JaB11 - Joomla! Security 101

  1. Joomla! Security 101. What to do before disaster strikes. http://akeeba.info/security-101
  2. Hi, I’m Nicholas Dionysopoulos, and I bet you can’t pronounce my last name. http://akeeba.info/me
  3. What is site security? And what does Chuck Norris have to do with anything?!
  4. Security is about... making it harder to infiltrate, not making it impossible.
  5. How do you do that? What stands between your site and hackers?
  6. Security comes in layers: Incoming request → Firewall → Web Server (Global) → Web Server (.htaccess) → Joomla! → Extensions
  7. Security comes in layers. Firewall: always managed by your host.
  8. Security comes in layers. Web Server (Global): mod_security, suPHP, …
  9. Security comes in layers. Web Server (.htaccess): the most basic protection.
  10. Security comes in layers. Joomla!: basic filtering.
  11. Security comes in layers. Extensions: these are ultimately responsible!
  12. Security comes in layers: Incoming request → Firewall → Web Server (Global) → Web Server (.htaccess) → Joomla! → Extensions
  13. Our scope today: Incoming request → Firewall → Web Server (Global) → Web Server (.htaccess) → Joomla! → Extensions
  14. The basics: what we’re supposed to do and rarely do.
  15. Frequent, tested backups. Would you jump off a plane without a parachute? http://akeeba.info/backup
  16. Update, yesterday. Yesterday’s code is tomorrow’s hack. http://akeeba.info/basic-security
  17. Protect your backend. The login is not enough.
  18. 777: The number of the beast. Permissions are doors; don’t leave them open. http://akeeba.info/777
  19. Sensible permissions. Ask your host to enable suPHP or Apache’s mod_itk. Site root 0755 or 0700; directories 0755; files 0644. If you “must” use 0777 (don’t!), protect the directory with .htaccess:
      # Apache 2.2 syntax: refuse to serve anything from a world-writable directory
      Order deny,allow
      Deny from all
  20. Don’t be a sitting duck. It’s duck season!
  21. Mind your prefix. Nobody wants to be a jos_. http://akeeba.info/prefix
  22. 62 reasons to fire your Super Administrator (or 42, depending on Joomla! version...). http://akeeba.info/62-reasons
  23. Security Kung-Fu. You can’t kill a Ninja. http://akeeba.info/ninja
  24. Visual fingerprinting. Seeing is believing, and then some: tmpl=offline, tp=1, template=ja_purity. http://akeeba.info/ninja
  25. Visual fingerprinting. http://akeeba.info/ninja
      # Let through the tmpl values Joomla! itself uses, then forbid any other tp=, template= or tmpl= parameter
      RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC]
      RewriteRule .* - [L]
      RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC]
      RewriteRule .* - [F]
  26. PHP has a big mouth, and that’s not water cooler gossip! http://akeeba.info/ninja
  27. PHP has a big mouth. http://akeeba.info/ninja
  28. PHP has a big mouth. http://akeeba.info/ninja
      # Forbid requests whose query string is a PHP "easter egg" GUID (?=PHPxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).
      # The leading = is escaped: an unescaped = at the start of a CondPattern makes mod_rewrite do a literal string comparison instead of a regex match.
      RewriteCond %{QUERY_STRING} \=PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12} [NC]
      RewriteRule .* - [F]
  29. Blind Elephant. Meet your supervillain. http://akeeba.info/ninja
  30. Blind Elephant. http://akeeba.info/ninja
  31. Blind Elephant. http://akeeba.info/ninja
      nicholas@teapot:~/blindelephant$ ./BlindElephant.py mysite.com joomla
      Loaded /home/nicholas/projects/3rdparty/blindelephant/trunk/src/build/lib.linux-x86_64-2.6/blindelephant/dbs/joomla.pkl with 33 versions, 3696 differentiating paths, and 122 version groups.
      Starting BlindElephant fingerprint for version of joomla at http://joomla.ubuntu.web
      Hit http://joomla.ubuntu.web/media/system/js/validate.js
      Possible versions based on result: 1.5.17, 1.5.18
      Hit http://joomla.ubuntu.web/includes/js/joomla.javascript.js
      Possible versions based on result: 1.5.17, 1.5.18
      Hit http://joomla.ubuntu.web/media/system/js/caption.js
      Possible versions based on result: 1.5.17, 1.5.18
      Hit http://joomla.ubuntu.web/media/system/js/openid.js
      Possible versions based on result: 1.5.17, 1.5.18
      Hit http://joomla.ubuntu.web/templates/rhuk_milkyway/css/template.css
      Possible versions based on result: 1.5.17, 1.5.18
      Fingerprinting resulted in: 1.5.17 1.5.18
      Best Guess: 1.5.18
  32. Blind Elephant. http://akeeba.info/ninja
      # Content images under images/stories may be fetched from anywhere; any other existing static file
      # requested with a Referer from a foreign site gets a 403 (a request without a Referer passes).
      RewriteRule ^images/stories/.*\.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [L]
      RewriteCond %{HTTP_REFERER} .
      RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
      RewriteCond %{REQUEST_FILENAME} -f
      RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [F]
  33. There are more threats: Cross-site scripting (XSS); Remote file inclusion (RFI); Local file inclusion (LFI); SQL injection (SQLi); Cross-site request forgery (CSRF); Brute force password cracking; Spamming & e-mail harvesting.
  34. More protection for you. The Master .htaccess: free! http://akeeba.info/master-htaccess. Admin Tools Professional: 20€, 10€ with coupon code JOSCAR for 50% off. http://akeeba.info/atpro
  35. One more thing... security is a process.
  36. Any questions?
  37. That’s all folks!
  38. Want the slides? http://akeeba.info/security-101
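Slide 19 gives the permissions to aim for but no way to find the entries that break them. The following audit is an added example (my code, not the deck's or Admin Tools'): it walks a site tree, flags anything world-writable first and then anything that deviates from 0755/0644, and builds a small constructed sample tree to run against.

```python
import os
import stat
import tempfile

# Added example (not the deck's code): audit a site tree against the
# permissions slide 19 recommends: site root 0755 or 0700, dirs 0755, files 0644.
DIR_MODE, FILE_MODE, ROOT_MODES = 0o755, 0o644, (0o755, 0o700)

def audit_permissions(root):
    """Return (relative path, octal mode, problem) for every entry that deviates."""
    findings = []
    root_mode = stat.S_IMODE(os.stat(root).st_mode)
    if root_mode not in ROOT_MODES:
        findings.append((".", oct(root_mode), "site root should be 0755 or 0700"))
    for dirpath, dirnames, filenames in os.walk(root):
        for name, expected in ([(d, DIR_MODE) for d in dirnames]
                               + [(f, FILE_MODE) for f in filenames]):
            full = os.path.join(dirpath, name)
            info = os.lstat(full)              # don't follow symlinks out of the tree
            if stat.S_ISLNK(info.st_mode):
                continue
            mode = stat.S_IMODE(info.st_mode)
            rel = os.path.relpath(full, root)
            if mode & stat.S_IWOTH:            # 0777/0666: the "open door" of slide 18
                findings.append((rel, oct(mode), "world-writable"))
            elif mode != expected:
                findings.append((rel, oct(mode), "expected " + oct(expected)))
    return findings

def build_demo_tree():
    """Constructed sample site: sane entries plus two typical mistakes."""
    root = tempfile.mkdtemp(prefix="joomla-perms-")
    os.chmod(root, 0o755)
    for rel, mode in [("images", 0o755), ("tmp", 0o777)]:
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    for rel, mode in [("index.php", 0o644), ("configuration.php", 0o666)]:
        open(os.path.join(root, rel), "w").close()
        os.chmod(os.path.join(root, rel), mode)
    return root

if __name__ == "__main__":
    for rel, mode, problem in audit_permissions(build_demo_tree()):
        print("%-20s %s  %s" % (rel, mode, problem))
```

Run it against a real site root instead of the demo tree to get the list of entries to chmod; world-writable hits are the ones to fix first.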
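To see exactly which requests the rule sets on slides 25, 28 and 32 let through and which they refuse, here is an added Python emulation of their decision logic (my code, not the deck's or the Master .htaccess); the site host example.com comes from slide 32, and the sample requests are constructed.

```python
import re

# Added emulation of the .htaccess rules on slides 25, 28 and 32 (not the
# deck's own code). The same-site Referer check uses example.com as on slide 32.
SITE_HOST = re.compile(r"^https?://(www\.)?example\.com", re.I)
# Slide 25: tmpl=component|system is used by Joomla! itself and passes;
# any other tp=, template= or tmpl= parameter is a template-probing request.
TMPL_OK = re.compile(r"(^|&)tmpl=(component|system)", re.I)
TMPL_PROBE = re.compile(r"(^|&)t(p|emplate|mpl)=", re.I)
# Slide 28: a query string carrying a PHP "easter egg" GUID (?=PHPxxxxxxxx-...)
PHP_EGG = re.compile(r"=PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}", re.I)
# Slide 32: content images may be hot-linked, other static files may not.
ASSET_EXT = r"\.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$"
STORIES = re.compile(r"^images/stories/.*" + ASSET_EXT, re.I)
STATIC = re.compile(ASSET_EXT, re.I)

def decide(path, query="", referer="", file_exists=True):
    """Return 'allow' or 'forbid' as the rules would, evaluated in slide order.
    path is relative to the site root; file_exists stands in for the -f test."""
    if TMPL_OK.search(query):
        return "allow"      # RewriteRule .* - [L]: stop here, request passes
    if TMPL_PROBE.search(query):
        return "forbid"     # [F]: 403 for tp=/template=/tmpl= probes
    if PHP_EGG.search(query):
        return "forbid"     # [F]: 403 for PHP easter-egg version disclosure
    if STORIES.search(path):
        return "allow"      # [L]: images/stories/* may be hot-linked
    if (referer and not SITE_HOST.search(referer)
            and file_exists and STATIC.search(path)):
        return "forbid"     # [F]: foreign Referer fetching a site asset
    return "allow"          # no rule matched; Joomla! handles the request

# Constructed sample requests, each paired with the verdict the rules give.
SAMPLES = [
    ("index.php", "tmpl=component", "", "allow"),
    ("index.php", "option=com_content&tmpl=offline", "", "forbid"),
    ("index.php", "tp=1", "", "forbid"),
    ("index.php", "template=ja_purity", "", "forbid"),
    ("index.php", "=PHPdeadbeef-1234-5678-9abc-123456789abc", "", "forbid"),
    ("templates/rhuk_milkyway/css/template.css", "", "http://other.example.net/", "forbid"),
    ("templates/rhuk_milkyway/css/template.css", "", "http://www.example.com/", "allow"),
    ("templates/rhuk_milkyway/css/template.css", "", "", "allow"),
    ("images/stories/photo.jpg", "", "http://other.example.net/", "allow"),
]

def check_samples():
    """Return the samples whose verdict disagrees with decide() (empty = all agree)."""
    return [s for s in SAMPLES if decide(s[0], s[1], s[2]) != s[3]]
```

Note the last sample set: a request with no Referer header at all passes the slide 32 rules, so they stop hot-linking rather than every automated fetch.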

Editor's Notes

  • Scratches the surface. It is imperative that everyone follows this advice. (Next: Me)
  • 30-y.o. Mech Engineer turned web dev. Into PHP for > 10 years. Lead dev of Akeeba Backup and Admin Tools. (Next: Basic Security)
  • What is it? Is it Chuck Norris on your site? Making the site unhackable?
  • Make it harder, not impossible.
  • Everyone knows these things have to be done. We rarely do them because we’re bored. (Next: Backups)
  • Use Akeeba Backup or any other tool for at least daily backups. Test-restore backups every week or after installing a new release. (Next: Updates)
  • Always update on the same day. Keep an eye on JVEL. Subscribe to an ahead-warning service like SalvusAlerting. (Next: backend protection)
  • Password-protect administrator. Add a secret key to administrator (jSecure, Admin Tools Professional, etc.). (Next: 777)
  • Why 0777 is a bad idea (hack from the inside). Sane perms on the next slide. (Next: perms)
  • Use suPHP/mod_itk if possible. Root 0755 / 0700 (disables 0777). Dirs 0755, files 0644. You never “must” use 0777. If you do, use .htaccess. (Next: sitting duck)
  • Default Joomla! settings = sitting duck. It’s duck hunting season; you don’t want to be a duck. (Next: prefix)
  • Prefix has nothing to do with telephony. The default jos_ table prefix is evil. Use something random; use Admin Tools for an easy change. Danger, Will Robinson: some extensions might break. (Next: Super Admin ID)
  • Default SA ID is 62/42. Used in direct SQLi attacks. Do not just create a new user; that is equally unsafe. Create a “low ID” user; use Admin Tools. (Next: Ninja!)
  • How the big boys deal with security. Some tips are over the top. You can never be too paranoid w/ security. (Next: Visual fingerprinting)
  • Appending parameters can reveal too much. Used to identify your site as a Joomla! site = potential target. Security through obscurity; not THE solution, but it helps. (Next: solution)
  • These rules are in my Master .htaccess. (Next: PHP has a big mouth)
  • Appending parameters can reveal too much. Used to identify your PHP version. Can deliver non-Joomla!-specific exploits. (Next: demonstration)
  • This is what it looks like. Each version has a different image! (Next: solution)
  • These rules are in my master .htaccess. (Next: Blind Elephant)
  • No, you’re not going to the circus; or a safari. A blind elephant is after you and will stomp you. See for yourself! (next slide) (Next: BlindElephant run)
  • Typical Blind Elephant run. It’s not the only fingerprinting script. They’re moderately to very accurate. (Next: solution)
  • These rules are in my master .htaccess. (Next: More protection)
  • My master .htaccess is free, requires expert knowledge, no support. ATPro is easier for site builders, has docs, support. (Next: security is a process)
  • It’s not fire and forget. You have to work on it continuously as your site evolves. (Next: questions)
  • Ask your questions! (Next: the end)
  • Thank you for listening. Visit the URL for the slides in PDF format. THE END
