Protect your Magento Installation from Password Guessing - New Update

October 29, 2016

We are seeing an increasing number of brute force password guessing attacks on Magento installations worldwide. In some cases these attacks have resulted in unauthorized admin panel access. We strongly recommend that you take the steps outlined below to protect your store against such attacks.

As a first step, take an inventory of all the ways your installation can be reached from the outside world by a brute force password guessing attack. You can scan your site with http://magereport.com to identify these access points. In a typical Magento 1 installation (e.g., Magento Enterprise Edition 1.14.2), three locations need to be protected: /admin (or the custom admin name you have chosen), /downloader, and /rss. In Magento 2, only the admin panel location (its path is generated automatically during installation) requires protection.

IP WHITELISTING

The most effective way to protect the admin and downloader locations is to allow access only from a specified IP address or network. This works best if you always access the store backend from the same location and the same computer or computers. To find your public IP address you can use Google: https://www.google.com/search?q=what+is+my+ip. It will show an address such as 203.0.113.10 (each of the four numbers lies between 0 and 255). This approach does not work well if you have a dynamic IP address or access the backend from a mobile device. If your company has a remote workforce, add their addresses as well so that they keep access. One more caveat: if your store sits behind a load balancer, reverse proxy or CDN, the address the web server sees (REMOTE_ADDR) is the proxy's, not the visitor's, so the rules below would either lock everyone out or admit everyone who arrives through the proxy. In that case the web server must first be configured to trust the client address the proxy forwards (mod_remoteip on Apache, the realip module on Nginx).

IP Whitelisting the Admin Panel, Downloader, and RSS Feeds

The method for whitelisting the admin panel and RSS feeds differs from the one used for the downloader. The downloader is a real directory on disk, so it can be protected with directory-level access control. The admin panel, reached through /admin or /index.php/admin (or a custom path you choose), and the RSS feeds, such as low stock notifications or order status updates, are routes handled by index.php rather than directories on the server, so they have to be matched by URL rewrite rules instead.

 

Apache Server Users (typical configuration)

The admin panel and RSS feeds are protected by answering requests from unknown IP addresses with an HTTP 403 Forbidden response. Add the rules to the .htaccess file in the root Magento folder, right after the rewrite rules for mobile user agents and just before the section called "always send 404 on missing files in these folders."

To whitelist an IP address for the admin panel, add the following rule in the root .htaccess file (inside <IfModule mod_rewrite.c>), replacing xx.xx.xx.xx with your address. The condition is a regular expression, so the dots must be escaped and the pattern anchored with a closing $; an unescaped, unanchored pattern such as !^203.0.113.10 would also admit 203.0.113.100 and any address with other characters in place of the dots. To allow several addresses, add one RewriteCond line per address: consecutive RewriteCond lines are combined with AND, so the 403 rule fires only when the address matches none of them.

RewriteCond %{REMOTE_ADDR} !^xx\.xx\.xx\.xx$
RewriteRule ^(index\.php/)?admin(/|$) - [L,R=403]

 

To whitelist an IP address for the RSS feed, add the following rule in the root .htaccess file (inside <IfModule mod_rewrite.c>), with the same escaping and anchoring of the address and one RewriteCond line per allowed address:

RewriteCond %{REMOTE_ADDR} !^xx\.xx\.xx\.xx$
RewriteRule ^(index\.php/)?rss(/|$) - [L,R=403]
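As an added example in Python (not part of this advisory), the script below models how Apache evaluates the RewriteCond chain used by the admin and RSS rules above: it checks the pattern as it is often written (unescaped, unanchored) beside the escaped and anchored form, validates the addresses, and renders a correct .htaccess block for a list of allowed addresses. All addresses are constructed from the RFC 5737 documentation ranges.

```python
"""Emulate how Apache mod_rewrite evaluates the RewriteCond/RewriteRule pair
from the advisory, to show why the IP pattern must be escaped and anchored.

Added example, not part of the Magento advisory. All addresses are
constructed from the RFC 5737 documentation ranges.
"""
from __future__ import annotations

import ipaddress
import re

OFFICE_IP = "203.0.113.10"          # constructed: the admin's fixed address


def rule_fires(remote_addr: str, cond_patterns: list[str]) -> bool:
    """True when the RewriteRule runs, i.e. the request gets the 403.

    Consecutive RewriteCond lines are ANDed, and each one is negated with
    '!', so the rule fires only if REMOTE_ADDR matches none of the patterns.
    mod_rewrite applies CondPattern as an unanchored regex search, which is
    why this uses re.search and not re.fullmatch.
    """
    return all(re.search(pattern, remote_addr) is None for pattern in cond_patterns)


def strict_patterns(allowed_ips: list[str]) -> list[str]:
    """Build one escaped and anchored CondPattern per allowed address.

    Every entry is validated as an IPv4 address first, so an impossible
    address such as 111.222.333.444 raises instead of silently locking
    everyone out.
    """
    patterns = []
    for ip in allowed_ips:
        ipaddress.IPv4Address(ip)            # raises ValueError if invalid
        patterns.append("^" + re.escape(ip) + "$")
    return patterns


def htaccess_block(allowed_ips: list[str]) -> str:
    """Render the lines to paste inside <IfModule mod_rewrite.c> in root .htaccess."""
    lines = [f"RewriteCond %{{REMOTE_ADDR}} !{p}" for p in strict_patterns(allowed_ips)]
    lines.append(r"RewriteRule ^(index\.php/)?admin(/|$) - [L,R=403]")
    return "\n".join(lines)


# Pattern written the careless way: dots are regex wildcards, no closing anchor.
NAIVE = [r"^203.0.113.10"]
# Pattern as it should be written.
STRICT = strict_patterns([OFFICE_IP])

if __name__ == "__main__":
    for addr in ("203.0.113.10", "203.0.113.100", "203x0x113x10", "198.51.100.7"):
        print(f"{addr:14}  naive blocked={rule_fires(addr, NAIVE)!s:5}  "
              f"strict blocked={rule_fires(addr, STRICT)}")
    print()
    print(htaccess_block([OFFICE_IP, "198.51.100.7"]))
```

Run it as-is to see that the naive pattern lets 203.0.113.100 and 203x0x113x10 through while the strict one blocks everything except the office address; the printed block is what goes into the root .htaccess, with the RewriteRule pattern swapped for the RSS one as needed.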

 

To whitelist an IP address for the downloader application, add the following rule to the ./downloader/.htaccess file. A network in CIDR notation (for example 203.0.113.0/24) is accepted in place of a single address. This is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, use a single Require ip xx.xx.xx.xx line instead, since 2.4 denies every client that no Require directive matches.

order deny,allow
deny from all
allow from xx.xx.xx.xx

 

Nginx Web Server Users

In most cases you will need to work with your hosting provider to restrict access to the admin, downloader and RSS locations.

However, if you have full access to your server, you can modify the Nginx configuration yourself, following the instructions at https://www.nginx.com/resources/admin-guide/restricting-access/ or the instructions below. Two things matter when placing these blocks: allow and deny are evaluated in the location block that ends up handling the request, and regular-expression locations (location ~ ...) are tried in the order they appear in the configuration, the first match winning. Put the blocks below in the server block before the generic PHP handler (typically location ~ \.php), otherwise a request for /index.php/admin/ is taken by the PHP location and never sees the restriction. allow also accepts a network in CIDR notation, for example allow 203.0.113.0/24;. After editing, check the configuration with nginx -t and reload.

To whitelist an IP address for the admin panel, add the following blocks to your nginx.conf file, ahead of the generic PHP location. The (/|$) suffix also catches a request for /admin with no trailing slash:

location ~ ^/admin(/|$) {
    allow xx.xx.xx.xx;
    deny all;
    try_files $uri $uri/ /index.php;
}
location ~ ^/index\.php/admin(/|$) {
    allow xx.xx.xx.xx;
    deny all;
    try_files $uri $uri/ /index.php;
}

 

To whitelist an IP address for the RSS feed, add the following blocks to your nginx.conf file, again ahead of the generic PHP location:

location ~ ^/index\.php/rss(/|$) {
    allow xx.xx.xx.xx;
    deny all;
    try_files $uri $uri/ /index.php;
}
location ~ ^/rss(/|$) {
    allow xx.xx.xx.xx;
    deny all;
    try_files $uri $uri/ /index.php;
}

 

To whitelist an IP address for the downloader application, add the following block to your nginx.conf file. Unlike the admin and RSS routes, the downloader is real PHP code in a real directory, so this block must also run PHP for the addresses it lets through: nest a copy of your existing PHP handler (the location with fastcgi_pass) inside it. Without that, whitelisted users are served downloader/index.php as a plain file, and if the generic PHP location appears earlier in the configuration it takes /downloader/index.php before this block is consulted.

location ~ ^/downloader/ {
    allow xx.xx.xx.xx;
    deny all;
}

 

BLOCKING THE RSS AND DOWNLOADER

If you are not planning to use the RSS feed or the downloader, it is best to block or remove them completely.

You can delete the whole downloader folder, or block access to it, if you do not install or upgrade extensions on the production server and manage files with a version control system instead.

If you are not planning to use the RSS feed, block it with the web server rules below.

 

Apache Server Users (typical configuration)

To block access to the downloader application, add the following rule to the downloader/.htaccess file (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat the equivalent is Require all denied):

deny from all

 

To block access to the RSS feed, add the following rule in the root .htaccess file (inside <IfModule mod_rewrite.c>):

RewriteRule ^(index\.php/)?rss(/|$) - [L,R=403]

 

Nginx Web Server Users

In most cases you will need to work with your hosting provider to restrict access to the downloader and RSS locations.

However, if you have full access to your server, you can modify the Nginx configuration yourself, following the instructions below.

To block access to the downloader application, add the following block to your nginx.conf file. The ^~ prefix match takes precedence over every regular-expression location, so the generic PHP handler cannot pick up /downloader/index.php ahead of this block:

location ^~ /downloader/ {
    deny all;
}

 

To block access to the RSS feed, add the following blocks to your nginx.conf file, ahead of the generic PHP location so that /index.php/rss/ is not handled there first:

location ~ ^/index\.php/rss(/|$) {
    deny all;
}
location ~ ^/rss(/|$) {
    deny all;
}

 

CHANGING THE LOCATION OF THE ADMIN PANEL AND MAGENTO CONNECT MANAGER (DOWNLOADER)

Password guessing attacks assume typical admin panel locations like /admin, /backend, /manage, /control and similar and the default location of the Magento Connect Manager: /downloader. Changing the location of the admin panel and downloader can reduce the likelihood of being targeted by a generic attack. However, it does not protect against targeted attacks which try to guess the location with multiple requests.

Be sure to check with your hosting provider before making these changes. Some have specific security rules that apply to default locations. Also, if you are not planning on installing extensions from Magento Connect, you can delete or fully block access to the downloader directory.

 

Changing the Name (Location) of the Admin Panel (Magento 1 only)

To change the name, first log into the admin panel and open System -> Cache Management, so that you can flush the configuration cache as soon as the file is edited (until the cache is flushed, the old name stays in effect).

Then edit app/etc/local.xml in your Magento installation and change the value of frontName in the section admin -> routers -> adminhtml -> args (note the spelling: adminhtml). Pick a name that is not on the common wordlists (admin, backend, manage, control and similar).

After this change, flush all caches from the Cache Management page (or delete the contents of var/cache), then log out and log in again using the new URL.
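As an added example (not Magento code), the following Python script performs the local.xml edit described above: it validates a new front name, rewrites the frontName element under admin/routers/adminhtml/args, and reports the old name. The local.xml it ships with is a constructed minimal sample, and the naming rules in validate_front_name are the script's own policy, not Magento's.

```python
"""Change the Magento 1 admin front name in app/etc/local.xml.

Added example, not Magento code. SAMPLE_LOCAL_XML is a constructed, minimal
stand-in for a real local.xml (crypt key and database settings left out);
the name rules in validate_front_name are this script's own policy.
"""
from __future__ import annotations

import re
import sys
import xml.etree.ElementTree as ET

SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
    <global>
        <install>
            <date><![CDATA[Sat, 29 Oct 2016 00:00:00 +0000]]></date>
        </install>
    </global>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
"""

# Path below <config>; note "adminhtml", not "adminhml".
FRONTNAME_PATH = "admin/routers/adminhtml/args/frontName"

# Names password-guessing tools try first (the advisory's list plus obvious
# variants); refuse them outright.
GUESSABLE = {"admin", "backend", "manage", "control", "administrator", "panel"}


def validate_front_name(name: str) -> str:
    """Accept only a lowercase [a-z0-9_] segment of 8..64 characters that is
    not a well-known admin path (this script's own rule)."""
    if not re.fullmatch(r"[a-z0-9_]{8,64}", name):
        raise ValueError("front name must be 8-64 characters from [a-z0-9_]")
    if name in GUESSABLE:
        raise ValueError(f"{name!r} is on every attacker's wordlist")
    return name


def front_name(local_xml: str) -> str | None:
    """Read the current adminhtml front name, or None if the node is absent."""
    node = ET.fromstring(local_xml).find(FRONTNAME_PATH)
    return (node.text or "").strip() if node is not None else None


def set_front_name(local_xml: str, new_name: str) -> tuple[str, str]:
    """Return (updated local.xml, previous front name).

    ElementTree drops the CDATA wrapper and writes the value as plain text,
    which Magento reads the same way.
    """
    validate_front_name(new_name)
    root = ET.fromstring(local_xml)
    node = root.find(FRONTNAME_PATH)
    if node is None:
        raise ValueError(f"no {FRONTNAME_PATH} element in local.xml")
    old = (node.text or "").strip()
    node.text = new_name
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode"), old


if __name__ == "__main__":
    # Usage: python change_frontname.py app/etc/local.xml <new_name>
    # Without arguments it rewrites the constructed sample and prints it.
    if len(sys.argv) == 3:
        path, name = sys.argv[1], sys.argv[2]
        with open(path, encoding="utf-8") as fh:
            updated, old = set_front_name(fh.read(), name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(updated)
    else:
        name = "ops_console_7f3a"          # constructed example name
        updated, old = set_front_name(SAMPLE_LOCAL_XML, name)
        print(updated)
    print(f"front name changed from {old!r} to {name!r}; "
          f"flush the configuration cache, then log in at /{name}/")
```

Keep a backup of local.xml before running it against a real installation; the script overwrites the file in place.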

 

Change the Name of Magento Connect Manager (Downloader) (Magento 1 Only)

Changing the name of the Magento Connect Manager is another option, but once you have made this change it is no longer possible to open Magento Connect Manager from the Magento admin panel. It must be accessed directly using the new URL.

To change the name of Magento Connect Manager, simply rename the downloader folder to something unique. Update any web server rules above that refer to /downloader so they match the new folder name; otherwise the renamed directory is left unprotected.

ADVANCED USE CASES

In some situations, it might be impossible to limit access to a set of IP addresses, especially when the site administration panel needs to be accessed by multiple people from different locations. In this case, there are other approaches that might be used:

  • Use a VPN tunnel and block all other access to these locations (you will need to work with your hosting provider to set up this method).

  • Install and enable two-factor authentication, for example using the following extension: https://www.nexcess.net/resources/plugins/sentry-two-factor-authentication-magento.

    Note: you still need to block or restrict /rss and /downloader access.

  • Use adaptive request filtering such as Fail2Ban, which watches the web server log for repeated failed logins from one address and temporarily bans that address at the firewall. This raises the cost of a naive attack, but it does not stop a slow attacker who stays under the threshold or a distributed one spread over many addresses, so combine it with the measures above.
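As an added example of the last point (not Fail2Ban's or Magento's own code), the Python script below implements the Fail2Ban logic, maxretry failures within findtime seconds triggering a ban of bantime seconds, over constructed access log lines in combined format. It assumes a Magento 1 convention, that a failed admin login POST answers with HTTP 200 while a successful one redirects with 302; adjust is_failed_login() if your installation behaves differently. The third address in the sample shows the low-and-slow case that the default window misses.

```python
"""Fail2Ban-style detection of admin password guessing from web server logs.

Added example; this is not Fail2Ban's or Magento's code. The log lines are
constructed in Apache/Nginx "combined" format. The failure predicate assumes
a Magento 1 convention: a failed admin login POST re-renders the form with
HTTP 200, while a successful one answers with a 302 redirect. Adjust
is_failed_login() if your installation behaves differently.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
ADMIN_PATH = re.compile(r"^/(index\.php/)?admin(/|$)")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one fast guesser (198.51.100.23), one legitimate login
# (203.0.113.10, answered with 302) and one slow guesser (192.0.2.77).
SAMPLE_LOG = """\
198.51.100.23 - - [29/Oct/2016:10:00:01 +0000] "GET /index.php/admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Oct/2016:10:00:02 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Oct/2016:10:00:03 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Oct/2016:10:00:04 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Oct/2016:10:00:05 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Oct/2016:10:00:05 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Oct/2016:10:00:06 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Oct/2016:10:00:07 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.77 - - [29/Oct/2016:10:05:00 +0000] "POST /admin/ HTTP/1.1" 200 5123 "-" "python-requests/2.11"
192.0.2.77 - - [29/Oct/2016:10:16:00 +0000] "POST /admin/ HTTP/1.1" 200 5123 "-" "python-requests/2.11"
192.0.2.77 - - [29/Oct/2016:10:27:00 +0000] "POST /admin/ HTTP/1.1" 200 5123 "-" "python-requests/2.11"
"""


def is_failed_login(m: re.Match) -> bool:
    """Assumed Magento 1 convention: POST to the admin route answered with 200."""
    return (m["method"] == "POST"
            and ADMIN_PATH.match(m["path"]) is not None
            and m["status"] == "200")


class BruteForceDetector:
    """Sliding-window counter with Fail2Ban's three knobs.

    maxretry failures within findtime seconds from one address trigger a
    ban lasting bantime seconds; requests from a banned address are dropped.
    """

    def __init__(self, maxretry: int = 5, findtime: int = 600, bantime: int = 3600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures: dict[str, deque[datetime]] = defaultdict(deque)
        self.banned_until: dict[str, datetime] = {}

    def feed(self, line: str) -> tuple[str, str] | None:
        """Process one log line; return ("ban", ip) or ("drop", ip) when acting."""
        m = LOG_RE.match(line)
        if m is None:
            return None                                # not a request line
        ip, ts = m["ip"], datetime.strptime(m["ts"], TS_FMT)
        if ip in self.banned_until:
            if ts < self.banned_until[ip]:
                return ("drop", ip)                   # still banned
            del self.banned_until[ip]                 # ban expired
        if not is_failed_login(m):
            return None
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()                          # forget failures outside findtime
        if len(window) >= self.maxretry:
            self.banned_until[ip] = ts + self.bantime
            window.clear()
            return ("ban", ip)
        return None


def detect(lines, **knobs) -> list[tuple[str, str]]:
    """Run the detector over an iterable of log lines and collect its actions."""
    det = BruteForceDetector(**knobs)
    return [ev for ev in (det.feed(line) for line in lines) if ev is not None]


if __name__ == "__main__":
    for action, ip in detect(SAMPLE_LOG.splitlines()):
        print(f"{action:4} {ip}")
```

With the defaults, only the fast guesser is banned; 192.0.2.77 spaces its attempts eleven minutes apart and never accumulates five failures inside the ten-minute window. Widening findtime (for example detect(lines, maxretry=3, findtime=1800)) catches it at the cost of more false positives for forgetful administrators, which is the trade-off that makes IP whitelisting or two-factor authentication the primary control and this the backstop.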

In summary, there are several approaches you can take to help protect your store from brute force password guessing attacks. We recommend that you quickly review these approaches with your Solution and Hosting Partners and implement the ones that are best suited to your unique situation.