Joomla! Day Deutschland 2012 - Active Security

989 views

Published on

My presentation on Joomla! site security in Joomla! Day Deutschland 2012

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
989
On SlideShare
0
From Embeds
0
Number of Embeds
18
Actions
Shares
0
Downloads
45
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide
  • Scratches the surface\nImperative everyone follows this advice\n\nNext: Me\n
  • \n
  • \n
  • Make it harder, not impossible\n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • Whitepixel + cheap hardware\nCosts $2,800\nBreaks 33.1 billion passwords / second\nNext: sample pw\n
  • All about entropy.\nWords stronger than random garbage\nThere’s a catch. All words = 1 day. Add numbers/padding to increase entropy.\nNext: 777\n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • It’s not fire and forget. You have to work on it continuously as your site evolves.\n\nNext: questions\n
  • Ask your questions!\n\nNext: QR-Code\n
  • \n
  • Thank you for listening\n\nTHE END\n
  • Joomla! Day Deutschland 2012 - Active Security

    1. 1. Active securityfor Joomla! sites version 5.2
    2. 2. Mission: ImpossibleTalking in-depth about Joomla! security in 30 minutesor less... but I’ll try!
    3. 3. Put your pens awaySit back and enjoy
    4. 4. A site is like a building• Strong foundations• Careful construction• Active maintenance
    5. 5. Step 1: Strong foundationsYour server setup - Geeky stuff ahead!
    6. 6. Updated server softwarePHP, MySQL, Apache, FTP Server...
    7. 7. Permissions & ownershipWho can do what and where
    8. 8. Sane ownership &permissionsAll files and folders owned by the FTP userUse Joomla!’s FTP mode on shared hostsFolders 0755 permissions • Files 0644 permissionsIf you “must” use 0777 (don’t!), protect with .htaccessorder deny, allowdeny from allallow from noneBetter yet, use suPHP or FastCGI
    9. 9. Too much to remember?Akeeba Backup User’s Guide, SecurityInformationhttps://www.akeebabackup.com/documentation/akeeba-backup-documentation/security-info.html777: The number of the beasthttp://www.dionysopoulos.me/blog/777-the-number-of-the-beast
    10. 10. Advanced methodsfor IT ninjas
    11. 11. mod_security for ApacheYour server’s security guard
    12. 12. You need some rulesAtomic (GotRoot) Rules:http://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_RulesOWASP Rules:https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
    13. 13. Make it all happenThe magic scripts
    14. 14. https://github.com/betweenbrain/ubuntu-web-server-build-scriptwritten by Matt Thomas (@betweenbrain)
    15. 15. Step 2: Careful constructionYour site setup
    16. 16. Update, yesterdayJoomla! & extensions
    17. 17. Think before installingDon’t be the mouse in the trap!
    18. 18. Length matters
    19. 19. Your Password’s length matters
    20. 20. A terrifying thoughtPassword hacking super-computer: 2,700 USD(2 years ago; much cheaper now)
    21. 21. How safe is your password? Password Bits Iterations Time to crack15082005 13.6 12416 0.00038 msecadmin 15.9 61147 0.00185 msecortrtaortftaaidbt 67.7 2.39E+20 228.95 years0rtrTA0rtfTa&idbT 88.2 3.55E+26 340 million yearshorse correct battery stapler 107.2 1.86E+32 178179 billion years
    22. 22. How safe is your password? Password Bits Iterations Time to crack15082005 13.6 12416 0.00038 msecadmin 15.9 61147 0.00185 msecortrtaortftaaidbt 67.7 2.39E+20 228.95 years0rtrTA0rtfTa&idbT 88.2 3.55E+26 340 million yearshorse correct battery stapler 107.2 1.86E+32 178179 billion years
    23. 23. Lock it downNothing on my site runs unless I say so
    24. 24. .htaccess RulesMy Master .htaccess - FREEhttp://akeeba.assembla.com/code/master-htaccess/git/nodes/htaccess.txtAdmin Tools Professionalhttps://www.akeebabackup.com/products/46-software/855-admintools.html
    25. 25. Armor upProtect your site
    26. 26. Step 3: Active maintenanceStaying on top of it all
    27. 27. BackupsFrequent, automated, off-site backups
    28. 28. Monitor file changesA changed file is usually a bad thing
    29. 29. Monitor itKeep an eye on the logs
    30. 30. In spite of it all…
    31. 31. Dammit!You got hacked, now what?
    32. 32. DON’TPANIC
    33. 33. We’ve got instructions Unhacking your site https://www.akeebabackup.com/documentation/ walkthroughs/item/1124-unhacking-your-site.html You do have backups, right? Make sure you read the instructions before getting hacked.
    34. 34. One more thing... security is a process
    35. 35. Questions?
    36. 36. Download this presentationhttp://akeeba.info/asjd12de
    37. 37. Thank you for listening!Image credits: sxc.hu; istockphoto.com

    ×