Joomla! Day Deutschland 2012 - Active Security
•Download as KEY, PDF•
4 likes•773 views
My presentation on Joomla! site security in Joomla! Day Deutschland 2012
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Similar to Joomla! Day Deutschland 2012 - Active Security
Similar to Joomla! Day Deutschland 2012 - Active Security (20)
More from Nicholas Dionysopoulos
More from Nicholas Dionysopoulos (8)
Recently uploaded
Recently uploaded (20)
Joomla! Day Deutschland 2012 - Active Security
- 1. Active security for Joomla! sites version 5.2
- 2. Mission: Impossible Talking in-depth about Joomla! security in 30 minutes or less... but I’ll try!
- 3. Put your pens away Sit back and enjoy
- 4. A site is like a building • Strong foundations • Careful construction • Active maintenance
- 5. Step 1: Strong foundations Your server setup - Geeky stuff ahead!
- 6. Updated server software PHP, MySQL, Apache, FTP Server...
- 7. Permissions & ownership Who can do what and where
- 8. Sane ownership & permissions All files and folders owned by the FTP user Use Joomla!’s FTP mode on shared hosts Folders 0755 permissions • Files 0644 permissions If you “must” use 0777 (don’t!), protect with .htaccess order deny, allow deny from all allow from none Better yet, use suPHP or FastCGI
- 9. Too much to remember? Akeeba Backup User’s Guide, Security Information https://www.akeebabackup.com/documentation/ akeeba-backup-documentation/security-info.html 777: The number of the beast http://www.dionysopoulos.me/blog/777-the-number- of-the-beast
- 10. Advanced methods for IT ninjas
- 11. mod_security for Apache Your server’s security guard
- 12. You need some rules Atomic (GotRoot) Rules: http://www.atomicorp.com/wiki/index.php/ Atomic_ModSecurity_Rules OWASP Rules: https://www.owasp.org/index.php/ Category:OWASP_ModSecurity_Core_Rule_Set_Projec t
- 13. Make it all happen The magic scripts
- 14. https://github.com/betweenbrain/ubuntu-web- server-build-script written by Matt Thomas (@betweenbrain)
- 15. Step 2: Careful construction Your site setup
- 16. Update, yesterday Joomla! & extensions
- 17. Think before installing Don’t be the mouse in the trap!
- 18. Length matters
- 19. Your Password’s length matters
- 20. A terrifying thought Password hacking super-computer: 2,700 USD (2 years ago; much cheaper now)
- 21. How safe is your password? Password Bits Iterations Time to crack 15082005 13.6 12416 0.00038 msec admin 15.9 61147 0.00185 msec ortrtaortftaaidbt 67.7 2.39E+20 228.95 years 0rtrTA0rtfTa&idbT 88.2 3.55E+26 340 million years horse correct battery stapler 107.2 1.86E+32 178179 billion years
- 22. How safe is your password? Password Bits Iterations Time to crack 15082005 13.6 12416 0.00038 msec admin 15.9 61147 0.00185 msec ortrtaortftaaidbt 67.7 2.39E+20 228.95 years 0rtrTA0rtfTa&idbT 88.2 3.55E+26 340 million years horse correct battery stapler 107.2 1.86E+32 178179 billion years
- 23. Lock it down Nothing on my site runs unless I say so
- 24. .htaccess Rules My Master .htaccess - FREE http://akeeba.assembla.com/code/master-htaccess/ git/nodes/htaccess.txt Admin Tools Professional https://www.akeebabackup.com/products/46- software/855-admintools.html
- 25. Armor up Protect your site
- 26. Step 3: Active maintenance Staying on top of it all
- 27. Backups Frequent, automated, off-site backups
- 28. Monitor file changes A changed file is usually a bad thing
- 29. Monitor it Keep an eye on the logs
- 30. In spite of it all…
- 31. Dammit! You got hacked, now what?
- 32. DON’T PANIC
- 33. We’ve got instructions Unhacking your site https://www.akeebabackup.com/documentation/ walkthroughs/item/1124-unhacking-your-site.html You do have backups, right? Make sure you read the instructions before getting hacked.
- 34. One more thing... security is a process
- 35. Questions?
- 37. Thank you for listening! Image credits: sxc.hu; istockphoto.com
Editor's Notes
- Scratches the surface\nImperative everyone follows this advice\n\nNext: Me\n
- \n
- \n
- Make it harder, not impossible\n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- Whitepixel + cheap hardware\nCosts $2,800\nBreaks 33.1 billion passwords / second\nNext: sample pw\n
- All about entropy.\nWords stronger than random garbage\nThere’s a catch. All words = 1 day. Add numbers/padding to increase entropy.\nNext: 777\n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- It’s not fire and forget. You have to work on it continuously as your site evolves.\n\nNext: questions\n
- Ask your questions!\n\nNext: QR-Code\n
- \n
- Thank you for listening\n\nTHE END\n