Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
By Shaiffulnizam Mohamad
JOOMLA! SECURITY
...Security is a moving target, so
today's expert might be tomorrow's
victim...
Joomla!
Website’s
hacked?
Definition of “Hacker”
• Someone who deliberately seeks to bypass a server’s security
• Black, grey, white hats
• A hacked...
Hacking Motives?
• To see if they can
• To create mayhem
• For social standing in the sub-culture
• For political reasons ...
How do we know that
we’ve been hacked?
• Site trashed
• Hacking message
• High bandwidth use
• Changed admin password
• Ne...
Why do we care about
computer security?
No ONE is
SAFE!Type of site Motivation
Any site To see if they can
To create mayhem
Social standing
Post political message...
Why worry about being
hacked?
• Sites are targeted at random
• Hacking is actually quite easy
• Vulnerable sites are easy ...
Why worry about being
hacked?
Hacked sites are a big problem
• Business reputation
• Angry clients
• Site shutdown by host...
Hacking Joomla! sites
Is Joomla! Sites easy to
hack?• Yes and No
• Joomla has to strike a balance between
security and ease of use
• Joomla an a...
How do they hack?
1. Find a vulnerability (and instructions
on how to exploit it)
2. Find a vulnerable site
3. Hack the si...
1st Finding vulnerability
• Security sites
• www.exploit-db.com, www.secunia.com
• Various hacking sites/forums
• Joomla v...
2nd find a vulnerable
sites• Google Dork - a search phrase to find
vulnerable sites
• PHPInfo
• intitle:phpinfo()
• Vulner...
3rd cut n paste code!
http://xxxxxxxxxxxxxxxxx/index.php?option=com_acajoom
&act=mailing&task=view&listid=1&Itemid=1&maili...
Sometimes…
RFI = Remote file inclusions
Executing SHELL Files and taking control of the Server
What should we do to
prevent?
• Server operating system
• Server Software
• PHP + MySQL
 Joomla
 Extensions
 Users and ...
What should we do to
prevent?
1. Updating Your Server Operating System
2. Update your Server Software e.g. Apache, Nginx,
...
[1] Basic actions
[2] More complex actions
[3] Actions that require significant modification rights
on the server (unless ...
Joomla! Security
Server ~ shared, VPS and Dedicated
• A shared server
• Your site(s) live in the same hosting space as oth...
Joomla! Security
Server ~ shared, VPS and Dedicated
• A dedicated server
• Allow you to upgrade and tweak all the settings...
Joomla! Security
Server ~ Security
1. The underlying Operating System must be updated
2. Updating the Webserver
e.g. Apach...
Joomla! Security
Server ~ Security Hardening
1. Securing Apache Webserver
Adding web headers to block XSS etc.
<IfModule m...
Joomla! Security
Server ~ Security Hardening
3. Activating .htaccess override in Apache conf
• .htaccess files
• [1] Activ...
Joomla! Security
Server ~ Security Hardening
1. Hardening PHP with SUHOSIN
2. Use PHP Disable function
show_source, system...
Joomla! Security
Server ~ Security Hardening
• Globally reset all files
• Owner – AccountUsername:AccountUsername
chown -R...
Joomla! Security
Server ~ Security Hardening
1. Hardening MySQL server
2. Disable access from outside (allow local connect...
Joomla! Security
Server ~ Additional Security Hardening
1. Add additional firewall e.g. CSF firewall
2. Add modsecurity fi...
Joomla! Security
Use CDN for security
1. Prevent DDOS
2. Stop Hackers
3. Secure website from attack
Joomla! Security
Use CDN for security
1. Prevent DDOS
2. Stop Hackers
3. Secure website from attack
Joomla! Security
Use CDN for security
Joomla! Security
Use CDN for security
Joomla! Security Checklisthttps://docs.joomla.org/Security
Upgrade to the latest stable version of Joomla! as soon as possible.
Download Joomla! from official sites only, such as Jo...
Joomla! Security Checklisthttps://docs.joomla.org/Security
Default administrator username
Change the user name of the defa...
Joomla! Security Checklisthttps://docs.joomla.org/Security
Limit superadmin
Less superadmin, mean less problem
Disable reg...
Joomla! Security Checklisthttps://docs.joomla.org/Security
Protecting directories and files
All configurable path must be ...
Joomla! Security Checklisthttps://docs.joomla.org/Security
Remove all unneeded files and extensions
All unneeded and unuse...
Joomla! Security Checklisthttps://docs.joomla.org/Security
Installing Joomla! Extensions
1. Always backup
2. Check for ext...
Joomla! SecurityHow to secure Joomla!
[1] SEF all URLs
[2] Clear the default Joomla metatags
[3] Clear the default Home pa...
Joomla! SecurityHow to secure Joomla!
Two-Factor Authentication is a login method whereby a
person has to provide his/her ...
Joomla! SecurityHow to secure Joomla!
Trying to inject spam content onto your site
Targets Joomla core forms and extension...
Joomla! SecurityHow to secure Joomla!
Use security extensions
Joomla! SecurityHow to secure Joomla!
Disable FTP access from Joomla!
• If a hacker can obtain your FTP
password, they can...
Joomla! SecurityHow to secure Joomla!
Change temporary folder and logs path
Joomla! SecurityHow to secure Joomla!
Make sure to check for Joomla!/extensions
Update
Joomla! SecurityHow to secure Joomla!
Preparing for the Worst
Are you ready?
Joomla! SecurityHow to secure Joomla!
Preparing for the Worst
1. Site monitoring
2. Joomla site backups
3. Restoring a hac...
Joomla! Security Site monitoring
• Diagnostics
• Site down
• Home page content changes
• Mod_security logs (shows attempts...
Joomla! Security Joomla!
Backup
• Why backup?
• When should I backup my Joomla! site?
• How often should I backup my Jooml...
Joomla! Security Joomla!
Backup
How to backup?
1. Manual backup through command line. (database)
2. Using extensions such ...
• Fixes the obvious problems
• Does not address:
• Hidden hacks
• Shell scripts
• Backdoors
• Zombies
• Continuing vulnera...
The End
Shaiffulnizam Mohamad
OWASP Members since 2010
Involved in all Joomla Day Malaysia since
2007
Specializing in Joom...
Upcoming SlideShare
Loading in …5
×

