JaB11 - Joomla! Security 101

The complete set of slides from my J and Beyond 2011 presentation "Joomla! Security 101". Enjoy!

Speaker notes:
  • Scratches the surface. Imperative everyone follows this advice.
    Next: Me
  • 30-y.o. Mech Engineer turned web dev. Into PHP for > 10 years. Lead dev of Akeeba Backup and Admin Tools.
    Next: Basic Security
  • What is it? Is it Chuck Norris on your site? Making the site unhackable?
  • Make it harder, not impossible.
  • Everyone knows these things have to be done. We rarely do them because we’re bored.
    Next: Backups
  • Use Akeeba Backup or any other tool for at least daily backups. Test-restore backups every week, or after installing a new release.
    Next: Updates
  • Always update on the same day. Keep an eye on the JVEL (Joomla! Vulnerable Extensions List). Subscribe to an advance-warning service like SalvusAlerting.
    Next: backend protection
  • Password-protect administrator. Add a secret key to administrator (jSecure, Admin Tools Professional, etc.).
    Next: 777
  • Why 0777 is a bad idea (hack from the inside). Sane perms on the next slide.
    Next: perms
  • Use suPHP/mod_itk if possible. Root 0755 / 0700 (disables 0777). Dirs 0755, files 0644. You never “must” use 0777. If you do, use .htaccess.
    Next: sitting duck
  • Default Joomla! settings = sitting duck. It’s duck hunting season; you don’t want to be a duck.
    Next: prefix
  • Prefix has nothing to do with telephony. The default jos_ table prefix is evil. Use something random; use Admin Tools for an easy change. Danger, Will Robinson: some extensions might break.
    Next: Super Admin ID
  • Default SA ID is 62/42. Used in direct SQLi attacks. Do not just create a new user; that is equally unsafe. Create a “low ID” user; use Admin Tools.
    Next: Ninja!
  • How the big boys deal with security. Some tips are over the top. You can never be too paranoid w/ security.
    Next: Visual fingerprinting
  • Appending parameters can reveal too much. Used to identify your site as a Joomla! site = potential target. Security through obscurity; not THE solution, but it helps.
    Next: solution
  • These rules are in my Master .htaccess.
    Next: PHP has a big mouth
  • Appending parameters can reveal too much. Used to identify your PHP version. Can deliver non-Joomla!-specific exploits.
    Next: demonstration
  • This is what it looks like. Each version has a different image!
    Next: solution
  • These rules are in my master .htaccess.
    Next: Blind Elephant
  • No, you’re not going to the circus; or a safari. A blind elephant is after you and will stomp you. See for yourself! (next slide)
    Next: BlindElephant run
  • Typical Blind Elephant run. It’s not the only fingerprinting script. They’re moderately to very accurate.
    Next: solution
  • These rules are in my master .htaccess.
    Next: More protection
  • My master .htaccess is free, requires expert knowledge, no support. ATPro is easier for site builders, has docs, support.
    Next: security is a process
  • It’s not fire and forget. You have to work on it continuously as your site evolves.
    Next: questions
  • Ask your questions!
    Next: the end
  • Thank you for listening. Visit the URL for the slides in PDF format.
    THE END

    1. Joomla! Security 101: What to do before disaster strikes. http://akeeba.info/security-101
    2. Hi, I’m Nicholas Dionysopoulos, and I bet you can’t pronounce my last name. http://akeeba.info/me
    3. What is site security? And what does Chuck Norris have to do with anything?!
    4. Security is about... making it harder to infiltrate, not making it impossible.
    5. How do you do that? What stands between your site and hackers?
    6. Security comes in layers: Incoming request → Firewall → Web Server (Global) → Web Server (.htaccess) → Joomla! → Extensions
    7. Security comes in layers: Firewall, always managed by your host
    8. Security comes in layers: Web Server (Global), i.e. mod_security, suPHP, …
    9. Security comes in layers: Web Server (.htaccess), the most basic protection
    10. Security comes in layers: Joomla!, basic filtering
    11. Security comes in layers: Extensions, these are ultimately responsible!
    12. Security comes in layers (the full stack again)
    13. Our scope today: Incoming request → Firewall → Web Server (Global) → Web Server (.htaccess) → Joomla! → Extensions
    14. The basics: What we’re supposed to do and rarely do
    15. Frequent, tested backups. Would you jump off a plane without a parachute? http://akeeba.info/backup
    16. Update, yesterday. Yesterday’s code is tomorrow’s hack. http://akeeba.info/basic-security
    17. Protect your backend. The login is not enough.
    18. 777: The number of the beast. Permissions are doors; don’t leave them open. http://akeeba.info/777
    19. Sensible permissions
        Ask your host to enable suPHP or Apache’s mod_itk.
        Site root: 0755 or 0700
        Directories: 0755
        Files: 0644
        If you “must” use 0777 (don’t!), protect the directory with .htaccess:
            Order deny,allow
            Deny from all
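As an added example, not taken from the slides or from Admin Tools, here is a POSIX shell script that applies the permission scheme of slide 19 to a Joomla! site root and reports what is still world-writable before and after. It assumes only find(1) and chmod(1); the site path is whatever the caller passes. The .htaccess it writes uses the Apache 2.2 `Order`/`Deny` syntax shown on the slide; Apache 2.4 without mod_access_compat needs `Require all denied` instead.

```shell
#!/bin/sh
# Added example, not from the slides or from Admin Tools: apply the
# permission scheme of slide 19 to a Joomla! site root and report anything
# left world-writable. Assumes only a POSIX shell, find(1) and chmod(1);
# the site path is supplied by the caller.

# count_world_writable SITE_ROOT
# Number of real files/directories whose mode has the "other write" bit,
# which is what 0777 and 0666 grant to every other account on a shared
# host (the "hack from the inside" of slide 18). Symlinks are skipped
# because their own mode is always 0777 and is irrelevant.
count_world_writable() {
  find "$1" ! -type l -perm -0002 | wc -l | tr -d ' '
}

# list_world_writable SITE_ROOT
# Same selection, but prints the offending paths so they can be reviewed
# before (or instead of) blanket fixing.
list_world_writable() {
  find "$1" ! -type l -perm -0002
}

# fix_perms SITE_ROOT
# Directories (site root included) -> 0755, regular files -> 0644.
# With suPHP or mod_itk PHP runs as the site owner, so this is all the
# write access Joomla! needs.
fix_perms() {
  root=$1
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
  find "$root" -type d -exec chmod 0755 {} +
  find "$root" -type f -exec chmod 0644 {} +
}

# deny_all_htaccess DIR
# The slide's last resort for a directory that "must" stay 0777: refuse to
# serve anything out of it. Apache 2.2 syntax as on the slide; Apache 2.4
# without mod_access_compat needs "Require all denied" instead.
deny_all_htaccess() {
  printf 'Order deny,allow\nDeny from all\n' > "$1/.htaccess"
}

# Usage: sh perms.sh /path/to/site
if [ $# -eq 1 ]; then
  echo "world-writable entries before: $(count_world_writable "$1")"
  list_world_writable "$1"
  fix_perms "$1"
  echo "world-writable entries after:  $(count_world_writable "$1")"
fi
```

Run `list_world_writable` on its own first; on a shared host every path it prints is writable by your neighbours’ PHP, which is exactly the scenario slide 18 warns about.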
    20. Don’t be a sitting duck. It’s duck season!
    21. Mind your prefix. Nobody wants to be a jos_. http://akeeba.info/prefix
    22. 62 reasons to fire your Super Administrator (or 42, depending on Joomla! version...). http://akeeba.info/62-reasons
    23. Security Kung-Fu. You can’t kill a Ninja. http://akeeba.info/ninja
    24. Visual fingerprinting. Seeing is believing and then some. Tell-tale query strings: ?tmpl=offline, ?tp=1, ?template=ja_purity. http://akeeba.info/ninja
    25. Visual fingerprinting
        RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC]
        RewriteRule .* - [L]
        RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC]
        RewriteRule .* - [F]
        http://akeeba.info/ninja
    26. PHP has a big mouth, and that’s not water cooler gossip! http://akeeba.info/ninja
    27. PHP has a big mouth. http://akeeba.info/ninja
    28. PHP has a big mouth
        RewriteCond %{QUERY_STRING} =PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12} [NC]
        RewriteRule .* - [F]
        http://akeeba.info/ninja
    29. Blind Elephant. Meet your supervillain. http://akeeba.info/ninja
    30. Blind Elephant. http://akeeba.info/ninja
    31. Blind Elephant
        nicholas@teapot:~/blindelephant$ ./BlindElephant.py mysite.com joomla
        Loaded /home/nicholas/projects/3rdparty/blindelephant/trunk/src/build/lib.linux-x86_64-2.6/blindelephant/dbs/joomla.pkl with 33 versions, 3696 differentiating paths, and 122 version groups.
        Starting BlindElephant fingerprint for version of joomla at http://joomla.ubuntu.web
        Hit http://joomla.ubuntu.web/media/system/js/validate.js
        Possible versions based on result: 1.5.17, 1.5.18
        Hit http://joomla.ubuntu.web/includes/js/joomla.javascript.js
        Possible versions based on result: 1.5.17, 1.5.18
        Hit http://joomla.ubuntu.web/media/system/js/caption.js
        Possible versions based on result: 1.5.17, 1.5.18
        Hit http://joomla.ubuntu.web/media/system/js/openid.js
        Possible versions based on result: 1.5.17, 1.5.18
        Hit http://joomla.ubuntu.web/templates/rhuk_milkyway/css/template.css
        Possible versions based on result: 1.5.17, 1.5.18
        Fingerprinting resulted in: 1.5.17 1.5.18
        Best Guess: 1.5.18
        http://akeeba.info/ninja
    32. Blind Elephant
        RewriteRule ^images/stories/.*\.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [L]
        RewriteCond %{HTTP_REFERER} .
        RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
        RewriteCond %{REQUEST_FILENAME} -f
        RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [F]
        http://akeeba.info/ninja
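The rule sets on slides 25, 28 and 32 are easier to reason about when their decision logic can be exercised without an Apache server. The following is an added example, not part of the slides or of the Master .htaccess: a POSIX shell re-implementation of those three rule sets that returns "allow" or "forbid" for a given query string, or for a given request path plus Referer. It uses grep -E in place of Apache’s PCRE (these particular patterns mean the same in both), and it assumes the slide’s placeholder host example.com and that the requested static file exists on disk (the slide’s `-f` condition).

```shell
#!/bin/sh
# Added example, not from the slides or the Master .htaccess: a shell
# re-implementation of the decision logic of the rule sets on slides 25,
# 28 and 32, so they can be reasoned about and regression-tested without
# an Apache server. grep -E stands in for Apache's PCRE; these particular
# patterns mean the same thing in both dialects.

# query_verdict QUERY_STRING  ->  prints "allow" or "forbid"
query_verdict() {
  qs=$1
  # Slide 25, rule 1: tmpl=component and tmpl=system are legitimate
  # Joomla! requests (print view, modal popups). The [L] flag ends
  # processing before the blocking rule below can see them, so the order
  # of the two rules matters: swap them and the site's own print links 403.
  if printf '%s' "$qs" | grep -Eiq '(^|&)tmpl=(component|system)'; then
    echo allow; return
  fi
  # Slide 25, rule 2: any other tp=, template= or tmpl= parameter is only
  # useful for fingerprinting a Joomla! site -> 403.
  if printf '%s' "$qs" | grep -Eiq '(^|&)t(p|emplate|mpl)='; then
    echo forbid; return
  fi
  # Slide 28: a GUID-shaped value =PHPxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  # is the PHP "easter egg" trigger that returns a per-version logo or
  # credits page -> 403.
  if printf '%s' "$qs" | grep -Eiq '=PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}'; then
    echo forbid; return
  fi
  echo allow
}

# Host the rules protect; the slide writes it as example.com and so does
# this example. Regex-escaped because it is spliced into a pattern.
SITE_HOST_RE='example\.com'

# static_verdict REQUEST_PATH REFERER  ->  prints "allow" or "forbid"
# The slide's third condition (REQUEST_FILENAME -f) is assumed true here,
# i.e. the requested static file exists on disk.
static_verdict() {
  path=${1#/}      # .htaccess rules see the path relative to the directory
  referer=$2
  # Rule 1: images/stories/* is content meant to be embedded elsewhere and
  # is exempted with [L].
  if printf '%s' "$path" | grep -Eq '^images/stories/.*\.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$'; then
    echo allow; return
  fi
  # Conds 1 and 2: a Referer is present AND it does not start with our
  # own site ...
  if [ -n "$referer" ] && ! printf '%s' "$referer" | grep -Eiq "^https?://(www\.)?${SITE_HOST_RE}"; then
    # Rule 2: ... and the request is for a static asset -> 403.
    if printf '%s' "$path" | grep -Eq '\.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$'; then
      echo forbid; return
    fi
  fi
  echo allow
}

# Usage: sh rules.sh 'tmpl=offline' 'tp=1' 'option=com_content&tmpl=component'
for qs in "$@"; do
  printf '%-50s %s\n' "$qs" "$(query_verdict "$qs")"
done
```

Two things the simulation makes visible that follow from the rules as written on slide 32. First, a request carrying no Referer header at all is allowed: `RewriteCond %{HTTP_REFERER} .` only engages the block when a Referer is present, so a script that fetches /media/system/js/validate.js and the other paths seen in the slide 31 run without sending a Referer is not stopped, which is consistent with the deck’s own framing of these rules as obscurity that helps rather than the solution. Second, the Referer pattern has no terminator after the host, so a Referer of http://example.com.attacker.invalid/ also counts as “own site”; appending `(/|$)`, i.e. `^https?://(www\.)?example\.com(/|$)`, closes that gap.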
    33. There are more threats: Cross-site scripting (XSS); Remote file inclusion (RFI); Local file inclusion (LFI); SQL injection (SQLi); Cross-site request forgery (CSRF); Brute force password cracking; Spamming & e-mail harvesting
    34. More protection for you: The Master .htaccess (free!) http://akeeba.info/master-htaccess; Admin Tools Professional (20€, 10€ with coupon code JOSCAR for 50% off) http://akeeba.info/atpro
    35. One more thing... security is a process
    36. Any questions?
    37. That’s all folks!
    38. Want the slides? http://akeeba.info/security-101
