Question

Since Magento uses the /downloader as a way to conveniently install programs via Magento Connect Manager it is apparent that this is also a security concern since it allows the possibility for bots or people to attempt to learn credentials for the installation.

Checking access logs to my website, I was alarmed at the amount of attempts to the www.mysite.com/downloader

As a work around I've gotten into the habit of renaming the downloader directory to downloader.offline but occasionally I forget. (Either to rename it back to install a program or after I'm done).

What is the recommended method to protect this link?
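To see what the access logs actually show before and after putting a block in place, here is an added example (not part of the original question or any of the answers) that parses Apache combined-format log lines, counts requests to /downloader per source IP, and separates requests the installer answered (status below 400) from requests that were blocked (4xx/5xx). Any IP in the "reached" column after you deploy a block is evidence the block is not working. The log lines are constructed samples using documentation-range addresses; the log format is an assumption, so adjust the regex if your vhost uses a custom LogFormat.

```python
import re
from collections import defaultdict

# Apache "combined" log format (assumption: the site logs in this format; adjust the
# regex if your vhost uses a custom LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not taken from the original post); the addresses are
# RFC 5737 documentation ranges. The last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /downloader/ HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /downloader/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /downloader/?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /downloader/index.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:14:05:10 +0000] "GET /index.php/admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:05:11 +0000] "GET /downloader.offline/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
this line is not a valid log entry
"""


def parse_line(line):
    """Return ip, method, path (query string stripped) and status; None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": m.group("target").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def is_downloader_request(path):
    """True for /downloader and anything beneath it; a renamed /downloader.offline/ does not match."""
    return path == "/downloader" or path.startswith("/downloader/")


def summarize(log_text):
    """Per-IP counts of downloader requests, split into 'reached' (status < 400, the
    installer answered) and 'blocked' (4xx/5xx). Also counts lines that did not parse."""
    per_ip = defaultdict(lambda: {"total": 0, "reached": 0, "blocked": 0})
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if not is_downloader_request(rec["path"]):
            continue
        entry = per_ip[rec["ip"]]
        entry["total"] += 1
        if rec["status"] < 400:
            entry["reached"] += 1
        else:
            entry["blocked"] += 1
    return {"per_ip": dict(per_ip), "unparsed": unparsed}


def unblocked_sources(summary):
    """IPs whose downloader requests got a non-error response: the block is not in effect for them."""
    return sorted(ip for ip, c in summary["per_ip"].items() if c["reached"] > 0)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for ip, counts in sorted(result["per_ip"].items()):
        print(f"{ip}: {counts}")
    print("unparsed lines:", result["unparsed"])
    print("sources that reached the downloader:", unblocked_sources(result))
```

Run it against a real log with `summarize(open("/var/log/apache2/access.log").read())`; once the deny rule or 404 rewrite is deployed, `unblocked_sources` should come back empty, and the `blocked` counts tell you how much probing the rule is absorbing.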


Solution

Just put a .htaccess (or if nginx/whatever a config) into the downloader directory with Disallow from all in it to forbid any request on the directory.

If you wanted to allow a few IP addresses in (like your own), try something like this in your .htaccess

order deny,allow
deny from all
allow from 1.2.3.4 5.6.7.8

Where 1.2.3.4 and 5.6.7.8 are IP addresses you want to let through.

My preferred way: just delete downloader.

OTHER TIPS

Along with @daniel-sloof's recommendation I would say to ditch the Magento Connect installer altogether. I generally add it to .gitignore when setting up a new repository.

The reason being, as Fabian points out in his answer comments, that there is no way to ensure the replication of your production environment in source control without committing the packages from Connect. The feature you'll be losing here is the ability to update/upgrade packages from Connect - but if you really need that functionality you can always do it locally on your dev box and commit the results when you're satisfied that they work.

tl;dr:

Delete the /downloader folder or remove it from your source control.

I usually delete the downloader directory, but also found the following directive in the root htaccess helpful:

RewriteRule ^downloader/ - [L,R=404]

Which will make Apache send a 404 response even if the downloader directory is present.

What about renaming the downloader folder? In case of need, it can easily be renamed back to "downloader", the update or install done as needed, and then renamed again. It seems to work for me.

rm -rf downloader/

https://www.zdnet.com/article/magento-online-stores-hacked-in-largest-campaign-to-date/

OpenMage LTS also removed it a while ago https://github.com/OpenMage/magento-lts/commit/c02c9ed53b990a7549a89c03346d755aa11e263e

Use OpenMage LTS to be as secure 'as possible' https://github.com/OpenMage/magento-lts/commit/c02c9ed53b990a7549a89c03346d755aa11e263e

To block the downloader application, add the following rule to your nginx.conf file:

location ~ ^/downloader/ {
    allow xx.xx.xx.xx;   # replace with the IP address you want to let through
    deny all;            # everyone else gets 403
}
Licensed under: CC-BY-SA with attribution