5 years ago today


Five years ago today I attended the MagentoU class at Magento HQ in Culver City, California. It was an intense week-long class taught by Ben Marks and Vinai Kopp. I learned a lot that week and met some really nice people! I framed the completion certificate and still have it hanging on my wall.

MagentoU Completion Certificate
March 11, 2011

I have a few more that I’ve added since then:

Certificates
Yes, my office wall is orange. I have a few lanyards from Magento Imagine and Magento Innovate along with some MageShades.

Today, I’m spending my Saturday learning and tinkering with Magento2. I want to be ready whenever the M2 Certification comes out (I’ve heard December 2016).

Facebook reminded me of this anniversary date so below are some of the pictures that I took during the 2011 MagentoU class. Time flies!

MagentoHQ
The hallway at Magento HQ had these pictures hanging on the wall.

MagentoHQ
More MagentoHQ hallway pictures including one of Bob Schwartz

MagentoHQ
First floor of MagentoHQ. There was a coin operated bull ride there for some reason.

MagentoHQ
Upstairs, looking down from the balcony

MagentoHQ
Random conference room

MagentoHQ
Looking down from the balcony. The blurry guy waving is Ben Marks

MagentoHQ
From the upstairs balcony a fake beach scene sits on top of the offices below, complete with beach towels, coolers and chairs

MagentoHQ
The Magento logo. Why doesn’t Magento sell things like this? I’d love to have a Magento light on my wall.

MagentoHQ
Close-up of the coin-op bull ride. My phone camera wasn’t that great at the time so some of these turned out blurry

MagentoHQ
Vinai teaching class. I’m pretty sure he’s forgotten more about Magento than I’ll ever know

MagentoU
In class

MagentoU
Sign set up outside of class. The building where the classes were held was right next door to MagentoHQ. There was a print shop downstairs from the MagentoU class that was packing up. During class the room would change slightly throughout the day due to remodeling. Occasionally I’d turn around and think something like “that clock wasn’t hanging there this morning…” or “when did they paint that?” They were like decorating ninjas.

MagentoU
Day 2 or Day 3

MagentoU
View from the hotel

MagentoU
View from the hotel at night