32

Joomladay Switzerland - security

Tags:

Embed Size (px)

DESCRIPTION

Joomladay Switzerland - security.ppt

Citation preview

Page 1: Joomladay Switzerland - security
Page 2: Joomladay Switzerland - security
Page 3: Joomladay Switzerland - security

Joomla! 1.5 Security

Joomla!day Presentation

Luzern, Switzerland

15 November 2008

Page 4: Joomladay Switzerland - security

Is Joomla! safe?

Page 5: Joomladay Switzerland - security

Is the World Wide Web Safe?

Page 6: Joomladay Switzerland - security

You know, I don't mean any disrespect, but I had to chuckle by the question "Is Joomla! not safe?" since it reminded me of the movie The Marathon Man when the dentist is pulling Dustin Hoffman's teeth out, asking "Is it safe?" and he's so desperate to get the Dentist to stop that he says Yes or No or What do you want to hear?

Is Joomla! safe?

Quote taken from: http://forum.joomla.org/viewtopic.php?f=432&t=318351&st=0&sk=t&sd=a

Page 7: Joomladay Switzerland - security

7

Page 8: Joomladay Switzerland - security

I would say - anyone who tells a community that a Web site or a out of the box solution

is safe is not being responsible. No, it is not "safe" on the Internet.

8Quote taken from: http://forum.joomla.org/viewtopic.php?f=432&t=318351&st=0&sk=t&sd=a

Page 9: Joomladay Switzerland - security

What is this presentation about?

Page 10: Joomladay Switzerland - security

• Getting Started• Hosting and Server Setup• Joomla Setup• Site Administration• Site Recovery

Presentation overview

Presentation approach taken from http://docs.joomla.org/Category:Security_Checklist

Page 11: Joomladay Switzerland - security

11

Getting started

Page 12: Joomladay Switzerland - security

12

Getting started

Page 13: Joomladay Switzerland - security

13

Getting started

Page 14: Joomladay Switzerland - security

Some basic things before we go into details:• Report (possible) hack to JSST

http://developer.joomla.org/security/contact-the-team.html

• Please don’t report hacks or proof-of-concepts out in the open, also report them to JSST

• Stay informed!– Automatic Email Notification

http://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews

– RSS feedhttp://feeds.joomla.org/JoomlaSecurityNews

14

Getting started

Page 15: Joomladay Switzerland - security

15

Hosting and server set up

Shared hosting?

Or

Dedicated hosting?

Page 16: Joomladay Switzerland - security

16

Hosting and server set up

“register_globals”

“open_basedir”

Page 17: Joomladay Switzerland - security

• Configure Apache:– Secure important areas with .htaccess– Use mod_rewrite and mod_security to block

PHP attacks

• Configure MySQL– Implement user accounts with “need-to-know”

principle

• Configure PHP– Use PHP 5!– Configure your php.ini file properly (most of the

times limited with shared hosts)17

Hosting and server set up

Page 18: Joomladay Switzerland - security

• Configure php.ini– Use “disable_functions” to disable dangerous

PHP functions that are not needed by your site.– “Use PHP open_basedir”– Don't use “PHP safe_mode” (it gives a false

sense of security)– Don't use “PHP register_globals”– Don't use “PHP allow_url_fopen”. This option

enables the URL-aware fopen wrappers that enable accessing URL object like files.

18

Page 19: Joomladay Switzerland - security

19

Joomla! setup

Page 20: Joomladay Switzerland - security

• Some basic rules to think about:– Only install official Joomla! versions!

– Change the default administrator username

– Protect directories and files• Move crucial files outside public directory

http://docs.joomla.org/Security_and_Performance_FAQs#How_do_I_move_confidential_files_outside_of_public_html.3F

• Ensure that all configurable paths to writable or uploadable directories

• Protect your log directory (moving it out of document root or .htaccess protect it)

– Adjust file and directory permissions• Set critical directories to 755

• Set file permissions to 644

– Remove unneeded files 20

Joomla! setup

Page 21: Joomladay Switzerland - security

21

Joomla! setup

Page 22: Joomladay Switzerland - security

• Before you install extensions– Always backup (even on your test system)– Always test before you install on your life server– Check for extension vulnerabilities– Download from trusted sites– User beware! Check the code quality– Test! Test! Test!– Remove junk files (all that is not needed)– Avoid encrypted code

22

Joomla! setup

Page 23: Joomladay Switzerland - security

23

Site administration

Page 24: Joomladay Switzerland - security

• Use well-formed passwords• Maintain a strong site backup process• Monitor crack attempts (tripwire, SAMHAIN)• Perform manual intrusion detection (manual

logfile scan)• Stay current with security patches and

upgrades

24

Site administration

Page 25: Joomladay Switzerland - security

• Get help the right way• Follow a logical and rigorous recovery

process • Reset your administrator password (and all

admins/super admins)• Find exploit attempts using the *NIX shell

25

Site recovery

Page 26: Joomladay Switzerland - security

26

Links

Page 27: Joomladay Switzerland - security

• Documentation wiki : http://docs.joomla.org/Category:Security_Checklist

• Joomla! Security Strike Team (JSST): http://developer.joomla.org/security.html

• Report issues to JSST : http://developer.joomla.org/security/contact-the-team.html

27

Links

Page 28: Joomladay Switzerland - security

Joomla! related

• www.joomla.org

• developer.joomla.org/security.html

• www.secunia.org

• www.milw0rm.com

Sites to put RSS feeds on

• http://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews

General

• www.us-cert.gov

• www.frsirt.com

Operating systems related

• www.debian.org/security

• www.openbsd.org/security

• www.redhat.org/apps/support

28

Sites to monitor when you take security seriously

Page 29: Joomladay Switzerland - security

Joomla!

