
JaB11 - Joomla! Security 101


The complete set of slides from my J and Beyond 2011 presentation "Joomla! Security 101". Enjoy!

Published in: Technology, Design

  1. Joomla! Security 101: What to do before disaster strikes. http://akeeba.info/security-101
  2. Hi, I'm Nicholas Dionysopoulos, and I bet you can't pronounce my last name. http://akeeba.info/me
  3. What is site security? And what does Chuck Norris have to do with anything?!
  4. Security is about... making it harder to infiltrate, not making it impossible.
  5. How do you do that? What stands between your site and hackers?
  6. Security comes in layers: Incoming request → Firewall → Web Server (Global) → Web Server (.htaccess) → Joomla! → Extensions
  7. Security comes in layers: Firewall. Always managed by your host.
  8. Security comes in layers: Web Server (Global). mod_security, suPHP, …
  9. Security comes in layers: Web Server (.htaccess). The most basic protection.
  10. Security comes in layers: Joomla!. Basic filtering.
  11. Security comes in layers: Extensions. These are ultimately responsible!
  12. Security comes in layers (the full stack again): Incoming request → Firewall → Web Server (Global) → Web Server (.htaccess) → Joomla! → Extensions
  13. Our scope today, shown on the same layer diagram: Incoming request → Firewall → Web Server (Global) → Web Server (.htaccess) → Joomla! → Extensions
  14. The basics: what we're supposed to do and rarely do.
  15. Frequent, tested backups. Would you jump off a plane without a parachute? http://akeeba.info/backup
  16. Update, yesterday. Yesterday's code is tomorrow's hack. http://akeeba.info/basic-security
  17. Protect your backend. The login is not enough.
  18. 777: The number of the beast. Permissions are doors; don't leave them open. http://akeeba.info/777
  19. Sensible permissions. Ask your host to enable suPHP or Apache's mod_itk.
      - Site root: 0755 or 0700
      - Directories: 0755
      - Files: 0644

      If you "must" use 0777 (don't!), protect the directory with .htaccess:

          order deny,allow
          deny from all

  20. Don't be a sitting duck. It's duck season!
  21. Mind your prefix. Nobody wants to be a jos_. http://akeeba.info/prefix
  22. 62 reasons to fire your Super Administrator (or 42, depending on Joomla! version...). http://akeeba.info/62-reasons
  23. Security Kung-Fu. You can't kill a Ninja. http://akeeba.info/ninja
  24. Visual fingerprinting. Seeing is believing, and then some: the query parameters tmpl=offline, tp=1 and template=ja_purity. http://akeeba.info/ninja
  25. Visual fingerprinting. .htaccess rules that let tmpl=component and tmpl=system through and forbid any other tp, template or tmpl parameter:

          RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC]
          RewriteRule .* - [L]
          RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC]
          RewriteRule .* - [F]

      http://akeeba.info/ninja
  26. PHP has a big mouth, and that's not water cooler gossip! http://akeeba.info/ninja
  27. PHP has a big mouth. http://akeeba.info/ninja
  28. PHP has a big mouth. .htaccess rule that forbids requests whose query string carries one of PHP's information-disclosure (easter egg) GUIDs:

          RewriteCond %{QUERY_STRING} =PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12} [NC]
          RewriteRule .* - [F]

      http://akeeba.info/ninja
  29. Blind Elephant. Meet your supervillain. http://akeeba.info/ninja
  30. Blind Elephant. http://akeeba.info/ninja
  31. Blind Elephant. Sample session:

          nicholas@teapot:~/blindelephant$ ./BlindElephant.py mysite.com joomla
          Loaded /home/nicholas/projects/3rdparty/blindelephant/trunk/src/build/lib.linux-x86_64-2.6/blindelephant/dbs/joomla.pkl with 33 versions, 3696 differentiating paths, and 122 version groups.
          Starting BlindElephant fingerprint for version of joomla at http://joomla.ubuntu.web
          Hit http://joomla.ubuntu.web/media/system/js/validate.js
          Possible versions based on result: 1.5.17, 1.5.18
          Hit http://joomla.ubuntu.web/includes/js/joomla.javascript.js
          Possible versions based on result: 1.5.17, 1.5.18
          Hit http://joomla.ubuntu.web/media/system/js/caption.js
          Possible versions based on result: 1.5.17, 1.5.18
          Hit http://joomla.ubuntu.web/media/system/js/openid.js
          Possible versions based on result: 1.5.17, 1.5.18
          Hit http://joomla.ubuntu.web/templates/rhuk_milkyway/css/template.css
          Possible versions based on result: 1.5.17, 1.5.18
          Fingerprinting resulted in: 1.5.17 1.5.18
          Best Guess: 1.5.18

      http://akeeba.info/ninja
  32. Blind Elephant. .htaccess rules that serve static files under images/stories freely but forbid other static files when the request carries a referer from another site (replace example.com with your own domain):

          RewriteRule ^images/stories/.*\.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [L]
          RewriteCond %{HTTP_REFERER} .
          RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
          RewriteCond %{REQUEST_FILENAME} -f
          RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [F]

      Note that the second RewriteCond only fires when a Referer header is present, so a client that sends no referer is not affected by this block. http://akeeba.info/ninja
  33. There are more threats: Cross-site scripting (XSS), Remote file inclusion (RFI), Local file inclusion (LFI), SQL injection (SQLi), Cross-site request forgery (CSRF), Brute force password cracking, Spamming & e-mail harvesting.
  34. More protection for you: The Master .htaccess (free!) http://akeeba.info/master-htaccess, and Admin Tools Professional (20€, 10€ with the coupon) http://akeeba.info/atpro. Use coupon code JOSCAR for 50% off.
  35. One more thing... security is a process.
  36. Any questions?
  37. That's all folks!
  38. Want the slides? http://akeeba.info/security-101
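Slide 19's permission policy (site root 0755 or 0700, directories 0755, files 0644) as a runnable audit. This is an added example, not code from the slides or from Akeeba; it assumes a POSIX filesystem and builds its own constructed sample tree, whose names (administrator/, images/, configuration.php, upload.php) are illustrative.

```python
import os
import stat
import tempfile

# Permission policy from slide 19, as octal modes. The site root may be 0755 or 0700.
POLICY = {"root": {0o755, 0o700}, "dir": {0o755}, "file": {0o644}}


def audit_permissions(site_root):
    """Walk a site tree and return (relative_path, actual_mode, allowed_modes) for
    every entry whose permission bits deviate from the policy. Symbolic links are
    reported on their own bits and not followed. Assumes a POSIX filesystem."""
    findings = []

    def check(path, kind):
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if mode not in POLICY[kind]:
            findings.append((os.path.relpath(path, site_root), oct(mode),
                             sorted(oct(m) for m in POLICY[kind])))

    check(site_root, "root")
    for dirpath, dirnames, filenames in os.walk(site_root):
        for name in dirnames:
            check(os.path.join(dirpath, name), "dir")
        for name in filenames:
            check(os.path.join(dirpath, name), "file")
    return sorted(findings)


def build_sample_site():
    """Create a constructed, Joomla!-shaped sample tree in a temp directory (not a
    real site): a compliant administrator/ and configuration.php, a 0777 images/
    directory and a 0666 file inside it. The last two are what the audit should flag."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    for rel, mode in (("administrator", 0o755), ("images", 0o777)):
        path = os.path.join(root, rel)
        os.mkdir(path)
        os.chmod(path, mode)
    for rel, mode in (("configuration.php", 0o644),
                      (os.path.join("images", "upload.php"), 0o666)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for finding in audit_permissions(build_sample_site()):
        print(*finding)
```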

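The query-string rules from slides 25 and 28, transcribed into Python and run over a few constructed access-log lines, so you can see which requests the rules would let through, forbid or ignore. This is an added example, not code from the slides; the combined rule order, the common-log format and the sample lines (including the placeholder PHP GUID) are assumptions.

```python
import re
from urllib.parse import urlsplit

# RewriteCond patterns transcribed from slides 25 and 28, evaluated in this order
# with first-match-wins semantics, the way mod_rewrite's [L] and [F] flags end
# processing. Putting the two slides' blocks in this order is an assumption;
# each slide shows its block on its own.
RULES = [
    (re.compile(r"(^|&)tmpl=(component|system)", re.I), "allow"),   # RewriteRule .* - [L]
    (re.compile(r"(^|&)t(p|emplate|mpl)=", re.I), "forbid"),        # RewriteRule .* - [F]
    (re.compile(r"=PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}",
                re.I), "forbid"),                                     # RewriteRule .* - [F]
]

# Request target from an Apache common-log line, e.g. "GET /index.php?tp=1 HTTP/1.1".
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def verdict(request_target):
    """Classify one request target (path plus query string) as the rules would:
    'allow' ([L], request continues to Joomla!), 'forbid' ([F], 403) or 'pass'
    (no rule matched, served normally)."""
    query = urlsplit(request_target).query
    for pattern, outcome in RULES:
        if pattern.search(query):
            return outcome
    return "pass"


def scan_log(log_text):
    """Count verdicts over access-log lines, showing how many requests the rules
    would have stopped. Lines without a parsable request are skipped."""
    counts = {"allow": 0, "forbid": 0, "pass": 0}
    for line in log_text.splitlines():
        match = REQUEST_LINE.search(line)
        if match:
            counts[verdict(match.group(1))] += 1
    return counts


# Constructed sample log lines (not real traffic). The PHP GUID below is a
# placeholder with the right shape, not a real PHP easter-egg value.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2011:10:00:01 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120
203.0.113.5 - - [10/May/2011:10:00:02 +0000] "GET /index.php?tmpl=offline HTTP/1.1" 200 1800
203.0.113.5 - - [10/May/2011:10:00:03 +0000] "GET /index.php?tp=1 HTTP/1.1" 200 9000
203.0.113.5 - - [10/May/2011:10:00:04 +0000] "GET /index.php?template=ja_purity HTTP/1.1" 200 7000
203.0.113.5 - - [10/May/2011:10:00:05 +0000] "GET /index.php?=PHP00000000-0000-0000-0000-000000000000 HTTP/1.1" 200 3000
198.51.100.7 - - [10/May/2011:10:00:06 +0000] "GET /index.php?option=com_content&tmpl=component&id=1 HTTP/1.1" 200 1500
"""

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```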