MAY 13 2015

Restrict access to Magento /downloader/

We are noticing a marked increase in robots/crawlers brute-forcing Magento’s /downloader/ location, trying the default admin user with various (mostly dictionary-based) passwords and other popular logins. We have seen bots trying continuously, in some cases for several months or years already.

What is wrong with publicly available /downloader/?

Magento Connect Manager, available via the /downloader/ location, is used for installing Magento extensions and Magento upgrades and requires Magento admin rights for the action. It uses the same authorization method as the Backend. Therefore, if a bot finds a matching login/password pair, the whole Magento installation is compromised. The attacker will be able to discover the backend login URL (even if it is customized as described in Securing Magento /admin/), install a Filesystem extension to obtain full access to all files and, finally, the database.
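Before restricting access it is worth confirming from the web server logs whether your own installation is being hit. The following script is an added example, not code from the original post; it runs over a few constructed Apache combined-format log lines (placeholders, not real traffic) and flags any source IP that POSTs to /downloader/ repeatedly within a short window, which is what a dictionary attack against Magento Connect Manager looks like in an access log. The threshold and window are assumptions to tune for your site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (Apache "combined" format); the addresses are
# documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.7 - - [13/May/2015:10:00:01 +0000] "POST /downloader/index.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2015:10:00:02 +0000] "POST /downloader/index.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2015:10:00:04 +0000] "POST /downloader/index.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2015:10:00:05 +0000] "POST /downloader/index.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2015:10:00:07 +0000] "POST /downloader/index.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2015:10:00:09 +0000] "POST /downloader/index.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.20 - - [13/May/2015:10:01:00 +0000] "GET /downloader/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [13/May/2015:10:01:30 +0000] "POST /downloader/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [13/May/2015:10:02:00 +0000] "GET /index.php/admin/ HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_downloader_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> max number of POSTs to /downloader/ seen inside any
    sliding window of length `window`, for IPs reaching `threshold` or more.
    Every login attempt against Magento Connect Manager is a POST, so a burst
    of POSTs from one address is the signal; GETs of the login page are ignored.
    """
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].startswith("/downloader/"):
            posts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Shrink the window from the left until it fits `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_downloader_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} POSTs to /downloader/ within 10 minutes")
```

On a real server, feed it the contents of the Apache or nginx access log instead of SAMPLE_LOG; a legitimate administrator logs in once or twice, so anything in the dozens per window is a bot and belongs on the deny list described below.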

What can be done to prevent it

There are several possible ways of restricting access to /downloader/. Select whichever suits your needs and skill level.

Move /downloader/ out when you don’t need it

The simplest way, requiring absolutely no knowledge of webserver magic. Just navigate to your Magento root directory in your web file manager (FTP or SSH are also just fine) and move the /downloader/ folder out, or into another folder that is already protected, preferably renaming it. var/myhiddendownloader should be just fine as a new name. When you need to use Magento Connect Manager to install Magento extensions or perform an upgrade, simply move it back.

Restrict access by IP-address

Apache2 with .htaccess enabled

Add the following lines on top of /downloader/.htaccess file:

Order deny,allow
Deny from all
Allow from 184.73.72.65

184.73.72.65 is your IP address as detected by our server; make sure to also add the IP addresses of other administrators who use Magento Connect, install extensions or perform upgrades.

nginx

Ask your hosting support or server admin to allow access to the /downloader/ location for your IP address (184.73.72.65) only. The nginx configuration can look like the following:

location /downloader/ {
  allow 184.73.72.65;
  deny all;
  # other code, depending on your config and the way of passing requests to PHP
  # usually the same as for / location
}
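With more than one administrator it is easy to mistype an address or to paste in a range so wide that the restriction is meaningless. The script below is an added example, not part of the original post: it validates a list of administrator addresses or CIDR ranges with Python’s ipaddress module, refuses anything broader than a /16 (an assumed limit; pick your own), renders the same .htaccess and nginx fragments shown above for the whole list, and lets you check which client addresses the resulting rules would admit before you deploy them. The example goes beyond the single-address case in the text by accepting CIDR ranges, which both Apache’s Allow from and nginx’s allow directives understand.

```python
import ipaddress

# Widest prefix accepted per address family (assumption: an administrator
# allowlist should never be broader than a /16 or a /48).
MAX_WIDTH = {4: 16, 6: 48}


def normalize_admin_networks(entries):
    """Validate and de-duplicate administrator addresses / CIDR ranges.
    Raises ValueError for unparsable input or for overly broad ranges."""
    nets, seen = [], set()
    for raw in entries:
        net = ipaddress.ip_network(raw.strip(), strict=False)  # "1.2.3.4" -> 1.2.3.4/32
        if net.prefixlen < MAX_WIDTH[net.version]:
            raise ValueError(f"{raw!r} is too broad for an administrator allowlist")
        if net not in seen:
            seen.add(net)
            nets.append(net)
    return nets


def is_allowed(client_ip, nets):
    """True if client_ip would pass the allow/deny rules built from nets."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in n for n in nets)


def _fmt(net):
    # Single hosts are written bare, ranges in CIDR notation.
    return str(net.network_address) if net.num_addresses == 1 else net.with_prefixlen


def apache_htaccess(nets):
    """Lines to place at the top of /downloader/.htaccess (Apache 2.2 syntax)."""
    lines = ["Order deny,allow", "Deny from all"]
    lines += [f"Allow from {_fmt(n)}" for n in nets]
    return "\n".join(lines) + "\n"


def nginx_location(nets):
    """A location block for the nginx server configuration."""
    lines = ["location /downloader/ {"]
    lines += [f"  allow {_fmt(n)};" for n in nets]
    lines += [
        "  deny all;",
        "  # other code, depending on your config and the way of passing requests to PHP",
        "  # usually the same as for / location",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample list: the address from the post plus an office range.
    admins = normalize_admin_networks(["184.73.72.65", "198.51.100.0/24"])
    print(apache_htaccess(admins))
    print(nginx_location(admins))
    for probe in ("184.73.72.65", "198.51.100.9", "203.0.113.7"):
        print(probe, "allowed" if is_allowed(probe, admins) else "denied")
```

Run is_allowed against the addresses of your known bots (the ones the log check flagged) as well as against each administrator: the first group must come back denied and the second allowed before the fragment goes live.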

Restrict access by additional password protection

Create a password file under the var/ directory, e.g. var/.htpwd. Use the htpasswd command on your server, or a safe online alternative, to generate it.

Apache2 with .htaccess enabled

Add the following lines on top of /downloader/.htaccess file:

AuthType Basic
AuthName "Restricted"
AuthUserFile /full/path/to/your/magento/root/var/.htpwd
Require valid-user

nginx

Ask your hosting support or server admin to protect the /downloader/ location with a password. The nginx configuration can look like the following:

location /downloader/ {
  auth_basic           "Restricted";
  auth_basic_user_file /full/path/to/your/magento/root/var/.htpwd;
  # other code, depending on your config and the way of passing requests to PHP
  # usually the same as for / location
}

Posted in: Configuration, Magento Connect

  • rohit patel

    What about IIS server?
    How to set permissions in IIS server?