Magento Security Best practices 2015
Transcription
http://goo.gl/MFpBWS
Grow your business safely
Magento Security Best practices 2015
www.nbs-system.com, Q4 2015

e-Commerce: the 60% rules
• >60% of web traffic is non-human
• >60% of attempts to steal databases target e-Commerce sites
• >60% of growth for identity theft over three years
• A 2012 study showed retailer websites are at risk 328 days/year
• An IP address is scanned around 40 times per day

The triple loot

A different time scale
[Chart: time scale from seconds, minutes, hours, days, weeks and months to years. Time between attack launch and compromise, and time between compromise and its discovery. Statistics based on large corporations in 2012 (Verizon Data Breach report).]

A *very* bad year

It all started with a big #fail (Shoplift)

It all started with a big #fail (RSS orders)

It all started with a big #fail (Magmi)

Other “SUrPrEEses”

Magento cache leak

But there were others before

Did you take care of the previous ones?

Did you take care of the previous ones? The PayPal / Magento integration flaw (by NBS)

NBS System will release a new vulnerability soon

Or even the ones that were not Magento specific?

PHP: two versions behind, really?
PHP versions in use in our fleet: 88% are outdated and not supported anymore… No security fixes.
(and +12% to +40% performance to gain)

Easily exploitable things beyond classical vulnerabilities

When Magento support is being creative…
Magento Support giving dangerous advice:
• “Chmod 777 your document root…” *REALLY*?
• “Magento is not compatible with reverse proxies.” *Woot*?
• “Give me your root password so we can look.” *NO KIDDING*?
• Etc.
Don’t go to a car dealer to fix a bad tooth…

Classical mistakes that cost…
• Leaving your logs accessible, especially the debug one
• Leaving payment gateway logs accessible to all
• Not hiding Magento, PHP and Apache versions
• Using unaudited extensions: use a minimum of them, a lot are BAD
• Weak passwords, along with no lockout policy, are a plague

Applicative level DoS attacks
• Leaving import/export scripts, reindexers and crontabs accessible
• Calling pages that load very slowly
• Accessing the API directly to import / export
• Etc.
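The two slides above describe what a shop actually sees in its access logs: scanners probing tooling paths (Magmi, the downloader, log files, the API) and clients hammering slow pages. The deck later recommends rate limits on the reverse proxy; the script below, an example added to this transcription and not taken from the NBS System deck, shows the detection side of that advice over a few constructed Apache/Nginx combined-format log lines (the IP addresses, timestamps and paths are made up for the example). It flags any client exceeding a per-minute request threshold and counts hits on the sensitive paths the slides name.

```shell
#!/bin/sh
# Added example (not from the NBS System deck): detection logic for the
# "applicative DoS" and scanning points, run over constructed access log lines.
# Assumes the Apache/Nginx combined log format: client IP in field 1, the
# "[dd/Mon/yyyy:HH:MM:SS" timestamp in field 4 and the request path in field 7.

# Constructed sample log. 203.0.113.7 hammers tooling paths within one minute;
# 198.51.100.9 is an ordinary shopper.
SAMPLE_LOG='203.0.113.7 - - [12/Oct/2015:10:00:01 +0200] "GET /index.php/magmi/ HTTP/1.1" 302 0 "-" "python-requests/2.7"
203.0.113.7 - - [12/Oct/2015:10:00:02 +0200] "GET /downloader/ HTTP/1.1" 401 0 "-" "python-requests/2.7"
203.0.113.7 - - [12/Oct/2015:10:00:03 +0200] "GET /var/log/system.log HTTP/1.1" 403 0 "-" "python-requests/2.7"
203.0.113.7 - - [12/Oct/2015:10:00:04 +0200] "GET /api/rest/products HTTP/1.1" 401 0 "-" "python-requests/2.7"
203.0.113.7 - - [12/Oct/2015:10:00:05 +0200] "GET /catalogsearch/result/?q=a HTTP/1.1" 200 65000 "-" "python-requests/2.7"
203.0.113.7 - - [12/Oct/2015:10:00:06 +0200] "GET /catalogsearch/result/?q=b HTTP/1.1" 200 65000 "-" "python-requests/2.7"
198.51.100.9 - - [12/Oct/2015:10:00:10 +0200] "GET / HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Oct/2015:10:01:30 +0200] "GET /checkout/cart/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"'

# Print every client IP that sent more than $1 requests inside any single
# clock minute (the signal a reverse-proxy rate limit would act on).
flag_noisy_ips() {
  awk -v thr="$1" '
    { n[$1 SUBSEP substr($4, 2, 17)]++ }   # key: ip + "dd/Mon/yyyy:HH:MM"
    END {
      for (k in n) if (n[k] > thr) { split(k, p, SUBSEP); flagged[p[1]] = 1 }
      for (ip in flagged) print ip
    }' | sort
}

# Print "ip count" for requests to the tooling paths the slides name
# (Magmi, the downloader/updater, the var/log directory and the API).
hits_on_sensitive_paths() {
  awk '
    $7 ~ /^\/(index\.php\/)?(magmi|downloader|var\/log|api)(\/|$)/ { hits[$1]++ }
    END { for (ip in hits) print ip, hits[ip] }' | sort
}

# Demo run on the constructed log: flags 203.0.113.7 (6 requests in one minute)
# and reports its 4 hits on sensitive paths.
printf '%s\n' "$SAMPLE_LOG" | flag_noisy_ips 5
printf '%s\n' "$SAMPLE_LOG" | hits_on_sensitive_paths
```

On a real server the two functions read the access log from stdin (`flag_noisy_ips 120 < /var/log/nginx/access.log`); the threshold is a tuning choice, and the path regex should be extended with whatever import, reindex or cron URLs the shop exposes.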
Securing Magento flaws

Securing Magento flaws
• Update to versions CE > 1.9 or EE > 1.14.1
• Use PHP 5.6
• Shoplift, Magmi, XML-RPC-XEE: filter the access with a .htaccess file (or an nginx rule)

Securing recent flaws
Example with Magmi (using Apache):

    # Redirect every Magmi request to the home page unless it comes from the trusted address
    RewriteCond %{REQUEST_URI} ^/(index.php/)?magmi/ [NC]
    RewriteCond %{REMOTE_ADDR} !^192\.168\.0\.1$
    RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]

Example with Magmi (using Nginx):

    location ~* ^/(index.php/)?magmi {
        allow 192.168.0.1;
        deny all;
        location ~* \.php$ {
            include fastcgi_params;
            # complete with the fastcgi_pass used by the rest of the site
        }
    }

Protect your backoffice & updater
Example using Apache:

    # Put the path of your own backoffice (and updater) in the Location
    <Location /wp-admin>
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /etc/apache2/access/htpasswd
        Require valid-user
        # Deny everyone except [MY_IP]; with Satisfy any, that address skips
        # the password prompt and every other client has to authenticate
        Order deny,allow
        Deny from all
        Allow from [MY_IP]
        Satisfy any
    </Location>

Then, just add a user:

    htpasswd -c /etc/apache2/access/htpasswd [user]

Leveraging native Magento security
• Use HTTPS for backoffice access and order tunnels
• Change your backoffice default URL
• Do *NOT* use a weak password (no, « tommy4242 » is not safe)
• Limit the number of failed login attempts
• Set a password expiration time and change it every 3 months
• Enforce case-sensitive passwords
• Disable email password recovery

Securing the web application

Organizational security
• Get a security review
• Keep track of vulnerabilities in the Magento ecosystem
• Have serious passwords, change them every 3 months
• Do not keep information unless it is needed
• Pick a PCI DSS certified hosting company
• Use 3D Secure
• Keep up-to-date versions of Magento & PHP

Infrastructure security
• Keep a daily backup
• Use a WAF; NAXSI is open source, free and stable
• Put rate limits on your reverse proxies
• Filter your outgoing traffic
It’s the job of your managed services provider.

Host level security
• Change the default backoffice URL
• Disable directory indexing
• Have correct permissions: files 644, directories 755
• No follow, no index on preprod
• Use the best practices mentioned before
It’s the job of your managed services provider.

High end security

CerberHost
[Diagram of the CerberHost protection layers: humans (motivating wages, SOC team, security trainings, background checks), website, database, applicative stack, network, operating system, hardware. Protections shown: N.A.X.S.I (web application firewall), ReqLimit (anti applicative DoS), ExecVE killer, File Upload checker, PHP Suhosin V2, App scan, Threadfix virtual patching, MySQL Interceptor, daemon hardening, anti DDoS, isolated VLANs, firewalling, PaX/GrSec, Watch Folder, PHP Malware finder, redundant hardware, redundant datacenters, redundant data storage, redundant telecom uplinks, log central, Security Event Manager, Ban Commander, Flex Dynamic Firewall.]

Grow your business safely
Contact: [email protected] +33.1.58.56.60.80
www.nbs-system.com
Twitter: @nbs_system
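Several of the slides above come down to checks a hosting team can run on the document root: the "chmod 777" advice on the support slide, the accessible debug and payment logs on the classical-mistakes slide, and the 644/755 permission rule on the host-level slide. The script below is an example added to this transcription, not NBS System's tooling, and shows an audit of those points on a constructed Magento 1 directory tree (built in a temporary directory; the file names follow Magento 1's layout, the permissions are deliberately wrong for the demonstration).

```shell
#!/bin/sh
# Added example (not from the NBS System deck): audit a Magento 1 document root
# for the host-level points of the slides above, files not 644 / directories
# not 755, and a var/log directory (Magento's debug and exception logs)
# reachable from the web because no deny rule covers it. Report only; nothing
# is changed. The sample tree below is constructed in a temporary directory.

# Count files whose mode is not exactly 644 plus directories not exactly 755.
count_bad_perms() {
  f=$(find "$1" -type f ! -perm 644 | wc -l | tr -d ' ')
  d=$(find "$1" -type d ! -perm 755 | wc -l | tr -d ' ')
  echo $((f + d))
}

# Apache honours a "Deny from all" .htaccess in var/ or var/log/; Nginx ignores
# .htaccess entirely, so there the rule has to live in the server block.
check_log_dir() {
  logdir="$1/var/log"
  [ -d "$logdir" ] || { echo "absent"; return 0; }
  for ht in "$1/var/.htaccess" "$logdir/.htaccess"; do
    if [ -f "$ht" ] && grep -qi 'deny from all' "$ht"; then
      echo "protected"
      return 0
    fi
  done
  echo "unprotected"
}

# Constructed sample root: one world-writable config file, one "chmod 777"
# directory (the advice quoted on the support slide), logs without a deny rule.
make_sample_root() {
  r=$(mktemp -d)
  mkdir -p "$r/app/etc" "$r/var/log" "$r/magmi"
  : > "$r/index.php";          chmod 644 "$r/index.php"
  : > "$r/app/etc/local.xml";  chmod 666 "$r/app/etc/local.xml"   # too open
  : > "$r/var/log/system.log"; chmod 644 "$r/var/log/system.log"
  chmod 755 "$r" "$r/app" "$r/app/etc" "$r/var" "$r/var/log"
  chmod 777 "$r/magmi"                                            # too open
  echo "$r"
}

# Demo run: reports 2 entries with wrong permissions and an unprotected var/log.
root=$(make_sample_root)
echo "entries with wrong permissions: $(count_bad_perms "$root")"
echo "var/log: $(check_log_dir "$root")"
rm -rf "$root"
```

Against a live shop, call `count_bad_perms /path/to/docroot` and `check_log_dir /path/to/docroot` from a cron job and alert on a non-zero count or an "unprotected" result; the same two checks belong in the deployment pipeline so a release cannot reintroduce a 777 directory.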