As of Magneto 1.9.3 magento have finally added brute force protection to the downloader folder. As you may be aware even if you have changed your default admin path ie to anything other that /admin Magento connection is still accessible at yourdomain.com/downloader. The fix for this is to rename your downloader folder or move it out of the root folder so that it is not accessable. However, in order to use Connect you need to rename and it had a tendancy to be forgotten. This means that the whole of the internet can have as many guesses at your usernames and passwords as they like.
As well as renaming the downloader folder when ever we find it we also run Fail2ban which monitors access to this fodler and will block IP addresses that fail to log in multiple times. However, Magento have now added a similar feature into the core of magento. There is a new file in var/ called brute-force.ini which monitors login attampt to
Connectbrute-force-bad-attempts-count = 6
brute-force-diff-time-to-attempt = 360
brute-force-attempts-count = 3Of course the downside is that you may find yourself locked out.If you seeAccess is locked. Please try again in a few minutesreset the above
brute-force-bad-attempts-count = 0and you should be able to log in. We still recommend you remove or rename the downloader folder for more complete secuirty.
2543
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
