Linux System Administration

Magento emails & SMTP

Emails are a very critical portion of an eCommerce website. There are 2 types of emails that are used – transactional and promotional.

Transactional emails are emails the eCommerce system sends for regular customer activity – such as order confirmation email. It may also include abandoned cart email, wish list reminders, password change, etc. If a website visitor action causes an email to go out, it is a transactional email.

In this article we will discuss the best way to configure transactional email sending in Magento. This article applies to both Magento 1 and Magento 2. The focus is on what happens on production systems.

The SMTP Plugin

Traditionally Magento agencies and developers install a “SMTP Plugin”. A simple search in Magento marketplace for SMTP reveals many options. Some are general plugins that allow you to connect to any SMTP provider, others are from vendors such as SendGrid.

Advantages of such plugins are

  • Easy setup
  • Developer testing is easy
  • Websites on shared hosting have to use such a plugin

However, for growing websites, this is a particular problem

  • Outgoing ports from the application server may not be open
  • Many SMTP providers have restrictions such as rate limit on email sending or number of connections. Some SMTP plugins may not handle this condition well - just reporting the error vs trying to send again.
  • They may not be able to alert when email sending is down
  • When upstream providers' SMTP service is down or slow, cron will slow down as each email times out on sending. (Magento sends emails in cron).

Using postfix

By default, Magento sends emails to the local system where php is running. Linux systems have many options for receiving such requests and sending out the emails. A popular software is postfix. While postfix can directly send emails to the recipients’ email systems, we are interested in the “relay host” mode of postfix. In this mode, postfix acts to relay emails sent to it from Magento to the upstream provider – such as SendGrid.

Advantages of postfix

  • Postfix has an inbuilt queue. When the upstream server’s rate limit is reached, a “defer” status is returned. Postfix understands this and it will queue deferred emails and keep retrying. Emails are not lost.
  • Magento cron will deliver to local postfix in a matter of milliseconds, freeing up cron to perform other activities.
  • Connections can be pooled so if many emails are in queue they will be pooled together and sent using a single connection. Some SMTP servers, notably gmail, have a rate limit on the number of connections.
  • Log files that can be checked by system admins. Log files can also be sent to a log collection tools. Advanced commands help checking the queue, even trimming it using conditions such as email subject.
  • Flexible configuration allows many features – on a staging server for example, only whitelisted recipients can receive emails, preventing accidental trigger of email to customers. Or emails to known spammers can be filtered by email id or domain.

Installation and configuration

Installing postfix is easy – the package is part of any linux system. For RHEL based system like CentOS :

sudo yum -y install postfix
sudo yum -y install cyrus-sasl-plain cyrus-sasl-md5

Configuring postfix to act as a relayhost.

Click on the tab below to see configuration information for the specific SMTP service being used. Commands below should be run as root (or sudo). Ownership of files created, especially the password files is assumed to be root.

  1. Sign in to SendGrid and go to Settings > API Keys.
  2. Create an API key.
  3. Select the permissions for the key. At a minimum, the key must have Mail sendpermissions to send email.
  4. Click Save to create the key. SendGrid generates a new key. This is the only copy of the key, so make sure that you copy the key to clipboard and use if for the next step.
  5. Create the hashmap from the key
    echo [smtp.sendgrid.net]:2525 apikey:{{{PASTE}}} >> /etc/postfix/sasl_passwd
    postmap /etc/postfix/sasl_passwd
    rm /etc/postfix/sasl_passwd
    chmod 600 /etc/postfix/sasl_passwd.db
  6. Add to postfix configuration file main.cf
    cat >> /etc/postfix/main.cf <<EOF
    smtpd_tls_security_level = may
    # enable SASL authentication
    smtp_sasl_auth_enable = yes
    # tell Postfix where the credentials are stored
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous
    header_size_limit = 4096000
    relayhost = [smtp.sendgrid.net]:587
    smtp_tls_CAfile =/etc/pki/tls/certs/ca-bundle.crt
    EOF
  7. service postfix restart
  1. Signup for maligun account.
  2. Get credentials for maligun. Mailgun has an option for SMTP username and password under the Domains section of the mailgun portal.
  3. Create the hashmap from the key
    echo [smtp.mailgun.org]:2525 {{user}}:{{password}} >> /etc/postfix/sasl_passwd
    postmap /etc/postfix/sasl_passwd
    rm /etc/postfix/sasl_passwd
    chmod 600 /etc/postfix/sasl_passwd.db
  4. Add to postfix configuration file main.cf
    cat >> /etc/postfix/main.cf <<EOF
    relayhost = [smtp.mailgun.org]:2525
    smtp_tls_security_level = encrypt
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous
    smtp_tls_CAfile =/etc/pki/tls/certs/ca-bundle.crt
    EOF
  5. service postfix restart

