Post by werepair » Sun May 20, 2012 4:18 pm

if you want to secure the admin with .htaccess and you have a fixed ip address create a .htaccess file like below

<Files *.*>
Order Deny,Allow
Deny from all
allow from "put your ip address here"
</Files>

then put your .htaccess in your admin or renamed admins folder if you have renamed it you will then be the only person that can login to your admins back end. (if your ip changes then change the ip address in the file or you will get page not found error) ;)

Note you can still use this if you dont have a fixed ip address!! but you will have to change the ip address in this file when your ip changes.

regards

User avatar
Active Member

Posts

Joined
Sat May 28, 2011 2:54 pm
Location - United Kingdom

Post by krokodylowy3 » Sun May 20, 2012 10:16 pm

Qphoria wrote:[
This is interesting.. we've been looking for a better way to handle that cookie domain issue so I will look into this
Maybe this help also.
In OC 1.5.2.2 cookies are incorrectly handled. Cookies are not set if HTTP_HOST contains port or is virtual host.

Instead setcookie like
setcookie('language', $code, time() + 60 * 60 * 24 * 30, '/', $request->server['HTTP_HOST']);
should be
setcookie('language', $code, time() + 60 * 60 * 24 * 30, '/',$_SERVER['SERVER_NAME']);

SERVER_NAME doesn't contain port part.

Newbie

Posts

Joined
Fri May 18, 2012 2:39 am

Post by Nimitz1061 » Tue May 22, 2012 10:36 pm

krokodylowy3 wrote:
Qphoria wrote:[
This is interesting.. we've been looking for a better way to handle that cookie domain issue so I will look into this
Maybe this help also.
In OC 1.5.2.2 cookies are incorrectly handled. Cookies are not set if HTTP_HOST contains port or is virtual host.

Instead setcookie like
setcookie('language', $code, time() + 60 * 60 * 24 * 30, '/', $request->server['HTTP_HOST']);
should be
setcookie('language', $code, time() + 60 * 60 * 24 * 30, '/',$_SERVER['SERVER_NAME']);

SERVER_NAME doesn't contain port part.
The recommended change also uses an unfiltered input. Shouldn't make any difference in theory - but a bad habit nonetheless.

David

Specializing in secure Hosting 4 OpenCart based eCommerce websites.


New member

Posts

Joined
Sat Mar 24, 2012 7:49 pm
Location - United States

Post by Nimitz1061 » Tue May 22, 2012 10:40 pm

werepair wrote:if you want to secure the admin with .htaccess and you have a fixed ip address create a .htaccess file like below

<Files *.*>
Order Deny,Allow
Deny from all
allow from "put your ip address here"
</Files>

then put your .htaccess in your admin or renamed admins folder if you have renamed it you will then be the only person that can login to your admins back end. (if your ip changes then change the ip address in the file or you will get page not found error) ;)

Note you can still use this if you dont have a fixed ip address!! but you will have to change the ip address in this file when your ip changes.

regards
Nice part of a layered security approach, if your server allows it. FYI, you really should have a fixed, dedicated IP on the site itself. This helps improve, or allows improvements in other aspects of site security and operational stability. Things such as not ending up on an RBL as a spammer because you share an IP with one....

David

Specializing in secure Hosting 4 OpenCart based eCommerce websites.


New member

Posts

Joined
Sat Mar 24, 2012 7:49 pm
Location - United States

Post by al24 » Sun May 27, 2012 2:20 pm

Ok I don't know if this happened to anybody else but when I installed the xml in this post, the .htaccess file blocked me from being able to upload images on file manager. It nearly gave me a heartattack cause I had just installed a million vqmods at once and I didn't know which one was causing the problem. Luckily I found the solution when I simply deleted the .htaccess file in the image folder!

My opencart 1.5.1.3 - Going Out Dresses


Newbie

Posts

Joined
Thu Feb 09, 2012 9:18 am

Post by labeshops » Sun May 27, 2012 9:56 pm

al24 wrote:Ok I don't know if this happened to anybody else but when I installed the xml in this post, the .htaccess file blocked me from being able to upload images on file manager. It nearly gave me a heartattack cause I had just installed a million vqmods at once and I didn't know which one was causing the problem. Luckily I found the solution when I simply deleted the .htaccess file in the image folder!
Just edit the image htaccess file adding additional lines to include the extension you are trying to upload in place of the xxxx below, including capitalization of them. By default it would let you upload .jpg for example but your images may be .JPG or .JPEG which it would block.

