8 Oct
2013
8 Oct
'13
9:01 p.m.
Dear All
Yesterday I friend asked me how I'd build a webstore. I told him that I
would take something like Magento[1] or OpenCart[2] for that. But I could
not tell him how I'd set things up to protect the store against getting
compromised. Could anyone come up with a suggestion on how to build up a
webstore securly using bitfolks infrastructure?
Cheers,
Sam
[1] http://www.magentocommerce.com/download
[2] http://www.opencart.com/index.php?route=download/download
--
Samuel Bächler
Obere Bläsistrasse 1
8049 Zürich
Web: boeser.ch
Tel: +41(0)43 817 46 28
Mob: +41(0)79 478 49 42
9 Oct
9 Oct
12:04 a.m.
Hi Sam,
On Tue, Oct 08, 2013 at 11:01:40PM +0200, Samuel Bächler wrote:
Yesterday I friend asked me how I'd build a
webstore. I told him that I
would take something like Magento[1] or OpenCart[2] for that. But I could
not tell him how I'd set things up to protect the store against getting
compromised. Could anyone come up with a suggestion on how to build up a
webstore securly using bitfolks infrastructure?
Assuming that the payment processing will be taking place externally
to the VPS, e.g. via some sort of payment gateway third party, which
is common, then really your question becomes:
How do I securely run large, popular PHP web applications on a
small virtual server?
That's a big topic but I feel confident that if you took simple
measures such as:
- Stay absolutely on top of security updates for the application
itself
- Put some effort into securing any administrative web interfaces,
like phpmyadmin or whatever
- Restrict administrative access wherever possible, as much as
possible
- Reiterate those restrictions with IP-level blocks, for example, if
only a few people need access to particular URL spaces used for
admin functions, then by all means restrict access to those URL
paths by IP address. That would be like the wp-admin/ URLs in
Wordpress - why let people view them if you don't need to?
- Make as much as possible of the web space the application runs
from read-only
- Research the given application's community for tips and tricks of
securing it. There are often simple measures that frustrate the
vast majority of the attacks out there.
then I think you would be ahead of 90%+ of the other people running
the same popular app.
And that is really all you need.
Most compromised VPSes I see did none of the above and attackers got
in via very simple means.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
"SCSI is usually fixed by remembering that it needs three terminations: One at
each end of the chain. And the goat." — Andrew McDonald
7:17 a.m.
On Wed, Oct 9, 2013, at 01:04 AM, Andy Smith wrote:
That's a big topic but I feel confident that if
you took simple
measures such as:
- Stay absolutely on top of security updates for the application
itself
Although all the other suggestions below are sensible and relatively
easy to do, this one would have stopped I think every compromise I've
seen in recent times. Get yourself on the security mailing lists and
apply updates ASAP - which is trivial these days for most popular bits
of software I've used.
The only other thing I'd really add is to make sure you keep good
backups and be prepared to nuke from orbit and start again as quickly as
you can if the worst happens.
- Put some effort into securing any administrative web
interfaces,
like phpmyadmin or whatever
- Restrict administrative access wherever possible, as much as
possible
- Reiterate those restrictions with IP-level blocks, for example, if
only a few people need access to particular URL spaces used for
admin functions, then by all means restrict access to those URL
paths by IP address. That would be like the wp-admin/ URLs in
Wordpress - why let people view them if you don't need to?
- Make as much as possible of the web space the application runs
from read-only
- Research the given application's community for tips and tricks of
securing it. There are often simple measures that frustrate the
vast majority of the attacks out there.
then I think you would be ahead of 90%+ of the other people running
the same popular app.
And that is really all you need.
Most compromised VPSes I see did none of the above and attackers got
in via very simple means.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
"SCSI is usually fixed by remembering that it needs three terminations:
One at
each end of the chain. And the goat." — Andrew McDonald
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
Email had 1 attachment:
+ signature.asc
1k (application/pgp-signature)
--
Richard Dignall
richard(a)dignall.co.uk
www.bebackedup.co.uk
11:12 a.m.
