Joomladay Switzerland - security


Joomladay Switzerland - security.ppt

  • Try to find common security issues in your Joomla installation.
  • Joomladay Switzerland - security

    1. Joomla! 1.5 Security
       • Joomla!day Presentation
       • Luzern, Switzerland
       15 November 2008
    2. Is Joomla! safe?
    3. Is the World Wide Web Safe?
    4. Is Joomla! safe?
       • "You know, I don't mean any disrespect, but I had to chuckle at the question "Is Joomla! not safe?" since it reminded me of the movie The Marathon Man when the dentist is pulling Dustin Hoffman's teeth out, asking "Is it safe?" and he's so desperate to get the dentist to stop that he says Yes or No or What do you want to hear?"
       Quote taken from:
    6. • "I would say - anyone who tells a community that a Web site or an out-of-the-box solution is safe is not being responsible. No, it is not "safe" on the Internet."
       Quote taken from:
    7. What is this presentation about?
    8. Presentation overview
       • Getting Started
       • Hosting and Server Setup
       • Joomla Setup
       • Site Administration
       • Site Recovery
       Presentation approach taken from
    9. Getting started
    10. Getting started
    11. Getting started
    12. Getting started
       • Some basic things before we go into details:
       • Report (possible) hacks to the JSST
       • Please don't report hacks or proof-of-concepts out in the open; report them to the JSST as well
       • Stay informed!
         - Automatic email notification
         - RSS feed
    13. Hosting and server set up: shared hosting or dedicated hosting?
    14. Hosting and server set up: “register_globals”, “open_basedir”
    15. Hosting and server set up
       • Configure Apache:
         - Secure important areas with .htaccess
         - Use mod_rewrite and mod_security to block PHP attacks
       • Configure MySQL:
         - Implement user accounts on the "need-to-know" principle
       • Configure PHP:
         - Use PHP 5!
         - Configure your php.ini file properly (most of the time this is limited on shared hosts)
    16. Configure php.ini
       • Use “disable_functions” to disable dangerous PHP functions that your site does not need.
       • Use PHP “open_basedir”.
       • Don't use PHP “safe_mode” (it gives a false sense of security).
       • Don't use PHP “register_globals”.
       • Don't use PHP “allow_url_fopen”. This option enables the URL-aware fopen wrappers, which allow URL objects to be accessed like files.
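    An added audit script (not from the presentation) that checks a php.ini against the five settings on this slide; the ini path and any sample contents are assumptions.

```shell
#!/bin/sh
# Added example: audit a php.ini against the slide's recommendations.
# Prints one FAIL line per finding and returns the number of findings.
# Usage: php_ini_audit /etc/php5/apache2/php.ini   (path is an assumption)

# ini_get FILE KEY -> value of the last uncommented "KEY = value" line, empty if absent
ini_get() {
    awk -v key="$2" '
        /^[[:space:]]*[;#]/ { next }                       # skip comment lines
        { split($0, kv, "="); k = kv[1]; gsub(/[[:space:]]/, "", k)
          if (k == key) { v = substr($0, index($0, "=") + 1)
                          gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); val = v } }
        END { print val }' "$1"
}

# is_on VALUE -> succeeds for the spellings PHP treats as enabled
is_on() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|on|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# php_ini_audit FILE -> report findings; exit status == finding count
php_ini_audit() {
    ini="$1"; findings=0
    if is_on "$(ini_get "$ini" register_globals)"; then
        echo "FAIL register_globals is On"; findings=$((findings + 1)); fi
    if is_on "$(ini_get "$ini" safe_mode)"; then
        echo "FAIL safe_mode is On (false sense of security)"; findings=$((findings + 1)); fi
    if is_on "$(ini_get "$ini" allow_url_fopen)"; then
        echo "FAIL allow_url_fopen is On (URL-aware fopen wrappers enabled)"; findings=$((findings + 1)); fi
    if [ -z "$(ini_get "$ini" open_basedir)" ]; then
        echo "FAIL open_basedir is not set"; findings=$((findings + 1)); fi
    if [ -z "$(ini_get "$ini" disable_functions)" ]; then
        echo "FAIL disable_functions is empty"; findings=$((findings + 1)); fi
    echo "$findings finding(s) in $ini"
    return "$findings"
}
```

    On shared hosting the audit tells you which settings to raise with the host, since you usually cannot change them yourself.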
    17. Joomla! setup
    18. Joomla! setup
       • Some basic rules to think about:
         - Only install official Joomla! versions!
         - Change the default administrator username
         - Protect directories and files
           · Move crucial files outside the public directory
           · Ensure that all configurable paths to writable or uploadable directories
           · Protect your log directory (move it out of the document root or protect it with .htaccess)
         - Adjust file and directory permissions
           · Set critical directories to 755
           · Set file permissions to 644
         - Remove unneeded files
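    An added helper (not from the presentation) for the 755/644 rule on this slide: it counts entries that deviate, lists world-writable ones, and applies the rule. The web root path is an assumption.

```shell
#!/bin/sh
# Added example: audit and repair permissions under a Joomla! web root.
# Usage: perm_audit /var/www/site  (report)  |  perm_fix /var/www/site  (apply)
# The web-root path is an assumption; the rule itself (dirs 755, files 644) is the slide's.

# perm_audit ROOT -> prints how many directories are not 755 plus files that are not 644
perm_audit() {
    root="$1"
    bad_dirs=$(find "$root" -type d ! -perm 755 | wc -l | tr -d ' ')
    bad_files=$(find "$root" -type f ! -perm 644 | wc -l | tr -d ' ')
    echo "$((bad_dirs + bad_files))"
}

# perm_world_writable ROOT -> list entries any local process could modify (symlinks excluded)
perm_world_writable() {
    find "$1" -perm -002 ! -type l
}

# perm_fix ROOT -> apply the rule (idempotent) and print the remaining deviation count
perm_fix() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    perm_audit "$root"
}
```

    Run perm_audit first and review the world-writable list before perm_fix, because upload and cache directories that the web server must write to need a deliberate exception rather than a blanket 755.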
    19. Joomla! setup
    20. Joomla! setup
       • Before you install extensions:
         - Always back up (even on your test system)
         - Always test before you install on your live server
         - Check for extension vulnerabilities
         - Download from trusted sites
         - User beware! Check the code quality
         - Test! Test! Test!
         - Remove junk files (everything that is not needed)
         - Avoid encrypted code
    21. Site administration
    22. Site administration
       • Use well-formed passwords
       • Maintain a strong site backup process
       • Monitor crack attempts (tripwire, SAMHAIN)
       • Perform manual intrusion detection (manual logfile scan)
       • Stay current with security patches and upgrades
    23. Site recovery
       • Get help the right way
       • Follow a logical and rigorous recovery process
       • Reset your administrator password (and those of all admins/super admins)
       • Find exploit attempts using the *NIX shell
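    An added example (not from the presentation) of the manual logfile scan on slide 22 and the shell-based search for exploit attempts on slide 23: it counts hits per indicator in an Apache access log and ranks the client addresses behind them. The log lines, indicator list and log path are constructed assumptions.

```shell
#!/bin/sh
# Added example: manual intrusion detection over an Apache access log.
# Usage: log_scan /var/log/apache2/access.log ; log_suspects /var/log/apache2/access.log

# Indicators, one per line: "<label> <extended regex>" (a constructed starting set, not exhaustive)
INDICATORS='remote-file-include =(https?|ftp)://
path-traversal (\.\./|%2e%2e%2f)
php-code-in-query (base64_decode|eval\(|system\()
admin-login-posts "POST /administrator/index\.php'

# Constructed sample log in Common Log Format (documentation addresses, not real traffic)
SAMPLE_LOG='203.0.113.7 - - [15/Nov/2008:10:01:02 +0100] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120
203.0.113.9 - - [15/Nov/2008:10:02:10 +0100] "GET /index.php?option=com_foo&path=http://198.51.100.5/x.txt? HTTP/1.1" 200 410
203.0.113.9 - - [15/Nov/2008:10:02:11 +0100] "GET /index.php?file=../../../../etc/passwd HTTP/1.1" 404 290
203.0.113.9 - - [15/Nov/2008:10:03:00 +0100] "GET /?q=eval(base64_decode(QUJD)) HTTP/1.1" 200 300
203.0.113.12 - - [15/Nov/2008:10:05:00 +0100] "POST /administrator/index.php HTTP/1.1" 303 0
203.0.113.12 - - [15/Nov/2008:10:05:01 +0100] "POST /administrator/index.php HTTP/1.1" 303 0'

# log_scan FILE -> prints "<hits> <label>" for every indicator that matched at least once
log_scan() {
    printf '%s\n' "$INDICATORS" | while read -r label regex; do
        n=$(grep -Eic -- "$regex" "$1" || true)   # grep -c exits 1 on zero hits; keep the count
        if [ "$n" -gt 0 ]; then echo "$n $label"; fi
    done
}

# log_suspects FILE -> client addresses that triggered any indicator, most hits first
log_suspects() {
    all=$(printf '%s\n' "$INDICATORS" | cut -d' ' -f2- | paste -s -d '|' -)
    grep -Ei -- "$all" "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}
```

    Repeated POSTs to /administrator/index.php are only a signal, so check them against known admin activity before treating the address as hostile.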
    24. Links
    25. Links
       • Documentation wiki:
       • Joomla! Security Strike Team (JSST):
       • Report issues to the JSST:
    26. Sites to monitor when you take security seriously
       • Joomla! related
       • Sites to put RSS feeds on
       • General
       • Operating systems related
    27. Joomla! “All together”
    28. Questions?