An Auditor’s Checklist for Securing Magento 2 Backends on OVH
OVH Magento 2 Backend Security: An Auditor’s Deep Dive
This document outlines a rigorous checklist for auditing the security posture of Magento 2 backends hosted on OVH infrastructure. It targets security engineers and compliance officers, focusing on actionable steps and specific configurations to ensure a robust defense against common threats.
1. Server-Level Hardening (OVH Dedicated/VPS)
Assuming a dedicated server or VPS environment managed by OVH, initial hardening is paramount. This section details essential OS-level configurations.
1.1. SSH Access Control
Restrict SSH access to authorized personnel and implement strong authentication mechanisms. Disabling root login and password-based authentication is a critical first step.
1.1.1. Disable Root SSH Login
Edit the SSH daemon configuration file:
sudo nano /etc/ssh/sshd_config
Locate or add the following line and ensure it’s set to ‘no’:
PermitRootLogin no
Validate the configuration before restarting; a syntax error in sshd_config leaves the daemon unable to start and you locked out:
sudo sshd -t
sudo systemctl restart sshd
Keep the current session open and confirm that a fresh login still works before closing it.
1.1.2. Enforce Key-Based Authentication
Install your public key (for example with `ssh-copy-id`) and confirm a key-based login works before disabling passwords. Then ensure public key authentication is enabled:
PubkeyAuthentication yes
And disable password authentication:
PasswordAuthentication no
sshd uses the first value it sees for a keyword, so on images whose sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf` check those drop-ins as well: a `PasswordAuthentication yes` left there by cloud-init overrides a later `no` in the main file. The authoritative view of the effective settings is `sudo sshd -T | grep -iE 'permitrootlogin|passwordauthentication|pubkeyauthentication'`.
1.1.3. Limit SSH Access by IP (if applicable)
If your administrative IPs are static, consider restricting SSH access to only those IPs using `iptables` or `ufw`. For example, using `ufw`:
sudo ufw allow from YOUR_ADMIN_IP to any port 22 proto tcp
Test the rule from a second session before closing the current one, and know how to reach the server out of band (OVH rescue mode, or the IPMI/KVM console on dedicated servers) in case the rule locks you out or your admin IP changes.
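The three SSH settings above are only effective if sshd actually applies them, and two parsing rules catch people out: sshd honours the first occurrence of a keyword and ignores later ones, and keywords inside a `Match` block are conditional. The following shell helper is an added audit example (not part of the original checklist) that reads an sshd_config file with those two rules and reports whether 1.1.1 and 1.1.2 are in effect. It does not follow `Include` directives, so on a live host treat `sudo sshd -T` as the final word; the two sample configuration files are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added audit helper: read an sshd_config file the way sshd does and report
# whether the settings from sections 1.1.1 and 1.1.2 are actually in effect.
# sshd honours the FIRST occurrence of a keyword; later lines for the same
# keyword are ignored, and keywords inside a "Match" block are conditional.
# The helper mirrors both rules, so a hardening line appended below an
# existing "PermitRootLogin yes" is correctly reported as ineffective.

# Usage: sshd_setting <file> <keyword>
# Prints the effective value in lowercase, or "unset" if the keyword is
# absent outside Match blocks.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }      # comments and blank lines
        tolower($1) == "match"     { exit }       # conditional settings start here
        tolower($1) == key         { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Usage: audit_sshd_config <file>
# Prints one OK/FAIL line per required setting; returns 0 only if all pass.
# PubkeyAuthentication defaults to yes, but an audit wants it set explicitly.
audit_sshd_config() {
    rc=0
    for setting in permitrootlogin=no passwordauthentication=no pubkeyauthentication=yes; do
        key=${setting%=*}
        want=${setting#*=}
        got=$(sshd_setting "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK   $key=$got"
        else
            echo "FAIL $key: effective value '$got', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files (not copied from any real server)
weak_cfg=$(mktemp)
hard_cfg=$(mktemp)
cat > "$weak_cfg" <<'EOF'
# stock settings left in place, hardening appended too late to take effect
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
cat > "$hard_cfg" <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
Match User deployer
    PasswordAuthentication yes
EOF

echo "== weak config";     audit_sshd_config "$weak_cfg" || echo "NON-COMPLIANT"
echo "== hardened config"; audit_sshd_config "$hard_cfg" && echo "COMPLIANT"
```

Run it against `/etc/ssh/sshd_config` on the server; a `FAIL` for a keyword you believe you set usually means an earlier line or an included drop-in wins.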
1.2. Firewall Configuration (OVH Control Panel & OS)
OVH provides network-level firewalling through its control panel. This should be complemented by an OS-level firewall (e.g., `ufw` or `firewalld`).
1.2.1. OVH Network Firewall Rules
Access the OVH control panel and navigate to your server’s “Network” or “Firewall” section. Ensure only necessary ports are open. For a typical Magento setup, this includes:
- Port 80 (HTTP)
- Port 443 (HTTPS)
- SSH port (default 22, or custom)
- Database port (3306 for MySQL/MariaDB): only if the database runs on another host, and then only from the web server's address, preferably over the OVH private network (vRack) rather than the public interface
- Redis port (6379): same rule; an unauthenticated Redis reachable from the internet hands out every session and cache entry
Deny all other inbound traffic by default. The OVH network firewall filters traffic to the public IP only, so the OS firewall must still cover any private interface. Verify the result from outside with a port scan from an authorised host rather than trusting the panel.
1.2.2. OS-Level Firewall (UFW Example)
Configure `ufw` to allow essential services and deny everything else.
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH before enabling: turning ufw on over SSH with no SSH rule drops your session
sudo ufw allow ssh          # or: sudo ufw allow <custom_port>/tcp
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
sudo ufw status verbose     # verify the effective ruleset
1.3. File Permissions and Ownership
Incorrect file permissions are a common vulnerability vector. Magento requires specific ownership and permissions for its directories and files.
1.3.1. Web Server User
Identify the web server user (e.g., `www-data` for Apache/Nginx on Debian/Ubuntu, `apache` for Apache on CentOS/RHEL). All Magento files should be owned by a dedicated user/group, and the web server user should have read access. Write access should be restricted to specific directories.
1.3.2. Magento Directory Permissions
The permission model Magento documents is a two-user setup: the deployment user owns every file, the web server user shares the group, and group write (plus the setgid bit, so new files inherit the group) is granted only on the directories Magento writes at runtime. Do not hand ownership of `app/etc` to the web server user: a compromised PHP worker could then rewrite `env.php`, which holds the database credentials and the encryption key.
# Assuming your Magento root is /var/www/html/magento,
# your deployment user is deployer and the web server user is www-data
cd /var/www/html/magento
sudo chown -R deployer:www-data .
# Baseline: directories 755, files 644
sudo find . -type d -exec chmod 755 {} +
sudo find . -type f -exec chmod 644 {} +
# Group write and setgid only where Magento writes
sudo find var generated vendor pub/static pub/media app/etc -type f -exec chmod g+w {} +
sudo find var generated vendor pub/static pub/media app/etc -type d -exec chmod g+ws {} +
# The CLI entry point must be executable
sudo chmod u+x bin/magento
# Secrets must not be readable by other local users
sudo chmod 640 app/etc/env.php
Note: `var`, `generated`, `pub/static` and `pub/media` must stay writable for caches, generated code, deployed static files and uploaded assets. `app/etc` and `vendor` need group write only during `setup:upgrade` and module installation; in production mode remove it afterwards (`chmod -R g-w app/etc vendor`) and restore it for the next deployment. With `env.php` at 640, admin actions that write to it (such as toggling cache types) have to be performed from the CLI as the deployment user instead. Audit check: `find /var/www/html/magento -perm -o=w ! -type l` should return nothing.
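An auditor wants the permission state checked mechanically rather than eyeballed. The shell helper below is an added example (not from the original checklist) that reports the three filesystem findings that matter most for the layout in 1.3.2: world-writable entries under the Magento root, an `app/etc/env.php` readable by other local users, and PHP code under `pub/media`, the usual landing place for uploaded web shells. Ownership is not checked because that requires the real users on the host; the demonstration tree is constructed in a temporary directory and the paths are assumptions.

```bash
#!/usr/bin/env bash
# Added audit helper for the filesystem state described in section 1.3:
#   1. anything world-writable under the Magento root
#   2. app/etc/env.php readable by "other" (DB credentials and crypt key live there)
#   3. PHP code under pub/media, where only uploaded assets belong
# Ownership is not checked here because that needs the real users on the host;
# run "find <root> ! -user deployer ! -group www-data" for that on the server.

# Usage: audit_magento_tree <magento_root>
# Prints one finding per line and returns 1 if anything was found, 0 if clean.
audit_magento_tree() {
    root=$1
    findings=$(
        # 1. world-writable files and directories; symlinks are skipped
        find "$root" ! -type l -perm -002 2>/dev/null | sed 's|^|WORLD_WRITABLE |'
        # 2. env.php readable by other local users
        find "$root/app/etc/env.php" -perm -004 2>/dev/null | sed 's|^|ENV_WORLD_READABLE |'
        # 3. executable code in the upload directory, any letter case
        find "$root/pub/media" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null \
            | sed 's|^|PHP_IN_MEDIA |'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "OK $root"
}

# Constructed fixture, not a real store: one finding of each kind
demo_root=$(mktemp -d)
mkdir -p "$demo_root/app/etc" "$demo_root/pub/media/catalog" "$demo_root/var/log"
find "$demo_root" -type d -exec chmod 755 {} +
printf '<?php return [];\n' > "$demo_root/app/etc/env.php"
chmod 644 "$demo_root/app/etc/env.php"                                            # finding 2
printf '<?php echo "not an image";\n' > "$demo_root/pub/media/catalog/logo.PhP"   # finding 3
touch "$demo_root/var/log/debug.log"
chmod 666 "$demo_root/var/log/debug.log"                                          # finding 1

echo "== before remediation"
audit_magento_tree "$demo_root" || echo "NON-COMPLIANT"

# Remediate as section 1.3.2 prescribes and re-check
chmod 640 "$demo_root/app/etc/env.php"
chmod 664 "$demo_root/var/log/debug.log"
rm "$demo_root/pub/media/catalog/logo.PhP"
echo "== after remediation"
audit_magento_tree "$demo_root"
```

On a real server run `audit_magento_tree /var/www/html/magento` as root from cron and alert on a non-zero exit; a `PHP_IN_MEDIA` hit is an incident, not a misconfiguration.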
2. Web Server Configuration (Nginx Example)
This section focuses on securing the Nginx web server, a common choice for Magento 2 due to its performance characteristics.
2.1. HTTPS Enforcement and TLS Configuration
Ensure all traffic is served over HTTPS and that TLS is configured securely.
2.1.1. Redirect HTTP to HTTPS
In your Nginx server block for port 80, add a permanent redirect:
server {
listen 80;
server_name yourdomain.com www.yourdomain.com;
return 301 https://$host$request_uri;
}
2.1.2. Secure TLS Settings
Configure your Nginx server block for port 443 with strong cipher suites and protocols. Use tools like Mozilla SSL Configuration Generator for up-to-date recommendations.
server {
listen 443 ssl http2;
server_name yourdomain.com www.yourdomain.com;
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
# Modern TLS configuration (example, consult Mozilla SSL Generator for current best practices)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
# HSTS (HTTP Strict Transport Security). Roll out with a short max-age and without "preload" first;
# add includeSubDomains and preload only once every subdomain serves valid HTTPS, because the preload list is hard to leave
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s; # Use your preferred DNS resolvers
resolver_timeout 5s;
# ... rest of your Magento 2 Nginx configuration ...
}
2.2. Magento Specific Nginx Configuration
Ensure the Nginx configuration for Magento is secure and efficient. This includes disabling access to sensitive files and directories.
2.2.1. Deny Access to Sensitive Files
The most important control is the document root itself: serve Magento 2 from `pub/`, so that `app/etc/env.php`, `var/` and `vendor/` are never under the web root at all. The deny rules below are defence in depth for the case where the root is misconfigured or a rewrite exposes an internal path. (`app/etc/local.xml` is a Magento 1 file and does not exist in Magento 2.)
# Document root is pub/, not the Magento root
root /var/www/html/magento/pub;
# Never serve dotfiles, VCS metadata, composer manifests or application internals
location ~* /(composer\.json|composer\.lock|\.htaccess|\.git|\.svn|\.env|var/log/|var/report/|app/etc/) {
deny all;
}
# Uploaded or generated content must never execute as PHP
location ~* ^/(media|static)/.*\.(php|phtml|phar)$ {
deny all;
}
`deny all` answers 403; use `return 404;` instead if you prefer not to confirm that the path exists.
2.2.2. Security Headers
Implement security headers to mitigate clickjacking, MIME sniffing and referrer leakage. Use the `always` flag, otherwise Nginx omits `add_header` on 4xx/5xx responses, and remember that any `add_header` inside a nested `location` replaces the whole inherited set, so repeat the headers there. `X-XSS-Protection` is deprecated and ignored by current browsers; do not rely on it. Magento itself already emits `X-Frame-Options` (the `x-frame-options` key in `app/etc/env.php`), so set it in one place only.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Content-Security-Policy: Magento 2.3.5+ ships its own CSP module (report-only by default);
# tune it through the module's whitelist rather than adding a second, conflicting policy in Nginx.
2.3. Rate Limiting and Access Control
Protect against brute-force attacks and excessive requests.
2.3.1. Basic Brute-Force Protection (Admin Panel)
Use Nginx's `limit_req` module to throttle requests to the Magento admin URL. `limit_req_zone` must be declared in the `http` context; `limit_req` goes in the admin `location`. If the server sits behind a proxy, CDN or the OVH load balancer, `$binary_remote_addr` is the proxy's address and the limit would throttle every user at once: configure the `real_ip` module (`set_real_ip_from`, `real_ip_header`) first.
# In the http {} context: 10 requests per minute per client IP; a 10 MB zone holds roughly 160k addresses
limit_req_zone $binary_remote_addr zone=admin_limit:10m rate=10r/m;
# In the server {} block, on the admin frontname
location /admin_path { # Replace /admin_path with your actual admin URL (Section 3.1.1)
limit_req zone=admin_limit burst=5 nodelay;
limit_req_status 429;
# Optional, if admin IPs are static: admin only from known addresses
# allow 203.0.113.0/24;
# deny all;
# ... other admin location directives ...
}
Note: `burst` and `rate` must be tuned against legitimate admin usage. A single admin page issues many requests to the admin frontname, so a rate that suits the login form will break normal work if applied to the whole location; if that happens, key the limit on POST requests to the login page only (a `map` on `$request_method`) and leave GET traffic alone.
3. Magento 2 Application Security
This section covers security configurations directly within the Magento application and its environment.
3.1. Admin Panel Security
The Magento admin panel is a prime target. Secure it aggressively.
3.1.1. Custom Admin URL
Always change the default `/admin` frontname. This is obscurity, not a control (the path can leak through referrers, error pages or extension URLs), so pair it with IP allow-listing on the admin location where possible and with 2FA (3.1.3). The frontname is stored in `app/etc/env.php` under `'backend' => ['frontName' => ...]` and set via the CLI:
# Set a custom admin frontname (updates app/etc/env.php)
bin/magento setup:config:set --backend-frontname="your_secure_admin_path"
# Confirm the effective admin URL
bin/magento info:adminuri
Ensure your Nginx configuration (Section 2.3.1) reflects this custom path.
3.1.2. Strong Administrator Passwords
Enforce strong password policies for all admin users. This includes complexity, length, and regular rotation. Magento’s built-in password policies can be configured under Stores > Configuration > Advanced > Admin > Security.
3.1.3. Two-Factor Authentication (2FA)
Enforce 2FA for every administrator account. Since Magento 2.4.0 the bundled `Magento_TwoFactorAuth` module requires 2FA on admin login by default, with Google Authenticator (TOTP), Duo Security, Authy and U2F hardware keys as providers. An audit should confirm the module has not been disabled (`bin/magento module:status Magento_TwoFactorAuth`) and that the forced providers are configured under Stores > Configuration > Security > 2FA. 2FA is the single most effective control against credential stuffing and password brute force on the admin.
3.2. Database Security
Secure access to the Magento database.
3.2.1. Restrict Database Access
If the database runs on a separate server or an OVH managed database instance, it must not be reachable from the internet: allow only the web server's address, preferably over the OVH private network (vRack) rather than the public IP. If the database shares the host with the web server, bind MySQL to the loopback interface and keep 3306 closed in both the OVH and the OS firewall:
[mysqld]
bind-address = 127.0.0.1
Use strong, unique credentials for the Magento database user and grant it privileges on the Magento schema only. Never use the MySQL `root` user, and do not give the application user SUPER, FILE or GRANT OPTION; `SHOW GRANTS` for the application user should list nothing beyond its own schema.
3.2.2. Encrypt Sensitive Data
Magento does not store full card numbers; card data goes to the payment gateway, and storing it yourself would pull the whole stack into full PCI DSS scope. What the encryption key protects is sensitive configuration such as payment gateway credentials and API tokens, plus any configuration field of the encrypted type. The key lives in `app/etc/env.php` under `'crypt' => ['key' => ...]`; rotate it through System > Other Settings > Manage Encryption Key in the admin, which re-encrypts stored values with the new key.
Ensure `app/etc/env.php` is not world-readable (see 1.3.2) and is not copied unencrypted into backups that leave the host, since the key and the database credentials sit in the same file.
3.3. Session Management
Secure user sessions to prevent hijacking.
3.3.1. Session Storage
Store sessions in Redis rather than on the filesystem, especially in multi-server setups: it takes session data out of the web-writable `var/session` directory, makes invalidation immediate across nodes and performs better. The security of this choice depends entirely on the Redis instance: bind it to localhost or the private network, set `requirepass`, and never expose port 6379 publicly. Anyone who can read the session store can take over logged-in admin sessions.
// Example in app/etc/env.php for Redis sessions
'session' => [
'save' => 'redis',
'redis' => [
'host' => '127.0.0.1', // or a vRack/private address, never a public one
'port' => '6379',
'password' => '', // set this; Redis must require AUTH
'timeout' => '2.5',
'persistent_identifier' => '',
'database' => '0', // use a dedicated DB, separate from the cache and page cache databases
'compression_threshold' => '2048',
'compression_library' => 'gzip',
'log_level' => '1', // 7 is debug; keep production between 1 and 4
'max_concurrency' => '6',
]
],
3.3.2. Session Lifetime
Configure appropriate session lifetimes. Shorter lifetimes reduce the window of opportunity for session hijacking but can impact user experience. This is configured under Stores > Configuration > Advanced > Admin > Session Lifetime and for customers under Stores > Configuration > General > Web > Session Cookie Management.
3.4. Security Patches and Updates
Regularly apply Magento security patches and updates. This is non-negotiable.
3.4.1. Patch Management Process
Establish a process for monitoring Adobe's security bulletins for Magento and applying patches promptly. Security-only releases are published as `2.4.x-pN` versions. `composer audit` (Composer 2.4+) reports installed packages with known advisories and covers third-party extensions as well as the core, which is where many Magento compromises start. Use Composer for core and extension updates:
# Packages with known security advisories (core and extensions)
composer audit
# Check for available updates
composer outdated magento/*
# Move to a specific release or security patch (replace the version; -pN are the security-only releases)
composer require magento/product-community-edition=2.4.x-pN --no-update
composer update
# Apply schema and data changes, recompile, redeploy static content, flush caches
bin/magento setup:upgrade
bin/magento setup:di:compile
bin/magento setup:static-content:deploy -f
bin/magento cache:flush
Always test patches in a staging environment before deploying to production.
3.5. File Integrity Monitoring
Implement a system to detect unauthorized modifications to Magento files.
3.5.1. Using Tools like `aide` or `tripwire`
Install and configure a file integrity monitoring tool. `aide` (Advanced Intrusion Detection Environment) is a popular open-source option; the paths below are the Debian/Ubuntu package defaults.
# Install AIDE
sudo apt-get update && sudo apt-get install aide
# Initialize the database (run once, after the Magento deployment is finished and known-good)
sudo aideinit
# Run a check
sudo aide --check
# After legitimate changes (a deployment), rebuild the database and activate the new copy
sudo aide --update
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
Schedule regular checks (the Debian package installs a daily cron job) and alert on any reported change. Two Magento-specific points: exclude the runtime paths (`var/cache`, `var/page_cache`, `var/session`, `generated/`) in `/etc/aide/aide.conf`, or every run is noise; and keep a copy of `aide.db` and the `aide` binary off the server or on read-only media, because an attacker with write access to the host can otherwise simply run `aide --update` after planting a backdoor.
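To make the AIDE workflow concrete, here is an added example (not from the original checklist and not AIDE itself) that reduces it to its essence in shell: hash the deploy-time files of a Magento tree into a manifest, then diff a fresh manifest against it and report added, modified and removed files while ignoring the runtime paths. The tree it runs on is constructed in a temporary directory, and the list of stable paths assumes a standard Composer-based Magento 2 layout.

```bash
#!/usr/bin/env bash
# Added example of what the AIDE workflow in 3.5.1 does, reduced to its essence:
# hash the deploy-time files of a Magento tree into a manifest, then diff a fresh
# manifest against it to report ADDED / MODIFIED / REMOVED files. Runtime paths
# (var/, generated/, pub/static, pub/media) are deliberately not covered; they
# change constantly and are better watched by the permission checks in 1.3.
# The baseline must live somewhere the web server user cannot write, ideally off-host.

# Paths, relative to the Magento root, that should only change at deploy time.
# Assumption: a standard Composer-based Magento 2 layout.
FIM_PATHS="app bin lib setup vendor pub/index.php pub/get.php pub/static.php pub/.htaccess composer.json composer.lock"

# Usage: fim_manifest <magento_root>   -> "sha256  relative/path" lines, sorted
fim_manifest() {
    (
        cd "$1" || exit 1
        for p in $FIM_PATHS; do
            [ -e "$p" ] && find "$p" -type f -print
        done | LC_ALL=C sort | while IFS= read -r f; do
            sha256sum "$f"
        done
    )
}

# Usage: fim_compare <baseline_manifest> <magento_root>
# Prints changes and returns 1 if there are any; prints OK and returns 0 otherwise.
fim_compare() {
    baseline=$1
    current=$(mktemp)
    fim_manifest "$2" > "$current"
    changes=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }          # baseline: hash keyed by path
        {
            if (!($2 in base))        print "ADDED    " $2
            else if (base[$2] != $1)  print "MODIFIED " $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED  " p }
    ' "$baseline" "$current" | LC_ALL=C sort)
    rm -f "$current"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    echo "OK tree matches $baseline"
}

# Constructed fixture, not a real store
demo=$(mktemp -d)
mkdir -p "$demo/app/code/Vendor/Module" "$demo/vendor/magento/framework" "$demo/var/log" "$demo/pub"
printf '<?php // module\n' > "$demo/app/code/Vendor/Module/registration.php"
printf '<?php // core\n'   > "$demo/vendor/magento/framework/App.php"
printf '<?php // entry\n'  > "$demo/pub/index.php"
baseline="$demo.baseline"
fim_manifest "$demo" > "$baseline"          # taken right after a known-good deployment

# Simulate a compromise: a core file patched in place, a new file dropped into
# vendor/, and log noise in var/ that must not trigger anything.
printf '<?php // core + extra code\n' > "$demo/vendor/magento/framework/App.php"
printf '<?php // dropped\n'           > "$demo/vendor/magento/framework/Helper.php"
printf 'noise\n'                      > "$demo/var/log/system.log"

fim_compare "$baseline" "$demo" || echo "INTEGRITY CHECK FAILED"
```

In practice the baseline is regenerated as the last step of each deployment and pushed to a host the web server cannot reach; a `MODIFIED` entry under `vendor/` or `pub/index.php` outside a deployment window is exactly the signal AIDE is installed for.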
4. Logging and Monitoring
Comprehensive logging and proactive monitoring are essential for detecting and responding to security incidents.
4.1. Magento Application Logs
Ensure Magento’s logging is enabled and configured correctly. Logs are typically found in `var/log/`.
4.1.1. Enable Debug Logging (Temporarily)
For troubleshooting, Magento's debug log (`var/log/debug.log`) can be switched on without leaving production mode. Never switch a production server to developer mode for this: developer mode shows stack traces to visitors and disables the protections of production mode. Turn debug logging off again as soon as you are done.
# Confirm the deployment mode is production
bin/magento deploy:mode:show
# Enable debug logging temporarily
bin/magento config:set dev/debug/debug_logging 1
bin/magento cache:flush
# Disable it again once done
bin/magento config:set dev/debug/debug_logging 0
bin/magento cache:flush
4.2. Web Server Logs
Monitor Nginx access and error logs for suspicious activity (e.g., repeated 404s, SQL injection attempts, brute-force login patterns).
4.3. System Logs
Centralize and monitor system logs (e.g., `/var/log/auth.log`, `/var/log/syslog`) for unauthorized access attempts or system anomalies.
4.4. Security Monitoring Tools
Consider integrating with a Security Information and Event Management (SIEM) system and use `fail2ban` to block sources that repeatedly fail authentication. Note that the stock `nginx-http-auth` filter matches failed HTTP Basic Auth attempts, which Nginx writes to the error log, not the access log, so it only helps if the admin sits behind Basic Auth. Magento admin login failures need either a custom filter on the access log (POSTs to the admin frontname) or Magento's own lockout under Stores > Configuration > Advanced > Admin > Security (Maximum Login Failures to Lockout Account, Lockout Time).
# Install fail2ban
sudo apt-get install fail2ban
# Example: /etc/fail2ban/jail.local
[DEFAULT]
# On hosts without rsyslog (e.g. Debian 12) there is no auth.log; read the journal instead:
# backend = systemd
bantime = 1h
findtime = 10m

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 5
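The brute-force pattern mentioned in 4.2 is easy to describe but worth seeing as actual detection logic. The shell helper below is an added example (not part of the original checklist) that counts POSTs to the admin frontname per client address in an Nginx access log and flags sources above a threshold; a fail2ban filter for the admin would match the same condition. Failed and successful logins both produce a POST followed by a 302, so the signal is the POST count, not the status code. It assumes the default `combined` log format and the custom admin path from 3.1.1; the log lines are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added detection example for 4.2 and 4.4: find sources hammering the Magento admin
# login in an Nginx access log. Failed and successful logins both produce a POST to
# the admin frontname followed by a 302, so the signal is the POST count per client,
# not the status code. Assumes the default "combined" log format and the custom admin
# path from 3.1.1; behind a proxy or the OVH load balancer, enable the real_ip module
# first or field 1 is the proxy address.

ADMIN_PATH="/your_secure_admin_path"   # assumption: matches --backend-frontname in 3.1.1
THRESHOLD=10                            # POSTs per source in the log slice being examined

# Usage: admin_post_counts <access_log>   -> "count ip" lines, highest first
admin_post_counts() {
    awk -v path="$ADMIN_PATH" '
        # combined format: $1 client ip, $6 method with its leading quote, $7 request path
        $6 == "\"POST" && index($7, path "/") == 1 { n[$1]++ }
        END { for (ip in n) print n[ip], ip }
    ' "$1" | sort -rn
}

# Usage: flag_brute_force <access_log>    -> prints offenders, returns 1 if any
flag_brute_force() {
    hits=$(admin_post_counts "$1" | awk -v t="$THRESHOLD" '$1 >= t { print "BRUTE_FORCE " $2 " posts=" $1 }')
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    echo "OK no source above $THRESHOLD admin POSTs"
}

# Constructed sample log (not from a real server): one source replaying the login form,
# a legitimate admin, and unrelated storefront traffic. In practice feed it
# "tail -n 5000 access.log" or an extract covering the last few minutes.
sample_log=$(mktemp)
{
    i=0
    while [ "$i" -lt 12 ]; do
        echo '203.0.113.9 - - [10/Oct/2024:13:55:36 +0000] "POST /your_secure_admin_path/ HTTP/1.1" 302 5 "-" "python-requests/2.31"'
        i=$((i + 1))
    done
    echo '198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "GET /your_secure_admin_path/ HTTP/1.1" 200 4120 "-" "Mozilla/5.0"'
    echo '198.51.100.7 - - [10/Oct/2024:13:56:09 +0000] "POST /your_secure_admin_path/ HTTP/1.1" 302 5 "-" "Mozilla/5.0"'
    echo '192.0.2.44 - - [10/Oct/2024:13:57:00 +0000] "POST /checkout/cart/add/ HTTP/1.1" 200 312 "-" "Mozilla/5.0"'
} > "$sample_log"

flag_brute_force "$sample_log" || echo "ALERT: rate-limit or ban the flagged sources"
```

The threshold should sit well above what one administrator produces in the examined window, and a flagged address from a hosting or VPN range is the cue to tighten the `limit_req` values from 2.3.1 or add the source to a fail2ban ban list.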
5. OVH Specific Considerations
Leverage OVH’s provided security features and understand their shared responsibility model.
5.1. OVH Security Services
Explore OVH’s offerings such as DDoS protection, Web Application Firewall (WAF), and managed security services. Understand which services are enabled by default and how to configure them for your Magento instance.
5.2. Data Backup and Recovery
Ensure a robust backup strategy is in place, covering both database and application files. Test recovery procedures regularly. OVH often provides backup solutions; verify their configuration and retention policies.
5.3. Compliance Requirements
If your Magento store handles sensitive data (e.g., PII, payment card information), ensure compliance with relevant regulations (GDPR, PCI DSS). OVH’s infrastructure may offer certifications, but the application-level security and data handling remain your responsibility.
Conclusion
Securing a Magento 2 backend on OVH requires a multi-layered approach, encompassing server, web server, and application-level configurations. This checklist provides a framework for auditing and strengthening your security posture. Continuous vigilance, regular updates, and proactive monitoring are key to maintaining a secure e-commerce environment.