The Magento back end of a webshop is normally reached through URLs ending in /admin and /downloader. If the Magento management interface (the back end of your Magento shop) is reachable through the default /admin URL (for example yourdomain.com/admin/), the probability of brute force attacks is higher: an attacker already knows where the login form is and only has to guess the password. If your password is not sufficiently long or strong, it can be guessed relatively easily in due course. In addition, the server often lacks the capacity to absorb a brute force attempt: every login attempt is a PHP request, so a flood of them leads to problems such as a slow website or even a crashed server, meaning that your shop is no longer accessible. This article explains how to protect your Magento shop against brute force attacks.

Because of the nature of the problem, the article below is written in English. With an English-language article we hope to offer shop owners from all over the world a how-to for solving the problem and properly securing their shop. An explanation in Dutch can be found in the article Magento beschermen tegen een Brute force aanval (NL).

How do I change the /admin URL?

You need SSH access to modify your admin URL (the admin slug) in app/etc/local.xml; afterwards you need to flush the cache. Change the slug into something you can easily remember but that others cannot guess, and use enough characters: the shorter the URL, the easier a target it is for brute force attacks (so do not use /login or /magento). Keep in mind that a renamed admin URL only hides the login form; it does not replace a strong password.

  1. Log into the server over SSH.
  2. Open the file app/etc/local.xml in the web root.
  3. Change the URL / admin slug: the value of the frontName element under admin → routers → adminhtml → args.
  4. Flush your cache in the back end through: System → Cache Management.
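The four steps above, carried out from the SSH session as an added example (this is not code from the original article or from Magento). It assumes the stock Magento 1 layout of local.xml (admin → routers → adminhtml → args → frontName); the minimum length of 12 characters and the list of rejected slugs are this example's own choices, and the sample local.xml at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: change the Magento 1 admin slug (the <frontName> in
# app/etc/local.xml) from the shell, with the checks the article asks for:
# long enough, URL-safe and not one of the guesses a brute force tool tries
# first. Assumes <admin><routers><adminhtml><args><frontName>...</frontName>.

# Reject empty slugs, slugs with characters that do not belong in a URL
# segment (also keeps the sed replacement below safe), obvious guesses, and
# anything shorter than 12 characters (length limit is this example's choice).
validate_slug() {
    slug="$1"
    case "$slug" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
        admin|login|magento|backend|administrator|manage|manager) return 1 ;;
    esac
    [ "${#slug}" -ge 12 ]
}

# Print the slug currently configured in local.xml (with or without CDATA).
current_slug() {
    grep -o '<frontName>.*</frontName>' "$1" |
        sed 's#<frontName>##; s#</frontName>##; s#<!\[CDATA\[##; s#\]\]>##'
}

# Rewrite the frontName, keep a .bak copy, and confirm the change landed.
# The cache still has to be flushed afterwards (System → Cache Management,
# or "n98-magerun cache:flush" on the command line).
set_admin_slug() {
    xml="$1"
    slug="$2"
    validate_slug "$slug" || { echo "refusing weak admin slug: $slug" >&2; return 1; }
    grep -q '<frontName>' "$xml" || { echo "no <frontName> element in $xml" >&2; return 1; }
    cp "$xml" "$xml.bak" || return 1
    tmp=$(mktemp) || return 1
    # $slug passed validate_slug, so it contains no '#', '&' or backslash.
    sed 's#<frontName>.*</frontName>#<frontName><![CDATA['"$slug"']]></frontName>#' "$xml" > "$tmp" \
        && mv "$tmp" "$xml" || { rm -f "$tmp"; return 1; }
    [ "$(current_slug "$xml")" = "$slug" ] || { echo "rewrite failed, restore from $xml.bak" >&2; return 1; }
    echo "admin URL is now /$slug/ (flush the cache to activate it)"
}

# Constructed sample local.xml for the demo; a real file also holds the
# database and crypt key settings, which the sed above leaves untouched.
write_sample_local_xml() {
    cat > "$1" <<'EOF'
<?xml version="1.0"?>
<config>
  <admin>
    <routers>
      <adminhtml>
        <args>
          <frontName><![CDATA[admin]]></frontName>
        </args>
      </adminhtml>
    </routers>
  </admin>
</config>
EOF
}

# Demo on a throwaway copy; on a real shop run: set_admin_slug app/etc/local.xml <slug>
demo_dir=$(mktemp -d)
write_sample_local_xml "$demo_dir/local.xml"
echo "before: /$(current_slug "$demo_dir/local.xml")/"
set_admin_slug "$demo_dir/local.xml" "login" || true          # rejected: common guess
set_admin_slug "$demo_dir/local.xml" "k7Qp-backoffice-2x9"    # accepted
```

The slug is only accepted if it survives the character and length checks, which is also what makes the sed replacement safe; the .bak copy lets you roll back if the new URL does not work after the cache flush.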

How do I secure the /downloader and /rss/catalog URLs?

Magento uses /downloader, the Magento Connect Manager, to install extensions. Because this is a standard Magento URL with its own login form, it is an easy target for brute force attacks. We recommend that you either rename the folder or remove it altogether and use N98-Magerun to install modules instead. If you do not want to rename or remove the folder, restrict the directory so that only specific IP addresses can request it. We also see a lot of brute force attacks on the /rss/catalog URL, which also accepts admin credentials, so we recommend securing that URL too.

Magento Dedicated hosting (Apache)

If your shop runs on a dedicated Magento server (Apache), allowing only specific IP addresses can be done in a .htaccess file with the following directives:

order deny,allow
deny from all
allow from x.x.x.x

Replace x.x.x.x with the IP address you want to allow, with one allow line per address or range. Put this .htaccess file in the /downloader folder. Note that these directives are the Apache 2.2 syntax (mod_authz_host); on Apache 2.4 the equivalent is the Require ip directive, so check which version your server runs.

Because the RSS endpoint is reachable under several paths, it is generally not possible to filter it with plain Apache access control (without using mod_rewrite). In that case, upgrade to at least Magento 1.9.3 and disable RSS (System → Configuration → Catalog → RSS Feeds).

Hypernode (Nginx)

Create a file called server.downloader in the Nginx folder (/data/web/nginx) that contains:

location /downloader/ {
    allow x.x.x.x;
    deny all;

    location ~ \.php$ {
        echo_exec @phpfpm;
    }
}

Replace x.x.x.x with the IP address you want to allow; add one allow line per address or range. The deny all line rejects every other address with a 403, and the nested location keeps passing PHP requests from the allowed addresses to PHP-FPM. This secures the /downloader URL.

And do the same for the /rss/catalog URL. Create a file called server.rss in the Nginx folder (/data/web/nginx) that contains:

location /rss/catalog {
    allow x.x.x.x;
    deny all;

    location ~ \.php$ {
        echo_exec @phpfpm;
    }
}

Amasty Improved Layered Navigation (Magento 1)

Do you have a Magento 1 shop and do you use the Amasty extension? You may be open to brute force attacks if a vulnerable version of the Improved Layered Navigation plugin is installed, because it exposes an admin login through a storefront path. Visit the path /amshopby/adminhtml_filter (e.g. www.example.com/amshopby/adminhtml_filter) and check whether you are redirected to your admin login page. If so, follow the instructions above to restrict access to this path as well.
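The Hypernode (Nginx) files above for /downloader and /rss/catalog, and the same restriction for the Amasty path, all follow one pattern: a list of allowed addresses, deny all, and the nested PHP location. The script below generates such a file for any path, as an added example that is not code from the original article or from Hypernode. It assumes the Hypernode convention of server.<name> files in /data/web/nginx (overridable through NGINX_DIR for testing) and the @phpfpm named location shown on the page; the addresses in the demo are constructed from the documentation ranges. It goes beyond the page in one respect: every address is checked before it is written, because a typo such as 0.0.0.0/0 or a stray ";" in an allow line would otherwise open the location to everyone.

```shell
#!/bin/sh
# Added example: generate the Nginx allow/deny files the article describes
# (server.downloader, server.rss, and one for /amshopby/adminhtml_filter),
# with one allow line per address or CIDR range and a sanity check on each.
# Assumes Hypernode's /data/web/nginx/server.<name> layout and @phpfpm.

# Accept only an IPv4 address or IPv4 CIDR with a prefix of 1..32.
# /0 is refused on purpose: it would allow the whole internet.
valid_ipv4() {
    addr="${1%%/*}"
    mask="${1#*/}"
    [ "$mask" = "$1" ] && mask=32                  # no slash: single host
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    [ "$mask" -ge 1 ] 2>/dev/null && [ "$mask" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    for octet in $addr; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    return 0
}

# Emit one location block: explicit allow lines, deny everything else, and
# pass PHP for the allowed addresses through to the @phpfpm named location.
# All input is validated before anything is printed, so a failure never
# leaves a half-written block behind.
render_location() {
    path="$1"; shift
    case "$path" in
        /*) ;;
        *) echo "render_location: path must start with /" >&2; return 1 ;;
    esac
    case "$path" in
        *[!A-Za-z0-9_./-]*) echo "render_location: unsafe characters in path '$path'" >&2; return 1 ;;
    esac
    [ $# -ge 1 ] || { echo "render_location: need at least one address to allow" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "render_location: rejected address '$ip'" >&2; return 1; }
    done
    printf 'location %s {\n' "$path"
    for ip in "$@"; do
        printf '    allow %s;\n' "$ip"
    done
    printf '    deny all;\n\n'
    printf '    location ~ \\.php$ {\n        echo_exec @phpfpm;\n    }\n}\n'
}

# Write the block to server.<name> in the Nginx folder, via a temp file so
# Nginx never sees a partially written config.
write_hypernode_rule() {
    name="$1"; path="$2"; shift 2
    dir="${NGINX_DIR:-/data/web/nginx}"
    tmp=$(mktemp) || return 1
    render_location "$path" "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 644 "$tmp" && mv "$tmp" "$dir/server.$name" && echo "wrote $dir/server.$name"
}

# Demo: the three paths from the article with constructed documentation-range
# addresses. Real use: write_hypernode_rule downloader /downloader/ <your IP>
for p in /downloader/ /rss/catalog /amshopby/adminhtml_filter; do
    render_location "$p" 203.0.113.7 198.51.100.0/24
    echo
done
```

After writing a file, verify the result from an address that is not on the list: a request to the path should now return 403, while the shop itself stays reachable.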
