View
3.591
Download
0
Category
Preview:
Citation preview
Joomla! 1.5 Security
Joomla!day Presentation
Utrecht, Netherlands
12 june 2009
Is Joomla! safe?
Is the World Wide Web Safe?
You know, I don't mean any disrespect, but I had to chuckle by the question "Is Joomla! not safe?" since it reminded me of the movie The Marathon Man when the dentist is pulling Dustin Hoffman's teeth out, asking "Is it safe?" and he's so desperate to get the Dentist to stop that he says Yes or No or What do you want to hear?
Is Joomla! safe?
Quote taken from:http://forum.joomla.org/viewtopic.php?f=432&t=318351&st=0&sk=t&sd=a
5
I would say - anyone who tells a community that a Web site or a out of the box solution
is safe is not being responsible. No, it is not "safe" on the Internet.
6
What is this presentation about?
Getting StartedHosting and Server SetupJoomla SetupSite AdministrationSite Recovery
Presentation overview
9
Getting started
10
Getting started
11
Getting started
Some basic things before we go into details:Report (possible) hack to JSSThttp://developer.joomla.org/security/contact-the-team.html
Please don’t report hacks or proof-of-concepts out in the open, also report them to JSSTStay informed! Automatic Email Notificationhttp://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews
RSS feedhttp://feeds.joomla.org/JoomlaSecurityNews
12
Getting started
13
Hosting and server set up
Shared hosting?
Or
Dedicated hosting?
14
Hosting and server set up
“register_globals”
“open_basedir”
Configure Apache:Secure important areas with .htaccessUse mod_rewrite and mod_security to block PHP attacks
Configure MySQLImplement user accounts with “need-to-know” principle
Configure PHPUse PHP 5!Configure your php.ini file properly (most of the times limited with shared hosts)
15
Hosting and server set up
Configure php.iniUse “disable_functions” to disable dangerous PHP functions that are not needed by your site.“Use PHP open_basedir”Don't use “PHP safe_mode” (it gives a false sense of security)Don't use “PHP register_globals”Don't use “PHP allow_url_fopen”. This option enables the URL-aware fopen wrappers that enable accessing URL object like files.
16
17
Joomla! setup
Some basic rules to think about:Only install official Joomla! versions!Change the default administrator usernameProtect directories and filesMove crucial files outside public directoryhttp://docs.joomla.org/Security_and_Performance_FAQs#How_do_I_move_confidential_files_outside_of_public_html.3F
Ensure that all configurable paths to writable or uploadable directories
Protect your log directory (moving it out of document root or .htaccess protect it)
Adjust file and directory permissionsSet critical directories to 755
Set file permissions to 644
Remove unneeded files18
Joomla! setup
Before you install extensionsAlways backup (even on your test system)Always test before you install on your life serverCheck for extension vulnerabilitiesDownload from trusted sitesUser beware! Check the code qualityTest! Test! Test!Remove junk files (all that is not needed)Avoid encrypted code
19
Joomla! setup
20
Site administration
Use well-formed passwordsMaintain a strong site backup processMonitor crack attempts (tripwire, SAMHAIN)Perform manual intrusion detection (manual logfile scan)Stay current with security patches and upgrades
21
Site administration
Get help the right wayFollow a logical and rigorous recovery process Reset your administrator password (and all admins/super admins)Find exploit attempts using the *NIX shell
22
Site recovery
23
Links
Documentation wiki : http://docs.joomla.org/Category:Security_Checklist
Joomla! Security Strike Team (JSST): http://developer.joomla.org/security.html
Report issues to JSST : http://developer.joomla.org/security/contact-the-team.html
24
Links
Joomla! related
www.joomla.org
developer.joomla.org/security.html
www.secunia.org
www.milw0rm.com
Sites to put RSS feeds on
http://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews
General
www.us-cert.gov
www.frsirt.com
Operating systems related
www.debian.org/security
www.openbsd.org/security
www.redhat.org/apps/support
25
Sites to monitor when you take security seriously
26
Questions?
Recommended