RewriteCond %{REQUEST_FILENAME} !^(.+)\.xxxx$

Running Opencart v2.2 with multi-stores from http://www.labeshops.com which has links to all my stores.

Image


User avatar
Expert Member

Posts

Joined
Thu Aug 04, 2011 4:41 am
Location - Florida, USA

Post by krokodylowy3 » Mon May 28, 2012 1:54 am

Nimitz1061 wrote:
krokodylowy3 wrote:
Qphoria wrote:[
This is interesting.. we've been looking for a better way to handle that cookie domain issue so I will look into this
setcookie('language', $code, time() + 60 * 60 * 24 * 30, '/',$_SERVER['SERVER_NAME']);
SERVER_NAME doesn't contain port part.
The recommended change also uses an unfiltered input. Shouldn't make any difference in theory - but a bad habit nonetheless.
David
Did you mean $_SERVER['SERVER_NAME']? It is already filtered by '$_SERVER = $this->clean($_SERVER);' code.

Newbie

Posts

Joined
Fri May 18, 2012 2:39 am

Post by aresn » Fri Jun 08, 2012 2:52 am

What I do not understand is why nobody actually take my comment about non secure session cookie seriously.
If you have SSL on your store to protect your customers, if you are accepting credit card information , all I have to do to steal your customers info is hijack their insecure session cookie to steal their session and their information.

User avatar
Newbie

Posts

Joined
Fri Jan 13, 2012 12:54 am

Post by iMpr324 » Thu Jul 05, 2012 1:27 pm

werepair wrote:if you want to secure the admin with .htaccess and you have a fixed ip address create a .htaccess file like below

<Files *.*>
Order Deny,Allow
Deny from all
allow from "put your ip address here"
</Files>
But this means the folder is still visible and accessible, right?
Could it be like:
Order Deny,Allow
Deny from all
allow from "put your ip address here"

Without Files tag?
BTW, is there any relevant files in admin folder that should be accessible?

Newbie

Posts

Joined
Tue Jul 03, 2012 3:44 pm

Post by Nimitz1061 » Mon Jul 09, 2012 5:09 am

iMpr324 wrote:
werepair wrote:if you want to secure the admin with .htaccess and you have a fixed ip address create a .htaccess file like below

<Files *.*>
Order Deny,Allow
Deny from all
allow from "put your ip address here"
</Files>
But this means the folder is still visible and accessible, right?
Could it be like:
Order Deny,Allow
Deny from all
allow from "put your ip address here"

Without Files tag?
BTW, is there any relevant files in admin folder that should be accessible?
The files tags are fundamental elements of the Apache configuration system. So, no.

You might want to change "put your ip address here" to something more appropriate, like, say - your own IP address.

David

Specializing in secure Hosting 4 OpenCart based eCommerce websites.


New member

Posts

Joined
Sat Mar 24, 2012 7:49 pm
Location - United States

Post by bobwhite » Thu Jul 26, 2012 2:33 am

Hi David,
Sorry somehow I missed your reply.
Thank you for your help. Some of the questions I was able to figure out myself. If you have a moment can you please check my website for security, it is: http://www.springofhealth.ca maybe you will have some recommendations.
Thanks again,
Bob

User avatar
New member

Posts

Joined
Thu Jan 26, 2012 8:20 am

Post by dolrichfortich » Fri Jul 27, 2012 9:00 am

Just released an opencart admin additional security module. Able to add, captcha, change login url, ban after failed attempts. Details here http://forum.opencart.com/viewtopic.php?f=123&t=71518

Opencart Options Pro, Reward Points For Review, DISQUS Comment Form,
Dolrich Fortich - Freelance web developer

Image


User avatar
New member

Posts

Joined
Thu Aug 05, 2010 8:09 pm
Location - Philippines

Post by toddzy » Tue Jul 31, 2012 12:52 pm

Hello and thank you for the invaluable info in this post.

My question is, what the devil do you mean by "Create a map called circkel"??? a sitemap? my google research for this question hasn't resulted in a conclusive answer, so please help me understand this.

cheers,
Todd.

p.s. I suspect it's an incorrect translation due to automated translation.
p.s. now i get it. i downloaded the zip file at the bottom of the post and cirkel is simply a folder. so where it says "map" it was supposed to say "folder". I thought I'd leave this info here for the next person who searches for it, to hopefully save them some time.