Joomla! security jday2015

1,319 views

Published on

Joomla Security Joomla Day Malaysia

Published in: Technology
  • Be the first to comment

Joomla! security jday2015

  1. 1. By Shaiffulnizam Mohamad JOOMLA! SECURITY ...Security is a moving target, so today's expert might be tomorrow's victim...
  2. 2. Joomla! Website’s hacked?
  3. 3. Definition of “Hacker” • Someone who deliberately seeks to bypass a server’s security • Black, grey, white hats • A hacked site is a broken/compromised site • A skilled computer programmer • A hacked site is a tweaked and improved site • A script kiddie • Junior hacker using other hacker’s tools and techniques
  4. 4. Hacking Motives? • To see if they can • To create mayhem • For social standing in the sub-culture • For political reasons – hacktivism • For financial reasons • Theft – steal ebooks, videos, games, online services etc • Sell data – user profiles, credit card details etc • Industrial sabotage - paid to break competitor sites • Set up zombie farms • Steal bandwidth • Host phishing pages • Collect passwords
  5. 5. How do we know that we’ve been hacked? • Site trashed • Hacking message • High bandwidth use • Changed admin password • New user with admin rights • Server logs
  6. 6. Why do we care about computer security?
  7. 7. No ONE is SAFE!Type of site Motivation Any site To see if they can To create mayhem Social standing Post political messages Zombie farms Steal bandwidth Host phishing pages Any membership site Sell user profiles to marketers Obtain usernames and passwords Some ecommerce sites Sell credit card details to thieves Sell order history and contact details to marketers
  8. 8. Why worry about being hacked? • Sites are targeted at random • Hacking is actually quite easy • Vulnerable sites are easy to find • Vulnerable sites are easy to hack • Fixing hacked sites is quite tricky • Hacks can be invisible • Clients may not notice a hacked site for some time • Finding a clean backup may be impossible • Determining what has been done can be really hard • May be difficult to restore • Hardening site to avoid future hacks requires skill and focus
  9. 9. Why worry about being hacked? Hacked sites are a big problem • Business reputation • Angry clients • Site shutdown by host • Loss of business • Data theft
  10. 10. Hacking Joomla! sites
  11. 11. Is Joomla! Sites easy to hack?• Yes and No • Joomla has to strike a balance between security and ease of use • Joomla an attractive target for hackers • The critical mass of sites • Large amateur web developer user base • Extensions have variable security • The site must be vulnerable
  12. 12. How do they hack? 1. Find a vulnerability (and instructions on how to exploit it) 2. Find a vulnerable site 3. Hack the site
  13. 13. 1st Finding vulnerability • Security sites • www.exploit-db.com, www.secunia.com • Various hacking sites/forums • Joomla vulnerable extensions list • docs.joomla.org/Vulnerable_Extensions_List
  14. 14. 2nd find a vulnerable sites• Google Dork - a search phrase to find vulnerable sites • PHPInfo • intitle:phpinfo() • Vulnerable extensions • allinurl:com_acajoom
  15. 15. 3rd cut n paste code! http://xxxxxxxxxxxxxxxxx/index.php?option=com_acajoom &act=mailing&task=view&listid=1&Itemid=1&mailingid=1/* */union/**/select/**/1,1,1,1,concat(username,0x3a,passw ord),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/from/**/jos_users/* */LIMIT/**/1,1/*
  16. 16. Sometimes… RFI = Remote file inclusions Executing SHELL Files and taking control of the Server
  17. 17. What should we do to prevent? • Server operating system • Server Software • PHP + MySQL  Joomla  Extensions  Users and their behaviour Joomla! Security Involves
  18. 18. What should we do to prevent? 1. Updating Your Server Operating System 2. Update your Server Software e.g. Apache, Nginx, IIS, Litespeed etc 3. Update Your PHP & MySQL Server 4. Secure Your Server Security Action plan
  19. 19. [1] Basic actions [2] More complex actions [3] Actions that require significant modification rights on the server (unless already implemented by default) Image by echiner1 What should we do to prevent?
  20. 20. Joomla! Security Server ~ shared, VPS and Dedicated • A shared server • Your site(s) live in the same hosting space as other sites that you do not administer • This is the cheapest hosting option. • No say over the security of the other sites on the server • Old shared server is the worst location for your hosting • A Virtual Private Server • Better than shared • Still can’t change many settings