Amazon SES is the most cost effective SMTP provider to our knowledge. However, it is also the most difficult to setup as it requires you to verify sender emails and sandbox mode (which we will not consider here).

  1. Login to your aws account
  2. Select “Simple Email Service” from the services
  3. Select Domains from the left menu
  4. Click “verify a new domain”
  5. Enter domain and click on verify
    SES will generate the TXT records you need to add to your DNS

    SES will also generate the DKIM CNAME record to be added to your DNS
  6. Ensure domain verification green status
  7. In the SES main screen, select “Email Addresses” from the left menu
  8. Enter the sender email address. Sender email address are set in Magento. Depending on your Magento configuration different emails may need to be configured. Each email needs a mailbox as a confirmation email is sent to it.
  9. Refer https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html to create SMTP credentials. Note username and password.
  10. Depending on the region your SMTP endpoint (relayhost setting in the main.cf below) will be different. Refer https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-connect.html
    Note : The region of SES is unimportant in that there are no restrictions from where the email is sent. Your Magento instance can be anywhere - not even on AWS.
  11. Save password
    echo [email-smtp.us-west-2.amazonaws.com]:587 USERNAME:PASSWORD >> /etc/postfix/sasl_passwd
    postmap /etc/postfix/sasl_passwd
    rm /etc/postfix/sasl_passwd
    chmod 600 /etc/postfix/sasl_passwd.db
  12. Update main.cf
    cat >> /etc/postfix/main.cf <<EOF
    relayhost = [email-smtp.us-west-2.amazonaws.com]:587
    smtp_sasl_auth_enable = yes
    smtp_sasl_security_options = noanonymous
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_use_tls = yes
    smtp_tls_security_level = encrypt
    smtp_tls_note_starttls_offer = yes
    smtp_tls_CAfile =/etc/pki/tls/certs/ca-bundle.crt
    EOF

Advanced configurations

Postfix relay gateway

In a more mature environment, each php server may not be able to send on SMTP ports. Even in the presense of a NAT gateway, we would recommend a main postfix gateway to ease logging and prevent loss of emails when an instance is lost in autoscaling. With postfix we can create a relay – php servers are configured to send email to a designated email gateway server which in turn relays to the SMTP upstream server.

Sending promotional emails

Promotional emails should ideally not originate from your website – instead they should be from your marketing tools. However, Magento does support sending promotional emails. To improve deliverability of crucial transactional emails, we recommend using a different sender email domain for promotional emails. If this is configured in Magento, postfix can handle sending promotional emails from a upstream service different from the transactional service. Assuming username / passwords have been created in the SMTP service for the promotional domain, the following configuration allows selecting the relayhost to use based on the sending domain.

cat << /etc/postfix/main.cf >>EOF
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_map
EOF

cat << /etc/postfix/relayhost_map >>EOF
user@promodomain  [smtp.xxx.com]:{{port}}
EOF

Add the new domains passwords as the first line in /etc/postfix/sasl_passwd

user@promodomain  {{user}}:{{password}}

luroConnect and Magento emails

The configurations described above are abridged versions of what is used in luroConnect. We use the advanced configuration with a designated server allowed to communicate on port 587 to the outside. We also use secure keys to ensure passwords are not saved in chef cookbooks / configurations. Instead they are stored in a secure key store.

Interested in knowing about the advanced architecture of luroConnect?

Fill the form below and we will contact you.

    My company owns the Magento site Yes, I am a developer I represent a Magento Agency

    Reactions to this post on linkedin

    Enterprise grade security for your Magento website

    At a time when data theft and leaks are more real than ever, don’t be the next one to explain the reason for a security breach. With threats growing in number, type and modality of attack every day, multiple layers of security are needed, so if one layer were to be breached, another would yet protect.