Newbie

Posts

Joined
Tue Jul 31, 2012 12:49 pm

Post by sleepykidX » Mon Sep 03, 2012 5:46 am

Hi can you help me with this part?
Instantly set config.php in admin and root at CHmod 444

I don't get what is CHmod 444

Also could someone clarify this step please?

Create a map called "circkel" in your store root.
Put a .htaccess file in there with:

Deny from all

What is a map?

Newbie

Posts

Joined
Sun Sep 02, 2012 9:10 am

Post by labeshops » Mon Sep 03, 2012 6:00 am

sleepykidX wrote:Hi can you help me with this part?
Instantly set config.php in admin and root at CHmod 444

I don't get what is CHmod 444

Also could someone clarify this step please?

Create a map called "circkel" in your store root.
Put a .htaccess file in there with:

Deny from all

What is a map?
See the post above yours. map = folder

Running Opencart v2.2 with multi-stores from http://www.labeshops.com which has links to all my stores.

Image


User avatar
Expert Member

Posts

Joined
Thu Aug 04, 2011 4:41 am
Location - Florida, USA

Post by acewoodturner » Sat Nov 03, 2012 12:18 am

I am pretty new to OC and am running the latest version. I am ready to open up my site to the (potentially) many hundreds of people whom I hope will have a look, like something and then buy it!
My problem is the last bit, being the the security of the site before I launch it
I have read the 3 pages of good ideas for website security and I am a little confused.
Can some explain in quite easy terms what I need to do and an idiots guide on how to do it. I would like to make my site as secure as possible,or at least as much by a newb possibly can without wrecking it.

Thanks in advance

Newbie

Posts

Joined
Sat Jun 30, 2012 3:28 am

Post by psycmos » Thu Dec 27, 2012 6:45 pm

This guide works perfect!!! thankz for all and special thkz for rph developer, "Secure Random Password" Extention works perfect!!!!! BIG THANKZ!!!!!!! :D all the best!!!

New member

Posts

Joined
Mon Nov 26, 2012 7:31 pm

Post by peter2000 » Fri Jan 11, 2013 5:16 am

What I do not understand is why nobody actually take my comment about non secure session cookie seriously.
If you have SSL on your store to protect your customers, if you are accepting credit card information , all I have to do to steal your customers info is hijack their insecure session cookie to steal their session and their information.
My 3 best security practices:

1.We have the entire site running in ssl and it is forced through htaccess. There is really no reason not to have your whole site running in SSL. The speed decrease is really no issue anymore with today's servers. This should prevent the above legitimate statement.

2. Get a good host!!! We pay serious money for a superb hosting company. We also get charged for the CPU use on the server. But they are very serious about their security and have extensive support to improve my webshop security.

3. We don't store customer data. WHAT??? Yes... we don't store it. This means you have to enter your data everytime you purchase something. But... There is also nothing to steal.

Newbie

Posts

Joined
Tue Oct 09, 2012 5:32 pm

Post by Gilmore » Thu Jan 24, 2013 11:33 am

Hello,
Why not just make sure your server is running PHP Support in FastCGI and not Apache module, then you will be done with security issues? The permissions are no longer a worry to set right. Plus you are secure!

Thanks!

Gilmore

----------------------------------------------------------
Opencart 1.5.1.x - 2.x


User avatar
Active Member
Online

Posts

Joined
Thu Aug 12, 2010 7:33 am

Post by hypemedia » Tue Mar 26, 2013 5:08 pm

aresn wrote:What I do not understand is why nobody actually take my comment about non secure session cookie seriously.
If you have SSL on your store to protect your customers, if you are accepting credit card information , all I have to do to steal your customers info is hijack their insecure session cookie to steal their session and their information.

Ok I will also like to know why nobody is answering this guy regarding the cookie vulnerability. I am also confused why there is now dedicated section to security on this forum. There is no system that is 100 % safe and we should discuss all the problems that can occur and find fixes. Obscurity is not security this is the first thing anybody should know.

Active Member

Posts

Joined
Fri Aug 17, 2012 5:39 pm
Who is online

Users browsing this forum: No registered users and 6 guests