“All together”

Page 30: Joomladay Switzerland - security

30

Questions?

Page 31: Joomladay Switzerland - security
Page 32: Joomladay Switzerland - security

SEO In Joomla - Patrick Jackson (JoomlaDay Sydney 2009)

SEO In Joomla - Patrick Jackson (JoomlaDay Sydney 2009)

Documents
Joomladay denmark-2010-16

Joomladay denmark-2010-16

Technology
JoomlaDay UK 2016 Presentation

JoomlaDay UK 2016 Presentation

Internet
J! Extensions - JoomlaDay France 2014

J! Extensions - JoomlaDay France 2014

Internet
Joomladay Netherlands - Security

Joomladay Netherlands - Security

Technology
Where is joomla! going @ JoomlaDay™ Poland 2014

Where is joomla! going @ JoomlaDay™ Poland 2014

Presentations & Public Speaking
Where is joomla! going - JoomlaDay Prague 2014

Where is joomla! going - JoomlaDay Prague 2014

Technology
Analitica web, los origenes JoomlaDay Guatemala

Analitica web, los origenes JoomlaDay Guatemala

Education
L'accessibilité du Web Joomladay FR 2012 - Version annotée

L'accessibilité du Web Joomladay FR 2012 - Version annotée

Education
Joomladay Es 2009 - Nooku Framework

Joomladay Es 2009 - Nooku Framework

Technology
Joomladay 2014 - Open source licenses

Joomladay 2014 - Open source licenses

Technology
Joomla! 1 - JoomlaDay Bangkok 2012

Joomla! 1 - JoomlaDay Bangkok 2012

Documents
JoomlaDay Madrid,Spain 2014 - Joomla! community - that rocks!

JoomlaDay Madrid,Spain 2014 - Joomla! community - that rocks!

Presentations & Public Speaking
Joomladay Netherlands 2012 - Joomla in the Cloud

Joomladay Netherlands 2012 - Joomla in the Cloud

Technology
Two-factor authentication w Joomla! - JoomlaDay Polska 2015

Two-factor authentication w Joomla! - JoomlaDay Polska 2015

Internet
Social security in Switzerland - AHV/IV

Social security in Switzerland - AHV/IV

Documents
Webzurich - The State of Web Security in Switzerland

Webzurich - The State of Web Security in Switzerland

Technology
JoomlaDay™ Bangkok 2013 - FLEXIcontent CCK for Joomla

JoomlaDay™ Bangkok 2013 - FLEXIcontent CCK for Joomla

Technology
Joomla SEO Presentation at Joomladay UK 2011

Joomla SEO Presentation at Joomladay UK 2011

Technology
Joomladay UK SEO presentation

Joomladay UK SEO presentation

Design
How IT works - Joomladay Germany 2014

How IT works - Joomladay Germany 2014

Technology
Switzerland: Data Protection & Cyber Security€¦ · Switzerland: Data Protection & Cyber Security This country-specific Q&A provides an overview to data protection and cyber security

Switzerland: Data Protection & Cyber Security€¦ · Switzerland: Data Protection & Cyber Security This country-specific Q&A provides an overview to data protection and cyber security

Documents
Troubleshooting Joomla! problems - Joomladay Germany 2014

Troubleshooting Joomla! problems - Joomladay Germany 2014

Technology
DOMESTIC SECURITY REPORT SWITZERLAND 2004

DOMESTIC SECURITY REPORT SWITZERLAND 2004

Documents
Joomladay UK 2014 - You gotta know !!

Joomladay UK 2014 - You gotta know !!

Internet
Developing new feature in Joomla - Joomladay UK 2016

Developing new feature in Joomla - Joomladay UK 2016

Technology
MU Company Profile 2020 · JoomlaDay KL – Main Sponsor WordCamp KL 2017 – Silver Sponsor WordPress Meetups – Venue Sponsor 2016 JoomlaDay KL – Gold Sponsor WordPress Meetups

MU Company Profile 2020 · JoomlaDay KL – Main Sponsor WordCamp KL 2017 – Silver Sponsor WordPress Meetups – Venue Sponsor 2016 JoomlaDay KL – Gold Sponsor WordPress Meetups

Documents
Joomladay NL 2011 - Belgium Police and Joomla

Joomladay NL 2011 - Belgium Police and Joomla

Technology
Security Concept of Switzerland

Security Concept of Switzerland

Documents
Joomla wireframing Template - Joomladay Netherlands 2014 #jd14nl

Joomla wireframing Template - Joomladay Netherlands 2014 #jd14nl

Technology