    Introduction

    Today, security of a Magento web server is a major requirement for the success of the business that runs on it. With threats growing in number, type and modality of attack every day, multiple layers of security are needed, so if one layer were to be breached, another would yet protect.
    With attackers using automated scanners or bots, being small or infamous is no reason to feel secure. Attackers will probe for vulnerabilities and break in before deciding if you had anything of worth.

    In this article we discuss various aspects of security and how luroConnect helps in getting your website an enterprise grade security.

    Securing the Magento Application

    Magento patch updates

    Magento is a well maintained software. Magento routinely releases patches even for the community edition. Keeping patches uptodate is important. When magento releases a patch, while it helps you keep your site secure, it also announces vulnerabilities of an unpatched system to the world.
    A major hurdle in patch application is when the Magento core files have been modified by developers. Developers do this in answer to high time and cost pressures or for not knowing better.

    luroConnect service always patches customers at the earliest — if you have not opted out of the service.

    Purchasing plugins from dependable vendors

    While Magento is good at giving updates using patches, plugin vendors are not so motivated. Plugins are paid for once and quite often updates require one to be on a maintenance plan. So, while selecting a plugin vendor, keeping the vendors track record would be good idea in the future.

    There are many areas where vendors fail to think about security and the following are but a few examples.

    Magmi is popular extension for product upload. However, it is known to have security issues. The developer acknowledges this and has advised not using the web interface. In our research and experience, most Magmi users use their UI, leaving security holes open. luroConnect makes magmi installation more secure by providing htaccess based second login, securing the magmi installation with permissions that disallow updates to this from the UI as well as disallowing php execution from Magento’s media folders.

    Some extensions require ability to write to folders and files that are unreasonable. With default access this seems to work but opens security holes. In our opinion rather than store plugin configurations in the database (core_config_data), plugins use files, sometimes generating php code. An example of a plugin (Aitoc_AdvancedPermissions) requires ability to change the etc/modules/Aitoc_AltPermissions.xml file.

    Some extensions use encrypted code — typically requiring ion decrypter. Apart from being legally on the fence, the requirement of installing a decrypter increases the risk of encrypted malware, making it difficult to detect the existence of malware, even with disk scans.

    PhpMyAdmin is another popular extension that makes a site unsecure. PhpMyAdmin uses the database username and password. If accessed from a unsecured url, the credentials of the database are transmitted over the internet in plain text form. Even with a secure URL, the database is left to be probed via username / password detection BOT that can try combinations.

    Magento’s open architecture has made a marketplace for developers. Custom development is crucial to the Magento’s success. Custom development from vendors who are aware of security is also crucial. Some aspects that we recommend asking developers include awareness in use of form keys, sql injection and avoidance techniques — specifically validating all input parameters before processing and use of Magento’s model architecture vs writing sql.

    Securing the Magento admin panel

    Using host file entries instead of DNS update for non public sites

    DNS entries are the starting point for all BOTs. Windows, Macs and linux allow an entry in the host file that helps the browser resolve a domain name (such as staging.domain.com or phpMyAdmin.domain.com) to a IP address. While not easily doable on a mobile for testing, we encourage use of host file entries to hide the actual domain name used.

    2-password Secure admin access

    Using htaccess (even in nginx) to protect admin URLs with a double authentication system, with both passwords being different. This thwarts most BOTs as they do not expect a basic authentication.

    Changing the admin url, possibly once a year.

    Magento allows obfuscation of the admin url. Selecting a non obvious url for admin and changing it as often as practical helps in preventing leakage of the url. In addition using a different admin url for development and staging compared to production will help keeping the URL on a need to know basis.

    Managing roles in admin

    Magento admin supports role based access. Giving roles on a need to know basis will protect against a threat popularly referred as “malicious insiders”.

    Use of captcha in admin and end user login

    Magento supports enabling captcha in admin. That ensures BOTs do not access the site and it thwarts possible username / password combination hacks.

    Using strong admin passwords and change them often.

    This is general advice for any password. Changing them often is also a general advice.