  21. 21. Joomla! Security Server ~ shared, VPS and Dedicated • A dedicated server • Allow you to upgrade and tweak all the settings on a dedicated server • Host retains responsibility for maintenance
  22. 22. Joomla! Security Server ~ Security 1. The underlying Operating System must be updated 2. Updating the Webserver e.g. Apache, Nginx etc 3. Updating the PHP and MySQL 4. Securing the Above 5. Installing additional Security layers
  23. 23. Joomla! Security Server ~ Security Hardening 1. Securing Apache Webserver Adding web headers to block XSS etc. <IfModule mod_headers.c> Header set X-XSS-Protection: "1; mode=block" Header set X-Content-Security-Policy: "allow 'self'; options inline-script; img$ Header set Strict-Transport-Security: "max-age=43200; includeSubDomains" Header set Cache-Control: "max-age=3600, public, must-revalidate" Header set X-frame-options: "deny" Header set X-Content-Type-Options: "nosniff" #Header set X-Content-Security-Policy: "default-src 'self'" Header unset X-Powered-By Header unset X-Pingback </IfModule> 2. Hide Server Signature
  24. 24. Joomla! Security Server ~ Security Hardening 3. Activating .htaccess override in Apache conf • .htaccess files • [1] Activate the htaccess file in the Joomla root • [1] Use an .htpasswd for the /administrator/ folder • [3] Advanced .htaccess files
  25. 25. Joomla! Security Server ~ Security Hardening 1. Hardening PHP with SUHOSIN 2. Use PHP Disable function show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open 3. Do not expose PHP Version expose_php = off 4. Use open_basedir (restriction file handling functions)
  26. 26. Joomla! Security Server ~ Security Hardening • Globally reset all files • Owner – AccountUsername:AccountUsername chown -R user:group * • Files – 644 find . -type f -exec chmod 644 {} ; • Folders – 755 find . -type d -exec chmod 755 {} ; Use suPHP PHP files are run under the user of the website instead of the Apache user
  27. 27. Joomla! Security Server ~ Security Hardening 1. Hardening MySQL server 2. Disable access from outside (allow local connections) 3. Make sure using Password or after setup, run mysql_secure_installation command
  28. 28. Joomla! Security Server ~ Additional Security Hardening 1. Add additional firewall e.g. CSF firewall 2. Add modsecurity firewall ~ apache module that helps to protect your website from various attacks. It is used to block commonly known exploits by use of regular expressions and rule sets 3. Install Malware detector such as maldet 4. Install rootkit detector 5. Install fail2ban / IDS (intrusion detector)
  29. 29. Joomla! Security Use CDN for security 1. Prevent DDOS 2. Stop Hackers 3. Secure website from attack
  30. 30. Joomla! Security Use CDN for security 1. Prevent DDOS 2. Stop Hackers 3. Secure website from attack
  31. 31. Joomla! Security Use CDN for security
  32. 32. Joomla! Security Use CDN for security
  33. 33. Joomla! Security Checklisthttps://docs.joomla.org/Security
  34. 34. Upgrade to the latest stable version of Joomla! as soon as possible. Download Joomla! from official sites only, such as JoomlaCode.org, and check the MD5 hash. Use Web Page Diagnostic Tools, i.e. Firefox Firebug, IE Web Developer Toolbar, Opera Dragonfly, etc. to ensure that all files were installed correctly. Joomla! Security Checklisthttps://docs.joomla.org/Security Install official versions of Joomla! http://www.joomla.org/download.html Install official Updates from Joomla! To avoid breaking your site, search the forums for reports of incompatible extensions before upgrading to a new version of Joomla.
  35. 35. Joomla! Security Checklisthttps://docs.joomla.org/Security Default administrator username Change the user name of the default admin user. This simple step effectively increases the security of this critical account 50% by modifying one of the two variables attackers must know to gain access. Never use easy to guess passwords, avoid at no cost. e.g. admin123, passwords, 123456 Use mix characters (upper and lower case) with special characters. e.g F1$hn3Tw0Rk, use more than 8 digits Administrator passwords
