Magento security best practices 2015

1www.nbs-system.com 1
Magento Security
Best practices 2015
Q4 2015
Grow your business safely
http://goo.gl/MFpBWS

2www.nbs-system.com 2www.nbs-system.com
e-Commerce: the 60% rules
• >60% of web traffic is non-human
• >60% of attempts to steal databases target e-Commerce sites
• >60% of growth for identity theft over three years
• A 2012 study showed Retailer websites are at risk 328 days/year
• An IP address is scanned around 40 times per day

The triple loot

A different time scale
Seconds Minutes Hours Days Weeks Months Years
Time between
compromising and
discovery of it
Time between attack
launch and
compromising
Statistics made based on large corporations in 2012 (Verizon Databreach report)

A *very* bad year
www.nbs-system.com

A *very* bad year#@%

It all started with a big #fail (Shoplift)#@%

It all started with a big #fail (RSS orders)#@%

It all started with a big #fail (Magmi)#@%

Other “SUrPrEEses#@%

Magento cache leak#@%

But there were other before
www.nbs-system.com

Did you took care of the previous ones?#@%

The PayPal / Magento integration flaw (by NBS)

NBS System will release a new vulnerability soon

Or even the one that were not Magento specific?#@%

PHP: two versions behind, really?
88% are outdated and not
supported anymore…
No security fixes.
(and +12% to +40%
performances to gain)
PHP versions in use, in our parc:

Easily exploitable things beyond
classical vulnerabilities
www.nbs-system.com

Magento Support giving dangerous advices
• “Chmod 777 your document root…” *REALLY* ?
• “Magento is not compatible with Reverse proxies.” *Woot* ?
• “Give me your root password so we can look” *NO KIDDING*?
• Etc…
When Magento support is being creative…
Don’t go to a car dealer to fix a bad tooth…

 Leaving your logs accessible, especially Debug one
 Leaving payment gateway logs accessible to all
 Not hiding Magento, PHP, Apache versions
 Use a minimum of unaudited extensions, a lot are BAD
 Weak passwords, along with no locking policies are a plague
Classical mistakes that cost…

 Leaving import/export scripts, reindexers, crontabs accessible
 Try calling pages that load very slowly
 Access directly the API to import / export
 Etc.
Applicative level D.o.S attacks

Securing Magento Flaws
www.nbs-system.com

Securing Magento flaws
• Update to versions CE > 1.9 or EE > 1.14.1
• Use PHP 5.6
• Shoplift, Magmi, XML-RPC-XEE : filter the access with a
.htaccess file (or an nginx rule)

Securing recent flaws
Example with Magmi (using Apache)
RewriteCond %{REQUEST_URI} ^/(index.php/)?magmi/ [NC]
RewriteCond %{REMOTE_ADDR} !^192.168.0.1
RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]
Example with Magmi (using Nginx)
location ~* ^/(index.php/)?magmi {
allow 192.168.0.1;
deny all;
location ~* .(php) {
include fastcgi_params; } }

Protect your backoffice & updater
Example using Apache
<Location /wp-admin>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/apache2/access/htpasswd
Require valid-user
Order deny,allow
Allow from [MY_IP]
Satisfy any
</Location>
Then, just add a user:
htpasswd –c /etc/apache2/access/htpasswd [user]

Leveraging native Magento security
• Use HTTPS in Backoffice & order tunnels access
• Change your backoffice default URL
• Do *NOT* use a weak password (no « tommy4242 » is not safe)
• Put some limits to number of failed login attempts
• Put a password expiration time and change it every 3 months
• Enforce use of case sensitive password
• Disable email password recovery

Securing Web application
www.nbs-system.com

Organizational security
• Get a security review
• Keep track of vulnerabilities on Magento ecosystem
• Have serious passwords, change them every 3 months
• Do not keep informations unless they are needed
• Pick a PCI/DSS certified hosting company
• Use 3D secure
• Keep up to date versions of Magento & PHP

Infrastructure security
• Keep a daily backup
• Use a WAF, NAXSI is opensource, free and stable
• Put rate limits on your Reverse Proxies
• Filter your outgoing trafic
It’s the job of your managed services provider.

Host level security
• Change default backoffice URL
• Disable directory indexing
• Have correct permissions : file=644, directory=755
• No follow, no index on preprod
• Use the best practices mentioned before
It’s the job of your managed services provider.

High end security
www.nbs-system.com

34www.nbs-system.com
Hardware
Operating system
Network
Applicative stack
Database
Website
Humans
Motivating wages
Equipe SOC
Security trainings
Background checks
N.A.X.S.I (web application firewall)
ReqLimit (Anti applicative DoS)
ExecVE killer
File Upload checker
PHP Suhosin V2
App scan
Threadfix virtual patching
MySQL Interceptor
PHP Suhosin V2
Daemon hardening
Anti DDoS
Isolated Vlans
Firewalling
PAX
GrSec
Watch Folder
PHP Malware finder
Redundant hardware
Redundant datacenters
Redundant data storage
Redundant telecom uplinks
Log central
Security Event
Manager
Flex Dynamic
Firewall
Ban Commander
9
CerberHost

35www.nbs-system.com
Contact
Grow your business safely
contact@nbs-system.com
+33.1.58.56.60.80
www.nbs-system.com
Twitter : @nbs_system
www.nbs-system.com

Magento security best practices 2015

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Magento security best practices 2015

Similar to Magento security best practices 2015 (20)

Recently uploaded

Recently uploaded (20)

Magento security best practices 2015