Photo credits (from the slide notes):
  • Balaclava - http://www.flickr.com/photos/vladus/1933814881/
  • Pickpocket - http://www.flickr.com/photos/dullhunk/4575707721/
  • Onion - http://www.flickr.com/photos/10460483@N02/5448093522/
  • Shhh - http://www.flickr.com/photos/42918851@N00/5905346604/sizes/l/in/photostream/
  • http://www.flickr.com/photos/philliecasablanca/6011248010/

Joomla Security
Bare essentials to serious measures
Brendon Hatcher, Technical Director
Photo: flickr.com/photos/carbonnyc

Understanding hackers and hacking
Definitions of “hacker”
Hacker’s motivations
Evidence of hacking

What is a hacker?
Someone who deliberately seeks to bypass a server’s security
  Black, grey, white hats
  A hacked site is a broken/compromised site
A skilled computer programmer
  A hacked site is a tweaked and improved site
A script kiddie
  Junior hacker using other hackers’ tools and techniques

Hacker’s motivations
To see if they can
To create mayhem
For social standing in the sub-culture
For political reasons – hacktivism
For financial reasons
  Theft – steal ebooks, videos, games, online services etc
  Sell data – user profiles, credit card details etc
  Industrial sabotage – paid to break competitor sites
  Set up zombie farms
  Steal bandwidth
  Host phishing pages
  Collect passwords

Evidence of hacking
None!
Site trashed
Hacking message
High bandwidth use
Changed admin password
New user with admin rights
Server logs

Why be concerned about security?
No-one is safe
Hacking is actually quite easy
Fixing hacked sites is tricky
Hacked sites are a big problem

No-one is safe

Why worry about hacking?
Sites are targeted at random
Hacking is actually quite easy
  Vulnerable sites are easy to find
  Vulnerable sites are easy to hack
Fixing hacked sites is quite tricky
  Hacks can be invisible
  Clients may not notice a hacked site for some time
  Finding a clean backup may be impossible
  Determining what has been done can be really hard
  May be difficult to restore
  Hardening the site to avoid future hacks requires skill and focus

Why worry about hacking?
Hacked sites are a big problem
  Business reputation
  Angry clients
  Site shutdown by host
  Loss of business
  Data theft
Photo: flickr.com/photos/gaetanlee/

Hacking a Joomla site
Is Joomla less secure than other systems?
The site must be vulnerable
3 steps to hacking for fun and profit

Is Joomla less secure than other systems?
Yes and No
Joomla has to strike a balance between security and ease of use
Joomla is an attractive target for hackers:
  The critical mass of sites
  Large amateur web developer user base
  Extensions have variable security
The site must be vulnerable

3 steps to hacking for fun and profit
Find a vulnerability (and instructions on how to exploit it)
Find a vulnerable site
Hack the site
Then, sit back and enjoy fame and fortune!

Find a vulnerability
Security sites: www.exploit-db.com, www.secunia.com
Various hacking sites/forums
Joomla vulnerable extensions list: docs.joomla.org/Vulnerable_Extensions_List

Find a vulnerable site
Google Dork – a search phrase to find vulnerable sites
  PHPInfo: intitle:phpinfo()
  Vulnerable extensions: allinurl:com_acajoom

Cut and paste hack code
http://xxxxxxxxxxxxxxxxx/index.php?option=com_acajoom&act=mailing&task=view&listid=1&Itemid=1&mailingid=1/**/union/**/select/**/1,1,1,1,concat(username,0x3a,password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/from/**/jos_users/**/LIMIT/**/1,1/*
Photo: flickr.com/photos/tawheedmanzoor

Security action plan
Web sites are like onions
Levels of security
Web development tools
Strong, unique passwords everywhere
Continuous attention

Web sites are like onions
Server operating system
Apache
PHP + MySQL
Joomla
Extensions
Users and their behaviour

Levels of security
[1] Basic actions
[2] More complex actions
[3] Actions that require significant modification rights on the server (unless already implemented by default)
Image by echiner1

Web development tools
WHM – server administration
cPanel – hosting account administration
FileZilla – FTP app
Keepass – password vault

General advice
Strong, unique passwords everywhere
A password vault removes the need to have a single, simple password
Continuous attention needed

Creating a safe home for Joomla
Shared, VPS or dedicated servers?
Apache
PHP
MySQL

Shared, VPS or dedicated servers?
A shared server
  Your site(s) live in the same hosting space as other sites that you do not administer
  This is the cheapest hosting option
  No say over the security of the other sites on the server
  An old shared server is the worst location for your hosting
A Virtual Private Server
  Better than shared
  Still can’t change many settings

Shared, VPS or dedicated servers?
A dedicated server
  Still a “shared” server
  Allows you to upgrade and tweak all the settings on a dedicated server
  Host retains responsibility for maintenance

Additional security
Suhosin – hardens PHP
Samhain or Tripwire
Configserver firewall

Apache
[3] suExec
  CGI scripts run under the user of the website instead of the Apache user
[3] Mod_security
  Intrusion detection and prevention engine

PHP
[2] PHP5, not PHP4
[3] suPHP
  PHP files are run under the user of the website instead of the Apache user
Globally reset all files:
  Owner – AccountUsername:AccountUsername: chown -R user:group *
  Files – 644: find . -type f -exec chmod 644 {} \;
  Folders – 755: find . -type d -exec chmod 755 {} \;
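As an added example (not from the presentation), the three reset commands on the PHP slide wrapped in a script that also audits the tree afterwards for anything still outside 644/755; it assumes GNU findutils, and the site root and owner:group are placeholders.

```shell
# Added example, not from the presentation: apply the slide's chown/chmod reset to a
# Joomla tree and then audit for anything that still deviates from 644/755.
# Assumes GNU findutils (for -printf); the site root and owner:group are placeholders.

# Reset ownership and permissions exactly as the slide describes. chown needs root,
# so it is skipped when run as an ordinary hosting user.
reset_joomla_perms() {
    root="$1"; owner="$2"      # e.g. /home/account/public_html account:account
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$root"
    fi
    find "$root" -type f -exec chmod 644 {} \;
    find "$root" -type d -exec chmod 755 {} \;
}

# Report every file that is not 644 and every directory that is not 755.
# On a host without suPHP a world-writable file or folder is writable by the Apache
# user, which is what a planted shell script relies on, so this is worth a daily check.
audit_joomla_perms() {
    root="$1"
    find "$root" -type f ! -perm 644 -printf 'file %m %p\n'
    find "$root" -type d ! -perm 755 -printf 'dir  %m %p\n'
}

# Number of deviations, so a cron job can alert only when it is non-zero.
count_perm_deviations() {
    audit_joomla_perms "$1" | wc -l | tr -d ' '
}
```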
Hosting account
.htaccess files
[1] Activate the htaccess file in the Joomla root
[1] Use an .htpasswd for the /administrator/ folder
[3] Advanced .htaccess files
A LOT more important detail in the manual

Securing a Joomla site
Keeping up to date
Avoiding the obvious
Hide, and be very, very quiet
Spam form submissions
Install sh404SEF

Keeping up to date
Must update Joomla core and extensions
Remove unused extensions

Avoiding the obvious
[1] The default database table prefix is jos_
[1] The default admin username is admin
[1] The default admin user ID is 62
[1] Change the administrator access URL

Hide, and be very, very quiet
[1] SEF all URLs
[1] Clear the default Joomla meta tags
[1] Clear the default Home page title
[1] Remove the generator tag
[1] Change the favicon
[2] Hide component credits

Spam form submissions
Trying to inject spam content onto your site
Targets Joomla core forms and extension forms
Install a captcha system

Install sh404SEF
SEF URLs hide from Google Dorks
Flood control
Other security settings

Creating a safe working environment
PC vulnerability to hacks
FTP access hacks
A note about users
“Burglar bars, electric fences, alarms… and a key left under the doormat”

PC vulnerability to hacks
[1] Install all operating system patches
[1] Install all application patches
[1] Run comprehensive real-time protection apps
[1] Install Secunia PSI
[1] Secure your PC login
[1] Secure your backup storage
[2] Use a secure web browser

FTP access hacks
If a hacker can obtain your FTP password, they can log in as you, bypassing almost every security barrier.
FTP passwords are stored unencrypted in your FTP program!
FTP authentication details pass unencrypted to the server!
Several common FTP apps store their passwords in a standard location with a standard name!

FTP configuration
[1] cPanel setup
  Make sure that the FTP password is strong
[1] PC setup
  Password vault (LastPass, Keepass) to store the strong password
  Make sure passwords are not stored anywhere else (including on a Post-It note on the side of the PC)
[1] FileZilla
  Copy all passwords to the password vault
  Delete all passwords from the Site Manager
  Set FileZilla to run in Kiosk mode

FTP configuration (continued)
[2] Joomla
  Remove the FTP details from the configuration file
[3] WHM
  Disable FTP access and allow only SFTP access
A note about users
You should ideally create separate user accounts for each staff member
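An added example, not part of the presentation: a shell audit of configuration.php for the defaults the “Avoiding the obvious” and “FTP configuration” slides say to change (the jos_ table prefix and FTP details left in the file). The $dbprefix, $ftp_pass and $ftp_enable keys are Joomla’s own; the sample file and the wording of the findings are constructed for the demo.

```shell
# Added example, not from the presentation: audit a Joomla configuration.php for the
# jos_ table prefix and stored FTP credentials. The config text below is constructed
# for the demo; the wording of the findings is my own.

SAMPLE_CONFIG=$(cat <<'EOF'
<?php
class JConfig {
    var $dbprefix = 'jos_';
    var $ftp_host = '127.0.0.1';
    var $ftp_user = 'account';
    var $ftp_pass = 'secret';
    var $ftp_enable = '1';
}
EOF
)

# Print the quoted value of "var $name = '...';" (or "public $name" in newer Joomla)
# from config text read on stdin.
config_value() {
    sed -n "s/^[[:space:]]*[a-z]* \$$1 = '\([^']*\)';.*/\1/p"
}

# One finding per line; exit status 1 when anything was found (handy under cron).
audit_joomla_config() {
    cfg="$1"; found=0
    if [ "$(printf '%s\n' "$cfg" | config_value dbprefix)" = "jos_" ]; then
        echo "default table prefix jos_ still in use"; found=1
    fi
    if [ -n "$(printf '%s\n' "$cfg" | config_value ftp_pass)" ]; then
        echo "FTP password stored in configuration.php"; found=1
    fi
    if [ "$(printf '%s\n' "$cfg" | config_value ftp_enable)" = "1" ]; then
        echo "FTP layer enabled"; found=1
    fi
    return $found
}

# Number of findings, for callers that only want a count.
count_config_findings() {
    audit_joomla_config "$1" | wc -l | tr -d ' '
}
```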
Preparing for the worst
Site monitoring
A disaster recovery plan
Joomla site backups
Restoring a hacked site

Site monitoring
Diagnostics
Site down
Home page content changes
Mod_security logs (shows attempts)
Bandwidth use
Spam blacklisting
[3] Searching and browsing server logs
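An added example, not from the presentation, for the “[3] Searching and browsing server logs” item: a small shell pass over constructed Apache access-log lines that flags the request shapes the earlier slides show being used against Joomla (phpinfo probing, scanning for the vulnerable extension, SQL injection in the query string) and counts attempts per client IP. The regular expression is my own assumption, not a mod_security rule.

```shell
# Added example, not from the presentation: flag suspicious requests in an Apache
# access log and count them per client IP. The log lines are constructed for the demo;
# the pattern list is an assumption, not a complete ruleset.

SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [10/Aug/2011:10:01:02 +0200] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 5123
203.0.113.9 - - [10/Aug/2011:10:01:07 +0200] "GET /index.php?option=com_acajoom&act=mailing&task=view&listid=1&mailingid=1/**/union/**/select/**/1,2,3/**/from/**/jos_users/* HTTP/1.1" 200 612
203.0.113.9 - - [10/Aug/2011:10:01:09 +0200] "GET /phpinfo.php HTTP/1.1" 404 210
198.51.100.2 - - [10/Aug/2011:10:02:30 +0200] "GET /administrator/index.php HTTP/1.1" 200 3310
203.0.113.9 - - [10/Aug/2011:10:03:00 +0200] "GET /index.php?option=com_acajoom HTTP/1.1" 200 800
EOF
)

# Case-insensitive patterns: UNION ... SELECT, the /**/ comment trick that stands in
# for spaces in an injected query, phpinfo probes, and requests for the extension the
# "Find a vulnerable site" slide names (any hit on an extension you do not run is a scan).
SUSPICIOUS_RE='union[^ ]*select|/\*\*/|phpinfo|com_acajoom'

# Read log text on stdin; print "ip<TAB>count" for every client with matching requests.
suspicious_by_ip() {
    grep -Ei "$SUSPICIOUS_RE" | awk '{print $1}' | sort | uniq -c \
        | awk '{print $2 "\t" $1}'
}

# Number of flagged requests from one IP in the sample log (0 when none).
attempts_for_ip() {
    printf '%s\n' "$SAMPLE_LOG" | suspicious_by_ip \
        | awk -v ip="$1" '$1 == ip { print $2; found = 1 } END { if (!found) print 0 }'
}
```

Run the same functions over the real log with `suspicious_by_ip < /path/to/access_log`; a client with several hits in a short window is the one to cross-check against the mod_security log.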
Disaster Recovery Plan
Depending on how central your web site is to your business, you may need a DRP
See Tom Canavan’s presentation: http://www.slideshare.net/coffeegroup/tom-canavan-joomla-security-and-disaster-recovery
Photo: flickr.com/photos/28481088@N00

Joomla site backups
Long-cycle Joomla backups are critical
Redundant backups lead to restful sleep
See my Joomla for Web Developers talk for MUCH more detail

Restoring a hacked site
Fixes the obvious problems
Does not address:
  Hidden hacks
  Shell scripts
  Backdoors
  Zombies
  Continuing vulnerabilities
  Impacts of data exposure
Photo: flickr.com/photos/andreweason

Credits/Disclaimer
Brendon Hatcher is the compiler of this presentation
The presentation is released under the Creative Commons Licence – Attribution, Non-commercial, No derivatives
If you don’t know what this licence means, go to creativecommons.org
The content is provided without warranty. It is a work in progress and represents my current understanding of Joomla security.