  36. 36. Joomla! Security Checklisthttps://docs.joomla.org/Security Limit superadmin Less superadmin, mean less problem Disable registration, if you are not running social sites, or if your website is limited to your employee If you are not running Social site, disable registration
  37. 37. Joomla! Security Checklisthttps://docs.joomla.org/Security Protecting directories and files All configurable path must be rewritable Must never use chmod 777, chmod 755 is sufficient for directories and 644 for files. Use .htaccess to disable directories such as images and download from running php files. # secure directory by disabling script execution AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi Options -ExecCGI
  38. 38. Joomla! Security Checklisthttps://docs.joomla.org/Security Remove all unneeded files and extensions All unneeded and unused files and extensions must be remove In general, do not leave any unneeded files (compressed or otherwise) on a public server. Each unused (and perhaps long forgotten) file is a potential security hole.
  39. 39. Joomla! Security Checklisthttps://docs.joomla.org/Security Installing Joomla! Extensions 1. Always backup 2. Check for extension vulnerabilities 3. Download from trusted site 4. Check code quality of the extensions 5. Test on development site 6. Remove junk 7. Avoid encrypted code
  40. 40. Joomla! SecurityHow to secure Joomla! [1] SEF all URLs [2] Clear the default Joomla metatags [3] Clear the default Home page title [4] Remove generator tag [5] Change favicon [6] Hide component credits Less information provided about Joomla!, means much difficult to attack
  41. 41. Joomla! SecurityHow to secure Joomla! Two-Factor Authentication is a login method whereby a person has to provide his/her user name, password and a random generated OTP (One Time Password). OTP is six numeric digit code, generated by cryptographic functions in a short interval. Even if a hacker was to guess your Joomla Administrator username and password correctly, they would still require the OTP to login. To enabled Two-Factor Authentication requires Joomla 3.2.0 or higher. 1.Login into the Administration area. 2.Click on Components >> Post-installation Messages. 3.Click on Enable two-factor authentication. 4.Install a Google Authenticator compatible client for your device. Implement 2 factor Authentication
  42. 42. Joomla! SecurityHow to secure Joomla! Trying to inject spam content onto your site Targets Joomla core forms and extension forms Use captcha to fight against automated spammers
  43. 43. Joomla! SecurityHow to secure Joomla! Use security extensions
  44. 44. Joomla! SecurityHow to secure Joomla! Disable FTP access from Joomla! • If a hacker can obtain your FTP password, they can login as you, bypassing almost every security barrier. • FTP passwords are stored unencrypted in your FTP program! • FTP authentication details pass unencrypted to the server! • There are several common FTP apps that store their passwords in a standard location with a standard name!
  45. 45. Joomla! SecurityHow to secure Joomla! Change temporary folder and logs path
  46. 46. Joomla! SecurityHow to secure Joomla! Make sure to check for Joomla!/extensions Update
  47. 47. Joomla! SecurityHow to secure Joomla! Preparing for the Worst Are you ready?
  48. 48. Joomla! SecurityHow to secure Joomla! Preparing for the Worst 1. Site monitoring 2. Joomla site backups 3. Restoring a hacked site
  49. 49. Joomla! Security Site monitoring • Diagnostics • Site down • Home page content changes • Mod_security logs (shows attempts) • Bandwidth use • Spam blacklisting • [3] Searching and browsing server logs
  50. 50. Joomla! Security Joomla! Backup • Why backup? • When should I backup my Joomla! site? • How often should I backup my Joomla! site? • How to backup?
  51. 51. Joomla! Security Joomla! Backup How to backup? 1. Manual backup through command line. (database) 2. Using extensions such as Akeeba Backup, EJB and XCloner What to backup? 1. All files 2. Images or docs REMEMBER TO TEST YOUR BACKUP
  52. 52. • Fixes the obvious problems • Does not address: • Hidden hacks • Shell scripts • Backdoors • Zombies • Continuing vulnerabilities • Impacts of data exposure Photo: flickr.com/photos/andreweason Joomla! Security
  53. 53. The End Shaiffulnizam Mohamad OWASP Members since 2010 Involved in all Joomla Day Malaysia since 2007 Specializing in Joomla! And Security. shaifful.md@gmail.com / 0129531452 Joomla! Security

×