The Magento Security Team has published a list of steps to prevent brute-force attacks. How effective are they, and will non-tech-savvy users be able to implement them?
In the past couple of weeks the Magento community has noticed increased attempts to break into Magento webshops using so-called brute force attacks: automatically trying different username and password combinations until the right one is guessed. Some of these attacks have resulted in unauthorized admin panel access, and several agencies have reported shops compromised this way. That motivated the Magento Security Team to release a list of recommended steps to protect your store against password guessing.
Although we commend the Magento Security Team for finally directing attention to brute force attacks and password guessing, we feel that many of the methods described are either too complicated for a regular user or not effective enough. Below we outline the problem with each recommended step and offer an alternative solution.
Besides the essential ways of making your store more secure, such as using a strong, hard-to-guess password, choosing a less common admin username than "admin" and installing all security patches, Magento recommends the following additional measures.
Changing the Location of Admin Panel and Magento Connect Manager
The Admin Panel and Magento Connect Manager are both access points to your Magento backend. If they sit at their default locations, an attacker can launch a brute force attack without any reconnaissance. Even with a strong password these attacks are a problem, because the flood of login requests exhausts the server's resources. So the recommendation is to change the default Admin Panel location (/admin) to something custom and hard to guess, and likewise the default Magento Connect Manager location (/downloader). You will find a setting for this in System Config in the Magento Admin Panel, but DON'T use it. Why? Because it has never worked properly, and it has been known to cause severe problems.
Changing the name of the Admin Panel
The only way Magento allows you to change your Admin Panel location is by editing the local.xml configuration file. This works, but it is definitely not the easiest way to do it, especially if you are not comfortable editing files on the server.
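For readers who want to see what that file edit actually looks like, this is the shape of the change (an added illustration written for this post, not taken from the original article or from Magento's own guide). In Magento 1 the admin front name lives under admin/routers/adminhtml/args in app/etc/local.xml; the value `example-backend-x7q` is a placeholder, pick your own:

```xml
<?xml version="1.0"?>
<config>
    <global>
        <!-- existing database, crypt key and cache settings stay as they are -->
    </global>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <!-- Replaces the default "admin" in yourstore.example/admin.
                         Placeholder value: choose something nobody can guess. -->
                    <frontName><![CDATA[example-backend-x7q]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
```

Keep a copy of the original local.xml before editing, flush the cache afterwards, and then check from a browser that the old /admin URL no longer shows the login form while the new path does. If the new path fails to load, restoring the backup from the shell is the only way back in, which is exactly why this step is awkward for a non-developer.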
Changing the name of Magento Connect Manager
Magento Connect Manager is another access point to the Magento backend. Magento recommends renaming the "downloader" folder, but the method described will most likely break Magento Connect Manager functionality in the backend.
Protecting Admin Panel the easy way
At Extensions Mall we are very aware of the risk that these two weak points pose, so we have developed the simplest and most effective way to protect both the Admin Panel and Magento Connect Manager. With our security extension you can do this from the backend simply by entering the desired custom location in a field, and you can continue to use Magento Connect Manager from the backend as usual.
The Magento Security Team also recommends restricting admin access to specified IP addresses only. Admin access points include /downloader, the admin panel and the admin RSS feeds. Setting this up means editing the .htaccess file on Apache, or the server configuration itself on Nginx, which requires full access to your server. It is also only a good solution if you always access the admin panel from the same location or computer. If your connection has a dynamic IP address, or you access the backend from a mobile device, this kind of IP whitelisting might not work for you.
The Extensions Mall team has approached this problem from a completely different angle.
Rather than restricting access, which can be very inconvenient, we concentrated on building an intrusion detection system into our security extension. Instead of trying to block everyone and everything, we make sure you are always informed of what is going on in your Magento installation. The extension scans your system on a regular basis and detects changes in your files and code, records every admin login, logs all changes made by admin users, and detects unauthorized admin users injected into the database. And of course it notifies you about all of this by email.
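For readers who do want to try the IP restriction, this is what the Apache side looks like (an added illustration for this post, not from the original article or the Magento guide). The addresses 203.0.113.10 and 198.51.100.0/24 are placeholders, `example-backend-x7q` stands for whatever custom admin front name you use, and the syntax is Apache 2.4; on Apache 2.2 the equivalent of `Require ip` is `Order deny,allow` / `Deny from all` / `Allow from ...`:

```apache
# downloader/.htaccess: Magento Connect Manager is a real directory on disk,
# so a plain directory-level rule is enough.
Require ip 203.0.113.10 198.51.100.0/24

# Document-root .htaccess: the admin panel is routed through index.php rather
# than a directory, so match the request path instead and refuse everything
# except the allowed addresses. Append after the existing "RewriteEngine on".
RewriteCond %{REQUEST_URI} ^/(example-backend-x7q|downloader)(/|$) [NC]
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.
RewriteRule ^ - [F]
```

Test it first from an address that is not on the list (you should get a 403), and make sure REMOTE_ADDR really is the visitor's address: behind a CDN or reverse proxy it is the proxy's IP, and the rule then blocks either everyone or no one. That, together with the dynamic-IP problem above, is why this approach suits a fixed office connection far better than a store owner on the move.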
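The file-change detection described above boils down to a baseline of file hashes and a later comparison. The script below is an added example written for this post; it is not the extension's code and makes no claim about how the extension works internally. It builds a small constructed directory tree standing in for a Magento install, skips the `var/` and `media/` directories that legitimately change all the time (which directories to skip is an operator's choice), and reports what was added, removed or modified:

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Directories Magento rewrites constantly (cache, sessions, uploads); hashing them
# would drown real changes in noise. Which ones to skip is a choice for the operator.
SKIP_TOP_LEVEL = ("var", "media")


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root, skip_top_level=SKIP_TOP_LEVEL):
    """Map relative path -> sha256 for every file under root, minus the skipped dirs."""
    root = Path(root)
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if Path(dirpath) == root:
            # prune in place so os.walk never descends into the volatile directories
            dirnames[:] = [d for d in dirnames if d not in skip_top_level]
        for name in filenames:
            full = Path(dirpath) / name
            hashes[full.relative_to(root).as_posix()] = hash_file(full)
    return hashes


def diff_snapshots(baseline, current):
    """Classify every path as added, removed or modified between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed mini store tree: take a baseline, then change it the way a compromise would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "index.php": "<?php require 'app/Mage.php';\n",
            "app/etc/local.xml": "<config/>\n",
            "var/cache/mage--0": "cache entry\n",
        }
        for rel, content in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        baseline = snapshot(root)

        # A line appended to a core file and a new PHP file dropped into a web-reachable
        # directory should both be reported; churn under var/ should not.
        (root / "index.php").write_text(files["index.php"] + "// unexpected extra line\n")
        (root / "skin").mkdir()
        (root / "skin" / "unexpected.php").write_text("<?php // file that was never deployed\n")
        (root / "var/cache/mage--0").write_text("cache entry rewritten\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())  # {'added': ['skin/unexpected.php'], 'removed': [], 'modified': ['index.php']}
```

The baseline only means something if it was taken from a known-good install and stored somewhere the web server user cannot write, otherwise an intruder who can edit index.php can edit the baseline too.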
Fail2Ban Adaptive Filtering Software
Adaptive filtering, or an intrusion prevention system, blocks repeated failed login attempts; Fail2Ban does this by reading the web server logs and temporarily firewalling the offending IP addresses. However, this can be tricky to implement and requires full access to your server, which a shared hosting provider will probably be reluctant to give you. Also, the configuration shown in the Magento article is not guaranteed to work for everyone.
Instead of installing Fail2Ban, Extensions Mall has developed a way to set up brute force blocking from the backend. Our security extension lets you set the number of failed login attempts after which the source IP address is banned, and the duration of the ban. You will also be notified by email about every banned IP address, so you can see where the cyber-burglar is coming from. How awesome is that?
Finally, the Magento Security Team recommends that you consult your developers and hosting provider to implement the methods best suited to you. Which basically means: "If you are not 100% sure what you are doing, don't touch it, you might break it."
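To make concrete what "N failed attempts, then a ban of a given length" means, here is that logic run over a few login-audit lines. This is an added example written for this post, not the extension's code and not Fail2Ban's; the log format, the thresholds and the addresses are all constructed for the demo, and Magento does not write admin logins in this format out of the box:

```python
import re
from collections import defaultdict, deque

# Thresholds are assumptions for this example; tune them to the store's real traffic.
MAX_FAILURES = 5      # failed logins allowed inside the window before a ban
WINDOW_SECONDS = 600  # only failures in the last 10 minutes count towards the limit
BAN_SECONDS = 3600    # how long a banned source IP stays blocked


class BruteForceGuard:
    """Sliding-window failed-login counter with temporary bans, keyed on source IP."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, ban=BAN_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.ban = ban
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> epoch second at which the ban expires

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]  # ban has expired, let the IP try again
            return False
        return True

    def record(self, ip, success, now):
        """Feed one login attempt. Returns True if this attempt triggered a new ban."""
        if self.is_banned(ip, now):
            return False
        if success:
            self.failures.pop(ip, None)  # a successful login resets the counter
            return False
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.banned_until[ip] = now + self.ban
            self.failures.pop(ip, None)
            return True
        return False


# Constructed audit lines for the demo: "<epoch> <FAIL|OK> <source ip> <username>".
LINE_RE = re.compile(r"^(\d+) (FAIL|OK) (\S+) (\S+)$")
SAMPLE_LOG = """\
1000 FAIL 203.0.113.5 admin
1010 FAIL 203.0.113.5 admin
1020 FAIL 203.0.113.5 administrator
1030 FAIL 203.0.113.5 root
1040 FAIL 203.0.113.5 manager
1050 FAIL 203.0.113.5 admin
1100 FAIL 198.51.100.7 admin
1200 OK 198.51.100.7 store_owner
1300 FAIL 198.51.100.7 admin
2000 FAIL 192.0.2.9 admin
2300 FAIL 192.0.2.9 admin
2600 FAIL 192.0.2.9 admin
2900 FAIL 192.0.2.9 admin
3200 FAIL 192.0.2.9 admin
"""


def replay(log_text, guard=None):
    """Run the guard over audit lines; returns the bans issued and the attempts refused."""
    guard = guard or BruteForceGuard()
    bans = []     # (ip, epoch second the ban started)
    refused = 0   # attempts rejected because the source was already banned
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ts, outcome, ip, _user = match.groups()
        now = int(ts)
        if guard.is_banned(ip, now):
            refused += 1
            continue
        if guard.record(ip, outcome == "OK", now):
            bans.append((ip, now))
    return {"bans": bans, "refused": refused, "guard": guard}


if __name__ == "__main__":
    result = replay(SAMPLE_LOG)
    print("banned:", result["bans"])                    # [('203.0.113.5', 1040)]
    print("refused while banned:", result["refused"])   # 1
```

In the sample, 203.0.113.5 hits the fifth failure at second 1040 and is banned for an hour, so its sixth attempt is refused; 198.51.100.7 has its counter cleared by a successful login; and 192.0.2.9 spreads five guesses over twenty minutes, so the sliding window never holds more than three of them and no ban is issued, which is the point of the window. Two caveats for any per-IP ban: the address must be the real client address (behind a CDN or reverse proxy every visitor shares the proxy's IP and a single attacker can get everyone banned), and an attacker who rotates through many addresses stays under the threshold on each one, so the ban complements a strong password and a hidden admin path rather than replacing them.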
What can I do to protect my Magento if I am not a developer?
Extensions Mall has been dealing with ecommerce security for a while. After seeing a lot of complaints about various security issues, we felt the need to create a comprehensive security solution for Magento that store owners can configure and manage by themselves. Our module makes implementing most of the measures described above, such as changing the Admin Panel location, much easier and more straightforward. It also offers an effective and simple alternative to the rest, and lets you monitor all changes in your system without going through everything manually. You can see a detailed description of all the features on the MageFence page. If you have any questions or suggestions, you can write in the comments below.