Joomladay Netherlands - Security

Joomla security presentation given on the Dutch Joomladay

Joomla! 1.5 Security. Joomla!day presentation, Utrecht, Netherlands, 12 June 2009

Is Joomla! safe?

Is the World Wide Web safe?

"You know, I don't mean any disrespect, but I had to chuckle at the question "Is Joomla! not safe?" since it reminded me of the movie The Marathon Man when the dentist is pulling Dustin Hoffman's teeth out, asking "Is it safe?" and he's so desperate to get the Dentist to stop that he says Yes or No or What do you want to hear? Is Joomla! safe?" Quote taken from: http://forum.joomla.org/viewtopic.php?f=432&t=318351&st=0&sk=t&sd=a

(slide without text)

"I would say - anyone who tells a community that a Web site or an out-of-the-box solution is safe is not being responsible. No, it is not "safe" on the Internet."

What is this presentation about?
Presentation overview
  - Getting Started
  - Hosting and Server Setup
  - Joomla Setup
  - Site Administration
  - Site Recovery
Getting started
  Some basic things before we go into details:
  - Report (possible) hacks to the JSST: http://developer.joomla.org/security/contact-the-team.html
  - Please don't report hacks or proof-of-concepts out in the open, but do report them to the JSST.
  - Stay informed!
    - Automatic email notification: http://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews
    - RSS feed: http://feeds.joomla.org/JoomlaSecurityNews
Hosting and server set up
  Shared hosting? Or dedicated hosting?
  "register_globals", "open_basedir"
Hosting and server set up
  - Configure Apache:
    - Secure important areas with .htaccess
    - Use mod_rewrite and mod_security to block PHP attacks
  - Configure MySQL:
    - Implement user accounts on the "need-to-know" principle
  - Configure PHP:
    - Use PHP 5!
    - Configure your php.ini file properly (most of the time this is limited on shared hosts)
  - Configure php.ini:
    - Use "disable_functions" to disable dangerous PHP functions that your site does not need.
    - Use PHP "open_basedir"
    - Don't use PHP "safe_mode" (it gives a false sense of security)
    - Don't use PHP "register_globals"
    - Don't use PHP "allow_url_fopen". This option enables the URL-aware fopen wrappers, which allow URL objects to be accessed like files.
Joomla! setup
  Some basic rules to think about:
  - Only install official Joomla! versions!
  - Change the default administrator username
  - Protect directories and files
    - Move crucial files outside the public directory: http://docs.joomla.org/Security_and_Performance_FAQs#How_do_I_move_confidential_files_outside_of_public_html.3F
    - Ensure that all configurable paths to writable or uploadable directories
    - Protect your log directory (move it out of the document root, or protect it with .htaccess)
  - Adjust file and directory permissions
    - Set critical directories to 755
    - Set file permissions to 644
  - Remove unneeded files
Joomla! setup
  Before you install extensions:
  - Always back up (even on your test system)
  - Always test before you install on your live server
  - Check for extension vulnerabilities
  - Download from trusted sites
  - User beware! Check the code quality
  - Test! Test! Test!
  - Remove junk files (all that is not needed)
  - Avoid encrypted code
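The permission baseline and the "remove unneeded files" rule from the two Joomla! setup slides, as an added check that is not part of the presentation. The function name is an assumption and the web-root tree is constructed here with two deliberate mistakes; the one Joomla!-specific fact used is that Joomla! 1.5 expects the installation/ directory to be deleted after installing.

```shell
#!/bin/sh
# Added example: check a Joomla! 1.5 web root against the slide's baseline
# (directories 755, files 644) and flag the leftover installation directory.
# Prints one finding per line; no output means the tree is clean.

check_site_tree() {  # $1 = site root
    root="$1"
    find "$root" -type d ! -perm 755 | sed 's/^/DIR  (not 755) /'
    find "$root" -type f ! -perm 644 | sed 's/^/FILE (not 644) /'
    # Joomla! 1.5 refuses to run until installation/ is deleted; its presence
    # means the post-install clean-up never happened.
    [ -d "$root/installation" ] && echo "LEFTOVER $root/installation"
    return 0
}

# Constructed sample tree with two deliberate mistakes.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/administrator" "$ROOT/logs" "$ROOT/installation"
printf '<?php\n' > "$ROOT/configuration.php"
printf 'log\n'   > "$ROOT/logs/error.php"
chmod 755 "$ROOT" "$ROOT/administrator" "$ROOT/installation"
chmod 644 "$ROOT/logs/error.php"
chmod 777 "$ROOT/logs"               # mistake: world-writable directory
chmod 666 "$ROOT/configuration.php"  # mistake: world-writable config file

check_site_tree "$ROOT"
```

Directories that Joomla! must write to (cache, tmp, logs) need a deliberate exception; run the check before and after each extension install so new files inherit the right mode.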
Site administration
  - Use well-formed passwords
  - Maintain a strong site backup process
  - Monitor crack attempts (tripwire, SAMHAIN)
  - Perform manual intrusion detection (manual logfile scan)
  - Stay current with security patches and upgrades
Site recovery
  - Get help the right way
  - Follow a logical and rigorous recovery process
  - Reset your administrator password (and all admins/super admins)
  - Find exploit attempts using the *NIX shell
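The manual logfile scan from the site-administration slide and the "find exploit attempts using the *NIX shell" step from the recovery slide, as one added example that is not from the presentation. The function and tag names are assumptions, and the log lines are constructed (documentation IP ranges); they are the request shapes a register_globals-era Joomla! site typically sees, not a complete signature set.

```shell
#!/bin/sh
# Added example: the manual log scan from the slides, automated. Reads an Apache
# combined-format access log and tags requests that look like exploit attempts:
#   RFI        a parameter whose value is a remote URL (remote file inclusion)
#   TRAVERSAL  ../ or its URL-encoded form in the request
#   CONFIG     a direct request for configuration.php
scan_access_log() {  # $1 = access log; prints "TAG client-ip request"
    awk '{
        req = $7                                   # field 7 is the request path+query
        tag = ""
        if (req ~ /=(https?|ftp):\/\//)            tag = "RFI"
        else if (req ~ /\.\.\/|%2[eE]%2[eE]/)       tag = "TRAVERSAL"
        else if (req ~ /\/configuration\.php/)      tag = "CONFIG"
        if (tag != "") print tag, $1, req
    }' "$1"
}

# Source addresses ranked by number of tagged requests, noisiest first.
suspicious_sources() {  # $1 = access log
    scan_access_log "$1" | awk '{ print $2 }' | sort | uniq -c | sort -rn
}

# Constructed sample log: one normal request and three attempts.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
192.0.2.10 - - [12/Jun/2009:10:00:01 +0200] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [12/Jun/2009:10:00:05 +0200] "GET /index.php?option=com_example&path=http://203.0.113.5/x.txt HTTP/1.1" 200 310 "-" "libwww-perl/5.8"
192.0.2.77 - - [12/Jun/2009:10:00:09 +0200] "GET /index.php?file=../../configuration.php HTTP/1.1" 404 210 "-" "libwww-perl/5.8"
192.0.2.33 - - [12/Jun/2009:10:01:14 +0200] "GET /configuration.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
EOF

scan_access_log "$LOG"
suspicious_sources "$LOG"
```

A tagged request with a 200 response deserves the closest look during recovery, since the server actually served something; a 403 or 404 shows the attempt was blocked or missed.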
Links
  - Documentation wiki: http://docs.joomla.org/Category:Security_Checklist
  - Joomla! Security Strike Team (JSST): http://developer.joomla.org/security.html
  - Report issues to the JSST: http://developer.joomla.org/security/contact-the-team.html
Sites to monitor when you take security seriously
  Joomla! related:
  - www.joomla.org
  - developer.joomla.org/security.html
  - www.secunia.org
  - www.milw0rm.com
  Sites to put RSS feeds on:
  - http://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews
  General:
  - www.us-cert.gov
  - www.frsirt.com
  Operating systems related:
  - www.debian.org/security
  - www.openbsd.org/security
  - www.redhat.org/apps/support
Questions?