Published: May 13, 2015

Restrict access to Magento /downloader/

We are noticing a rapid increase in robots/crawlers brute-forcing Magento’s /downloader/ location, trying the default admin user with various (mostly dictionary-based) passwords, as well as other popular logins. We have seen the bots keep trying continuously, in some cases for several months or even years already.
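
One way to spot the brute-forcing described above in your own web server logs, as an added example that is not part of the original post: a POSIX shell snippet that counts POST requests to /downloader/ per client IP in combined-format (Apache/nginx) access logs and flags clients above a threshold. The log lines are constructed for the demonstration and use RFC 5737 documentation addresses; the threshold of 3 is an assumed value.

```shell
#!/bin/sh
# Added example (not from the original post): count login POSTs against
# /downloader/ per client IP from combined-format access logs.
# The log lines below are constructed; the IPs are RFC 5737 documentation
# addresses, not real clients.
SAMPLE_LOG='203.0.113.10 - - [13/May/2015:10:00:01 +0000] "POST /downloader/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [13/May/2015:10:00:02 +0000] "POST /downloader/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [13/May/2015:10:00:03 +0000] "POST /downloader/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [13/May/2015:10:00:04 +0000] "POST /downloader/index.php HTTP/1.1" 200 512 "-" "python-requests/2.5"
198.51.100.7 - - [13/May/2015:10:00:05 +0000] "GET /downloader/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [13/May/2015:10:01:00 +0000] "POST /downloader/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [13/May/2015:10:02:00 +0000] "GET /index.php/admin/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"'

# downloader_post_counts: read a combined-format log on stdin and print
# "count ip" for every client that POSTed to /downloader/, highest first.
# Field 6 is the quoted method ("POST), field 7 is the request path.
downloader_post_counts() {
  awk '$6 == "\"POST" && $7 ~ /^\/downloader\// { n[$1]++ }
       END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# suspicious_ips THRESHOLD: read the log on stdin and print only the IPs
# with at least THRESHOLD login POSTs to /downloader/.
suspicious_ips() {
  downloader_post_counts | awk -v t="$1" '$1 >= t { print $2 }'
}

# Demo run over the constructed log: flag clients with 3 or more POSTs.
# Prints: 203.0.113.10
printf '%s\n' "$SAMPLE_LOG" | suspicious_ips 3
```

On a live server, pipe the real access log in instead of `$SAMPLE_LOG` (e.g. `suspicious_ips 20 < /var/log/apache2/access.log`) and feed the result to your firewall or fail2ban rules.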

What is wrong with publicly available /downloader/?

Magento Connect Manager, available via the /downloader/ location, is used to install Magento extensions and Magento upgrades and requires Magento admin rights for these actions. It uses the same authorization method as the backend. Therefore, if a bot finds a matching login/password pair, the whole Magento installation is compromised: the attacker can discover the backend login URL (even if it is customized as described in Securing Magento /admin/), install a filesystem extension to obtain full access to all files and, finally, the database.

Magento Connect Manager default credentials

The default login and password combination for Magento Connect Manager / Downloader is the same as for any Magento admin account, so any Magento admin account can be used to access Magento Connect Manager with its credentials. That is why it is actively used to brute-force Magento admin passwords, and why it is important to protect the default Downloader URL.

What is the default Magento Connect Manager URL?

The default Magento Connect Manager URL is /downloader/ appended to the main URL of your Magento store, e.g. https://mystore.com/downloader/.

What can be done to prevent it

There are several possible ways of restricting access to /downloader/. Select whichever suits your needs and skills.

Move /downloader/ out when you don’t need it

The simplest way, which requires absolutely no knowledge of webserver magic. Just navigate to your Magento root directory in your web file manager (FTP or SSH are also just fine) and move the /downloader/ folder out, or into another folder that is already protected, preferably renaming it. var/myhiddendownloader should be just fine as a new name. When you need to use Magento Connect Manager, install Magento extensions or perform an upgrade, you just move it back.

Restrict access by IP-address

Apache2 with .htaccess enabled
Add the following lines at the top of the /downloader/.htaccess file:
Order deny,allow
Deny from all
Allow from 66.211.190.109

66.211.190.109 is your IP address as detected by our server; make sure to also add the IP addresses of other administrators who use Magento Connect, install extensions or perform upgrades.
nginx
Ask your hosting support or server admin to allow access to the /downloader/ location for your IP address (66.211.190.109) only. Sample code to apply in the nginx configuration file can look like the following:
location /downloader/ {
  allow 66.211.190.109;
  deny all;
  # other code, depending on your config and the way of passing requests to PHP
  # usually the same as for / location
}

Restrict access by additional password protection

Create a password file under the var/ directory, e.g. var/.htpwd. Use the htpasswd command on your server, or its safe online alternative, to generate it.
Apache2 with .htaccess enabled
Add the following lines at the top of the /downloader/.htaccess file:
AuthType Basic
AuthName "Restricted"
AuthUserFile /full/path/to/your/magento/root/var/.htpwd
Require valid-user
nginx
Ask your hosting support or server admin to protect the /downloader/ location with a password. Sample code to apply in the nginx configuration file can look like the following:
location /downloader/ {
  auth_basic           "Restricted";
  auth_basic_user_file /full/path/to/your/magento/root/var/.htpwd;
  # other code, depending on your config and the way of passing requests to PHP
  # usually the same as for / location
}
