
GIT Protect your Magento store


Recently I have spent a great amount of time assisting a client in securing their Magento store after a hack incident. Having seen the full impact of the hack on their business, I can say it is really best to secure things early.

You should save yourself all the trouble of dealing with clients whose credit card data was stolen, or with police investigators. Worst case, you might even lose your business completely, as your payment processor might refuse to work with you again.

Secure Magento with GIT

One way to secure your store is to be alerted when hackers modify Magento files. To achieve this, you can put your entire Magento installation under Git.

This five-minute read will teach you how to get email alerts when any of your Magento files have been changed by a hacker. This assumes that the hacker changes files on your server directly, whereas all legitimate changes are made by you or your developer via Git.

Step 1. Setup root email address

A trivial yet often overlooked sysadmin task is to set up the email address where you will receive system emails. It's easy to do: edit the file /root/.forward and put your email address as the contents of the file. Or a simple bash one-liner will do it for you:

echo 'jsmith@example.com' > /root/.forward

Step 2. Setup cron for monitoring GIT

Provided that you have already put your Magento store under Git, edit the root user's crontab:

sudo crontab -e

Add the following cron task. It will monitor your Magento store for files which were changed or added directly on the server:

* * * * * /usr/bin/git --git-dir "/var/www/html/.git" --work-tree "/var/www/html" ls-files -m -o --exclude-standard

It runs every minute and sends an immediate alert to your email once any files have been changed directly, outside the Git workflow. Cron mails whatever the command prints, so while the work tree is clean the command prints nothing and no email is sent.

You will continue to receive an email alert every minute until the files are reverted or committed and pushed to your Git repository.

“Every minute might seem too much” for some people, but you really want to be alerted early and not give the hacker much time to collect credit card numbers.

If you have a dedicated developer working on your Magento store, you can use different monitoring frequencies for yourself and the developer, with a simple cron trick:

MAILTO="dev@example.com"
* * * * * /usr/bin/git --git-dir "/var/www/html/.git" --work-tree "/var/www/html" ls-files -m -o --exclude-standard
MAILTO="root"
0 * * * * /usr/bin/git --git-dir "/var/www/html/.git" --work-tree "/var/www/html" ls-files -m -o --exclude-standard

The above lines define two cron jobs: every-minute monitoring with notifications sent to the developer, and hourly monitoring with notifications sent to the root user (yourself).
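As an added example (not the author's code), the same idea wrapped in a small POSIX shell script that cron can call instead of the bare git command. It keeps the "print only when something is wrong" behaviour, also reports deleted files, and adds one check the plain ls-files line misses: --exclude-standard hides everything matched by .gitignore, so PHP files dropped into ignored directories such as media/ or var/ would go unnoticed. The script name and install path are assumptions; the store path /var/www/html is taken from the page.

```shell
#!/bin/sh
# magento-git-watch.sh (hypothetical name): cron-friendly Git integrity check.
# Prints a report only when the work tree differs from the repository, so a
# MAILTO cron entry delivers mail only on findings and stays silent otherwise.
set -u

# check_tree WORKTREE
#   returns 0 and prints nothing when everything matches the index,
#   otherwise prints the findings and returns 1.
check_tree() {
    tree=$1

    # Modified (-m), deleted (-d) and untracked (-o) files, honouring
    # .gitignore exactly like the cron line from the article.
    changed=$(git -C "$tree" ls-files -m -d -o --exclude-standard)

    # Caveat: files matched by .gitignore never appear above. Executable code
    # has no business in ignored paths (media/, var/ ...), so list any PHP
    # files hiding there separately (-i = ignored only).
    ignored_php=$(git -C "$tree" ls-files -o -i --exclude-standard \
        | grep -E '\.(php|phtml)$' || true)

    [ -z "$changed" ] && [ -z "$ignored_php" ] && return 0

    echo "Integrity alert for $tree ($(date -u +%Y-%m-%dT%H:%M:%SZ))"
    if [ -n "$changed" ]; then
        echo "Changed, deleted or untracked files:"
        echo "$changed" | sed 's/^/  /'
    fi
    if [ -n "$ignored_php" ]; then
        echo "PHP files inside git-ignored paths:"
        echo "$ignored_php" | sed 's/^/  /'
    fi
    return 1
}

# Cron usage (assumed install path):
#   * * * * * /usr/local/bin/magento-git-watch.sh /var/www/html
if [ -n "${1-}" ]; then
    check_tree "$1"
fi
```

The exit status mirrors the result (0 clean, 1 findings), so the same script can feed a monitoring system that only looks at return codes.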