    Hiding Administrators role.

    Recently admin logins have been used to insert malicious code in header or footer "miscellaneous" html section. That has prompted us to advice to hide the administrator role - i.e. have no user with the permission to change that. When needed the role can be enhanced temporarily to access that setting.

    Database containment and Filesystem Security

    Limited privileges to write to code directories

    System level file, directory (folder) and process permissions are crucial. A different hosting user and web server user with limited permissions to the web server user is crucial to protect code directories. The hosting user can update the code but the web user is not able — preventing any attempt to upload code.

    Plugin and code updates only allowed via deployment process

    The deployment process may be as simple as git pull (we prefer git stash before git pull) or a CI based mechanism such as Jenkins.

    Readonly git access to live site

    If git pull is used to update a site, it is important to ensure that the git user used has readonly access. Even using a CI ensure the git user has readonly access.

    Configuration file protection against unauthorized changes

    Ensuring site specific configuration files such as env.php or local.xml are in their own git and versioned ensures a protected master copy. Monitoring changes to these files and alerting would be a good way to ensure their security.

    Only authorized access to code

    The webserver should not have permission to write to the code directory. That requires plugin updates via download manager are done on a staging or development server and code moved via git. Ensuring automation of code deployment will ensure only controlled access to the code.

    Watch our webinar on performance and scaling Magento

    Its free!

    Using analogy to vehicular traffic we explain performance and scaling in Magento.
    Key takeaways

    • Know how to compare hosting options
    • Importance of good code
    • How to scale
    • Tuning Magento

    Security at the edge — before traffic hits your application

    Nginx has many features that allow a very decent edge security — including protection against basic DOS attacks. However, one has to understand the terse configuration options and deflecting a DOS attack may require some manual steps during the attack. There are more automated solutions that one can consider for edge security.

    Rate limiting to block bots from accessing the site — with whitelist

    Nginx supports rate limiting. Rates can be set for a subset of URLs. Whitelisting of IPs is also allowed so for example your own IP need not have the limitation. Rates are configurable and can be specified in hits per seconds or minute and are best tested for a site for a appropriate number, and then monitored. luroConnect / Insight dashboard shows all IPs that were blocked helping in deciding to either block the IP or add it to whitelist.

    Automatic blocking of spambots by whitelisting bots

    Nginx also supports an ability to block BOTs using regular expressions for the User Agent identify text each BOT gives. Note that User Agents are easily faked, so this is not a very reliable way of detecting BOTs.

    Blacklist IPs from site access

    Nginx allows blacklisting IPs from accessing a site. A more advanced geoip resitrction can also be availed. luroConnect / Insight dashboard gives top 10 IPs accessing the site on any particular day. This information can be used to decide which IPs need to be blocked. Note that attackers quite often do not use static IPs, so the banned list needs periodic review or release from blacklist.

    Preventing php scripts from running in media folder

    Media folders will be open to update and write by the web process. Restricting execution of php on these folders will prevent a malicious upload to execute.

    Encryption of user data

    SSL certificate

    Being fully secure (using https over TLS) is becoming a requirement with Google’s ranking and expected indication. However, Magento has secure and unsecure URLs and by default all user data uses a secure URL. With LetsEncrypt project issuing auto renewable SSL certificates for free, there is no reason for a site not be fully secure. luroConnect service includes free LetsEncrypt certificates and auto redirect rules for http to https.

    Securing backup

    Security is as strong as the weakest link — securing the backup

    Backup file transmission encrypted

    Securing backup is an essential component of securing data. Using sftp or rsync over ssh one can ensure backup files are transmitted securely.

    Backup server shut after backup — ensure the backup is secure

    Backup data can be secured at rest. luroConnect goes a step further — backup server is different for each customer and run only when needed. The server is started before a backup starts and shut down at the end of the backup, ensuring its security.

    Disk scans

    Scanning disks for known vectors regularly is important.

    OS Security

    Patch updates

    Securing the server is ensured by patching the server with latest security updates and ensuring only required ports are open ensures security.

    Enable logs and monitor them

    Logs for outgoing emails possibly with subject line, mysql, web server, Magento logs should be enabled and monitored either automatically and continuously or manual and periodically. For example a spam email hack into the site may have left a malicious script that will send out emails. These emails and subject lines will be in the mail log. A high count of emails for example can be a reason to suspect a compromised system.

