Basic Magento Security Guide


Written by: David Cantón Araujo. This guide was produced with the help of Daniel Fírvida Pereira, Elena García Díez and Antonio López Padilla.

June 2014

This publication is the property of INTECO (the Spanish National Institute for Communications Technology) and is released under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Spain licence. Hence, this work may be copied, distributed and publicly communicated under the following conditions:

Attribution. The contents of this report may be reproduced in whole or in part by third parties, provided that their origin is stated and express reference is made both to INTECO or INTECO-CERT and to its web-site: http://www.inteco.es. This attribution must not in any case suggest that INTECO endorses the third party concerned or the use being made of its work.

Non-Commercial Use. Both the original material and work derived from it may be distributed, copied and displayed, provided that these uses are not for commercial purposes.

When this work is re-used or distributed, the terms of this licence must be clearly stated. Some of these conditions may not apply if permission is obtained from INTECO-CERT, owner of the copyright. The full text of the licence is to be found at: http://creativecommons.org/licenses/by-nc-sa/3.0/es/

BASIC MAGENTO SECURITY GUIDE


INDEX

1 About This Guide
2 About Electronic Commerce
  2.1 Current Context
  2.2 E-Commerce Platforms
      Distribution of E-Commerce Platforms
  2.3 Magento
3 Hosting Services
  3.1 Selection of the Hosting Mode
  3.2 Technical Requirements
4 Installation
  4.1 Prior Software Requirements
  4.2 Installing Magento
  4.3 Installing an SSL Certificate
  4.4 General Considerations on Magento Extensions
5 Security on the Web Server
  5.1 File Permissions
      Reviewing Permissions after Updating or Installing Extensions
      Limiting Access to the Administration Zone
  5.2 Robots.txt
6 Backup
7 Magento Security Extensions
  7.1 ET IP Security
  7.2 Improved Admin Security
  7.3 Improved Admin Security 2.0
  7.4 Magepim PhpIDS Security Integration
  7.5 Enhanced Admin Security: Two-Factor Authentication
  7.6 Admin Logger
  7.7 MageBackup - Backup Solution Lite
  7.8 AutoBackup
  7.9 MagePlace Backup Extension

1 ABOUT THIS GUIDE

The aim of this basic security guide for Magento [1] is to describe clearly and simply the main aspects that must be taken into account for a secure installation of the Magento e-commerce platform. To that end, the guide lays out the main security recommendations to consider when setting up an online shop on this platform: selecting a hosting provider, installing Magento, configuring the web server securely, generating backup copies, and the principal security functions available as Magento extensions. This document does not cover all the security aspects that a systems administrator should keep in mind when operating a production environment beyond those strictly linked to Magento. For more information on that topic, see the INTECO guides section [2].

[1] http://magento.com/
[2] http://inteco.es/guias_estudios/guias/

2 ABOUT E-COMMERCE

2.1 CURRENT CONTEXT

The importance of electronic commerce, or e-commerce, is unquestionable at the present time, now that the initial mistrust of this way of selling has been overcome. Both new and long-established businesses see the Internet as a great sales opportunity and a major source of customers that they cannot ignore. According to estimates from eMarketer [3], in 2012 worldwide e-commerce revenue reached 740 billion euro (740 thousand million), with an upward trend foreseen for the next few years. Studies by the consultancy firm Morgan Stanley [4] suggest that worldwide e-commerce will grow 50% by 2016, coming to represent more than 9% of total sales volume around the world.

Illustration 1. - Volume of Sales through E-Commerce. (Source: Morgan Stanley Blue Paper: E-Commerce Disruption - A Global Theme)

In Spain, the IT 2013 report on e-commerce [5] by the Spanish Commission for the Telecommunications Market (CMT [6]) indicated that in the first quarter of 2013 this sort of trading achieved a turnover of 2,822.6 million euro. This was 15.1% more than in the same quarter of 2012, with a total of 43.5 million operations. These data point to prospects for growth in Spain as well over the next few years, making e-commerce a fundamental factor that must be taken into account in the growth and expansion of trade [7].

[3] http://www.emarketer.com/
[4] http://www.businessinsider.com/morgan-stanley-e-commerce-disruption-2013-1?op=1
[5] http://www.cmt.es/reports-de-comercio-electronico
[6] http://www.cmt.es/

Illustration 2. - Quarterly Changes in the Volume of E-Commerce and Inter-Year Variations. Figures are in millions of euro and as a percentage. (Source: IT 2013 Report on E-Commerce from the CMT)

2.2 E-COMMERCE PLATFORMS

In this context, one of the main agents in sales over the Internet is the digital e-commerce platform: a web application developed specifically for trading or selling over the Internet. Among the chief characteristics of e-commerce platforms, the following are of note:

- Product Catalogues. Platforms generally facilitate the creation, categorization and maintenance of the details of the products the shop intends to sell.

- Customization of the Shop's Appearance. There would be no marketing advantage if all shops looked the same and could not be distinguished from one another.

- Support for Bank Transactions. To offer payment methods in the shop, there can be support for electronic payment channels allowing transactions with credit cards, by bank transfer or through interoperability with other systems such as PayPal [8].

- Order Management. Many e-commerce applications provide facilities for dispatching and tracking goods.

- Creation of Reports and Statistics. Details of the shop's operations can be gathered.

[7] http://www.cmt.es/informes-de-comercio-electronico
[8] https://www.paypal.es/


All these functions must be offered within a security framework suited to handling the transactions and the data typical of an e-commerce platform. Their design must therefore anticipate attacks and protect both the company's data and the platform users' data from them.

Distribution of E-Commerce Platforms

Among e-commerce platforms there are both proprietary and open-source applications, the latter predominating among those currently installed. Illustration 3 shows the market distribution of e-commerce platforms; the five leaders take roughly 65% of the market.

Illustration 3. - A Study of E-Commerce Platforms Based on Alexa. (Source: aheadworks [9])

The business model for open-source trading applications is organized around the sale of the basic application and of plug-ins or extensions that improve it and add new functions.

2.3 MAGENTO

Magento is the most widespread e-commerce platform at present and has become something of a benchmark for its sector. It has established itself as one of the main options when creating a virtual shop. Its principal characteristics are the following:

- Scalability and high performance, allowing systems to grow as demand increases.

- Customer loyalty and online marketing, permitting the development of trading strategies to secure the customer base through the management of discounts, coupons, offers and other features.

- A large range of options thanks to plug-ins, both from Magento, Inc. [10] and from third-party developers.

- Continuing evolution, driven by its predominant position in number of installations and by the large community behind the product, including firms like eBay [11].

Its widespread presence and the sensitive data involved in using it, such as personal details and credit card numbers, make Magento a very attractive target for cyber-criminals.

[9] http://blog.aheadworks.com/2013/07/e-commerce-platforms-survey-who-rules-olympus-these-days-and-who-will-gain-power-in-the-future/
[10] http://www.magentocommerce.com/
[11] http://www.ebay.es/

3 HOSTING SERVICES

3.1 SELECTION OF THE HOSTING MODE

One of the first decisions, before going on to the installation of Magento itself, is the hosting service that will support the electronic shop. Although this is not strictly a security topic, the choice of hosting determines what kind of access to, and control over, the system on which Magento is installed the shop will have. Among the options offered by the market, the first step is to decide whether the server will be managed by a hosting company that sees to the installation and maintenance of the application, or whether the server will be installed, maintained and defended directly by the firm responsible for the electronic shop, which then has to take care both of the server and of Magento. Furthermore, whether the server is dedicated or shared has security implications to be kept in mind during the installation and operation of the platform: on a shared server other customers' applications run on the same machine, so the file-permission model in section 5.1 and the isolation offered by the provider matter all the more. In any case, the hosting mode must be chosen taking into consideration the level of technical knowledge of the staff responsible for the electronic shop and the level of service it is desired to offer.

3.2 TECHNICAL REQUIREMENTS

The chief technical requirements [12] that must be kept in mind when selecting a hosting server are:

- Disk Space. The minimum requirement for a Magento installation is 100 megabytes of disk space. Further space is needed for extensions and for the shop's own product data and images.

- Operating System. Magento is supported on Linux, x86 or x86-64, so this is the operating system that must be used. Specifically, Magento's official web-site recommends the CentOS and Ubuntu distributions.

- PHP. Magento is written in PHP (PHP: Hypertext Preprocessor) [13], so a PHP interpreter is needed to run the shop. Version 1.8.0.0 of Magento is compatible with PHP versions 5.2.13 to 5.3.24. Besides the basic PHP installation, several extensions are needed:
  - PDO_MySQL
  - SimpleXML
  - Mcrypt
  - Hash
  - GD
  - DOM
  - Iconv
  - Curl
  - SOAP (if the web service application programming interface [API] is used)

  It is also necessary for safe_mode to be disabled (off) and for the memory_limit parameter to be at least 256 MB, with 512 MB recommended.

- Database. For Magento installations with versions higher than 1.13.0.0 it is necessary to install a MySQL [14] database, version 5.0.2 or later. Naturally, the database is where most of the electronic shop's data will be stored.

- Redis NoSQL. Redis is an optional component for Magento from CE 1.8 and EE 1.13 onwards. Redis is an in-memory key-value NoSQL database engine, used by Magento to cache data for better performance. The versions needed for it to work properly are:
  - Redis server 2.6.9 or higher.
  - Redis PHP extension 2.2.3 or higher.

- SSL. The electronic shop should have a Secure Sockets Layer (SSL) certificate installed so that communications are encrypted, both in the administration section and in the customer section. Self-signed SSL certificates are not acceptable.

- Hosting server configuration. For Magento to work properly, it must be possible to schedule tasks (crontab) that run PHP 5, and the web server must allow its configuration to be overridden by .htaccess files (in Apache, AllowOverride must permit the directives Magento ships in its .htaccess files).

All these points must be taken into account when selecting the type of hosting for the online store among the many options available: shared hosting, shared servers, virtual servers or cloud hosting.

[12] http://magento.com/resources/system-requirements
[13] http://es1.php.net/
[14] http://www.mysql.com/

4 INSTALLATION

The official installation guide [15] includes a detailed description of the steps to be taken in installing Magento. Hence, the present document will merely summarize the main steps, stressing security aspects where necessary.

4.1 PRIOR SOFTWARE REQUIREMENTS

This section describes the software and configuration needed before the installation of Magento itself can be undertaken. The following components must be put in place:

- Apache 2, as the web server for the shop. Before installing Apache, consider isolating the process from the rest of the system in a chroot jail [16], so that a compromise of the web server does not give direct access to the rest of the file system.

- PHP, the scripting language in which Magento runs on the server.

- MySQL, the database needed by the shop. When configuring the database, create the account that Magento will use with the minimum possible privileges, on its own database only, rather than giving it an administrator profile, and use a strong password for it.

- SELinux. Installation of this security component for Linux operating systems is recommended.

- Configuration of whatever firewall the operating system provides.

- Configuration of the ownership and permissions of Magento's files and folders. Only the account running the web server should have access to them, read-only wherever possible, with write access limited to the directories Magento needs to write to (var/ and media/), as detailed in section 5.1. This configuration model may avoid security problems in the future.

4.2 INSTALLING MAGENTO

Once all the prior requirements are in place, the installation of Magento itself can proceed. Although the official Magento installation guide should be consulted for a detailed explanation, this section goes step by step through the installation, noting the points in the configuration that affect the security of the web application.

[15] http://www.magentocommerce.com/knowledge-base/entry/ce18-and-ee113-installing
[16] http://www.linux-faqs.info/apache/running-apache-in-chroot-jail

The main steps in the installation are as listed below:

1. With the latest stable version of Magento unpacked in the installation directory, the process is started by opening the corresponding path in the web browser. For example, if the application has been placed in the magento sub-directory of the server's document root, the path would be: http://www.dominioShop.com/magento

This path displays a page with the product's End User License Agreement:

Illustration 4. - End-User Licensing Agreement for Magento.

2. To continue, the licence has to be accepted and the "Continue" button clicked.

3. The next web page shows localization options for the shop: country, time zone and currency. The appropriate choices are selected and the "Continue" button is clicked.


Illustration 5. - Configuring Localization for Magento.

4. The next stage displays a page for inputting the configuration parameters for the shop. This page is divided into two sections: database and web access parameters.

Illustration 6. - Database configuration.

In the section for configuring the database connection, the installation process requires the following data:

- Host: IP address or server name of the database.

- Database Name: Name of the database that will store the virtual shop's information.

- User Name: The name of the user account with which the Magento web application will connect to the database. This should be the dedicated, least-privilege account created in section 4.1; both the user name and its credentials should be unique to this shop.

- User Password: The password corresponding to the user name from the previous field, used to authenticate database connections.

- Tables Prefix: For a new installation of the Magento database, this field is the prefix added to all the tables created by the installation process. The field was originally intended to allow several Magento installations to share one database. Although its use is optional, it is recommended: without a prefix, an attacker who finds a SQL injection flaw already knows the exact table names of the standard Magento schema, which makes the attack easier to automate. A random prefix of at least four alphanumeric characters is advised. Note that this is an obstacle, not a defence: the prefix can be discovered from error messages or from the information_schema, so it does not replace keeping Magento and its extensions patched.

The second section of this configuration web-page is given over to web access options.

Illustration 7. - Options for Configuring Web Access in Magento.

The fields in this section are the following:

- Base URL: This is the URL used as the base address for access to the Magento administration panel and the shop.

- Admin Path: This is the path that, appended to the Base URL, gives access to the Magento administrator control panel. It is advisable to change the default (admin) to something less common, so as to avoid automated attacks that try the default address of the control panel. Changing this parameter stops attackers from knowing the address of the control panel in advance, although it does not stop them from finding it; it should be combined with the IP restriction and strong credentials described later in this guide.

- Enable Charts: This checkbox allows graphs to be shown on the administration panel.

- Skip Base URL Validation before the Next Step: The base URL of the server is validated by performing an HTTP GET. In production environments it is recommended that this option not be ticked.

- Use Web Server (Apache) Rewrites: This option enables use of the Apache mod_rewrite module.

- Use Secure URLs (SSL): This enables the use of SSL. In production environments secure communication should be compulsory. It is achieved by enabling and configuring security certificates on the server. Encrypting the connection prevents sensitive customer data (names or credit card numbers) from being intercepted by third parties.

The third and final configuration section permits selection of the way in which session data are saved: in the file system or the database.

Illustration 8. - Configuration of Session Storage.

5. Creation of the administration account. This screen allows the credentials of the virtual shop's administrator to be chosen. To ensure at least a minimum of security, assign a strong password and a username that is neither common nor easy to guess, with a minimum length of 8 characters. The final field on the page is the key that Magento will use to encrypt sensitive data in the database. If it is left blank, the installation process generates a random key. If this is not an installation from scratch, the key used in the previous installation must be entered, because data encrypted under the old key cannot be read under a new one. The key is stored in app/etc/local.xml; keep a copy of it with the backups (section 6), since a restored database is useless without it.


Illustration 9. - Configuration of the Administration Account.

6. The final screen for the installation process shows the encryption key generated, together with a message that Magento is now correctly installed.

Illustration 10. – Final Magento Installation Screen.
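As an added example, not part of the INTECO guide or of Magento's installer, the following shell script prepares the values the installer asks for in steps 4 and 5 together with the least-privilege database account recommended in section 4.1: a random table prefix, strong passwords for the database user and the administrator, and the MySQL statements that create a database account holding only the privileges the shop needs. The database, user and host names are placeholders, and the two privilege sets are an assumption to be validated (full reindex, checkout, every installed extension) before the schema grants are revoked; they must be re-granted before running an upgrade, since Magento's setup scripts alter the schema.

```shell
#!/bin/sh
# magento_db_provision.sh -- added example, not taken from the INTECO guide or
# from Magento. Generates the installer inputs (table prefix, passwords) and
# the SQL for a least-privilege MySQL account. Run the printed SQL as the
# MySQL root user, then paste the prefix and passwords into the installer.
#
# Assumptions (not in the original text): names are placeholders; the
# privilege lists are a starting point and must be validated (full reindex,
# checkout, any extension) before the install-time grants are revoked.
set -u

# rand_token LENGTH -> LENGTH random characters [A-Za-z0-9] from /dev/urandom.
# Alphanumeric only, so the values can be embedded in SQL and XML unquoted.
rand_token() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# table_prefix -> random lower-case prefix ending in "_", e.g. "k7q2x9_".
# The guide asks for at least four alphanumeric characters; six are used.
table_prefix() {
    printf '%s_' "$(rand_token 6 | tr 'A-Z' 'a-z')"
}

# strong_password -> 24 random alphanumeric characters (about 143 bits).
strong_password() {
    rand_token 24
}

# db_grant_sql DB USER HOST PASSWORD -> SQL creating the database and an
# account limited to that database. Runtime and schema privileges are
# granted in two statements so the second can be revoked after setup.
db_grant_sql() {
    db=$1; user=$2; host=$3; pw=$4
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\` CHARACTER SET utf8;
CREATE USER '$user'@'$host' IDENTIFIED BY '$pw';
-- runtime: row access plus temporary tables and locks (assumed to be needed
-- by reindexing and by the built-in backup tool; verify on your install)
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE TEMPORARY TABLE, LOCK TABLES
    ON \`$db\`.* TO '$user'@'$host';
-- install/upgrade only: schema changes made by the installer and setup scripts
GRANT CREATE, ALTER, DROP, INDEX, REFERENCES
    ON \`$db\`.* TO '$user'@'$host';
FLUSH PRIVILEGES;
EOF
}

# db_revoke_ddl_sql DB USER HOST -> SQL to drop the schema privileges once the
# installer and all setup scripts have completed (re-grant before upgrades).
db_revoke_ddl_sql() {
    db=$1; user=$2; host=$3
    printf "REVOKE CREATE, ALTER, DROP, INDEX, REFERENCES ON \`%s\`.* FROM '%s'@'%s';\n" \
        "$db" "$user" "$host"
}

# Usage: sh magento_db_provision.sh demo [DB] [USER] [HOST]
if [ "${1:-}" = "demo" ]; then
    db=${2:-magento_db}; user=${3:-mage_app}; host=${4:-localhost}
    dbpw=$(strong_password)
    echo "Table prefix for the installer : $(table_prefix)"
    echo "Admin password for step 5      : $(strong_password)"
    echo "Database password for step 4   : $dbpw"
    echo "-- SQL to run as MySQL root --"
    db_grant_sql "$db" "$user" "$host" "$dbpw"
    echo "-- after setup has finished, run: --"
    db_revoke_ddl_sql "$db" "$user" "$host"
fi
```

The generated values are printed once and never written to disk by the script; the database password ends up in app/etc/local.xml, which is why that file must stay unreadable to other accounts (section 5.1).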

4.3 INSTALLING AN SSL CERTIFICATE

Configuring a digital certificate is a mandatory requirement if Magento is to run in a secure environment. Once one is installed, communications are encrypted and customers can verify the identity of the shop itself. Installing a certificate involves three stages:

1. Purchasing a digital certificate. A certificate issued by a certification authority that browsers trust must be obtained; a self-signed certificate does not let customers verify the shop and produces browser warnings.

2. Installation on the Apache web server. For this purpose, the Apache configuration file for the shop's SSL virtual host should be edited as shown below (paths are placeholders; the private key file must be readable only by root, because whoever can read it can impersonate the shop):

    DocumentRoot /var/www/html/magento
    ServerName www.dominioShop.com
    SSLEngine on
    SSLCertificateFile /pathway/a/name_dominio.crt
    SSLCertificateKeyFile /pathway/a/private.key
    SSLCertificateChainFile /pathway/a/DigiCertCA.crt

Thereafter, the Apache server should be restarted. For more information, see the official web-site of the Apache web server [17].

3. Configuring Magento. In the System/Configuration/Web/Secure section of the administration panel, the fields Use Secure URLs in Frontend and Use Secure URLs in Admin should be set to Yes. This makes the administration panel and the pages Magento treats as secure (checkout and customer account) use the secure base URL; to serve the whole shop over SSL, set the unsecure Base URL to https:// as well, so that no page is ever served in clear.

[17] http://httpd.apache.org/docs/2.2/howto/htaccess.html

4.4 GENERAL CONSIDERATIONS ON MAGENTO EXTENSIONS

Through extensions, Magento provides a way of adding to and extending the functions of the electronic shop, so that third parties such as companies or independent developers can incorporate new functionality into the platform. Extensions cover a wide range of matters, from improving the web interface of the application to integrating billing methods or increasing the security of the platform. They can be found on the Magento web-site [18] or on third-party sites. Although there are some free extensions, for the great majority of those that bring major improvements it is necessary to purchase a licence. From the viewpoint of Magento security, the reliability and trustworthiness of each extension installed in the shop should be considered carefully, since these modules run with the same privileges as Magento itself and may have access to all the information in the shop, including sensitive data such as customers' card details, the shop's sales records or its stock. For these reasons, it is advisable to install only extensions in widespread use, whose vendor or developer is as trustworthy as possible, and which offer an acceptable level of support and a reasonable update rate. Each extension also enlarges the attack surface, so it should be updated like the rest of the platform and removed when it is no longer needed.

[18] http://www.magentocommerce.com/magento-connect/

5 SECURITY ON THE WEB SERVER

This section briefly describes certain aspects specific to Magento that should be kept in mind in order to improve the security of the Apache [19] web server on which the e-commerce platform runs. For general information on hardening the Apache web server, see INTECO's basic guide to securing the Apache web server [20].

5.1 FILE PERMISSIONS

Reducing the access permissions on the various files of the Magento application is one of the first security measures that should be applied in a production environment. Tighter permissions limit the damage an attacker could do through a vulnerability in the system, for example by preventing a flaw in PHP code from being used to write a backdoor into the code tree. The recommended configuration [21] is to set the ownership and privileges of the file system as follows:

- On dedicated servers, the ownership of the Magento files is set by executing the following in the Magento root directory, where name-user-owner-server is the account under which the web server process runs:

    chown -R name-user-owner-server .

In this case, the recommendation is that files and folders belong to the owner of the web server process. Moreover, access privileges should be set to read and execute for folders (500) and read only for files (400).

[19] http://httpd.apache.org/
[20] https://www.incibe.es/CERT_en/publications/guides/
[21] http://www.magentocommerce.com/knowledge-base/entry/install-privs-after




- On shared hosting servers, the files and folders should be owned by the corresponding system account for the service. It is also advisable to set read and execute privileges as shown below, running the commands from the Magento root directory. var/ and media/ are the directories Magento must write to (cache, sessions, logs and backups under var/; uploaded images under media/), so they are the only ones that keep write permission for the owner:

    find . -type f -exec chmod 400 {} \;
    find . -type d -exec chmod 500 {} \;
    find var/ -type f -exec chmod 600 {} \;
    find media/ -type f -exec chmod 600 {} \;
    find var/ -type d -exec chmod 700 {} \;
    find media/ -type d -exec chmod 700 {} \;

Reviewing Permissions after Updating or Installing Extensions

Magento Connect Manager [22] is the application tasked with automatically installing new extensions in Magento. However, it sets write permissions for everyone (777) on all the folders and files it installs. Because of this, after every installation or update through Connect Manager the permissions of files and folders should be reduced again according to the parameters described above, and the tree checked for anything left world-writable.

Illustration 12. - Permissions for Files and Folders.

[22] http://www.magentocommerce.com/magento-connect/
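As an added example, not from the INTECO guide or from Magento, the following shell script applies the permission model described above to a Magento root directory and then audits the tree, so the same command can be re-run after every Magento Connect installation or upgrade. It assumes the shared-hosting layout (files owned by the account that runs PHP, var/ and media/ writable by that owner); the owner argument is optional and only needed on a dedicated server where the files must first be chowned to the web server account.

```shell
#!/bin/sh
# harden_magento_perms.sh -- added example, not from the INTECO guide or Magento.
# Applies the 400/500 (code) and 600/700 (var/, media/) model from section 5.1
# and reports anything that does not match, which is exactly what is left
# behind after Magento Connect Manager sets files to 777.
# Assumptions (not in the original text): run on the server as the file owner
# (or root); OWNER is "" on shared hosting where chown is not available.
set -u

# harden_tree ROOT OWNER
# Reset ownership (when OWNER is given) and modes across the tree. var/ and
# media/ are the only directories Magento writes to (cache, sessions, logs and
# backups under var/; uploads under media/), so only they keep owner write.
harden_tree() {
    root=$1; owner=$2
    if [ -n "$owner" ]; then
        chown -R "$owner" "$root"
    fi
    find "$root" -type f -exec chmod 400 {} \;
    find "$root" -type d -exec chmod 500 {} \;
    for d in var media; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f -exec chmod 600 {} \;
        find "$root/$d" -type d -exec chmod 700 {} \;
    done
}

# list_offenders ROOT -> prints every entry whose mode breaks the model:
# anything writable by group or others anywhere in the tree, or writable by
# the owner outside var/ and media/.
list_offenders() {
    root=$1
    {
        find "$root" \( -perm -g+w -o -perm -o+w \) -print
        find "$root" -path "$root/var" -prune -o -path "$root/media" -prune -o \
            -perm -u+w -print
    } | sort -u
}

# audit_tree ROOT -> prints the number of offending entries; zero means the
# tree matches. Exit status is always 0 so it can be used in "$(...)" under
# "set -e".
audit_tree() {
    list_offenders "$1" | wc -l | tr -d ' '
}

# Usage: sh harden_magento_perms.sh demo /var/www/html/magento [www-data]
if [ "${1:-}" = "demo" ]; then
    harden_tree "$2" "${3:-}"
    n=$(audit_tree "$2")
    echo "entries still over-permissive: $n"
    [ "$n" -eq 0 ] || list_offenders "$2"
fi
```

Running audit_tree on its own (without harden_tree) is a cheap check to schedule from cron: a non-zero count right after an extension update is the 777 reset described above; a non-zero count at any other time deserves a look, because an attacker who has written a file into the code tree will usually have left it writable.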


Limiting Access to the Administration Zone

One way to restrict access to the Magento administration zone to a limited set of IP addresses is by configuring .htaccess. This file allows configuration parameters to be defined locally for the directory where it is located and its subdirectories, without any need to modify the main Apache configuration file (this is why the hosting requirements in section 3.2 include .htaccess overrides). The following example redirects to the main Magento address all requests received by the Apache server from any IP other than 192.168.56.102 when the request line contains the string "admin":

    RewriteEngine On
    RewriteCond %{REMOTE_ADDR} !^192\.168\.56\.102
    RewriteCond %{THE_REQUEST} ^.*(admin).* [NC]
    RewriteRule (.*) /

If the advice on installing Magento has been followed and the Admin Path has been changed from its default admin, the string in the second RewriteCond must be changed to the path chosen. Note that the pattern matches "admin" anywhere in the request line, so a product or category URL containing that word would be redirected as well; matching %{REQUEST_URI} against the path prefix (for example ^/backoffice(/|$)) avoids this. Two further caveats: the rule protects only the administration panel, not the Magento Connect Manager under /downloader/, which has its own login and should be restricted in the same way; and the IP check is applied by Apache, so if the shop sits behind a reverse proxy or CDN, REMOTE_ADDR will be the proxy's address and the rule must use the forwarded client address instead.
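As an added example, not from the INTECO guide or Magento, the following shell script generates a stricter version of the rules above: it reads the admin path actually chosen at install time from app/etc/local.xml (Magento 1 stores it as admin/routers/adminhtml/args/frontName), anchors the match to that path as a URI prefix instead of matching the word "admin" anywhere in the request, accepts a list of allowed addresses, and answers 403 instead of redirecting. The local.xml layout is the standard Magento 1 one; the addresses and the sample file in the test are constructed.

```shell
#!/bin/sh
# admin_htaccess.sh -- added example, not from the INTECO guide or Magento.
# Emits mod_rewrite rules that allow the Magento 1 administration path only
# from an IP allow-list. The admin frontName is read from app/etc/local.xml
# so the rules follow the path chosen at install time rather than "admin".
# Assumptions (not in the original text): standard Magento 1 local.xml
# layout; requests reach Apache directly (behind a proxy REMOTE_ADDR is the
# proxy, so the allow-list would have to use the forwarded address instead).
set -u

# admin_front_name LOCAL_XML -> prints the configured admin frontName
# (handles <frontName><![CDATA[x]]></frontName> and <frontName>x</frontName>)
admin_front_name() {
    sed -n -e 's/<!\[CDATA\[//; s/]]>//' \
           -e 's/.*<frontName>\([^<]*\)<\/frontName>.*/\1/p' "$1" | head -n 1
}

# regex_escape STRING -> STRING with regex metacharacters backslash-escaped,
# so a frontName such as "shop.admin" cannot widen the match
regex_escape() {
    printf '%s' "$1" | sed 's/[][\\.^$*+?(){}|]/\\&/g'
}

# gen_admin_htaccess FRONT_NAME IP [IP ...] -> prints the .htaccess fragment
gen_admin_htaccess() {
    front=$(regex_escape "$1"); shift
    if [ $# -eq 0 ]; then
        echo "gen_admin_htaccess: at least one allowed IP is required" >&2
        return 1
    fi
    allow=""
    for ip in "$@"; do
        allow="${allow:+$allow|}$(regex_escape "$ip")"
    done
    cat <<EOF
RewriteEngine On
# Only the admin path is affected, with or without index.php in front of it;
# matching the path prefix avoids catching catalog URLs that contain the word.
RewriteCond %{REQUEST_URI} ^/(index\\.php/)?${front}(/|\$) [NC]
# Any client address that is not on the allow-list ...
RewriteCond %{REMOTE_ADDR} !^(${allow})\$
# ... is refused outright (403) rather than redirected to the home page.
RewriteRule ^ - [F,L]
EOF
}

# Usage: sh admin_htaccess.sh demo /var/www/html/magento 192.168.56.102 [IP ...]
if [ "${1:-}" = "demo" ]; then
    root=$2; shift 2
    front=$(admin_front_name "$root/app/etc/local.xml")
    gen_admin_htaccess "${front:-admin}" "$@" > "$root/.htaccess.admin"
    echo "wrote $root/.htaccess.admin for /${front:-admin}/; merge it into $root/.htaccess"
fi
```

The fragment is written to a separate file rather than appended blindly, because Magento's own .htaccess already contains rewrite rules and the admin block must come before the catch-all rule that sends everything to index.php.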

5.2 ROBOTS.TXT

robots.txt, the file defined by the Robots Exclusion Protocol, is a configuration file indicating to web-site crawlers which areas they should index and which not. Although this standard is only a recommendation that crawlers may or may not follow, it is advisable to limit the regions of the web-site that are to be indexed. The owner of a Magento store wants all information relating to the products or services sold to be indexed, but does not want anything on the configuration or administration pages of Magento indexed. An example of a robots.txt file optimized for Magento [23] might be as follows:

    ## robots.txt for Magento Community and Enterprise
    ## GENERAL CONFIGURATION
    ## Enable robots.txt rules for all crawlers
    User-agent: *
    ## Crawl-delay parameter: number of seconds to wait between successive requests to the same server.
    ## Set a custom crawl rate if you're experiencing traffic problems with your server.
    # Crawl-delay: 30
    ## Magento sitemap: uncomment and replace the URL to your Magento sitemap file
    # Sitemap: http://www.example.com/sitemap/sitemap.xml
    ## DEVELOPMENT RELATED SETTINGS
    ## Do not crawl development files and folders: CVS, svn directories and dump files
    Disallow: /CVS
    Disallow: /*.svn$
    Disallow: /*.idea$
    Disallow: /*.sql$
    Disallow: /*.tgz$
    ## GENERAL MAGENTO SETTINGS
    ## Do not crawl Magento admin page
    Disallow: /admin/
    ## Do not crawl common Magento technical folders
    Disallow: /app/
    Disallow: /downloader/
    Disallow: /errors/
    Disallow: /includes/
    Disallow: /lib/
    Disallow: /pkginfo/
    Disallow: /shell/
    Disallow: /var/
    ## Do not crawl common Magento files
    Disallow: /api.php
    Disallow: /cron.php
    Disallow: /cron.sh
    Disallow: /error_log
    Disallow: /get.php
    Disallow: /install.php
    Disallow: /LICENSE.html
    Disallow: /LICENSE.txt
    Disallow: /LICENSE_AFL.txt
    Disallow: /README.txt
    Disallow: /RELEASE_NOTES.txt
    ## MAGENTO SEO IMPROVEMENTS
    ## Do not crawl sub category pages that are sorted or filtered.
    Disallow: /*?dir*
    Disallow: /*?dir=desc
    Disallow: /*?dir=asc
    Disallow: /*?limit=all
    Disallow: /*?mode*
    ## Do not crawl 2-nd home page copy (example.com/index.php/). Uncomment it only if you activated Magento SEO URLs.
    ## Disallow: /index.php/
    ## Do not crawl links with session IDs
    Disallow: /*?SID=
    ## Do not crawl checkout and user account pages
    Disallow: /checkout/
    Disallow: /onestepcheckout/
    Disallow: /customer/
    Disallow: /customer/account/
    Disallow: /customer/account/login/
    ## Do not crawl search pages and non-SEO-optimized catalogue links
    Disallow: /catalogsearch/
    Disallow: /catalog/product_compare/
    Disallow: /catalog/category/view/
    Disallow: /catalog/product/view/
    ## SERVER SETTINGS
    ## Do not crawl common server technical folders and files
    Disallow: /cgi-bin/
    Disallow: /cleanup.php
    Disallow: /apc.php
    Disallow: /memcache.php
    Disallow: /phpinfo.php
    ## IMAGE CRAWLERS SETTINGS
    ## Extra: Uncomment if you do not wish Google and Bing to index your images
    # User-agent: Googlebot-Image
    # Disallow: /
    # User-agent: msnbot-media
    # Disallow: /

Two security caveats apply. First, robots.txt is public and purely advisory: every address listed in it, including the admin path (Disallow: /admin/, or whatever path was chosen at install time), is disclosed to anyone who reads the file, and hostile crawlers simply ignore it. Access to the administration panel and to technical directories such as /app/ and /var/ must therefore be enforced by the web server (see the previous subsection and the deny-all .htaccess files Magento ships in those two directories), with robots.txt serving only to keep legitimate search engines away from them. Second, files such as phpinfo.php, apc.php, memcache.php and install.php should not exist on a production server at all; removing them is better than hiding them from crawlers.

[23] http://turnkeye.com/blog/optimize-robots-txt-for-magento/

6 BACKUP

One of the principal security measures that any computer application should incorporate is a clear policy for backup copies. In the case of Magento there are even stronger reasons for this, since it is a system in which being out of service for any period of time always leads to financial losses. Magento has mechanisms for creating backups. To access them, select the option System -> Tools -> Backups from the system administration panel, as shown in the image below:

Illustration 13. - Access Route to the Magento Backup Panel.

On the screen displayed by Magento when "Backups" is selected, the various backup options appear in the top corner, as may be seen from the figure:

- System Backup: creates a .tgz with the whole system, including the complete source code and the database.

- Database and Media Backup: creates a .tgz containing a backup copy of the database and the contents of the media folder.

- Database Backup: makes a backup copy of the database only.


Illustration 14. - The Various Magento Backing-Up Options.

When one of the three options mentioned is selected, the system will ask for the name under which the backup is to be stored.

Illustration 15. - Request for a Backup Name.

After this final step is completed, Magento creates a backup copy and stores it on the server in Magento_root_directory/var/backups. This location is inside the web document root, so check that the web server refuses requests for /var/ (Magento ships a .htaccess there for that purpose); otherwise the backup, which contains the whole database including customer data, could be downloaded by anyone who guesses its name. It is highly advisable to store further copies on a device external to the server, so that even if the data on the server are compromised, it will be possible to re-establish the electronic shop. Backups deserve the same protection as the live data: they contain the customer database and, in the case of a system backup, app/etc/local.xml with the database password and the encryption key, so they should be encrypted or kept on an access-controlled medium.


Illustration 16. - Extracting a Backup Copy from the Server.

Finally, it is worth mentioning that there are Magento extensions whose purpose is to facilitate and automate backup copies; for more information, see section 7 of this guide. Moreover, there are many generic applications for production environments aimed at generating, managing and restoring backups of systems. Examples of this type of software are Bacula [24], fwbackups [25] and Flyback [26]. Whichever tool is used, a backup that has never been restored is not a backup: the restore procedure should be tested periodically on a separate system.

[24] http://bacula.org/
[25] http://www.diffingo.com/oss/fwbackups
[26] https://code.google.com/p/flyback/
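As an added example, not from the INTECO guide or from Magento, the following shell script does on the command line what the backup panel above does, with the two steps this section asks for built in: it packages the database dump, the code tree and media/ into a .tgz, writes a SHA-256 checksum next to it, verifies the archive, and places both in a destination outside the web root that can be an external disk or mount. The mysqldump call is skipped when the MAGE_DB environment variable (an assumption of this script) is unset, so the script also runs on a tree without a database; the names and the directory layout used in the test are constructed.

```shell
#!/bin/sh
# magento_offsite_backup.sh -- added example, not from the INTECO guide or Magento.
# Command-line equivalent of the "System Backup" option with checksum,
# verification and an off-server destination. Assumptions (not in the original
# text): DEST is a directory outside the document root (external disk, mount,
# or a staging area that is then copied elsewhere); when MAGE_DB is set,
# mysqldump finds its credentials in ~/.my.cnf or the environment.
set -u

# make_backup ROOT DEST -> prints the path of the archive written under DEST
make_backup() {
    root=$1; dest=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    work=$(mktemp -d)
    mkdir -p "$dest"
    # 1. database dump (consistent snapshot of InnoDB tables)
    if [ -n "${MAGE_DB:-}" ]; then
        mysqldump --single-transaction "$MAGE_DB" > "$work/db-$stamp.sql"
    fi
    # 2. code tree and media/, minus caches, sessions and older in-tree backups
    archive="$dest/magento-$stamp.tgz"
    tar --exclude='./var/cache' --exclude='./var/session' --exclude='./var/backups' \
        -czf "$archive" -C "$root" . -C "$work" .
    # 3. checksum beside the archive: detects tampering and bit-rot on the copy
    (cd "$dest" && sha256sum "$(basename "$archive")" > "$archive.sha256")
    rm -rf "$work"
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE -> 0 if the checksum matches and the archive can be
# listed end to end; run this on the off-server copy before relying on it
verify_backup() {
    archive=$1
    (cd "$(dirname "$archive")" && sha256sum -c "$(basename "$archive").sha256") \
        > /dev/null 2>&1 || return 1
    tar -tzf "$archive" > /dev/null 2>&1 || return 1
    return 0
}

# restore_backup ARCHIVE DIR -> unpacks into DIR (a scratch directory when
# rehearsing the restore; the live root when actually restoring)
restore_backup() {
    mkdir -p "$2" && tar -xzf "$1" -C "$2"
}

# Usage: MAGE_DB=shop sh magento_offsite_backup.sh demo /var/www/html/magento /mnt/backup
if [ "${1:-}" = "demo" ]; then
    a=$(make_backup "$2" "$3")
    if verify_backup "$a"; then
        echo "verified $a"
    else
        echo "VERIFY FAILED: $a" >&2
        exit 1
    fi
fi
```

The archive contains app/etc/local.xml, and with MAGE_DB set the full customer database, so the destination needs the access control discussed above; encrypting the .tgz before it leaves the server (for example with gpg) is the usual next step.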

7 MAGENTO SECURITY EXTENSIONS

This section gives a brief description of a number of extensions available that are aimed at improving security in Magento.

7.1 ET IP SECURITY [27]

- Description: Allows access to the shop's visitor web pages to be restricted by IP address or IP mask.
- Compatible with: 1.3, 1.4, 1.4.1.1, 1.4.2, 1.5, 1.6, 1.6.1, 1.6.2.0, 1.7
- Price: Free

7.2 IMPROVED ADMIN SECURITY [28]

- Description: Improves the security of access to the shop's administration section by adding two-step verification with Google Authenticator [29].
- Compatible with: 1.4, 1.4.1.1, 1.4.2, 1.5, 1.6, 1.6.1, 1.6.2.0, 1.7, 1.8
- Price: $39.00

7.3 IMPROVED ADMIN SECURITY 2.0 [30]

- Description: Permits the use of two-factor authentication based on the Google Authenticator application.
- Compatible with: Magento CE 1.4.1, Magento CE 1.4.2, Magento CE 1.5, Magento CE 1.6, Magento CE 1.7, Magento CE 1.8
- Price: $89.00

7.4 MAGEPIM PHPIDS SECURITY INTEGRATION [31]

- Description: A module integrating Magento and PhpIDS.
- Compatible with: 1.5, 1.6, 1.6.1, 1.6.2.0, 1.7
- Price: $60.00

[27] http://www.magentocommerce.com/magento-connect/et-ip-security.html
[28] http://www.magentocommerce.com/magento-connect/improved-admin-security.html
[29] https://support.google.com/a/answer/175197?hl=es
[30] http://templates-master.com/magento-improved-admin-security-with-two-step-verification-by-google-authenticator.html
[31] http://www.magentocommerce.com/magento-connect/magepim-phpids-7654.html


7.5 ENHANCED ADMIN SECURITY: TWO-FACTOR AUTHENTICATION [32]

Description: This extension uses XTENTO two-step authentication: additional security information that is needed whenever a session is to be started in the Magento back-end. Apart from the username and password, it is necessary to provide a security code for identification. This security code is generated on a smart-phone and remains valid for just 30 seconds.
Compatible with: 1.3, 1.4, 1.5, 1.6, 1.7, 1.8
Price: $49.00

7.6 ADMIN LOGGER [33]

Description: Admin Logger is an extension to Magento that records all the actions taken in the Magento back-end. This extension keeps a record of when the administrator is logged on, what pages are visited and what changes are made. Hence, this information constitutes a detailed history of data modifications and the dates on which they were performed. It is useful for supervision, investigation or any auditing work that may be necessary.
Compatible with: 1.3, 1.4, 1.5, 1.6, 1.7, 1.8
Price: $49.00

7.7 MAGEBACKUP - BACKUP SOLUTION LITE [34]

Description: MageBackup Lite is the free version of the Magento extension MageBackup. This version provides a function for making backup copies of the web-site. The main features are:
- Quick Backup: This extension is optimized for best performance on Linux and Windows servers.
- Backup Copying of Files, the Database or Both: It is possible to make backup copies of individual files, the database, or both files and database.
- Exclusion of Folders: It is possible to omit folders from backup copying.
- Auto Backup: MageBackup is compatible with Magento cron for making backup copies automatically.
- Backup Administration: This function allows backup copies to be added and edited.
Compatible with: 1.4, 1.4.1.1, 1.4.2, 1.5, 1.6, 1.6.1, 1.6.2.0, 1.7
Price: Free

32 http://www.magentocommerce.com/magento-connect/enhanced-admin-security-two-factor-authentication-4816.html
33 http://www.magentocommerce.com/magento-connect/admin-logger-1.html
34 http://www.magentocommerce.com/magento-connect/mageback-up-back-up-solution-lite.html


7.8 AUTOBACKUP [35]

Description: This is an extension that permits scheduling of automatic backups of the database.
Compatible with: 1.4, 1.4.1.1, 1.4.2, 1.5, 1.6, 1.6.1, 1.6.2.0, 1.7
Price: $50.00

7.9 MAGEPLACE BACKUP EXTENSION [36]

Description: This extension is intended to make backup copies of the Magento shop web-site to an independent external server. In this case, backup copies can be saved away from the server in storage services like Google Drive, Box.com, Dropbox or Amazon, but with quick and easy access so that in the event of an emergency they can be used rapidly. This extension also allows scheduling of automatic backups of the database.
Compatible with: 1.4, 1.4.1.1, 1.4.2, 1.5, 1.6, 1.6.1, 1.6.2.0, 1.7, 1.8
Price: $149.00

35 http://www.magentocommerce.com/magento-connect/autoback-up.html
36 http://www.magentocommerce.com/magento-connect/mageplace-back-up-extension.html


LIST OF ILLUSTRATIONS

Illustration 1. - Volume of Sales through E-Commerce. (Source: Morgan Stanley Blue Paper: E-Commerce Disruption - A Global Theme) ........ 5
Illustration 2. - Quarterly Changes in the Volume of E-Commerce and Inter-Year Variations. Figures are in millions of euro and as a percentage. (Source: IT 2013 Report on E-Commerce from the CMT) ........ 6
Illustration 3. - A Study of E-Commerce Platforms Based on Alexa. (Source: aheadworks) ........ 7
Illustration 4. - End-User Licensing Agreement for Magento. ........ 12
Illustration 5. - Configuring Localization for Magento. ........ 13
Illustration 6. - Configuring the Database. ........ 13
Illustration 7. - Options for Configuring Web Access in Magento. ........ 14
Illustration 8. - Configuration of Session Storage. ........ 15
Illustration 9. - Configuration of the Administration Account. ........ 16
Illustration 10. - Final Magento Installation Screen. ........ 16
Illustration 11. - Configuring SSL in Magento. ........ 17
Illustration 12. - Permissions for Files and Folders. ........ 20
Illustration 13. - Access Route to the Magento Backup Panel. ........ 24
Illustration 14. - Different Backup Options in Magento. ........ 25
Illustration 15. - Request for a Backup Name. ........ 25
Illustration 16. - Extracting a Backup Copy from the Server. ........ 26
