====== Setting up security ======
Here you will find some hints and tips on how to stop hackers from compromising your store.
=== Preventive Measures ===
- Rename your admin folder
- Lock down admin access
- Use secure passwords
- CHMOD your files to the correct settings - [[Check Permissions]]
- Turn off tell a friend
- Install a captcha form on your contact us page
- Monitor unauthorised file changes - [[Sitemonitor]]
- Make sure you have installed all of the security patches (these are not optional)
- Check your local machine for Malware, Keyloggers, Trojans, etc.
- If you are running an osCmax version below 2.0.4 - remove filemanager.php and define_language.php - [[http://www.oscmax.com/blog/michael_s/security_notice_oscmax_204_released|Patch]]
=== The Cure ===
* What to do if you are hacked?
----
===== 1. Rename your admin folder =====
In order to prevent people from trying to hack your admin panel you should rename your admin folder and update your configure.php file.
* Open admin/includes/configure.php
* Edit these lines so that both paths use the new folder name instead of ''admin'':
''define('DIR_WS_ADMIN', '/admin/');''\\
''define('DIR_FS_ADMIN', '/home/mystore.com/www/public/admin/');''
* The more obscure the name the better - try to use numbers and letters.
If you have an SSL certificate then access your new admin directory [[activate_ssl|securely]].
===== 2. Lock down admin access =====
* Give users secure user names
* Ensure that users use secure passwords - letters, numbers, upper and lower case, symbols etc
* [[Restrict IP access|Set the admin .htaccess to only allow your IP address]]
Restricting access by IP address is often not practical because many ISPs assign IP addresses dynamically. Only implement it if you know you have a fixed IP address or have some other method of managing your IP address.
===== 3. Use secure passwords =====
* Ensure that users use secure passwords - letters, numbers, upper and lower case, symbols etc
* Apply the same standard to every password you use, i.e. on your admin, FTP, Windows login, etc.
* [[http://en.wikipedia.org/wiki/Password_strength | Wikipedia on passwords]]
* Install a [[http://www.oscmax.com/forums/oscmax-v2-customization-mods/18116-add-google-style-password-strenght-monitor.html | password strength monitor]] to promote security.
===== 4. CHMOD your files to the correct settings =====
The most common cause of hacks is code inserted into files and folders whose permissions leave them writable by the web server (unprotected files and folders).
* Folders should be CHMOD to a maximum of **755**.
* Files should be CHMOD to a maximum of **644**.
* Both configure files should be a maximum of **444**.
However, if you are using **suPHP** on your server (PHP then runs as your own user, so files do not need to be readable by the web server user; ask your host if you are not sure or run this [[suPHP check]]) then:
* Files should be CHMOD to a maximum of **600**.
* Both configure files should be a maximum of **400**.
=== Install Check Permissions ===
* Install [[Check Permissions]] which goes through your entire site to check that all your files are set to the correct CHMOD.
* It will also check that you have removed the install directory, renamed your admin folder and have a backup directory.
* Once you have checked your site - you can then update all of the incorrectly CHMOD files.
If you are a slightly more advanced user, you can use a tip from Michael_S and set the permissions directly on the server.
These commands can be run from the Linux command line or from an executable file via a cron job.
Here is the command to set all directories (run from your store's root directory; the '';'' must be escaped as shown so that the shell passes it to ''find''):
**''find . -type d -exec chmod 755 {} \;''**
Here is the command to set all PHP files:
**''find . -type f -name "*.php" | xargs chmod 644''**
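As an added example (not code from this wiki or from the Check Permissions mod), here is a small POSIX shell script that applies the scheme above, with a switch for suPHP servers, and then audits for anything still group- or world-writable. It assumes the two configure files live at ''includes/configure.php'' and ''admin/includes/configure.php''.

```shell
#!/bin/sh
# Added example (not code from the osCmax wiki or the Check Permissions mod):
# apply the CHMOD scheme above to a store root and audit what is still writable.
# Assumptions: the two configure files sit at includes/configure.php and
# admin/includes/configure.php (adjust the second path if you renamed admin).
set -e

# harden_perms STORE_ROOT [plain|suphp]
harden_perms() {
    root=$1
    if [ "${2:-plain}" = "suphp" ]; then
        file_mode=600; conf_mode=400   # PHP runs as your own user under suPHP
    else
        file_mode=644; conf_mode=444   # mod_php: the web server user must read them
    fi
    # Directories 755.  "-exec ... {} +" is POSIX and avoids the unescaped ';'
    # pitfall of the one-liner above.
    find "$root" -type d -exec chmod 755 {} +
    # Every regular file, not just *.php: .htaccess, images and includes
    # should not be writable by the web server user either.
    find "$root" -type f -exec chmod "$file_mode" {} +
    # The configure files hold the database credentials: read-only.
    for f in "$root/includes/configure.php" "$root/admin/includes/configure.php"; do
        if [ -f "$f" ]; then chmod "$conf_mode" "$f"; fi
    done
}

# audit_perms STORE_ROOT: list anything group- or world-writable (777, 666, ...)
# and return 1 if there is any, so a cron job can alert on it.
audit_perms() {
    bad=$(find "$1" \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$bad" ]; then
        printf 'still writable by group/others:\n%s\n' "$bad"
        return 1
    fi
}
```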
===== 5. Turn off tell a friend =====
This infobox allows unscrupulous users to send unsolicited emails to other people through your server.
* Disable this infobox by going to Admin --> Infoboxes --> Press the red icon next to the box.
===== 6. Install a captcha form on your contact us page =====
* Install a [[http://www.captcha.net/ | Captcha Check]] using [[http://www.oscmax.com/projects/release/contact_short_captcha|this module]]
===== 7. Monitor unauthorised file changes =====
In order to do this you will need to install [[SiteMonitor]].
===== 8. Make sure you have installed all of the security patches =====
Make sure that you have installed all of the security updates for osCMax. You can get updates about osCMax from [[http://www.oscmax.com/blog/michael_s | Michael_S's blog]]
===== 9. Check your local machine for Malware, Keyloggers, Trojans, etc. =====
There are a number of [[useful_software|decent freeware or open source]] anti-virus and anti-malware packages available for download.
===== 10. Remove filemanager and define_language =====
The following files must be removed from your site's administrative panel folder:
**/admin/file_manager.php \\
/admin/define_language.php**
Removing these files will close a security vulnerability.
====== What to do if you are hacked? ======
Okay the worst has happened ... Here is what you need to do: (Source: Michael_S, osCmax forums)
- Do a complete scan on all your work computers (machines that you access your site from). Make sure you have no malware, trojans, viruses, etc. Once you have certified your machines are clean go to step 2.
- Change all your passwords. This includes ALL passwords related to your site. FTP (all ftp accounts), Control Panel, osCMax admin panel (all admin accounts), mysql database password, email account passwords.
- If you have a clean backup, completely wipe your files (all directories and files). Then restore your clean backup. This will guarantee no backdoor files left hidden somewhere in your file tree.
- Double check all of the admin settings including email addresses, payment details, store name, copy emails to etc.
- Lock down permissions. This means absolutely no directories or files with 777 permissions at a bare minimum. You should remove write permissions from all directories and files that do not need it.
- Change behavior - stop using clear text email and ftp. Only use encrypted email (pop3/smtp logins and data transmission) and encrypted ftp (FTPS, FTPES or SFTP).
===== The Eval base64 hack =====
* This is a common hack to osCommerce stores. If you see anything that looks like
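An added example (not code from this wiki or from the SiteMonitor mod) that covers section 7 and the hack named here: a file-change baseline built with POSIX tools plus a sweep for ''eval(base64_decode('' in PHP files, both suitable for a cron job. STORE_ROOT is assumed to be the store's document root, and the baseline file is assumed to be kept outside it.

```shell
#!/bin/sh
# Added example, not code from the osCmax wiki or from the SiteMonitor mod.
# Uses only POSIX tools (find, cksum, sort, diff, grep) so it can run from
# cron on a shared host.  STORE_ROOT is assumed to be the store's document root.
set -e

# snapshot_tree STORE_ROOT: checksum, size and path of every file, sorted by
# path, so a later run can be diffed against it.  cksum is a CRC, enough to
# notice unexpected edits; use sha256sum or shasum where available.
snapshot_tree() {
    find "$1" -type f -exec cksum {} + | sort -k3
}

# check_tree STORE_ROOT BASELINE_FILE: keep the baseline outside STORE_ROOT.
# Prints added, removed and changed entries and returns 1 if anything differs.
check_tree() {
    live=$(snapshot_tree "$1")
    if [ "$live" = "$(cat "$2")" ]; then
        return 0
    fi
    printf '%s\n' "$live" | diff "$2" - || true
    return 1
}

# scan_eval_base64 STORE_ROOT: list PHP files containing eval(base64_decode(
# (case-insensitive, whitespace tolerated) and return 1 if any were found.
# Compare hits against a clean backup rather than editing them in place.
scan_eval_base64() {
    hits=$(find "$1" -type f -name '*.php' -exec grep -l -i -E \
        'eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\(' {} + 2>/dev/null) || true
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
}
```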