There is a site built on the 1C-Bitrix CMS. The site, admin panel included, is exposed to the Internet. Since 1C-Bitrix is a very popular CMS, I am worried about the possibility that serious vulnerabilities in it get published and that script kiddies then run exploit scripts against the site, since determining that the site runs this particular CMS is not difficult.

What measures can be taken to:

  • make it difficult to automatically determine that the site runs the Bitrix CMS?
  • protect the Bitrix admin panel from brute-forcing of the admin password?

So far, the simplest thing that has come to mind is to restrict access to the admin panel to the IP addresses of those who administer the site, but this solution is not universal, and sooner or later it will have to be abandoned: as soon as it becomes necessary to edit the site's content from an arbitrary place on the planet, 24/7, without bothering with a proxy or VPN.

Update: Bitrix's position on this issue, as I understood it from correspondence with their support, comes down to using the features of the 1C-Bitrix Proactive Defense module, which allows you to configure IP access restrictions and two-factor authentication for admins, and much more, including things mentioned in the answers below. However, my question is more about server-level protection, not application-level protection. In addition, this solution has a big drawback: it is not universal, since the Proactive Defense module is not included in all editions (license types) of this CMS.

    4 answers

    For those interested, here is the method for closing access to the admin panel by IP: in the root of the site there is a bitrix folder containing the CMS code and the admin panel. In this folder you need to put a .htaccess file with the following contents:

     Order Deny,Allow
     Deny from all
     Allow from 11.11.11.11
     Allow from 22.22.22.22

    The lines starting with Allow from list the IP addresses or subnets that are allowed to access the admin panel.

    An important subtlety: in addition to the IPs of the people who need to work with the admin panel, you must also add a permission for the IP address from which the server running 1C-Bitrix makes outbound connections to the Internet; simply put, you need to allow Bitrix access to itself. If this is not done, then during the diagnostics in the admin panel Bitrix will complain that sockets are not working and will not pass the diagnostics completely.

    The above method of restricting access to the admin panel is not universal. It will work only if the server runs Apache, and only if Apache is configured to allow access control (Deny/Allow) via .htaccess. On popular hosting this is usually the case, but in general you cannot be sure of this setting.

      Look towards ModSecurity. There is a paid subscription that can prevent automated attacks on the site.

      It works by special rules; the subscription gives you access to these rules. If you do not want to pay, you will have to search the Internet for something suitable or write them yourself.

      It is also worth setting up two-factor authentication for admins, for example from protectimus.com.

      They let you generate one-time passwords tied to certain IPs; if the password is intercepted, the attacker will not be able to log in.
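The two answers above amount to two server-level controls: an IP allowlist on the admin folder (with the caveat that the server's own outbound address must be on it) and rule-based blocking of automated login attempts. The following script is an added example, not code from the answers or from 1C-Bitrix: it parses Apache combined-format access-log lines, audits which addresses reached the admin area from outside an allowlist, flags addresses that exceed a login-attempt rate, and renders the allowlist in Apache 2.4 `Require ip` form while refusing to emit one that would lock out the server itself. Assumptions: the admin area is under /bitrix/admin/ (the default location), a login attempt is taken to be any POST under that prefix (the exact request Bitrix sends is not given on this page), and the threshold, the addresses and the sample log lines are constructed for illustration.

```python
"""Server-side checks for a Bitrix admin area, driven by Apache access-log lines.

Added example, not code from the answers above or from 1C-Bitrix itself.
Assumptions: the admin area lives under /bitrix/admin/ (default install);
any POST under that prefix is counted as a login attempt; the sample traffic,
addresses and the 5-attempts-per-60-seconds threshold are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ADMIN_PREFIX = "/bitrix/admin/"

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic): an admin on an allowed network,
# a scripted client hammering the admin login, and a stray visitor already
# rejected with 403 by an .htaccess like the one in the first answer.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "GET /bitrix/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:10 +0000] "POST /bitrix/admin/index.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:11 +0000] "POST /bitrix/admin/index.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:12 +0000] "POST /bitrix/admin/index.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:13 +0000] "POST /bitrix/admin/index.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:14 +0000] "POST /bitrix/admin/index.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:56:00 +0000] "POST /bitrix/admin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:05 +0000] "GET /bitrix/admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({"ip": m["ip"], "method": m["method"], "path": m["path"],
                        "status": int(m["status"]),
                        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")})
    return entries


def build_allowlist(specs):
    """Turn strings such as '203.0.113.0/24' or '198.18.0.1' into network objects."""
    return [ip_network(s, strict=False) for s in specs]


def allowlist_covers(allowlist, ip):
    """True if the address falls inside any allowed network."""
    addr = ip_address(ip)
    return any(addr in net for net in allowlist)


def render_htaccess(allowlist, server_egress_ip):
    """Apache 2.4 'Require ip' equivalent of the Order/Deny/Allow file in the answer.

    Refuses to emit a file that would lock out the server's own outbound address:
    Bitrix's self-diagnostics connect back to the site, so it must be allowed too.
    """
    if not allowlist_covers(allowlist, server_egress_ip):
        raise ValueError(f"server egress address {server_egress_ip} is not in the allowlist")
    return "Require ip " + " ".join(str(net) for net in allowlist) + "\n"


def admin_hits_outside_allowlist(entries, allowlist):
    """Addresses that touched the admin area without being on the allowlist.

    An audit after deploying the .htaccess: 403s show it is working,
    2xx responses from such addresses show it is not.
    """
    return {e["ip"] for e in entries
            if e["path"].startswith(ADMIN_PREFIX) and not allowlist_covers(allowlist, e["ip"])}


def brute_force_suspects(entries, threshold=5, window=timedelta(seconds=60)):
    """Map ip -> peak number of admin POSTs in any sliding window of `window`.

    Only addresses reaching `threshold` are returned. A sliding window (not a
    fixed per-minute bucket) so a burst straddling a minute boundary is still caught.
    """
    attempts = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"].startswith(ADMIN_PREFIX):
            attempts[e["ip"]].append(e["ts"])
    suspects = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            suspects[ip] = peak
    return suspects


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    allowed = build_allowlist(["203.0.113.0/24"])
    print(render_htaccess(allowed, "203.0.113.40"), end="")
    print("admin hits from outside the allowlist:", sorted(admin_hits_outside_allowlist(log, allowed)))
    print("brute-force suspects:", brute_force_suspects(log))
```

Feed the script your real access log instead of SAMPLE_LOG to see who is reaching /bitrix/admin/ and from where; the output of `brute_force_suspects` is the kind of signal a ModSecurity rule or a fail2ban jail would act on, and `render_htaccess` makes the "allow the server's own address" check impossible to forget when regenerating the file.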

        I recommend going through the online course Administrator. Modules, kindly provided by 1C-Bitrix. The proactive protection module lets you flexibly configure IP restrictions not only globally for the site, but even for individual folders. Bitrix is able to analyze how many hits a user makes, freeze that user and send an e-mail to the specified address with links to actions on this user. Against script kiddies and attacks of average sophistication this is more than enough. I currently have 5 active online stores running on the settings of "Proactive Defense" and there have been no hacks or XSS attacks. There are attacks, but the antivirus and firewall cope. But it goes without saying that there must be a good-quality hoster and provider, ready to perform antivirus checks on request.

        • Protecting an application with the means of that application itself does not seem to me to be a solution to the problem in general. Thanks for the link, but the question remains open. - AntonioK
        • Who will guard the watchmen? An eternal dispute. I can only say that the tool offered by 1C-Bitrix is good enough to save a site from hacker attacks. For us it usually works like this: the site has at least the medium level of the "Proactive Defense" module configured. If there are alarm messages in the log, we contact the host and they perform a scan. We also use the "Search for Trojans" tool from Bitrix. If you find a good external solution I will be grateful if you share it. - Nikolaj Sarry