Presentation “Joomla! Security” - http://slideshare.net/yireo Jisse Reitsma ([email protected]) - Twitter @yireo Joomla! security

Joomla! security


DESCRIPTION

Presentation on Joomla! security, covering both basic and advanced techniques. Used during the Joomla! User Group meeting in Den Bosch, NL (JUG073).

Page 1: Joomla! security

Joomla! security

Page 2: Joomla! security

My name is Jisse Reitsma

Joomla! enthusiast

PHP programmer

Lead developer of Yireo

Joomla! templates-book (NL)

Helping Tibet Support Group

Page 3: Joomla! security

My presentation

Part I - Basics

Part II - Joomla! security

Part III - Advanced things

Page 4: Joomla! security

Part I - Basics of security

Page 5: Joomla! security

Why bother?

Everybody makes mistakes

Joomla! is very popular ... also with hackers

What can happen?

Website defacement (damage to business image)

Malware installed (viruses, exploits, zombie-software)

Page 6: Joomla! security

What is security?

SQL injection

POST spoofing

Path traversal; Remote path inclusion

Cross Site Scripting (XSS), CSRF

Session hijacking, cookie theft

Rootkits

Page 7: Joomla! security

Common Joomla! attacks

SQL injection

http://localhost/joomla/index.php/weblinks-categories?id=0%20%29%20union%20select%20password%20from%20%60jos_users%60%20--%20%29

XSS vulnerability

Textarea: <script>alert('test');</script>
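As an added example that is not part of the slides: a small detection script that flags Apache access-log requests carrying the two payload shapes shown on this slide. The log lines are constructed for the demo; a real combined-format access_log is read the same way. A payload typed into a textarea travels in a POST body, which the access log does not record, so this only catches what ends up in the URL.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): flag access-log requests that carry the
# SQL-injection or XSS payload shapes shown on slide 7. Log lines are constructed.

# Decode the percent-escapes that matter for matching, turn '+' into space, lower-case.
normalise_url() {
    printf '%s\n' "$1" \
      | sed -e 's/%20/ /g' -e 's/+/ /g' -e "s/%27/'/g" -e 's/%28/(/g' -e 's/%29/)/g' \
            -e 's/%3[Cc]/</g' -e 's/%3[Ee]/>/g' -e 's/%60/`/g' \
      | tr 'A-Z' 'a-z'
}

# Print "TAG<TAB>line" for each suspicious request in log file $1.
scan_access_log() {
    while IFS= read -r line; do
        url=$(printf '%s\n' "$line" | awk '{print $7}')   # request path in combined format
        dec=$(normalise_url "$url")
        case "$dec" in
            *"union select"*|*"union all select"*) printf 'SQLI\t%s\n' "$line" ;;
            *"<script"*|*"onerror="*)              printf 'XSS\t%s\n' "$line" ;;
        esac
    done < "$1"
}

# Number of flagged requests in log file $1.
count_hits() {
    scan_access_log "$1" | wc -l | tr -d ' '
}

# Constructed sample log: two benign requests, the slide's SQLi URL, one reflected-XSS probe.
DEMO_LOG=$(mktemp)
cat > "$DEMO_LOG" <<'EOF'
10.0.0.5 - - [12/Mar/2013:10:01:02 +0100] "GET /joomla/index.php HTTP/1.1" 200 5120
10.0.0.5 - - [12/Mar/2013:10:01:09 +0100] "GET /joomla/index.php/weblinks-categories?id=3 HTTP/1.1" 200 2210
10.0.0.9 - - [12/Mar/2013:10:02:44 +0100] "GET /joomla/index.php/weblinks-categories?id=0%20%29%20union%20select%20password%20from%20%60jos_users%60%20--%20%29 HTTP/1.1" 500 310
10.0.0.9 - - [12/Mar/2013:10:03:01 +0100] "GET /joomla/index.php?option=com_search&searchword=%3Cscript%3Ealert%28%27test%27%29%3C%2Fscript%3E HTTP/1.1" 200 1980
EOF

scan_access_log "$DEMO_LOG"
```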

Page 8: Joomla! security

Part II - Joomla! security

Page 9: Joomla! security

Joomla! security (1)

Strong passwords

Beware of dictionary attacks

At least 8 characters, preferably 16 :)

Page 10: Joomla! security

Joomla! security (2)

Do not pick just any extension

Keep software up-to-date

Joomla! core

Joomla! extensions

Page 11: Joomla! security

Joomla! security (3)

Make sure .htaccess is in place

Rename from “htaccess.txt” to “.htaccess”

Includes quick protection for common attacks

Page 12: Joomla! security

Joomla! security (4)

Create a new Super User

No username “admin”

A MySQL user ID other than 42 or 62

Page 13: Joomla! security

Joomla! security (5)

Backend protection

jSecure, kSecure, BackendToken

Scanning

RsFirewall, jDefender, jHackGuard

Joomla! ACLs (ACLmanager)

Page 14: Joomla! security

Joomla! security (6)

Remove the default META-tag generator

<?php JFactory::getDocument()->setGenerator('whatever'); ?>

Page 15: Joomla! security

Joomla! security (7)

Encrypt Joomla! Administrator access with a (self-generated) SSL certificate

Use SFTP (or SSH) if available, and not FTP

Page 16: Joomla! security

Joomla! security (8)

Remove files you don't need

3rd party templates, 3rd party extensions

Joomla! test setups (and other applications)

CHANGELOG.php, CREDITS.php, INSTALL.php, configuration.php-dist, htaccess.txt, LICENSE.php, LICENSES.php

phpinfo.php

Page 17: Joomla! security

Joomla! security (9)

Two Factor Authentication

Google Authenticator

Yubikey

Page 18: Joomla! security

Joomla! security (10)

Do not use Joomla! 1.5

Change database table prefix (Admintools)

Do not allow user registration if you don't want it

Apache HTTP authentication for backend

Page 19: Joomla! security

General advice

Be careful with what you install

Versioning system like Git

Always test things first in a testing environment (plg_system_httpauth)

Create backups

Page 20: Joomla! security

Part III - Advanced security

Page 21: Joomla! security

LAMP security

File permissions

Firewall

Apache settings

PHP settings

Page 22: Joomla! security

UNIX file permissions

Basic rules

Three numbers: owner + group + world

4 = read, 2 = write, 1 = execute

644 = read-write for owner; read for group; read for world

Directories must always be executable (755 instead of 644)

Do not use:

666 = read-write for owner; read-write for group; read-write for world

777 (same as 666, but with the execute bit added)

Do use:

644 (files)

755 (directories)
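As an added example that is not part of the slides, a script that audits a Joomla! site root along the lines of slides 16 and 22: it lists installer leftovers that are still present, lists entries writable by group or world (the 666/777 the slide bans), and resets everything to 644 for files and 755 for directories. The small tree it builds is constructed for the demo; `fix_perms` is meant to be run on the real site root.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): audit a Joomla! site root as slides 16 and 22
# describe. $1 is the site root; the tree built below is constructed for the demo.

# Installer leftovers from slide 16 that should not stay on a live site.
LEFTOVERS="CHANGELOG.php CREDITS.php INSTALL.php configuration.php-dist htaccess.txt LICENSE.php LICENSES.php phpinfo.php"

# Print each leftover file still present directly under $1.
find_leftovers() {
    for f in $LEFTOVERS; do
        [ -e "$1/$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Print every entry under $1 that is writable by group or world.
find_group_or_world_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) | sort
}

# Reset modes to 644 (files) / 755 (directories); print how many entries were off-rule.
fix_perms() {
    off=$( { find "$1" -type f ! -perm 644; find "$1" -type d ! -perm 755; } | wc -l | tr -d ' ')
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type d -exec chmod 755 {} +
    printf '%s\n' "$off"
}

# Constructed demo tree: a 777 images/ dir, a 666 configuration.php and two leftovers.
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/administrator" "$DEMO_ROOT/images"
for f in index.php configuration.php htaccess.txt CHANGELOG.php; do : > "$DEMO_ROOT/$f"; done
chmod 755 "$DEMO_ROOT" "$DEMO_ROOT/administrator"
chmod 777 "$DEMO_ROOT/images"
chmod 644 "$DEMO_ROOT/index.php" "$DEMO_ROOT/htaccess.txt" "$DEMO_ROOT/CHANGELOG.php"
chmod 666 "$DEMO_ROOT/configuration.php"

echo "leftovers:"; find_leftovers "$DEMO_ROOT"
echo "writable by group or world:"; find_group_or_world_writable "$DEMO_ROOT"
```

Running `fix_perms "$DEMO_ROOT"` afterwards reports 2 corrected entries and a second audit comes back empty.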

Page 23: Joomla! security

Firewall

Only allow what you need

HTTP, SSH, FTP, SMTP, DNS

Block everything you don't need

MySQL, IMAP, POP

Check with Nmap

Page 24: Joomla! security

Apache security

Apache settings

ServerTokens Prod

ServerSignature off

TraceEnable off

Apache modules

mod_rewrite

mod_evasive

mod_antiloris

mod_security2

Page 25: Joomla! security

PHP security (1 of 2)

PHP settings

register_globals = Off

expose_php = Off

safe_mode = Off

magic_quotes = Off

allow_url_include = Off

allow_url_fopen = On???

open_basedir = [yoursite]???

Page 26: Joomla! security

PHP security (2 of 2)

PHP disable_functions

show_source

system, shell_exec, exec, passthru

popen, proc_open

phpinfo

PHP modules

Suhosin
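As an added example that is not part of the slides, a check that compares a php.ini against the settings on the two PHP slides: every directive the slides want Off, and every function the slides want in disable_functions. The ini text is constructed for the demo; the slide's "magic_quotes" is checked as the real directive magic_quotes_gpc, and point `check_php_ini` at the file `php --ini` reports to audit a real server.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): check a php.ini against the hardening
# settings on slides 25 and 26. The ini fragment below is constructed.

# Directives the slides want switched Off (magic_quotes on the slide = magic_quotes_gpc).
WANT_OFF="register_globals expose_php safe_mode magic_quotes_gpc allow_url_include"
# Functions the slides want listed in disable_functions.
WANT_DISABLED="show_source system shell_exec exec passthru popen proc_open phpinfo"

# Print the value of directive $2 in ini file $1 (comments and trailing blanks
# stripped); prints nothing if the directive is not set.
ini_get() {
    sed -n -e 's/[[:space:]]*;.*$//' -e 's/[[:space:]]*$//' \
           -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print one finding per line; prints nothing when the file matches the slides.
check_php_ini() {
    for d in $WANT_OFF; do
        v=$(ini_get "$1" "$d" | tr 'A-Z' 'a-z')
        case "$v" in
            off|0) ;;
            "")    printf 'WARN %s not set explicitly\n' "$d" ;;
            *)     printf 'FAIL %s = %s (want Off)\n' "$d" "$v" ;;
        esac
    done
    disabled=",$(ini_get "$1" disable_functions | tr -d ' '),"
    for f in $WANT_DISABLED; do
        case "$disabled" in
            *",$f,"*) ;;
            *)        printf 'FAIL %s not in disable_functions\n' "$f" ;;
        esac
    done
    return 0
}

# Constructed php.ini fragment: one directive still On, three functions left enabled.
DEMO_INI=$(mktemp)
cat > "$DEMO_INI" <<'EOF'
; constructed fragment for the demo
register_globals = Off
expose_php = On        ; advertises the PHP version in the X-Powered-By header
safe_mode = Off
magic_quotes_gpc = Off
allow_url_include = Off
disable_functions = show_source, system, shell_exec, exec, passthru
EOF

check_php_ini "$DEMO_INI"
```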

Page 27: Joomla! security

Too late . . .

maldet (malware detector)

rkhunter (rootkit hunter)

IDS (intrusion detection system)

Tripwire

Samhain

Page 28: Joomla! security

UNIX hacking...

the greatest game on the internet

Page 29: Joomla! security

“Ignorance is bliss”

The Google Hacking database makes it easy

SSL certificates are only as secure as the SSL root-authority servers behind them

We trust TCP/IP to be fairly secure, but is it? (slowloris)

When the C code of a rootkit is modified by a script kiddie, rootkit scanners no longer detect it - bummer, nobody knows whether it is there

Page 30: Joomla! security

docs.joomla.org/Security

Page 31: Joomla! security

any questions?