Security

Magento 2 Security Checklist




When you prepare to launch your Magento 2 website, security is one of the primary areas of concern. Whether you plan to accept credit card data directly on your website, or on a payment provider’s pages – you are required to achieve PCI compliance.

Otherwise, you’ll find your business at risk of being banned from using payment gateways. And sure enough, that is simply a risk you can’t afford to take.

PCI compliance may seem a tricky subject because most of the material you can find online lacks the concrete measures you have to take on a given server. I’m here to fix this 🙂

Let’s go through a quick security checklist for Magento 2 servers to give them an ultimate security lift without compromises.

1. Use a VPS or dedicated server

It is common knowledge that shared hosting is not secure. If you are hosted with SiteGround, Bluehost, GoDaddy, DreamHost, etc. – there’s a big chance that you’re on a shared hosting plan.

Shared hosting plans are vulnerable to attacks coming from neighbor accounts on the same physical server. And of course, shared hosting is the worst thing for performance.

Transitioning away from shared to a VPS or dedicated server will yield not only security benefits but also increased performance.

Recommendation: Linode VPS 4GB plan and plans above.

2. Run a secure OS with a minimal set of software

RHEL (or its free counterpart, CentOS) is great for running Magento 2. This operating system is known for its stability, and security fixes are backported to the stable versions regularly. What more could you want?

Do not install any web panel like cPanel. This will ruin your performance and introduce vulnerabilities. Running on a minimal stack is the most efficient and secure approach.

The de-facto standard stack for Magento 2 consists of this software:

  • NGINX
  • Varnish
  • PHP-FPM 7.x (go with the highest your Magento 2 version supports)

If you run an older version of Magento 2 that only supports PHP 7.0, be sure to upgrade to the latest Magento. PHP 7.0 is “End of Life” and should be avoided.

3. Use ModSecurity

With the arrival of libmodsecurity, you can, and should, use the NGINX ModSecurity connector module. It is now easy to add ModSecurity to your existing NGINX installation.

This is your shield from incoming attacks.

4. Use Security Headers

Security headers are HTTP response headers sent by your website. They are typically used to protect against XSS and related client-side attacks.

Recommendation: score at least B with the SecurityHeaders test. Make sure to add only the necessary headers to responses for non-HTML files. You can use the ngx_security_headers module to do it.

5. Remove Software HTTP Headers

It is not enough to hide the server version information. The best path is to have no information disclosure through HTTP headers at all.

Recommendation: remove the Server header and any other headers that directly report the software you use. The ngx_security_headers module mentioned earlier is up to the task as well.
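As an added example (not from the original post), the shell audit below takes a captured response header block, such as the output of curl -sI, and reports both missing hardening headers and any header that discloses your software stack. The set of headers it expects is an assumption; the two sample responses are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit a captured HTTP response
# header block (e.g. the output of `curl -sI https://shop.example/`) for the
# two recommendations above. The expected header set is an assumption.
# Constructed sample: leaks software versions and sends no security headers.
LEAKY_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.14.2
X-Powered-By: PHP/7.2.19
Content-Type: text/html; charset=UTF-8'

# Constructed sample: the same response after hardening (Server header removed).
HARDENED_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin'

# has_header HEADERS NAME -> exit 0 if NAME is present (header names are case-insensitive)
has_header() {
    printf '%s\n' "$1" | grep -iq "^$2:"
}

# audit_headers HEADERS -> prints one line per finding, returns the number of findings (0 = pass)
audit_headers() {
    findings=0
    # Hardening headers that must be present on HTML responses.
    for h in X-Frame-Options X-Content-Type-Options X-XSS-Protection \
             Strict-Transport-Security Referrer-Policy; do
        has_header "$1" "$h" || { echo "MISSING $h"; findings=$((findings + 1)); }
    done
    # Headers whose mere presence discloses the software stack.
    for h in Server X-Powered-By X-AspNet-Version X-Generator; do
        has_header "$1" "$h" || continue
        echo "LEAK    $(printf '%s\n' "$1" | grep -i "^$h:")"
        findings=$((findings + 1))
    done
    return "$findings"
}
```

Run it against a live shop with `audit_headers "$(curl -sI https://your-shop.example/)"`; a non-zero exit status means there is still something to fix.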

6. pub is your webroot

Set up your web server’s web root to point to the pub directory of your Magento 2 installation. This ensures that only the entrypoint PHP files required for running Magento are publicly accessible:

Bad:

root /path/to/m2;

Good:

root /path/to/m2/pub;

7. Whitelist allowed PHP files

To complement the previous item, ensure that only a whitelisted set of .php files can be run from your web root directory.

Bad:

location ~ \.php {
...

Good:

location ~ ^/(index|get|static|errors/report|errors/404|errors/503|health_check)\.php$ {
...

8. Install Malware Detect

If you happen to install a plugin with a vulnerable upload endpoint, software like Malware Detect is capable of finding the breach and quarantining the offending script.

This is your server’s “immune system”.

9. Run Magento 2 under a special user

You have to allocate a dedicated Linux user account on your server that will own and “run” the Magento files. That same user account is the one the PHP-FPM pool runs under.

Bad /etc/php-fpm.d/some.conf:

listen.owner = nginx
listen.group = nginx

Bad /etc/php-fpm.d/some.conf:

listen.owner = www-data
listen.group = www-data

Good /etc/php-fpm.d/some.conf:

listen.owner = magento2
listen.group = magento2

All files of your Magento website have to be owned by that user.

Bad listing (ls -al /path/to/m2):

-rw-rw----   1 nginx nginx     1370 Nov  7  2018 index.php
drwxrwx---   4 nginx nginx     4096 Oct 25  2018 lib
-rw-rw----   1 nginx nginx     10376 Oct 25  2018 LICENSE_AFL.txt
-rw-rw----   1 nginx nginx     10364 Oct 25  2018 LICENSE.txt

Good listing (ls -al /path/to/m2):

-rw-rw----   1 magento2 magento2     1370 Nov  7  2018 index.php
drwxrwx---   4 magento2 magento2     4096 Oct 25  2018 lib
-rw-rw----   1 magento2 magento2    10376 Oct 25  2018 LICENSE_AFL.txt
-rw-rw----   1 magento2 magento2    10364 Oct 25  2018 LICENSE.txt
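The webroot, PHP whitelist and pool user items of this checklist can be verified together. The script below is an added example, not code from the original post: it writes constructed NGINX vhost and PHP-FPM pool files into a temporary directory, then checks that the webroot is pub, that no catch-all .php location exists, and that the pool’s user directive matches the owner of the Magento files. The paths, pool file names and the nginx-as-pool-user sample are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit an NGINX vhost and a PHP-FPM
# pool against the webroot, PHP whitelist and pool user items of the checklist,
# on constructed config files in a temp dir. Paths and file names are assumptions.
WORK=$(mktemp -d)
mkdir -p "$WORK/m2/pub" && : > "$WORK/m2/index.php" && : > "$WORK/m2/pub/index.php"
OWNER=$(ls -ld "$WORK/m2/pub/index.php" | awk '{print $3}')   # whoever runs this script

# Constructed "bad" vhost + pool: Magento root as webroot, every .php runnable, pool runs as nginx.
cat > "$WORK/bad.conf" <<EOF
server {
    root $WORK/m2;
    location ~ \\.php {
        fastcgi_pass unix:/run/php-fpm/m2.sock;
    }
}
EOF
printf 'user = nginx\nlisten.owner = nginx\nlisten.group = nginx\n' > "$WORK/bad-pool.conf"

# Constructed "good" vhost + pool: pub webroot, whitelisted entry points, pool runs as the file owner.
cat > "$WORK/good.conf" <<EOF
server {
    root $WORK/m2/pub;
    location ~ ^/(index|get|static|errors/report|errors/404|errors/503|health_check)\\.php\$ {
        fastcgi_pass unix:/run/php-fpm/m2.sock;
    }
}
EOF
printf 'user = %s\nlisten.owner = %s\nlisten.group = %s\n' "$OWNER" "$OWNER" "$OWNER" > "$WORK/good-pool.conf"

# audit_m2 VHOST.CONF POOL.CONF -> prints one line per finding, returns their count (0 = pass)
audit_m2() {
    n=0
    root=$(sed -n 's/^[[:space:]]*root[[:space:]]*\([^;]*\);.*/\1/p' "$1" | head -n 1)
    case "$root" in
        */pub) ;;                                       # webroot must be pub
        *) echo "FAIL webroot '$root' is not .../pub"; n=$((n + 1)) ;;
    esac
    # a 'location ~ \.php' catch-all lets any uploaded .php execute
    if grep -Eq 'location[[:space:]]+~[[:space:]]+\\\.php[[:space:]]*\{' "$1"; then
        echo "FAIL catch-all PHP location; whitelist entry points instead"; n=$((n + 1))
    fi
    # the pool's process user must own the Magento files
    pool_user=$(sed -n 's/^user[[:space:]]*=[[:space:]]*//p' "$2")
    owner=$(ls -ld "$root/index.php" | awk '{print $3}')
    [ "$pool_user" = "$owner" ] || { echo "FAIL pool runs as '$pool_user', files owned by '$owner'"; n=$((n + 1)); }
    return "$n"
}
```

Point audit_m2 at your real vhost and pool files (as root, so it can read them) to get the same three checks on a live server.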
