Safeguard Your Magento Installation against Brute Force Password Guessing – NEW UPDATE

  • Posted by Envision Ecommerce
  • /
  • November 2, 2016

Over the past couple of weeks there has been a significant increase in brute force attacks against Magento installations, and a number of these attacks have led to unauthorized access to the store's admin panel. To safeguard your Magento installation against such attacks, follow these recommended steps:

1. Identify All Possible Installation Access Points:

First, identify every way your installation can be reached by a brute force attacker from the outside. A scan with http://magereport.com lists these access points for you.

Note: on a typical Magento 1 installation (for instance Magento Enterprise Edition 1.14.2) three locations need protection: /admin (or the custom admin path you have chosen), /downloader (Magento Connect Manager) and /rss. On Magento 2 only the admin panel location needs protection; its path is generated randomly during installation.

2. IP Whitelisting

IP whitelisting protects the admin and downloader locations by restricting access to specific IP addresses or networks, and it is the best option when you always reach your store's backend from the same location or computer. You can find your public IP address via Google (https://www.google.com/search?q=what+is+my+ip); it will look like 203.0.113.10 (an address from a documentation range, used here as a stand-in for a real one).

However, if you access the backend from a mobile device or from a connection with a dynamic IP address, whitelisting may not work for you. If your staff work remotely, their IP addresses need to be whitelisted too. Note also that the rules below compare the address the web server sees: if the store sits behind a CDN, load balancer or reverse proxy, that address is the proxy's, and the whitelist will either lock everyone out or admit everyone behind the proxy unless the server is configured to recover the real client address (mod_remoteip on Apache, the real_ip module on Nginx).

3. IP Whitelisting Protection for Downloader, Admin Panel, and RSS Feeds:

IP whitelisting works differently for the downloader than for the admin panel and RSS feeds. The downloader is a physical directory on the server, so it can be protected with a per-directory access rule. The admin panel is reached through the /admin and /index.php/admin URLs (or the custom path you have chosen), and the RSS feeds (low stock warnings, order status updates and so on) are likewise URLs routed by Magento rather than directories on disk, so they have to be protected with rewrite rules or location blocks instead.

4. For Apache Web Server Users:

If you use the Apache web server, protect the admin panel and RSS feeds by answering requests from non-whitelisted IP addresses with a 403 Forbidden response. Do this by editing the .htaccess file in your Magento root: add the rules below after the existing rewrite rules and just before the block commented "always send 404 on missing files in these folders".

  • Whitelisting an admin panel IP Address:

Insert the following rule in your root .htaccess file (inside <IfModule mod_rewrite.c>) to whitelist an admin panel IP address. The dots are escaped and the address is anchored with $, because an unanchored pattern such as !^203.0.113.10 also lets 203.0.113.100 through; the path pattern matches /admin and /index.php/admin with or without a trailing slash, since the admin router serves both forms:

# One RewriteCond line per whitelisted address (the conditions are ANDed, so the
# 403 rule fires only when none of them matches).
RewriteCond %{REMOTE_ADDR} !^xx\.xx\.xx\.xx$
# Replace "admin" with your custom admin path if you have renamed it.
RewriteRule ^(index\.php/)?admin(/|$) - [L,R=403]
  • Whitelisting RSS feed IP Address:

Insert the following rule in your root .htaccess file (inside <IfModule mod_rewrite.c>) to whitelist an RSS feed IP address; it covers /rss and /index.php/rss with or without a trailing slash:

RewriteCond %{REMOTE_ADDR} !^xx\.xx\.xx\.xx$
RewriteRule ^(index\.php/)?rss(/|$) - [L,R=403]
  • Whitelisting Downloader Application IP Address:

Insert the following rule in your downloader/.htaccess file to whitelist an IP address for the downloader application. This is Apache 2.2 syntax (still accepted by Apache 2.4 through mod_access_compat); the native Apache 2.4 equivalent is a single line, Require ip xx.xx.xx.xx:

order deny,allow
deny from all
allow from xx.xx.xx.xx

5. For Nginx Web Server Users:

In most situations you will have to work with your hosting provider to restrict access to the admin, downloader and RSS locations.

If you have full access to the server, you can edit the Nginx configuration yourself, following the steps at https://www.nginx.com/resources/admin-guide/restricting-access/ or the examples below:

  • Whitelisting an admin panel IP Address:

Insert the following location block into your Nginx server configuration to whitelist an admin panel IP address. Regex locations are tried in the order they appear and the first match wins, so this block must come before the generic "location ~ \.php$" block; otherwise /index.php/admin/ is handed straight to the PHP handler and the deny never runs. One block covers /admin and /index.php/admin, with or without a trailing slash; replace "admin" if you have renamed the admin path.

location ~ ^/(index\.php/)?admin(/|$) {
    allow xx.xx.xx.xx;   # one allow line per whitelisted address
    deny all;
    try_files $uri $uri/ /index.php;
}

 

  • Whitelisting RSS feed IP Address:
# Place before the generic "location ~ \.php$" block: the first matching regex location wins.
location ~ ^/(index\.php/)?rss(/|$) {
    allow xx.xx.xx.xx;
    deny all;
    try_files $uri $uri/ /index.php;
}
  • Whitelisting Downloader Application IP Address:
# A ^~ prefix location is chosen over any regex location, so the deny cannot be skipped
# by requesting /downloader/index.php directly. Because it also shadows the generic PHP
# location, nest a "location ~ \.php$ { ... }" block with your fastcgi settings inside it;
# without one, nginx serves downloader/*.php to the whitelisted address as plain files.
location ^~ /downloader/ {
    allow xx.xx.xx.xx;
    deny all;
}
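Both the Apache rules in section 4 and the Nginx locations in section 5 stand or fall on two regular expressions: the path pattern that decides which requests are admin requests, and the address pattern in the whitelist condition. The script below is an added example written for this edit; it is not code from the Magento page or from Envision Ecommerce. It replays those regex tests with grep -E, comparing the loosely anchored forms in which these rules were widely published (^(index.php/)?admin/, which requires a trailing slash, and !^xx.xx.xx.xx, with unescaped dots and no end anchor) against anchored forms, and it can probe a deployed store from a host that is not whitelisted. The address 203.0.113.10 (an RFC 5737 documentation address) stands in for xx.xx.xx.xx, the list of request paths is constructed for the example, and the store URL handed to the probe is assumed. The Nginx patterns differ only by the leading slash and have the same trailing-slash gap.

```shell
#!/bin/sh
# Added example (not from the Magento page or Envision Ecommerce): replays the
# regex checks behind the admin whitelist rules and probes a live store.
set -f   # no pathname expansion: ADMIN_PATHS contains a "?"

# rule_matches PATTERN SUBJECT: true when the extended regex matches SUBJECT,
# which is how RewriteRule, RewriteCond and "location ~" evaluate their patterns.
rule_matches() {
    printf '%s\n' "$2" | grep -Eq -e "$1"
}

# Admin path patterns. In a root .htaccess, mod_rewrite matches the request path
# without its leading slash and without the query string.
LOOSE_ADMIN='^(index.php/)?admin/'         # as published: a trailing slash is required
TIGHT_ADMIN='^(index\.php/)?admin(/|$)'    # "admin" followed by a slash or end of path

# Address patterns for RewriteCond %{REMOTE_ADDR} !PATTERN. 203.0.113.10 is an
# RFC 5737 documentation address standing in for the real whitelisted address.
LOOSE_IP='^203.0.113.10'                   # unescaped dots, no end anchor
TIGHT_IP='^203\.0\.113\.10$'

# Constructed request paths: every one of these reaches the Magento 1 admin router.
ADMIN_PATHS='/admin/ /admin /index.php/admin/ /index.php/admin /admin?next=1'

# path_blocked PATTERN PATH: true when the RewriteRule would answer 403.
path_blocked() {
    p=${2#/}          # per-directory context: no leading slash
    p=${p%%\?*}       # the query string is not part of the tested path
    rule_matches "$1" "$p"
}

# whitelisted PATTERN ADDR: true when the negated RewriteCond is NOT satisfied,
# i.e. the 403 rule is skipped and ADDR is treated as a whitelisted client.
whitelisted() {
    rule_matches "$1" "$2"
}

# bypass_count PATTERN: prints how many of ADMIN_PATHS the pattern fails to block.
bypass_count() {
    n=0
    for p in $ADMIN_PATHS; do
        path_blocked "$1" "$p" || n=$((n + 1))
    done
    echo "$n"
}

# probe BASE_URL: run from a host that is NOT whitelisted once the rules are live.
# Every protected path must answer 403; a 200, or a 302 to the login page, means the
# rule did not fire for that path. Returns 1 if any path is not blocked.
probe() {
    rc=0
    for p in $ADMIN_PATHS /rss/ /rss /index.php/rss/ /downloader/ /downloader/index.php; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$1$p")
        printf '%s  %s\n' "$code" "$p"
        [ "$code" = 403 ] || rc=1
    done
    return $rc
}

if [ -n "${1:-}" ]; then
    probe "$1"     # e.g. sh check_admin_rules.sh https://store.example (assumed URL)
else
    echo "admin paths bypassing the published pattern: $(bypass_count "$LOOSE_ADMIN")"
    echo "admin paths bypassing the anchored pattern:  $(bypass_count "$TIGHT_ADMIN")"
    for a in 203.0.113.10 203.0.113.100 203.0.113.109; do
        if whitelisted "$LOOSE_IP" "$a"; then echo "$a passes the published address check"; fi
        if whitelisted "$TIGHT_IP" "$a"; then echo "$a passes the anchored address check"; fi
    done
fi
```

Run without arguments it reports that three of the five admin paths (/admin, /index.php/admin and /admin?next=1) slip past the published pattern and none past the anchored one, and that 203.0.113.100 and 203.0.113.109 satisfy the published address check while only 203.0.113.10 satisfies the anchored one. On shared hosting a neighbour in the same /24 is exactly who such an unanchored check admits. Run with the store URL as its only argument, from an address that is not whitelisted, it lists the HTTP status of every protected path.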
  • Completely Block or Remove the RSS and Downloader:

If you do not use the RSS feeds or the downloader, it is best to block or remove them entirely.

If you never install or update extensions on your production server, or you manage files with a version control system, you can delete the downloader folder altogether or block access to it. The RSS feeds cannot be deleted, so they have to be blocked with the rules below.

  • For Apache Server Users:

Insert the following into your downloader/.htaccess file to block access to the downloader application (Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead):

deny from all

To block access to the RSS feeds, insert the following rule in your root .htaccess file (inside <IfModule mod_rewrite.c>); it answers 403 for /rss and /index.php/rss with or without a trailing slash:

RewriteRule ^(index\.php/)?rss(/|$) - [L,R=403]
  • For Nginx Web Server Users:

In most situations you will have to work with your hosting provider to restrict access to the downloader and RSS locations.

If you have full access to the server, you can edit the Nginx configuration yourself as follows:

  • Insert the following rule into your Nginx configuration to block the downloader application entirely. The ^~ prefix match takes precedence over regex locations, so /downloader/index.php is denied as well rather than being picked up by the PHP handler:

location ^~ /downloader/ {
    deny all;
}
  • Insert the following rule into your Nginx configuration to block the RSS feeds. Regex locations are tried in order, so it must come before the generic "location ~ \.php$" block:

location ~ ^/(index\.php/)?rss(/|$) {
    deny all;
}
  • Admin Panel & Magento Connect Manager Location Alteration

The admin panel and Magento Connect Manager (downloader) are both entry points that attackers use for brute force attacks. Moving them to non-default locations reduces your exposure to generic attacks that hit the default paths, but it does not protect you against a targeted attacker who tries to guess the new location with a large number of requests.

Check with your hosting provider before applying these changes, since some providers apply security rules that only cover the default locations. If you do not need to install extensions from Magento Connect, delete the downloader directory or block access to it entirely instead of renaming it.

  • Change the Name of the Admin Panel (for Magento 1 Merely):

Here are the steps to change the name of the admin panel:

1)    Log in to the admin panel.

2)    Navigate to System > Cache Management (you will flush the cache from here in step 5).

3)    Edit the file app/etc/local.xml in your Magento installation.

4)    Change the value of the frontName node under admin > routers > adminhtml > args (the default value is admin). Any web server rule that matches "admin", such as the whitelisting rules above, must be changed to the new name too.

5)    Flush the cache and log out.

6)    Log in again via the new URL.
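The six steps above edit one XML node by hand. The script below is an added example written for this edit, not code from the Magento page, from Envision Ecommerce or from Magento itself: it makes the same change to app/etc/local.xml from the shell, refuses a front name containing anything other than letters, digits, "-" and "_", insists on finding exactly one frontName node before touching the file, and writes the result through a temporary file so a failed edit cannot leave local.xml truncated. The local.xml it generates for the demonstration is constructed to mirror the <admin> block of Magento 1's default template; the file path and the new name backend-a7f3 are assumptions. The cache still has to be flushed afterwards, and any .htaccess or Nginx rule that matches "admin" has to be updated to the new name.

```shell
#!/bin/sh
# Added example (not from the Magento page, Envision Ecommerce or Magento): rename
# the Magento 1 admin front name in app/etc/local.xml from the shell.

# current_admin_frontname FILE: prints the value inside <frontName><![CDATA[...]]>.
current_admin_frontname() {
    sed -n 's#.*<frontName><!\[CDATA\[\([^]]*\)]]></frontName>.*#\1#p' "$1"
}

# set_admin_frontname FILE NEWNAME: rewrites the frontName node and prints the new
# value. Fails without touching FILE if NEWNAME contains characters that are not safe
# in a URL path segment, or if FILE does not contain exactly one frontName node.
set_admin_frontname() {
    file=$1
    new=$2
    case $new in
        ''|*[!A-Za-z0-9_-]*)
            echo "refusing front name '$new': use letters, digits, '-' and '_' only" >&2
            return 1 ;;
    esac
    count=$(grep -c '<frontName><!\[CDATA\[' "$file" || true)
    if [ "$count" != 1 ]; then
        echo "expected exactly one frontName node in $file, found $count" >&2
        return 1
    fi
    # Edit through a temporary file so a failed sed cannot leave local.xml truncated.
    sed "s#<frontName><!\[CDATA\[[^]]*]]></frontName>#<frontName><![CDATA[$new]]></frontName>#" \
        "$file" > "$file.tmp" || return 1
    mv "$file.tmp" "$file" || return 1
    current_admin_frontname "$file"
}

# write_sample_local_xml FILE: constructed stand-in for app/etc/local.xml, mirroring
# the <admin> block of Magento 1's default local.xml (real files carry more settings).
write_sample_local_xml() {
    cat > "$1" <<'EOF'
<?xml version="1.0"?>
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
EOF
}

# Usage: sh rename_admin.sh app/etc/local.xml backend-a7f3   (path and name assumed).
# Afterwards flush the cache (System > Cache Management, or delete var/cache/* in the
# Magento root), log out, log in at /backend-a7f3, and update any .htaccess or Nginx
# rule that still matches "admin".
if [ $# -eq 2 ]; then
    set_admin_frontname "$1" "$2"
fi
```

The character check matters because the front name becomes part of every admin URL and of the web server rules that protect it; a name with a slash, space or dot would silently break both. Checking for exactly one frontName node guards against a local.xml that has been hand-edited into an unexpected shape, which is better refused than half-edited.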

  • Change the Name of Magento Connect Manager (or Downloader) (For Magento 1 Merely)

This is another effective option, but once Magento Connect Manager has been renamed it can no longer be opened from the Magento admin panel; it must be opened directly via its new URL.

To rename Magento Connect Manager, rename the "downloader" folder in your Magento root to something distinctive.

6. Advanced/Alternate Scenarios Use Cases:

In some situations it is impractical to restrict access to a fixed set of IP addresses, particularly when the admin panel must be reached by many users from many locations. Alternatives for such cases:

  • A VPN tunnel, set up with your hosting provider, so that the admin locations are only reachable from inside it.
  • Two-factor authentication, for instance the extension described at https://www.nexcess.net/resources/plugins/sentry-two-factor-authentication-magento (you still need to block or restrict access to /rss and /downloader).
  • Adaptive request filtering, or an intrusion prevention tool such as Fail2Ban, which reads the server logs and temporarily bans addresses that produce repeated failures.

We at Envision Ecommerce have dealt with Magento security since we entered the Magento industry. There are many ways to protect your store against brute force password guessing; examine them and pick the one that suits your store's situation. If you have a question or suggestion, write it in the comments below.

Source: https://magento.com/security/best-practices/protect-your-magento-installation-password-guessing-new-update