On 09/10/13 01:04, Andy Smith wrote:
<snip>
Assuming that the payment processing will be taking
place externally
to the VPS, e.g. via some sort of payment gateway third party, which
is common, then really your question becomes:
How do I securely run large, popular PHP web applications on a
small virtual server?
<snip>
then I think you would be ahead of 90%+ of the other
people running
the same popular app.
And that is really all you need.
I'd like to concur. You don't need to outrun the lion, you just need to
outrun your companion. So as long as there are plenty of insecure
sites that are easier to hack than yours, you are very unlikely to get
hit.
Bearing in mind therefore that a lot of attacks are dumb scripts, it's
a good idea to change default locations and names where possible, e.g.
use /adm111 rather than /admin, or change the default database table
prefix e.g. qz-users rather than wp-users (for wordpress).
Similarly, no harm in putting an htauth password around any admin areas,
to work in addition to the existing password protection. A (slightly
trendy) phrase kicking around these days is "the swiss cheese model":
basically, things go wrong when the holes line up [0]. So although
your username / password pairs should be strong enough [1] if
you inadvertently create a weak one ('test' / 'test') then either an
obfuscated URL or an additional password will keep you safe - and both
together should ensure it. [2]
Interestingly I got passed a list of things to be done to a wordpress
site that is going to use Paypal Pro to take credit card details on site
and therefore needs PCI compliance. They include:
* Resolving OpenSSL problem
* Configuring an SSL cert for FTP.
* Update PHP to be above 5.5.2 | 5.3.28
* Maybe update Apache to be > 2.2.25
* Add SSL for 'www.domain.net'
* Remove the phpinfo.php file from 'http://www.domain.net'
* Disable cPanel user URLs (~user)
* Disable networking on MySQL.
I've commented that it's like padlocking the second floor windows
when on the ground floor there's a load that will open with a
quick shove... the site has no less than 40 wordpress plugins.
IMO it's just a matter of when, not if, one of them is found to
have an injection flaw or similar.
[0]
http://taranevenmrt.wordpress.com/2013/05/03/when-the-holes-line-up-its-tim…
[1] Strong enough can actually be quite simple. You don't NEED 15
character passwords in most situations.
[2] A useful aviation concept from the world of aerobatics - always
practice at least "two mistakes high", i.e. you can mess up twice in
a row and *still* not hit the ground.
7:48 a.m.
Magento seems to be the gold standard for shopping carts, however I
find the implementation a bit scary.
Isn't there such things as a statically built shopping site that does
all shopping cart stuff via Javascript nowadays?
I thought Etsy did this "my way", but when looking at the resources
tab in Chrome dev tools, I can't find evidence of this.
Kind regards,
7:52 a.m.
On 2013-10-09 08:48, Kai Hendry wrote:
Magento seems to be the gold standard for shopping
carts, however I
find the implementation a bit scary.
I have set up both Magento and OpenCart, I would recommend OpenCart for
ease of use and good community support. I recently had a user switch
back to OpenCart because they didn't get on with Magento.
8:07 a.m.
On 8 October 2013 22:01, Samuel Bächler <baechler(a)boeser.ch> wrote:
Yesterday I friend asked me how I'd build a
webstore. I told him that I
would take something like Magento[1] or OpenCart[2] for that. But I could
not tell him how I'd set things up to protect the store against getting
compromised. Could anyone come up with a suggestion on how to build up a
webstore securly using bitfolks infrastructure?
Has your friend tried selling their products on the hosted alternatives
such as Amazon, ebay, or Shopify and proven the market for whatever he or
she is selling? A simple, static product webpage with a link to an online
store might suffice for now.
Online stores in general and payment processing in particular are pretty
time-consuming to set up and it's easy to get carried away and do a lot of
work on e.g. branding and customisation before you understand that the
fundamental business is sound. Once you've made a few sales on a hosted
solution you'll also have a far better understanding of which features are
important when building your own platform.
Cheers,
Graham
4092
days inactive
4093
days old
6 comments
7 participants
participants (7)
-
Andy Smith -
Dom Latter -
Graham Bleach -
Kai Hendry -
Richard Dignall -
Samuel Bächler -
Simon