osCommerce and osCMax shopping cart software forums


Host making security changes inquiry please

#1 ozstar, 03-17-2008, 04:07 PM

Hi,

My host is making some changes and I have 5/6 stores on this server that I am told will fall over after Wednesday unless changes are made. Any suggestions other than.. 'well make the changes!!'

Thanks

oz

Here is the message..


As some of you may know there has been a lot of new viruses and trojans appearing in recent weeks across the internet, including a spate of javascript and iframe injections on sites.

In order to ensure the continued security and stability of our servers we will be implementing a number of security changes to our cPanel servers effective from Midnight tonight.

SSH Users

For ultimate SSH security, we will be disabling PasswordAuthentication and only allowing access using PubkeyAuthentication. For more information on how to use SSH in this manner please refer to the following articles:

SSH User Identities
and
http://www.unixwiz.net/techtips/putt...h.html#keypair

SSH will also no longer be accessible on port 22 but will now be on port 22351


PHP Changes

We will be turning off dynamic loading of modules in PHP dl() so if you are using a script that relies on things such as Ioncube loaders or any other module loaded dynamically you will need to check with the developers of your script for the alternative loading options

We will also be progressively turning all servers to Register Globals = Off over the upcoming weeks, however we will be doing this server by server and announcing 2 weeks prior so that everyone has plenty of time to adjust scripts, in particular oscommerce, to the new arrangement

We are also going to be installing SUHOSIN on all servers to harden the php configuration. You can read more info on this at Hardened-PHP Project - PHP Security - Suhosin

This will be done at the same time as the register globals changes are done as the processes will require an apache rebuild to complete them.
#2 neil, 03-17-2008, 08:45 PM

ozstar,
We're on the same server. Here is what Steve sent out...
Quote:
The upgrade process may involve up to 3 steps depending on what version you're currently running and what updates you have already applied.

1) osCommerce MS 2.2 prior to 17th August 2008 - 20060817 release

Please refer to the changelog instructions at http://www.oscommerce.com/ext/extras...e-20060817.txt which outlines the changes required to bring it up to this release. Once these changes are done move on to the next step


2) osCommerce MS 2.2 release candidate 1 (RC1)

Please refer to the changelog instructions at osCommerce Online Merchant v2.2 RC1 Upgrade Notes which outlines the changes required to bring it up to this release. Once these changes are done move on to the next step


3) osCommerce MS 2.2 release candidate 2 (RC2)

Please refer to the changelog instructions at osCommerce Online Merchant v2.2 RC2 Upgrade Notes which outlines the changes required to bring it up to this release. Once these changes are done you are up to date, register globals compatible and should have no issues once your server is updated with the new security patches.

PLEASE NOTE :

Some 3rd party addon modules may or may not be compatible with register globals. You would need to refer to the contribution pages at osCommerce Community Add-Ons to determine if there are any issues or updates required

The osCommerce forums at osCommerce Community Support Forums may also be a source of information on this
#3 JohnW, 03-19-2008, 11:16 AM

I didn't think most hosts allowed ssh access but changing it to a different port is definitely a good thing. The ssh port will also be a factor for using sftp so keep that in mind. I recently set up using key pairs so I have a little help. I found this link pretty helpful
Secure Linux/UNIX access with PuTTY and OpenSSH
but a couple key things
1. use ssh2 and RSA is probably a better choice if using Putty.
2. /home/user/.ssh needs chmod 700
and needs to have
/authorized_keys - containing your pub key
/yourpublickfle.pub
Cpanel has functions to do this but mine DID NOT do it correctly so it did not work. If you use Cpanel to set it up check the link above to see how it needs to be setup and especially permissions.

You can turn register globals on for your individual site even if it is turned off server wide, but Bkpie has a couple good threads
php5 question+oscmax rc3
follow the links off of it too.

I have problems using the stock install of the current Suhosin with it restricting functions on a few Admin features but after looking at the links in Neil's post I'm going to check those out. Bkpie also had a suggestion on my editorders page that I will try.

I can turn Suhosin on and off through php.ini so I will do some more testing but it is suggested by Cpanel and Suhosin that stock settings need to be modified or it will break functions. Stock didn't break anything I'm aware of in Catalog only in Admin.

Hope this helps
__________________
John
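
Added example (not part of the thread): a shell check for the `.ssh` layout described in post #3, meant to be run on the server before password logins are switched off. The 600 target for `authorized_keys`, the list of accepted key types and the sample keys are assumptions of this example; it also goes one step beyond the post by flagging keys pasted in PuTTYgen's multi-line export format, which OpenSSH does not read from `authorized_keys`.

```shell
#!/bin/sh
# Added example: audit a .ssh directory before password logins are disabled.
# Assumes OpenSSH on the server with its default StrictModes checks.

mode_of() {  # octal permission bits; GNU stat first, BSD stat as fallback
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_dir DIR: print one line per problem, return the number of problems
check_ssh_dir() {
    dir=$1; keys="$dir/authorized_keys"; problems=0
    if [ ! -d "$dir" ]; then echo "MISSING $dir"; return 1; fi
    if [ "$(mode_of "$dir")" != 700 ]; then
        echo "MODE $dir is $(mode_of "$dir"), want 700"
        problems=$((problems + 1))
    fi
    if [ ! -f "$keys" ]; then
        echo "MISSING $keys"; return $((problems + 1))
    fi
    case "$(mode_of "$keys")" in
        *[2367]?|*[2367])   # group or world write bit set
            echo "MODE $keys is $(mode_of "$keys"), want 600 (assumed target)"
            problems=$((problems + 1)) ;;
    esac
    # Each key must be one line: [options] type base64 [comment]. A key pasted
    # in PuTTYgen's multi-line "BEGIN SSH2 PUBLIC KEY" format fails this test.
    bad=$(grep -Ev '^[[:space:]]*(#|$)' "$keys" |
          grep -Evc '(^|[[:space:]])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+)[[:space:]]+AAAA' || true)
    if [ "$bad" -gt 0 ]; then
        echo "FORMAT $keys has $bad line(s) not in OpenSSH one-line format"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed demo: a directory set up the wrong way, then corrected.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && chmod 755 "$demo/.ssh"
printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----' 'AAAAB3NzaC1yc2EAAAABJQ' \
    '---- END SSH2 PUBLIC KEY ----' > "$demo/.ssh/authorized_keys"
chmod 664 "$demo/.ssh/authorized_keys"
check_ssh_dir "$demo/.ssh"; echo "problems before fix: $?"

chmod 700 "$demo/.ssh"
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAABJQ constructed-sample-key' > "$demo/.ssh/authorized_keys"
chmod 600 "$demo/.ssh/authorized_keys"
check_ssh_dir "$demo/.ssh"; echo "problems after fix: $?"
rm -rf "$demo"
```
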
#4 neil, 03-20-2008, 04:25 AM

Thanks JohnW,

JPF is also correct in saying this about register_globals on in FATAL ERROR: register_globals is disabled in php.ini
"It is NOT a security issue. It is a BAD CODEing issue."

However register_globals will be set to off in php 6 - no choice.
So, the approach should be for individuals to take one contribution each & make it register_globals off compliant.
I'll take Easy Populate cause that is compliant already.
__________________
HTH
Neil
www.12website.com

"You can have everything in life that you want if you will just help enough other people get what they want."
Zig Ziglar
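
Added example (not part of the thread): a shell audit of a store directory for the two PHP changes in the host's notice, namely calls to `dl()` and per-site settings that switch `register_globals` on. The function names and the sample tree are constructed for illustration, and which override file actually takes effect depends on how the host runs PHP.

```shell
#!/bin/sh
# Added example: find what the host's two PHP changes touch in a store's tree.

# find_dl_calls DIR: file:line:text for each call to PHP's dl().
# The leading character class skips ->dl(, ::dl(, $dl( and names like my_dl(.
find_dl_calls() {
    find "$1" -type f -name '*.php' -exec \
        grep -HnE '(^|[^A-Za-z0-9_>:$])dl[[:space:]]*\(' {} +
}

# find_rg_overrides DIR: per-site settings that switch register_globals on
# (.htaccess php_flag/php_value lines or a local php.ini); comments are skipped.
find_rg_overrides() {
    find "$1" -type f \( -name '.htaccess' -o -name 'php.ini' \) -exec \
        grep -HniE '^[^#;]*register_globals[[:space:]=]+"?(on|1)' {} +
}

# Constructed sample tree (file names and contents are made up for the demo).
demo=$(mktemp -d)
mkdir -p "$demo/catalog/admin"
cat > "$demo/catalog/loader.php" <<'EOF'
<?php
if (!extension_loaded('example')) { dl('example_module.so'); }
$helper->dl('method call, not a module load');
EOF
cat > "$demo/catalog/.htaccess" <<'EOF'
# php_flag register_globals off
php_flag register_globals on
EOF
echo 'register_globals = Off' > "$demo/catalog/admin/php.ini"

echo "dl() calls that stop working once dl() is disabled:"
find_dl_calls "$demo"
echo "per-site register_globals overrides still switched on:"
find_rg_overrides "$demo"
rm -rf "$demo"
```
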
All times are GMT -8.