Presentation “Joomla! Security” - http://slideshare.net/yireo
Jisse Reitsma (jisse@yireo.com) - Twitter @yireo
Joomla! security

Presentation on Joomla! security, covering both basic material and advanced techniques. Used during the Joomla! User Group meeting in Den Bosch, NL (JUG073).


Joomla! security

1. Joomla! security

2. My name is Jisse Reitsma
   - Joomla! enthusiast
   - PHP programmer
   - Lead developer of Yireo
   - Joomla! templates-book (NL)
   - Helping Tibet Support Group

3. My presentation
   - Part I - Basics
   - Part II - Joomla! security
   - Part III - Advanced things

4. Part I: Basics of security

5. Why bother?
   - Everybody makes mistakes
   - Joomla! is very popular ... also with hackers
   - What can happen?
     - Website defacement (damage to business image)
     - Malware installed (viruses, exploits, zombie-software)

6. What is security?
   - SQL injection
   - POST spoofing
   - Path traversal; remote path inclusion
   - Cross Site Scripting (XSS), CSRF
   - Session hijacking, cookie theft
   - Rootkits

7. Common Joomla! attacks
   - SQL injection:
     http://localhost/joomla/index.php/weblinks-categories?id=0%20%29%20union%20select%20password%20from%20%60jos_users%60%20--%20%29
   - XSS vulnerability, entered in a textarea:
     <script>alert('test');</script>
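The two probes on slide 7 leave recognisable traces in the web server's access log. The following shell snippet is an added example, not part of the slides or of Joomla!: it greps a constructed sample log (made-up IPs and paths) for the UNION SELECT pattern and for a `<script` tag, including the URL-encoded forms, and lists the source addresses so they can be reviewed or blocked.

```shell
#!/bin/sh
# Added example (not from the slides): detect the slide-7 attack patterns in an
# access log. The log below is constructed for the demo; addresses are from
# the documentation ranges and mean nothing.
SAMPLE_LOG='203.0.113.7 - - [01/Jan/2013:10:00:00 +0100] "GET /joomla/index.php/weblinks-categories?id=0%20%29%20union%20select%20password%20from%20%60jos_users%60%20--%20%29 HTTP/1.1" 200 512
198.51.100.4 - - [01/Jan/2013:10:00:01 +0100] "GET /joomla/index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8192
203.0.113.7 - - [01/Jan/2013:10:00:02 +0100] "POST /joomla/index.php?option=com_contact&task=submit HTTP/1.1" 303 0 "<script>alert(1)</script>"
192.0.2.9 - - [01/Jan/2013:10:00:03 +0100] "GET /joomla/index.php?option=com_users&view=login HTTP/1.1" 200 4096'

# flag_suspicious_requests: read log lines on stdin, print the ones that carry
# either signature. Case-insensitive, and tolerant of %20 / + / space between
# "union" and "select" and of a URL-encoded "<" before "script".
flag_suspicious_requests() {
    grep -iE 'union(%20|\+| )+select|<script|%3cscript'
}

# suspicious_ips: the distinct client addresses behind the flagged lines.
suspicious_ips() {
    flag_suspicious_requests | awk '{ print $1 }' | LC_ALL=C sort -u
}

# count_suspicious: number of flagged lines in the constructed sample.
count_suspicious() {
    printf '%s\n' "$SAMPLE_LOG" | flag_suspicious_requests | wc -l | tr -d ' '
}

# sample_suspicious_ips: distinct offending addresses in the constructed sample.
sample_suspicious_ips() {
    printf '%s\n' "$SAMPLE_LOG" | suspicious_ips
}

# Real use: flag_suspicious_requests < /var/log/apache2/access.log
```

Two of the four sample lines match and both come from the same address, which is the kind of result worth feeding into the firewall or into mod_security2 rules mentioned later in the talk. The patterns are deliberately narrow; a real deployment would pair them with a maintained rule set rather than grow its own list.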
8. Part II: Joomla! security

9. Joomla! security (1)
   - Strong passwords
     - Beware of dictionary attacks
     - At least 8 characters, preferably 16 :)

10. Joomla! security (2)
   - Do not pick just any extension
   - Keep software up-to-date: Joomla! core and Joomla! extensions

11. Joomla! security (3)
   - Make sure .htaccess is in place
     - Rename "htaccess.txt" to ".htaccess"
     - Includes quick protection for common attacks

12. Joomla! security (4)
   - Create a new Super User
     - No username "admin"
     - A MySQL user ID other than 42 or 62

13. Joomla! security (5)
   - Backend protection: jSecure, kSecure, BackendToken
   - Scanning: RsFirewall, jDefender, jHackGuard
   - Joomla! ACLs (ACLmanager)

14. Joomla! security (6)
   - Remove the default META-tag generator:
     <?php JFactory::getDocument()->setGenerator('whatever'); ?>

15. Joomla! security (7)
   - Encrypt Joomla! Administrator access with a (self-generated) SSL certificate
   - Use SFTP (or SSH) if available, not FTP

16. Joomla! security (8)
   - Remove files you don't need:
     - 3rd party templates, 3rd party extensions
     - Joomla! test setups (and other applications)
     - CHANGELOG.php, CREDITS.php, INSTALL.php, configuration.php-dist, htaccess.txt, LICENSE.php, LICENSES.php
     - phpinfo.php
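Slide 16's list of leftover distribution files is easy to clean up from the shell. The snippet below is an added example, not the slides' or Joomla!'s own code: it reports which of the listed files exist under a given site root and deletes them, with one guard taken from slide 11: htaccess.txt is kept until a .htaccess is actually in place, because deleting it before the rename would lose the protections it carries. The demo root it builds is constructed.

```shell
#!/bin/sh
# Added example (not from the slides): remove the leftover files slide 16 lists
# from a Joomla! root. The file names come from the slide; the demo tree is constructed.
LEFTOVER_FILES="CHANGELOG.php CREDITS.php INSTALL.php configuration.php-dist htaccess.txt LICENSE.php LICENSES.php phpinfo.php"

# list_leftovers ROOT: print the leftover files that are present under ROOT, one per line.
list_leftovers() {
    root=$1
    for f in $LEFTOVER_FILES; do
        [ -e "$root/$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# remove_leftovers ROOT: delete the present leftovers. htaccess.txt is only
# removed once .htaccess exists (slide 11: rename it first).
remove_leftovers() {
    root=$1
    for f in $(list_leftovers "$root"); do
        if [ "$f" = "htaccess.txt" ] && [ ! -f "$root/.htaccess" ]; then
            echo "keeping $f: rename it to .htaccess first" >&2
            continue
        fi
        rm -f -- "$root/$f"
    done
}

# make_demo_root: a constructed fake Joomla! root containing every leftover
# plus two files that must survive. Prints its path.
make_demo_root() {
    d=$(mktemp -d)
    for f in $LEFTOVER_FILES index.php configuration.php; do
        : > "$d/$f"
    done
    printf '%s\n' "$d"
}

# Real use: list_leftovers /var/www/joomla   (review)  then  remove_leftovers /var/www/joomla
```

Run the listing first on a real site; it is the cheap check that also catches forgotten copies of phpinfo.php, which reveals far more about the server than the META generator tag that slide 14 removes.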
17. Joomla! security (9)
   - Two Factor Authentication: Google Authenticator, Yubikey

18. Joomla! security (10)
   - Do not use Joomla! 1.5
   - Change the database table prefix (Admintools)
   - Do not allow user registration if you don't want it
   - Apache HTTP authentication for the backend

19. General advice
   - Be careful with what you install
   - Versioning system like Git
   - Always test things first on a testing environment (plg_system_httpauth)
   - Create backups

20. Part III: Advanced security

21. LAMP security
   - File permissions
   - Firewall
   - Apache settings
   - PHP settings

22. UNIX file permissions
   - Basic rules
     - Three numbers: owner + group + world
     - 4 = read, 2 = write, 1 = execute
     - 644 = read-write for owner; read for group; read for world
     - Directories must always be executable (755 instead of 644)
   - Do not use:
     - 666 = read-write for owner; read-write for group; read-write for world
     - 777 (like 666, but with the execute bit set as well)
   - Do use:
     - 644 (files)
     - 755 (directories)
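The 644/755 rule from slide 22 can be audited and enforced with find(1), which also catches the world-writable (666/777) modes the slide warns against. This is an added example rather than anything from the slides: `-perm 755` tests for an exact mode, `-perm -002` for "anyone may write" regardless of the other bits, and `-exec chmod ... {} +` applies the fix in batches. The demo tree is constructed with the typical mistakes in it.

```shell
#!/bin/sh
# Added example (not from the slides): audit and enforce the slide-22 permission
# rule (644 for files, 755 for directories) under a web root.

# audit_perms ROOT: print every path whose mode deviates from the rule.
audit_perms() {
    root=$1
    find "$root" -type d ! -perm 755
    find "$root" -type f ! -perm 644
}

# count_world_writable ROOT: entries with the world write bit set (the "2" in
# the last digit of 666/777), which is the dangerous case on a shared host.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# fix_perms ROOT: set the recommended modes, touching only what deviates.
fix_perms() {
    root=$1
    find "$root" -type d ! -perm 755 -exec chmod 755 {} +
    find "$root" -type f ! -perm 644 -exec chmod 644 {} +
}

# make_perm_demo: constructed tree with the usual mistakes. Prints its path.
make_perm_demo() {
    d=$(mktemp -d)
    mkdir "$d/images" "$d/cache"
    : > "$d/index.php"
    : > "$d/images/logo.png"
    chmod 777 "$d/cache"            # "just make the cache work" fix
    chmod 666 "$d/index.php"        # world-writable PHP file
    chmod 755 "$d/images/logo.png"  # execute bit on a data file
    printf '%s\n' "$d"
}

# Real use: audit_perms /var/www/joomla   (review)  then  fix_perms /var/www/joomla
```

Directories Joomla! writes to (cache, tmp, logs, image uploads) still need to be writable by the web server user; give them that through ownership (chown to the user PHP runs as) rather than by falling back to 777, which hands write access to every other account on the machine.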
23. Firewall
   - Only allow what you need: HTTP, SSH, FTP, SMTP, DNS
   - Block everything you don't need: MySQL, IMAP, POP
   - Check with Nmap

24. Apache security
   - Apache settings:
     ServerTokens Prod
     ServerSignature Off
     TraceEnable Off
   - Apache modules: mod_rewrite, mod_evasive, mod_antiloris, mod_security2

25. PHP security (1 of 2)
   - PHP settings:
     register_globals = Off
     expose_php = Off
     safe_mode = Off
     magic_quotes = Off
     allow_url_include = Off
     allow_url_fopen = On???
     open_basedir = [yoursite]???

26. PHP security (2 of 2)
   - PHP disable_functions: show_source, system, shell_exec, exec, passthru, popen, proc_open, phpinfo
   - PHP modules: Suhosin
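Slides 24 to 26 give settings to check in httpd.conf and php.ini; what a practitioner wants is a repeatable check rather than a visual diff. The snippet below is an added example (not the slides' or any project's code) that reads the effective value of each directive (last uncommented assignment wins, as PHP and Apache do) and reports deviations from the slide values. It checks the settings the slides state as definite (the ??? items are left alone); the ini key for the slide's "magic_quotes" is magic_quotes_gpc. Both configuration fragments are constructed, with one deliberate deviation each, and their paths are the demo's, not a distribution's.

```shell
#!/bin/sh
# Added example (not from the slides): audit php.ini against slides 25-26 and
# an Apache config against slide 24. Sample files are constructed below.

# ini_value FILE KEY: effective value of "KEY = value" (last uncommented line),
# without quotes/whitespace and lower-cased. Lines starting with ';' are comments.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 \
        | tr -d '[:space:]"' | tr 'A-Z' 'a-z'
}

# check_php_ini FILE: print one FAIL line per deviation; return 1 if any.
# An unset key is reported too, so that the value is set explicitly.
check_php_ini() {
    ini=$1; bad=0
    for pair in register_globals:off expose_php:off safe_mode:off magic_quotes_gpc:off allow_url_include:off; do
        key=${pair%%:*}; want=${pair##*:}
        got=$(ini_value "$ini" "$key")
        [ "$got" = "$want" ] || { echo "FAIL $key=${got:-unset} (want $want)"; bad=1; }
    done
    # disable_functions must name every function from slide 26
    df=$(ini_value "$ini" disable_functions)
    for fn in show_source system shell_exec exec passthru popen proc_open phpinfo; do
        case ",$df," in
            *",$fn,"*) ;;
            *) echo "FAIL disable_functions lacks $fn"; bad=1 ;;
        esac
    done
    return $bad
}

# check_apache_conf FILE: the three directives from slide 24 ("Key value" form).
check_apache_conf() {
    conf=$1; bad=0
    for pair in ServerTokens:prod ServerSignature:off TraceEnable:off; do
        key=${pair%%:*}; want=${pair##*:}
        got=$(grep -i "^[[:space:]]*$key[[:space:]]" "$conf" | tail -n 1 | awk '{ print tolower($2) }')
        [ "$got" = "$want" ] || { echo "FAIL $key=${got:-unset} (want $want)"; bad=1; }
    done
    return $bad
}

# write_samples: constructed php.ini and httpd.conf fragments in a temp dir.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/php.ini" <<'EOF'
; constructed php.ini fragment for the demo
register_globals = Off
expose_php = On
safe_mode = Off
magic_quotes_gpc = Off
allow_url_include = Off
allow_url_fopen = On
disable_functions = show_source,system,shell_exec,exec,passthru,popen,proc_open
EOF
    cat > "$dir/httpd.conf" <<'EOF'
# constructed httpd.conf fragment for the demo
ServerTokens Prod
ServerSignature Off
TraceEnable On
EOF
    printf '%s\n' "$dir"
}

# Real use: check_php_ini /etc/php.ini; check_apache_conf /etc/httpd/conf/httpd.conf
```

On the constructed input the PHP check reports expose_php and the missing phpinfo in disable_functions, and the Apache check reports TraceEnable; a clean run prints nothing and returns 0, which makes it usable from a cron job or a deployment script.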
27. Too late ...
   - maldet (malware detector)
   - rkhunter (rootkit hunter)
   - IDS (intrusion detection system): Tripwire, Samhain
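The IDS tools on slide 27 (Tripwire, Samhain) work from a baseline of file hashes taken while the site is known-good, and later report what was added, removed or changed. The snippet below is an added example of that idea in plain shell; it is not those tools' code and is far less complete (no signed database, no metadata checks), but it shows what a drift report looks like. It assumes GNU sha256sum and file paths without whitespace; the demo tree is constructed.

```shell
#!/bin/sh
# Added example (not from the slides): a minimal file-integrity baseline in the
# spirit of the IDS tools on slide 27. Assumes GNU sha256sum.

# make_baseline ROOT OUT: sha256 of every regular file under ROOT, sorted by
# path so the file is reproducible. Keep OUT outside the web root.
make_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$2"
}

# check_baseline ROOT BASELINE: print "added/changed/removed PATH" lines for
# every difference between BASELINE and the current state; nothing if clean.
check_baseline() {
    cur=$(mktemp)
    make_baseline "$1" "$cur"
    # sha256sum lines are "HASH  ./path": $1 is the hash, $2 the path.
    awk 'NR == FNR { base[$2] = $1; next }
         {
             if (!($2 in base)) print "added " $2
             else if (base[$2] != $1) print "changed " $2
             seen[$2] = 1
         }
         END { for (p in base) if (!(p in seen)) print "removed " p }' "$2" "$cur" | LC_ALL=C sort
    rm -f "$cur"
}

# drift_count ROOT BASELINE: number of reported differences.
drift_count() {
    check_baseline "$1" "$2" | grep -c .
}

# make_fim_demo: constructed site tree. Prints its path.
make_fim_demo() {
    d=$(mktemp -d)
    mkdir "$d/images"
    printf '<?php echo "hello"; ?>\n' > "$d/index.php"
    printf 'logo\n' > "$d/images/logo.png"
    printf '%s\n' "$d"
}

# Real use: make_baseline /var/www/joomla /root/site.sha256 after a clean deploy,
# then check_baseline /var/www/joomla /root/site.sha256 from cron.
```

The useful signals for a Joomla! site are new PHP files in directories that should only hold uploads (images, tmp, cache) and changes to files the core update did not touch. Refresh the baseline after every legitimate update, otherwise the report is all noise.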
28. UNIX hacking ... the greatest game on the internet

29. "Ignorance is bliss"
   - The Google Hacking database makes it easy
   - SSL certificates are only secure if the SSL root-authority servers are
   - We trust TCP/IP to be fairly secure, but is it? (slowloris)
   - When the C code of a rootkit is modified by a script-kiddie, it is no longer detected by rootkit scanners - bummer, nobody knows if it's there

30. docs.joomla.org/Security

31. Any questions?