JaB11 - Joomla! Security 101

Joomla! Security 101 What to do before disaster strikeshttp://akeeba.info/security-101

Hi, I’m Nicholas Dionysopoulos and I bet you can’t pronounce my last namehttp://akeeba.info/me

What is site security?And what Chuck Norris has to do with anything?!

Security is about... making it harder to infiltrate, not making it impossible

How do you do that?What stands between your site and hackers?

Security comes in layers Incoming request Firewall Web Server (Global)Web Server (.htaccess) Joomla! Extensions

Security comes in layers Incoming request Always managed by your host Firewall Web Server (Global)Web Server (.htaccess) Joomla! Extensions

Security comes in layers Incoming request Firewall mod_security, suPHP, … Web Server (Global)Web Server (.htaccess) Joomla! Extensions

Security comes in layers Incoming request Firewall Web Server (Global) The most basic protectionWeb Server (.htaccess) Joomla! Extensions

Security comes in layers Incoming request Firewall Web Server (Global)Web Server (.htaccess) Basic filtering Joomla! Extensions

Security comes in layers Incoming request Firewall Web Server (Global)Web Server (.htaccess) Joomla! These are ultimately responsible! Extensions

Security comes in layers Incoming request Firewall Web Server (Global)Web Server (.htaccess) Joomla! Extensions

Our scope today Incoming request Firewall Web Server (Global)Web Server (.htaccess) Joomla! Extensions

The basicsWhat we’re supposed to do and rarely do it

Frequent, tested backups Would you jump off a plane without a parachute?http://akeeba.info/backup

Update, yesterday Yesterday’s code is tomorrow’s hackhttp://akeeba.info/basic-security

Protect your backendThe login is not enough

777: The number of the beast Permissions are doors; don’t leave them openhttp://akeeba.info/777

Sensible permissions Ask your host to enable suPHP or Apache’s mod_itk Site root 0755 or 0700 Directories 0755 Files 0644 If you “must” use 0777 (don’t!) protect with .htaccess: order deny, allow deny from all

Don’t be a sitting duckIt’s duck season!

Mind your prefix Nobody wants to be a jos_http://akeeba.info/prefix

62 reasons to fire your Super Administrator or 42, depending on Joomla! version...http://akeeba.info/62-reasons

Security Kung-Fu You can’t kill a Ninjahttp://akeeba.info/ninja

Visual fingerprinting Seeing is believing and then some tm pl= offl ine tp =1http://akeeba.info/ninja template =ja_purity

Visual fingerprinting RewriteCond %{QU ERY_STRING} (^| &)tmpl=(componen t|system) [NC] RewriteRule .* - [L] RewriteCond %{QU ERY_STRING} (^|& )t(p|emplate| mpl)= [NC] RewriteRule .* - [F]http://akeeba.info/ninja

PHP has a big mouth and that’s not water cooler gossip!http://akeeba.info/ninja

PHP has a big mouthhttp://akeeba.info/ninja

PHP has a big mouth RewriteCond %{QU ERY_STRING} =PH P[a-f0-9]{8}-[a- f0-9]{4}-[a-f0-9 ]{4}-[a-f0-9]{4} -[a-f0-9]{12} [NC] RewriteRule .* - [F]http://akeeba.info/ninja

Blind Elephant Meet your supervillainhttp://akeeba.info/ninja

Blind Elephanthttp://akeeba.info/ninja

Blind Elephant nicholas@teapot:~/blindelephant$ ./BlindElephant.py mysite.com joomla Loaded /home/nicholas/projects/3rdparty/blindelephant/trunk/src/build/lib.linux-x86_64-2.6/blindelephant/ dbs/joomla.pkl with 33 versions, 3696 differentiating paths, and 122 version groups. Starting BlindElephant fingerprint for version of joomla at http://joomla.ubuntu.web Hit http://joomla.ubuntu.web/media/system/js/validate.js Possible versions based on result: 1.5.17, 1.5.18 Hit http://joomla.ubuntu.web/includes/js/joomla.javascript.js Possible versions based on result: 1.5.17, 1.5.18 Hit http://joomla.ubuntu.web/media/system/js/caption.js Possible versions based on result: 1.5.17, 1.5.18 Hit http://joomla.ubuntu.web/media/system/js/openid.js Possible versions based on result: 1.5.17, 1.5.18 Hit http://joomla.ubuntu.web/templates/rhuk_milkyway/css/template.css Possible versions based on result: 1.5.17, 1.5.18 Fingerprinting resulted in: 1.5.17 1.5.18 Best Guess: 1.5.18http://akeeba.info/ninja

Blind Elephant RewriteRule ^ima ges/stories/.*. (jp(e?g|2)?|png| gif|bmp|css|js|s wf|ico)$ - [L] RewriteCond %{HT TP_REFERER} . RewriteCond %{HT TP_REFERER} !^ht tps?://(www.)? example.com [NC] RewriteCond %{RE QUEST_FILENAME} -f RewriteRule .(j p(e?g|2)?|png|gi f|bmp|css|js| swf|ico)$ - [F]http://akeeba.info/ninja

There are more threats Cross-site scripting (XSS) Remote file inclusion (RFI) Local file inclusion (LFI) SQL injection (SQLi) Cross-site request forgery (CSRF) Brute force password cracking Spamming & e-mail harvesting

More protection for youf re e! 2 0€ 10€ The Master Admin Tools .htaccess Professionalhttp://akeeba.info/master- http://akeeba.info/atpro htaccess Use coupon code JOSCAR for 50% off

One more thing... security is a process

Any questions?

That’s all folks!

Want the slides? http://akeeba.info/security-101

http://www.webagencyvarese.it	36
http://paper.li	2
http://translate.googleusercontent.com	2
http://webcache.googleusercontent.com	1

JaB11 - Joomla! Security 101

by AkeebaBackup.com on May 13, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

4 Embeds 41

Statistics

JaB11 - Joomla! Security 101 — Presentation Transcript