Joomladay Netherlands - Security

Joomla! 1.5 Security Joomla!day Presentation Utrecht, Netherlands 12 june 2009

Is Joomla! safe?

Is the World Wide Web Safe?

You know, I don't mean any disrespect, but I had to chuckle by the question "Is Joomla! not safe?" since it reminded me of the movie The Marathon Man when the dentist is pulling Dustin Hoffman's teeth out, asking "Is it safe?" and he's so desperate to get the Dentist to stop that he says Yes or No or What do you want to hear? Is Joomla! safe? Quote taken from: http://forum.joomla.org/viewtopic.php?f=432&t=318351&st=0&sk=t&sd=a

I would say - anyone who tells a community that a Web site or a out of the box solution is safe is not being responsible. No , it is not "safe" on the Internet.

What is this presentation about?

Getting Started
Hosting and Server Setup
Joomla Setup
Site Administration
Site Recovery

Presentation overview

Getting started

Some basic things before we go into details:

Report (possible) hack to JSST http://developer.joomla.org/security/contact-the-team.html
Please don’t report hacks or proof-of-concepts out in the open, also report them to JSST
Stay informed!

Automatic Email Notification http://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews
RSS feed http://feeds.joomla.org/JoomlaSecurityNews

Getting started

Hosting and server set up Shared hosting? Or Dedicated hosting?

Hosting and server set up “ register_globals” “ open_basedir”

Configure Apache:

Secure important areas with .htaccess
Use mod_rewrite and mod_security to block PHP attacks

Configure MySQL

Implement user accounts with “need-to-know” principle

Configure PHP

Use PHP 5!
Configure your php.ini file properly (most of the times limited with shared hosts)

Hosting and server set up

Configure php.ini

Use “ disable_functions” to disable dangerous PHP functions that are not needed by your site.
“ Use PHP open_basedir ”
Don't use “ PHP safe_mode ” (it gives a false sense of security)
Don't use “ PHP register_globals ”
Don't use “ PHP allow_url_fopen ”. This option enables the URL-aware fopen wrappers that enable accessing URL object like files.

Joomla! setup

Some basic rules to think about:

Only install official Joomla! versions!
Change the default administrator username
Protect directories and files

Move crucial files outside public directory http://docs.joomla.org/Security_and_Performance_FAQs#How_do_I_move_confidential_files_outside_of_public_html.3F
Ensure that all configurable paths to writable or uploadable directories
Protect your log directory (moving it out of document root or .htaccess protect it)

Adjust file and directory permissions

Set critical directories to 755
Set file permissions to 644

Remove unneeded files

Joomla! setup

Before you install extensions

Always backup (even on your test system)
Always test before you install on your life server
Check for extension vulnerabilities
Download from trusted sites
User beware! Check the code quality
Test! Test! Test!
Remove junk files (all that is not needed)
Avoid encrypted code

Joomla! setup

Site administration

Use well-formed passwords
Maintain a strong site backup process
Monitor crack attempts (tripwire, SAMHAIN)
Perform manual intrusion detection (manual logfile scan)
Stay current with security patches and upgrades

Site administration

Get help the right way
Follow a logical and rigorous recovery process
Reset your administrator password (and all admins/super admins)
Find exploit attempts using the *NIX shell

Site recovery

Links

Documentation wiki : http://docs.joomla.org/Category:Security_Checklist
Joomla! Security Strike Team (JSST): http://developer.joomla.org/security.html
Report issues to JSST : http://developer.joomla.org/security/contact-the-team.html

Links

Joomla! related