Joomladay Netherlands - Security

Joomla security presentation given on the Dutch Joomladay

Presentation Transcript

  • Joomla! 1.5 Security Joomla!day Presentation Utrecht, Netherlands 12 June 2009
  • Is Joomla! safe?
  • Is the World Wide Web Safe?
  • You know, I don't mean any disrespect, but I had to chuckle at the question "Is Joomla! not safe?" since it reminded me of the movie The Marathon Man when the dentist is pulling Dustin Hoffman's teeth out, asking "Is it safe?" and he's so desperate to get the dentist to stop that he says Yes or No or What do you want to hear? Is Joomla! safe? Quote taken from: http://forum.joomla.org/viewtopic.php?f=432&t=318351&st=0&sk=t&sd=a
  • I would say - anyone who tells a community that a Web site or an out-of-the-box solution is safe is not being responsible. No, it is not "safe" on the Internet.
  • What is this presentation about?
    • Getting Started
    • Hosting and Server Setup
    • Joomla Setup
    • Site Administration
    • Site Recovery
    Presentation overview
  • Getting started
  • Some basic things before we go into details:
    • Report (possible) hacks to the JSST http://developer.joomla.org/security/contact-the-team.html
    • Please don't report hacks or proofs of concept out in the open; report them to the JSST instead
    • Stay informed!
      • Automatic Email Notification http://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews
      • RSS feed http://feeds.joomla.org/JoomlaSecurityNews
    Getting started
  • Hosting and server set up: Shared hosting? Or dedicated hosting?
  • Hosting and server set up: register_globals, open_basedir
    • Configure Apache:
      • Secure important areas with .htaccess
      • Use mod_rewrite and mod_security to block PHP attacks
    • Configure MySQL
      • Implement user accounts with “need-to-know” principle
    • Configure PHP
      • Use PHP 5!
      • Configure your php.ini file properly (usually limited on shared hosts)
    Hosting and server set up
    • Configure php.ini
      • Use disable_functions to disable dangerous PHP functions that your site does not need.
      • Use PHP open_basedir
      • Don't use PHP safe_mode (it gives a false sense of security)
      • Don't use PHP register_globals
      • Don't use PHP allow_url_fopen. This option enables the URL-aware fopen wrappers that allow URL objects to be accessed like files.
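As an added example, not part of the presentation: a small POSIX shell audit that checks a php.ini against the five settings on the slide above (register_globals, allow_url_fopen and safe_mode off; open_basedir and disable_functions set). Both php.ini samples are constructed, one left weak and one hardened, and the function names (ini_value, audit_php_ini, weak_setting_count) are this example's own, not a Joomla! or PHP tool.

```shell
#!/bin/sh
# Added example: audit a php.ini against the settings listed on the slide.
# Both php.ini samples below are constructed; function names are this
# example's own.
set -u
umask 077
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample 1: the kind of php.ini a default shared host may ship.
cat > "$WORK/weak.ini" <<'EOF'
; constructed sample - weak
register_globals = On
allow_url_fopen = On       ; remote file access through fopen()
safe_mode = Off
open_basedir =
disable_functions =
EOF

# Constructed sample 2: the same file after applying the slide's advice.
cat > "$WORK/hardened.ini" <<'EOF'
; constructed sample - hardened
register_globals = Off
allow_url_fopen = Off
safe_mode = Off
open_basedir = /var/www/example/public_html:/tmp
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
EOF

# ini_value FILE KEY -> prints the first uncommented value of KEY with any
# trailing ";" comment and surrounding whitespace stripped (empty if unset).
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" "$1" \
        | head -n 1 \
        | sed 's/[[:space:]]*;.*$//; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# audit_php_ini FILE -> prints one "WEAK: ..." line per setting that departs
# from the slide's recommendation; prints nothing for a clean file.
audit_php_ini() {
    for key in register_globals allow_url_fopen safe_mode; do
        val=$(ini_value "$1" "$key")
        case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
            ""|off|0|false|no) ;;               # unset or off is what we want
            *) echo "WEAK: $key = $val (should be Off)" ;;
        esac
    done
    for key in open_basedir disable_functions; do
        val=$(ini_value "$1" "$key")
        [ -n "$val" ] || echo "WEAK: $key is empty (should be set)"
    done
}

# weak_setting_count FILE -> number of findings, usable as a pass/fail gate
weak_setting_count() {
    audit_php_ini "$1" | wc -l | tr -d ' '
}

echo "== weak.ini";     audit_php_ini "$WORK/weak.ini"
echo "== hardened.ini"; audit_php_ini "$WORK/hardened.ini"
```

On a real host, point the functions at the file `php --ini` reports as loaded; where the host does not let you edit php.ini, the same values can often be set per directory in .htaccess (`php_flag`/`php_value`) or a .user.ini, which this script does not read.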
  • Joomla! setup
    • Some basic rules to think about:
      • Only install official Joomla! versions!
      • Change the default administrator username
      • Protect directories and files
        • Move crucial files outside public directory http://docs.joomla.org/Security_and_Performance_FAQs#How_do_I_move_confidential_files_outside_of_public_html.3F
        • Ensure that all configurable paths to writable or uploadable directories
        • Protect your log directory (moving it out of document root or .htaccess protect it)
      • Adjust file and directory permissions
        • Set critical directories to 755
        • Set file permissions to 644
      • Remove unneeded files
    Joomla! setup
    • Before you install extensions
      • Always backup (even on your test system)
      • Always test before you install on your live server
      • Check for extension vulnerabilities
      • Download from trusted sites
      • User beware! Check the code quality
      • Test! Test! Test!
      • Remove junk files (all that is not needed)
      • Avoid encrypted code
    Joomla! setup
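As an added example that is not from the presentation: the 755/644 permission policy and the ".htaccess protect it" advice from the Joomla! setup slides, applied and verified from a POSIX shell. The site tree is a constructed stand-in for a document root, with a world-writable directory and file baked in; the function names (list_bad_perms, fix_perms, protect_dir, bad_perm_count) are this example's own.

```shell
#!/bin/sh
# Added example: enforce and verify the slide's 755/644 policy and drop a
# deny-all .htaccess into a directory. The tree is constructed; function
# names are this example's own.
set -u
umask 022
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SITE="$WORK/public_html"

# Build the constructed tree with two typical mistakes baked in.
mkdir -p "$SITE/administrator" "$SITE/logs" "$SITE/tmp"
printf '<?php // constructed\n' > "$SITE/index.php"
printf 'constructed log line\n' > "$SITE/logs/error.php"
chmod 777 "$SITE/tmp"        # world-writable directory
chmod 666 "$SITE/index.php"  # world-writable file

# list_bad_perms ROOT -> prints every directory not 755 and every file not 644
list_bad_perms() {
    find "$1" -type d ! -perm 755 -print
    find "$1" -type f ! -perm 644 -print
}

# fix_perms ROOT -> enforce the slide's policy over the whole tree
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# protect_dir DIR -> refuse all web requests for DIR (Apache 2.2 directives;
# Apache 2.4 uses "Require all denied" instead)
protect_dir() {
    printf 'Order deny,allow\nDeny from all\n' > "$1/.htaccess"
}

# bad_perm_count ROOT -> number of offending paths, 0 when the policy holds
bad_perm_count() {
    list_bad_perms "$1" | wc -l | tr -d ' '
}

echo "before: $(bad_perm_count "$SITE") path(s) off policy"
list_bad_perms "$SITE"
protect_dir "$SITE/logs"
fix_perms "$SITE"
echo "after:  $(bad_perm_count "$SITE") path(s) off policy"
```

Run list_bad_perms from cron against the real document root and you have a cheap permission tripwire: any output means something (an installer, an extension, a compromise) changed modes since the last run. Directories Joomla! must write to (tmp, cache, logs) may need the web server user as owner rather than looser modes.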
  • Site administration
    • Use well-formed passwords
    • Maintain a strong site backup process
    • Monitor crack attempts (Tripwire, Samhain)
    • Perform manual intrusion detection (manual logfile scan)
    • Stay current with security patches and upgrades
    Site administration
    • Get help the right way
    • Follow a logical and rigorous recovery process
    • Reset your administrator password (and all admins/super admins)
    • Find exploit attempts using the *NIX shell
    Site recovery
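For the "manual logfile scan" and "find exploit attempts using the *NIX shell" bullets above, an added example that is not part of the presentation: an awk pass over Apache combined-format access log lines that tags requests carrying the classic signatures of remote file inclusion (a URL handed to a parameter, the allow_url_fopen case), directory traversal and SQL injection, then lists the distinct source addresses. The log lines are constructed (RFC 5737 documentation addresses), the signatures are deliberately simple, and the function names (scan_access_log, suspect_ips) are this example's own.

```shell
#!/bin/sh
# Added example: a manual log scan from the shell. The access log below is
# constructed (RFC 5737 addresses); function names are this example's own.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOG="$WORK/access_log"

cat > "$LOG" <<'EOF'
203.0.113.5 - - [12/Jun/2009:10:00:01 +0200] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jun/2009:10:00:07 +0200] "GET /index.php?option=com_example&file=http://203.0.113.99/x.txt HTTP/1.1" 200 301 "-" "libwww-perl/5.805"
198.51.100.4 - - [12/Jun/2009:10:00:09 +0200] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Jun/2009:10:01:11 +0200] "GET /index.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jun/2009:10:02:30 +0200] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
EOF

# scan_access_log FILE -> prints "TAG line" for each request matching one of
# three signatures; matching is case-insensitive and the first tag wins.
scan_access_log() {
    awk '
        { line = tolower($0) }
        line ~ /[?&][^ ]*=(http|https|ftp):\/\//  { print "RFI",       $0; next }  # URL passed as a parameter
        line ~ /(\.\.\/|%2e%2e%2f|%2e%2e\/)/       { print "TRAVERSAL", $0; next }  # climbing out of the web root
        line ~ /union(%20|\+| )+select/            { print "SQLI",      $0; next }  # stacked SELECT in a query string
    ' "$1"
}

# suspect_ips FILE -> distinct client addresses behind the flagged requests,
# a starting point for a block list or for reviewing what else they did.
suspect_ips() {
    scan_access_log "$1" | awk '{ print $2 }' | sort -u
}

scan_access_log "$LOG"
echo "-- sources:"
suspect_ips "$LOG"
```

Treat a hit as a lead, not a verdict: a 200 response to the RFI line is the one worth chasing first, while the 404 on the traversal attempt was refused by the server. Real logs will also produce false positives (legitimate parameters that contain a URL), so the rules are a triage filter to be tuned per site, not a replacement for Tripwire-style integrity checks.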
  • Links
    • Documentation wiki : http://docs.joomla.org/Category:Security_Checklist
    • Joomla! Security Strike Team (JSST): http://developer.joomla.org/security.html
    • Report issues to JSST : http://developer.joomla.org/security/contact-the-team.html
    Links
  • Joomla! related
    • www.joomla.org
    • developer.joomla.org/security.html
    • www.secunia.org
    • www.milw0rm.com
    Sites to put RSS feeds on
    • http://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews
    General
    • www.us-cert.gov
    • www.frsirt.com
    Operating systems related
    • www.debian.org/security
    • www.openbsd.org/security
    • www.redhat.org/apps/support
    Sites to monitor when you take security seriously
  • Questions?