    Conclusion - Securing Magento requires many steps

    With new and sophisticated attacks on the rise, having multiple layers is important — a layer may occasionally break but the harm may not come as another layer will kick in. Nothing less than an entire set of enterprise grade security will be needed to secure a Magento site so it is always up for business. luroConnect managed hosting gives you all this and more.

    For a study of recent Web security breaches, read our article "Analysis of Recent Website Security Breaches"

    luroConnect is a managed hosting service for Magento, wherever you are hosted. Multi layered security is one of the aspects.

    Securing your Magento site

    Executive Summary

    Owning a Magento website means you have a resource you own and control on the internet. Keeping it secure in all aspects is a responsibility. You need to ensure

    • your business data is secure.
    • your customer data and privacy is secured.
    • your customer's computers are protected when accessing your website.

    Your privacy policy indicates your desire to keep your customers' data secure. You would intentionally not violate the policy but a cyber attack on your infrastructure can cause a violation.

    It is not required to be a famous to be in the eyes of the attacker - most attackers today prowl the internet looking for vulnerable sites and automatically get to work. New types of attacks are being designed and hence keeping a site protected is a continuous battle.

    As a person ultimately responsible for your website, you need to periodically review your security processes and see they are enhanced for new vulnerabilities.

    This article has an overview of the aspects of security you need to worry about. In addition it goes in depth as well to make it actionable.

    Aspects of security infrastructure for a Magento Website

    • Protection of the web edge infrastructure. Ensure you keep the bad guys out and the good guys in. Using a Web Application Firewall (WAF) with appropriate configuration will help.
    • Server protection. Ensure access to the server restricted, preferrably without a password, limit port access and protect files and folders with permissions that are just needed. Also ensure the server has the latest security patches installed. Need to know access should enforced. Code updates should be automated. A staging site should be used for updates from vendors. Plugins should be acquired from known and reputable vendors.
    • Code protection. Ensure your code is patched with the latest Magento (or any platform and plugins). In addition train developers to use safe practices to not leave holes.
    • User data protection in transit. Ensure https access to the entire site so all access is secured against in transit hacking as users use your website. Ensure all admin access is restricted either with dual password or two factor authentication or IP restricted.
    • Review all access periodically Change passwords and admin URLs regularly.
    • Run vulnerability scanners Vulnerability scanners are available for testing many aspects of security. Blackbox scanners such as Trustwave, Secure Works, help in checking if they can find external vulnerabilities. Static analyzers such as Fortify scan the code to find code level vulnerabilities.

    Protecting Web Edge Infrastructure

    The key role of this protection is to keep the bad guys out and allow the traffic you want in.

    At the minimum configure nginx or apache (your webserver) to

    • rate limit hits from a single IP address
      However, if you get legitimate hits from behind a firewall these may generate false positives. We recommend to log the IPs that get restricted and review. Whitelist the ones that are ok.
    • rate limit admin server access if you cannot IP limit the access to admin
      Many bots are trying passwords to get acsess to the admin panel
    • Have a mechanism in place to block IPs.

    As with any protection of this nature, detecting bad is a key. OWASP is an online community which has come up with a core rule set (CRS). A Magento site needs a WAF protection either on the nginx server level or with an external service such as Webscale Networks, Cloudflare, Sucuri.
    The OWASP ModSecurity Core Rule Set (CRS) provide protections against the following category of attacks.

    • SQL Injection (SQLi)
    • Cross Site Scripting (XSS)
    • Local File Inclusion (LFI)
    • Remote File Inclusion (RFI)
    • Remote Code Execution (RCE)
    • PHP Code Injection
    • Metadata/Error Leakages
    • Project Honey Pot Blacklist
    • GeoIP Country Blocking, etc
    System Admin Note

    mod_security is a open source project available for apache and nginx. Installation is not difficult. However, you need to tune the rules to your environment. Some rule tuning may require developer or marketing input.

