Joomla! Day Poland 2012 - Active Security for Joomla! sites

Published in: Technology, Design
Speaker notes:

  • Slide 1: Scratches the surface. Imperative everyone follows this advice. (Next: Me)
  • Slide 4: Make it harder, not impossible.
  • Slide 19: Whitepixel + cheap hardware. Costs $2,800. Breaks 33.1 billion passwords / second. (Next: sample pw)
  • Slide 20: All about entropy. Words stronger than random garbage. There's a catch: all words = 1 day. Add numbers/padding to increase entropy. (Next: 777)
  • Slide 32: Ask your questions! (Next: QR-Code)
  • Slide 34: Ask your questions! (Next: QR-Code)
  • Slide 35: Thank you for listening. THE END

Transcript of "Joomla! Day Poland 2012 - Active Security for Joomla! sites"

    1. Active security for Joomla! sites
       version 5.2
    2. Mission: Impossible
       Talking in-depth about Joomla! security in 30 minutes or less... but I'll try!
    3. Put your pens away
       Sit back and enjoy
    4. A site is like a building
       • Strong foundations
       • Careful construction
       • Active maintenance
    5. Step 1: Strong foundations
       Your server setup - Geeky stuff ahead!
    6. Updated server software
       PHP, MySQL, Apache, FTP server...
    7. mod_security for Apache
       Your server's security guard
    8. You need some rules
       Atomic (GotRoot) Rules: http://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules
       OWASP Rules: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
    9. Permissions & ownership
       Who can do what and where
    10. Sane ownership & permissions
        All files and folders owned by the FTP user
        Folders: 0755 permissions
        Files: 0644 permissions
        Use Joomla!'s FTP mode on shared hosts
        Better yet, use suPHP or FastCGI
    11. Too much to remember?
        Akeeba Backup User's Guide, Security Information: https://www.akeebabackup.com/documentation/akeeba-backup-documentation/security-info.html
        777: The number of the beast: http://www.dionysopoulos.me/blog/777-the-number-of-the-beast
    12. Make it all happen
        The magic script
    13. https://github.com/betweenbrain/ubuntu-web-server-build-script
        written by Matt Thomas (@betweenbrain)
    14. Step 2: Careful construction
        Your site setup
    15. Update, yesterday
        Joomla! & extensions
    16. Think before installing
        Don't be the mouse in the trap!
    17. Length matters
    18. Your password's length matters
    19. A terrifying thought
        Password hacking super-computer: 2,700 USD (2 years ago; much cheaper now)
    20. How safe is your password?

        | Password                      | Bits  | Iterations | Time to crack        |
        |-------------------------------|-------|------------|----------------------|
        | 15082005                      | 13.6  | 12416      | 0.00038 msec         |
        | admin                         | 15.9  | 61147      | 0.00185 msec         |
        | ortrtaortftaaidbt             | 67.7  | 2.39E+20   | 228.95 years         |
        | 0rtrTA0rtfTa&idbT             | 88.2  | 3.55E+26   | 340 million years    |
        | horse correct battery stapler | 107.2 | 1.86E+32   | 178179 billion years |

    21. Lock it down
        Nothing on my site runs unless I say so
    22. .htaccess rules
        My Master .htaccess - FREE: http://akeeba.assembla.com/code/master-htaccess/git/nodes/htaccess.txt
        Admin Tools Professional - 20€: https://www.akeebabackup.com/products/46-software/855-admintools.html
    23. Armor up
        Protect your site
    24. Step 3: Active maintenance
        Staying on top of it all
    25. Backups
        Frequent, automated, off-site backups
    26. Monitor file changes
        A changed file is usually a bad thing
    27. Monitor it
        Keep an eye on the logs
    28. In spite of it all…
    29. Dammit!
        You got hacked, now what?
    30. DON'T PANIC
    31. We've got instructions
        Unhacking your site: https://www.akeebabackup.com/documentation/walkthroughs/item/1124-unhacking-your-site.html
        You do have backups, right? Make sure you read the instructions before getting hacked.
    32. Questions?
    33. Shameless plug!
        20% discount on all subscriptions
        Use coupon code JD12PL on https://www.AkeebaBackup.com/subscribe
    34. "Quick! Snatch this presentation before I do!"
        http://akeeba.info/asjd12pl
    35. Thank you for listening!
        Image credits: sxc.hu; istockphoto.com
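Slide 10 gives the permission baseline (directories 0755, files 0644, everything owned by the FTP user) but the deck has no code for checking it. The script below is an added example, not code from the presentation, from Akeeba or from the "777" blog post: it audits a directory tree against that baseline, flags world-writable entries as critical, and applies the file and directory modes. The constructed sample tree in `demo()` (an `images/` folder set to 0777 and a `configuration.php` set to 0666) is an assumption made for the demonstration; the expected owner is taken to be the current user.

```python
import os
import shutil
import stat
import tempfile

# Baseline from slide 10: directories 0755, files 0644, everything owned by the FTP user.
DIR_MODE = 0o755
FILE_MODE = 0o644


def audit_tree(root, expected_uid=None):
    """Walk `root` and report every entry whose mode or owner deviates from the baseline.

    World-writable entries (the classic "777" case) are marked critical because any
    local process on the host, not just the web server, could modify them.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, True)] + [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink has no meaningful mode of its own; audit its target instead
            mode = stat.S_IMODE(st.st_mode)
            want = DIR_MODE if is_dir else FILE_MODE
            rel = os.path.relpath(path, root)
            if mode != want:
                findings.append({"path": rel, "problem": "mode",
                                 "actual": f"{mode:04o}", "expected": f"{want:04o}",
                                 "critical": bool(mode & stat.S_IWOTH)})
            if expected_uid is not None and st.st_uid != expected_uid:
                findings.append({"path": rel, "problem": "owner",
                                 "actual": str(st.st_uid), "expected": str(expected_uid),
                                 "critical": False})
    return sorted(findings, key=lambda f: (f["path"], f["problem"]))


def fix_modes(root):
    """Apply the baseline modes and return how many entries were changed.

    Ownership is deliberately left alone: chown needs root and the correct FTP-user
    uid, which is a per-host decision rather than something to automate blindly.
    """
    changed = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        targets = [(dirpath, DIR_MODE)] + [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
        for path, want in targets:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if stat.S_IMODE(st.st_mode) != want:
                os.chmod(path, want)
                changed += 1
    return changed


def demo():
    """Constructed Joomla-like tree with two bad modes: audit it, fix it, audit again."""
    root = tempfile.mkdtemp(prefix="joomla-perm-demo-")
    try:
        os.chmod(root, DIR_MODE)
        os.mkdir(os.path.join(root, "images"))
        os.chmod(os.path.join(root, "images"), 0o777)  # the "777: number of the beast" mistake
        for name, mode in (("index.php", FILE_MODE), ("configuration.php", 0o666)):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("<?php // constructed sample file\n")
            os.chmod(os.path.join(root, name), mode)
        before = audit_tree(root, expected_uid=os.getuid())
        changed = fix_modes(root)
        after = audit_tree(root, expected_uid=os.getuid())
        return before, changed, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    before, changed, after = demo()
    for f in before:
        flag = "CRITICAL" if f["critical"] else "warn"
        print(f"[{flag}] {f['path']}: {f['problem']} {f['actual']} (expected {f['expected']})")
    print(f"fixed {changed} entries; remaining findings: {len(after)}")
```

Run `audit_tree("/path/to/site", expected_uid=<ftp user's uid>)` from cron and alert on any finding; a PHP file that suddenly becomes world-writable is exactly the signal slide 26 asks you to watch for. Sites that rely on Joomla!'s FTP mode or suPHP (slide 10) have the web server run as the same user that owns the files, so no directory needs to be writable by "other" at all.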
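Slide 20's table follows directly from the speaker notes for slide 19: the "Iterations" column is 2 to the power of the "Bits" column, and "Time to crack" is that keyspace divided by the 33.1 billion guesses per second the notes quote for the Whitepixel rig. The script below is an added example written for this page, not the presenter's own tool; it recomputes the time column from the slide's bit values and adds a naive charset-based entropy estimate. That naive estimate is an assumption of this example and deliberately differs from the slide's figures, which are lower because they account for dates and dictionary words (hence "15082005" at only 13.6 bits); the guess rate and year length are constants chosen here.

```python
import math

# Guess rate from the speaker notes for slide 19 (2012 hardware); treat it as a floor,
# since a modern GPU rig is faster and the times below shrink accordingly.
GUESSES_PER_SECOND = 33.1e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(bits):
    """Candidates an attacker must try to exhaust `bits` of entropy (slide 20's 'Iterations')."""
    return 2.0 ** bits


def crack_time_seconds(bits, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust the keyspace; the expected time is half of this."""
    return keyspace(bits) / rate


def human_duration(seconds):
    """Render a duration the way the slide's 'Time to crack' column does."""
    if seconds < 1:
        return f"{seconds * 1000:.5f} msec"
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    years = seconds / SECONDS_PER_YEAR
    if years < 1:
        return f"{seconds / 86400:.1f} days"
    if years < 1e6:
        return f"{years:.2f} years"
    if years < 1e9:
        return f"{years / 1e6:.0f} million years"
    return f"{years / 1e9:.0f} billion years"


def charset_entropy_bits(password):
    """Upper-bound entropy: length * log2(alphabet), as if every character were random.

    This naive estimate is far too generous for dates, dictionary words and keyboard
    patterns, which is why the slide rates '15082005' at 13.6 bits, not the 26.6 given here.
    """
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(alphabet) if alphabet else 0.0


SLIDE_ROWS = [  # (password, bits as printed on slide 20)
    ("15082005", 13.6),
    ("admin", 15.9),
    ("ortrtaortftaaidbt", 67.7),
    ("0rtrTA0rtfTa&idbT", 88.2),
    ("horse correct battery stapler", 107.2),
]


def table(rows=SLIDE_ROWS, rate=GUESSES_PER_SECOND):
    """Recompute the Iterations and Time-to-crack columns from the Bits column."""
    return [(pw, bits, keyspace(bits), human_duration(crack_time_seconds(bits, rate)))
            for pw, bits in rows]


if __name__ == "__main__":
    for pw, bits, iters, when in table():
        naive = charset_entropy_bits(pw)
        print(f"{pw:32} {bits:6.1f} bits (naive {naive:6.1f})  {iters:9.2e} iterations  {when}")
```

The point the slide makes survives the arithmetic: every extra bit doubles the time, so length (and the padding the notes mention) matters more than exotic characters, and the gap between the naive estimate and the slide's pattern-aware figure is exactly the margin an offline cracker exploits. Plug a higher `rate` into `table()` to see how the 2012 numbers shrink on current hardware.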
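Slide 26 says a changed file is usually a bad thing but does not show how to notice one. The following is an added example, not part of the presentation and not Admin Tools' implementation: a minimal file-integrity check that records a SHA-256 baseline of the site tree, skips directories that churn legitimately, and reports added, removed and modified files on the next run. The directory names in the skip list and the constructed tree in `demo()` (one edited file, one new PHP file appearing under `images/`, one deleted template) are assumptions made for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile


def sha256_of(path):
    """Stream the file so large uploads never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, skip_dirs=("cache", "tmp", "logs")):
    """Map every file under `root` (relative path -> sha256), pruning churn directories.

    The default skip list is a constructed assumption; tune it to what legitimately
    changes on your site, and keep it short: anything skipped is also unmonitored.
    """
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]  # prune in place
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(path)
    return baseline


def compare(baseline, current):
    """Classify differences; any non-empty list deserves a look (slide 26)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: take a baseline, then simulate one edit, one new file, one deletion."""
    root = tempfile.mkdtemp(prefix="joomla-fim-demo-")
    fd, baseline_file = tempfile.mkstemp(suffix=".json")
    os.close(fd)
    try:
        _write(root, "index.php", "<?php // constructed sample\n")
        _write(root, "configuration.php", "<?php // constructed config\n")
        _write(root, "templates/site/index.html", "<!-- empty -->\n")
        _write(root, "cache/page.tmp", "ignored churn\n")
        save_baseline(build_baseline(root), baseline_file)

        _write(root, "index.php", "<?php // constructed sample, now altered\n")   # modified
        _write(root, "images/banner.php", "<?php // new file not in baseline\n")  # added
        os.remove(os.path.join(root, "templates/site/index.html"))                # removed
        _write(root, "cache/other.tmp", "more churn\n")                           # in a skipped dir

        return compare(load_baseline(baseline_file), build_baseline(root))
    finally:
        shutil.rmtree(root)
        os.remove(baseline_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Store the baseline outside the web root, ideally off the host with the backups from slide 25, since anyone who can edit your PHP files can edit a baseline that sits next to them; and re-take it immediately after each Joomla! or extension update (slide 15) so the report only ever lists changes you did not make yourself. A new `.php` file under `images/` is the kind of entry that should page somebody.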