How to secure osCommerce and CRE Loaded site ?
To prevent site hacking you need to install the following contribution.
1] Site Monitor
2] Security pro
3] Ip trap
4] .htaccess Protection
5] Anti XSS
6] Register Globals patches
7] Check permissions
8] Admin access level
9] Captcha for create account & reviews & contactus
10] .htaccess Protection For images Directory
11] Stop spamming.
Site Monitor :
If someone is trying to hack your site, they can alter your files to send them your customers information. We have seen this happen several times, thus the genesis of this contribution. This contribution will create a record of your files so that they can be checked at a later date. If any files have been added or deleted, or the size, timestamp or permissions were changed, you are notified via email. The script can be ran manually, but the best way is to set up a cron job so that the files are checked automatically on a daily basis.
************** OPTIONAL CRON *******************
If you don’t want to have to run it each time to check for differences, you can setup a cron job to have the script ran automatically. This is not required but is the preferred way. The following explains how to do this. Your host has to have this feature enabled.
To set up the cron job, add the following as the cron command:
php /home/username/public_html/catalog/admin/sitemonitor.php
Note : you need to change username to your username and the path to the sitemonitor.php file must be correct. Also, some hosts require a different syntax for the command. Ask your host if you run into problems.
There should also be settings for Minute, Hour, Day, Month and Weekday. If you place an asterisk (*) in these fields, then it means any time at all. If a number is placed in that field, it means just that one time. For example, if you place a 10 in the minute field and a * in all of the other fields, the job will be ran every hour of every day at 10 past the hour. Now, if you replace * in the hour field with a 12, the script will be called everyday at 12:10.
If you have a large site, the script might time out before all of the files are checked. When, or even if, that timeout occurs will depend upon your server. If you find that the script is not completing, then you may need to exclude some directories. This can be done in the admin->Sitemonitor->Configure section.
****************************************************
IMPORTANT NOTE:
There is a place in the configure file to load the username and password of admin. This is needed in order to allow curl to be used. But if the configure page is filled in while on a non-secure page, it is possible for someone to obtain that login information. Using curl is not required unless your server won’t allow fopen to be used. In that case, you should enable ssl for your admin so entering this information is safe. Otherwise, the curl options in the
sitemonitor_configure.php file can be ignored (set to blank spaces).
*****************************************************
Security pro :
What is Security Pro?
Security Pro is simply a security function that cleans $_GET/$HTTP_GET_VARS/$_REQUEST(The $_GET part) at source. This being application_top.php. The variables are cleaned recursively the key concept being that we ALLOW characters into the querystring as opposed to attempting to “clean” some bad characters. Having implemented Security Pro your querystring should be safe as long as the contribution/code calls application_top.php.
Note: Unlike other contributions, this one will break more things the better it gets.
Most important: Test fully your important systems after adding this . especially payment/shipping etc.
*******************************************************
Ip trap :
This contribution traps bad bots and anyone taking too much interest is you site. It’s a full contribution that is automatic and hassle free for you to have. It offers you security from some of the nasty’s out there.
The contribution works by setting up a trap in a folder that only bad bots, or someone poking around in your site will come across (hackers use the Robots.txt to try and find sensitive file on your server) it then redirects then to a message page that tells them they are blocked, at the same time writing their IP number to file.If they try to return they will only get the blocked message.
******************************************************
.htaccess Protection :
this contribution contains scripts that help you protect your site via your htaccess file.
Some great tools here for your protection.
Also for those who use the IP trap there is a separate file you can copy and paste in to the IP_Trapped.txt file on your server.
Hope it helps, and prevents you having your sites hacked!
****************************************************
Anti XSS
Stop Cross Site Scripting attacks with Anti XSS.
Protect your webshop against XSS attacks or HTML code being saved in your database with this 5 seconds modification.This fixes the whos_online.php vulnerability.
Improve security when storing variables into database by not just sql injection protect them, but also make sure they dont include HTML tags which without can be a Cross Site Scripting (XSS) vulnerability.
****************************************************
Register Globals :
This is a patch that will remove the need to enable ‘register_globals’ in the php.ini file. In fact, once it is applied,, register_globals MUST be disabled from php.ini or through .htaccess otherwise it will not work.
****************************************************
Check permissions :
Do you want to check the file and directory permissions on your server match those specified in the post installation instructions in the knowledgebase?
You can run this feature in 2 modes. Check and Update. One shows what would be done if the permissions, which you can set on the screen, are applied and the other shows the changes actually made.
It is possible that your server will throw 500 “Internal Server Error” if you set the permissions to values they do not like. As you get a display of all the changes made, make sure you test your site before you leave the results page. (You can set everything back.)
Also it would be good if you know how to change permissions from your ISP’s control panel and using an ftp client such as filezilla.
******************************************************
Admin access level :
This contribution contains the assign access level to Administration Tool for each admin member.
For example.
If admin group id “1-Top Administrator” and assign all the permision to access the sites pages.
If admin group id “2-Marketing” and assign permision to access the sites specific pages.
If top adminitrator login then all the site content will display and allow the access to all the pages.
If Marketing person is login then it will display on that site content that the top administrator allow to access.
*****************************************************
Captcha for create account & reviews & contactus :
This adds a Random-graphical-text Validation field in Registration form to protect your osC Shopping Cart from being flooded of robotic-member-registration (like many free webhost signup form…).
******************************************************
.htaccess Protection For images Directory:
.htaccess protection for images directory contribution contans the script that help to protect your images directory(admin and user both).
Why use .htaccess Protection For images Directory?
– If someone try to hack your site images directory to delete all the sites images and upload any script file.
But this contribution deny the permission to execute the script .
The script will not run in browsers and redirects to “404 error page”.
****************************************************
Stop spamming :
This contribution will check the request coming is of browser request and not from bots.
**************************************************