    Protect the admin panel login

    • Change the admin URL periodically. Do not use the same name as in test or development environemnts
    • IP restrict admin access to only your known IPs
    • Put a simple http access in front of the admin URL - so there are 2 levels of usernames and passwords and it makes it non standard for automatic hacks
    • 2 factor authentication to admin panel – may need a plugin
    • Change all admin user passwords frequently
    • Monitor log file for frequent unsuccessful attempts to login

    Server Protection

    A hacked or broken in server - popularly shown in movies - gives access to your server to the hacker.  Web prowlers are continuously trying to see what ports are open in the server and what access they can get. Being a very traditional form of hacking, it is highly automated. By the very same count, protecting a linux server is not very difficult either. Follow some guidelines and review process.

    • Keep only known ports open and limit which IPs can access these ports
    • Disable any form of password access (like ftp, ssh). Use keys instead.
    • Keep server patched with latest security patches
    • Run only services that you need. For example never run ftp as it gives password based access to the server.
    • Follow very strict rules on file / folder permissions as well as linux groups and users
    • Periodically scan servers for viruses signatures
    • Periodically review access keys
    • Automate routine processes and restrict with keys including code update
    • If a db server is a separate server further restrict access to this server . If using a autoscale architecture, further restrict access to app servers as well.
    • Allow no exceptions - even for a critical fix do not give access to a developer for example.

    The following system admin note has technical details for linux system administrators to execute the strategies above

    System Admin Note

    Depending on the configuration we recommend the following incoming ports to be open :

    On the only app server without load balancer
    Port of external interface Protocol / usage
    80 http, main site open to the world if site not fully secure.
    443 https, main site open to the world
    22 ssh, possibly open only to specific IP addresses
    On the db server
    Interface / port Protocol / usage
    External / 22 Only if you must to restricted IP addresses
    Internal / 6603 Restricted to internal IPs that run app servers
    Internal / 22 Ssh access from the other servers
    Constellation of app servers, a db server and a nginx load balancer
    Host / Interface / port Protocol / usage
    Load balancer / external / 80, 443 http and https open to the world
    Load balancer / external / 22 ssh, possibly open only to specific IP addresses
    Load balancer / internal /2049 Nfs server
    Db server / internal / 6603 Mysql, for app server access
    App server / internal /1110 Nfs, for file access across all app servers

    Note : If using a load balancer device or service, port 22 access should be given to only the main app server, possibly the nfs host.

    System Admin Note : ssh configuration for secure access

    ssh needs to be configured to a more secure mode. (Refer linux man page)

    • Change default port to non standard port (say) 2020. This will thwart an obvious attempt to breakin. However, an attacker can find the port using a port scan.
    • Disable root ssh access. This is crucial. This means that someone can never login to the server directly as root.
    • Disable password access. Weak passwords are the most common way a breakin is successful. It is common that a server being attacked will have multiple password generators trying to access the server.
    • Enable only key access. With this setting only a private key holder who has a public key stored in the .ssh/authorized_keys file will be allowed access.

    /etc/ssh/sshd_config :

    ...
    # set port to non standard 2020
    Port 2020
    ...

    # Authentication:
    #LoginGraceTime 2m
    #PermitRootLogin yes
    PermitRootLogin no
    ...
    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    PasswordAuthentication no
    ...
    # GSSAPI options
    #GSSAPIAuthentication no
    GSSAPIAuthentication yes

    Note : First enable key access, exchange keys, ensure ssh to keys works before disabling password

    Note : When changing ssh configuration ensure a ssh session to the root server is separately running. This will prevent from being locked out of the server when changing ssh configuration.

    System Admin Note : What users are needed

    We recommend the following users

    • Login user
      • This user has sudo access (without password)
      • Ssh key exchanged
      • Admin logs in as this user
    • Site user (production)
      • Website will be hosted under this users (/home/production/www NOT /var/www/html)
      • This user may have ssh access to deploy code
      • This user does not have sudo access
      • If using multiple app servers, this users id will be shared across all app servers
    • Web server user (apache)
      • Nginx and php processes will be run as this user
    System Admin Note : File and Directory Permission settings
    • Only media/pub and var folders should have 770 permissions
    • All other folders in should have 750
    • All files under var should have 660
    • All other files should have 640
    • production user should be in apache group

    Protect your code

    • Ensure Magento code is patched to the latest. Subscribe to Magento updates and setup process to check for patch releases on a monthly basis.
    • When the plugin vendor. Many simple looking community plugins can be weak on security and leave the site prone to attacks.
    • Train developers to use safe practices.
    • Keep the code repository (svn / git) access secure and passwordless for developer access.
    • Ensure external respository provider web access is secure and with 2-factor authentication.
    • Ensure backup servers are protected with access to write only given to automatic backup process

    User Data Protection in Transit

    Customer data in transit is the protection of data sent and received from your website to their browser. Internet connections to websites are not direct - the data hops from server to server in between. A server compromised on the way can tap into your data without anyone knowing it.

    • Using https for the complete site is an obvious requirement. Using higher security options in https is even better.
    • Emails sent should not contain sensitive data. A recent Magento patch fixed such an issue - passwords were earlier sent in emails.

    Review all access periodically

    Setup a security task force that reviews and reports on security once a month.
    The charter of the task force would be evaluate the following

    • Who has access the the server and do they yet require this access. The access may be via keys and when a employee or contractor leaves, the key should be removed
    • Who has access to development environment. Have required access been withdrawn appropriately.
    • Who has access to version control systems. Have required access been withdrawn appropriately.
    • Admin access Are all admin users yet needing access?
    • Were admin passwords reset at agreed frequency?
    • Magento Patch status
    • OS patch and update status
    • External security scan (if arranged) status
    • Action taken report for the last period on any security issues
    • Backup and restore process review to ensure data and code is appropriately backed up

    Conclusion

    Protecting a eCommerce asset like a website in these times of automated hacks is a major challenge. Periodic reviews is a must as the attacks and defenses are quickly evolving. Being a small site is no excuse - the attackers, typically robots do not care.

    Watch our webinar on performance and scaling in Magento

    Its free!

    Using analogy to vehicular traffic we explain performance and scaling in Magento.
    Key takeaways

    • Know how to compare hosting options
    • Importance of good code
    • How to scale
    • Tuning Magento

    We can analyze your site for free

    Schedule a call

    Not happy with your website performance and want an expert to look at it?

    • We will analyze your site using public information.
    • We will ask you to give us a 1 day web server log file.
    • We will try to identify what steps if any you should take to improve your sites performance goals.

    Think before you execute

    How system admins can use planning and checklists to improve quality

    Introduction

    Sounds like a right statement to make an obvious but in this article I will look at how it applies practically to a system admin

    It starts at the beginning

    When a task (in the form of a incident request or a service request) comes to a system admin, this is when the principle starts – how deep do you think. My observation is that a natural thing to do is to take a superficial view of the task and then either a google search is performed or a quick think is done to find commands will resolve the task. The fundamental issue with this approach is that it is solution centric not problem centric. i.e. not enough time is spent in understanding the problem and coming up with a solution. Another problem with the approach is that there is a rush to execute as being in front of the system and executing is what will make things work.

    Thinking before executing addresses both of these

    • Has the problem well understood?
      If the problem is not well understood, the advice on google would not be understood and only coincidentally will you solve the problem. Quite likely the problem will resurface. If on the other hand the problem is well understood, the solution quite often will be obvious or the advice on the internet will make sense.
    • Once the problem is understood, a detailed plan is needed.
      Most tickets require multiple steps to solve. If each step is not well documented, you are forced to plan while executing – in our experience very difficult.
    • Our approach is to come up with a detailed plan before executing. It is a modified and more comprehensive checklist. We have SOP (Standard Operating Procedures) for common tasks, but this works even if we do not have a SOP. We use a spread sheet.
      • At the top we have information we will need before we start executing. This includes information such as IP (internal or external) of the systems we wiil use, passwords if any that we will need, etc. Here is a sample of a sheet we use for rehosting. info_sheet
      • Below that is a table that is both a planning as well as a execution tool. The table has the following headers :
        • Function – overall heading for a set of commands
        • Step details / reference – SOP reference and commands to be executed
        • Command – the actual command that will be executed. Note the commands are created before they are executed.
        • Status – marked upon execution
      audit_trail

      Conclusion

      Checklists help being purposeful in execution and the result is a audit trail that can be used to debug issues later on.