Upload
wilco-jansen
View
3.218
Download
1
Tags:
Embed Size (px)
DESCRIPTION
Joomladay Switzerland - security.ppt
Citation preview
Joomla! 1.5 Security
Joomla!day Presentation
Luzern, Switzerland
15 November 2008
Is Joomla! safe?
Is the World Wide Web Safe?
You know, I don't mean any disrespect, but I had to chuckle by the question "Is Joomla! not safe?" since it reminded me of the movie The Marathon Man when the dentist is pulling Dustin Hoffman's teeth out, asking "Is it safe?" and he's so desperate to get the Dentist to stop that he says Yes or No or What do you want to hear?
Is Joomla! safe?
Quote taken from: http://forum.joomla.org/viewtopic.php?f=432&t=318351&st=0&sk=t&sd=a
7
I would say - anyone who tells a community that a Web site or a out of the box solution
is safe is not being responsible. No, it is not "safe" on the Internet.
8Quote taken from: http://forum.joomla.org/viewtopic.php?f=432&t=318351&st=0&sk=t&sd=a
What is this presentation about?
• Getting Started• Hosting and Server Setup• Joomla Setup• Site Administration• Site Recovery
Presentation overview
Presentation approach taken from http://docs.joomla.org/Category:Security_Checklist
11
Getting started
12
Getting started
13
Getting started
Some basic things before we go into details:• Report (possible) hack to JSST
http://developer.joomla.org/security/contact-the-team.html
• Please don’t report hacks or proof-of-concepts out in the open, also report them to JSST
• Stay informed!– Automatic Email Notification
http://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews
– RSS feedhttp://feeds.joomla.org/JoomlaSecurityNews
14
Getting started
15
Hosting and server set up
Shared hosting?
Or
Dedicated hosting?
16
Hosting and server set up
“register_globals”
“open_basedir”
• Configure Apache:– Secure important areas with .htaccess– Use mod_rewrite and mod_security to block
PHP attacks
• Configure MySQL– Implement user accounts with “need-to-know”
principle
• Configure PHP– Use PHP 5!– Configure your php.ini file properly (most of the
times limited with shared hosts)17
Hosting and server set up
• Configure php.ini– Use “disable_functions” to disable dangerous
PHP functions that are not needed by your site.– “Use PHP open_basedir”– Don't use “PHP safe_mode” (it gives a false
sense of security)– Don't use “PHP register_globals”– Don't use “PHP allow_url_fopen”. This option
enables the URL-aware fopen wrappers that enable accessing URL object like files.
18
19
Joomla! setup
• Some basic rules to think about:– Only install official Joomla! versions!
– Change the default administrator username
– Protect directories and files• Move crucial files outside public directory
http://docs.joomla.org/Security_and_Performance_FAQs#How_do_I_move_confidential_files_outside_of_public_html.3F
• Ensure that all configurable paths to writable or uploadable directories
• Protect your log directory (moving it out of document root or .htaccess protect it)
– Adjust file and directory permissions• Set critical directories to 755
• Set file permissions to 644
– Remove unneeded files 20
Joomla! setup
21
Joomla! setup
• Before you install extensions– Always backup (even on your test system)– Always test before you install on your life server– Check for extension vulnerabilities– Download from trusted sites– User beware! Check the code quality– Test! Test! Test!– Remove junk files (all that is not needed)– Avoid encrypted code
22
Joomla! setup
23
Site administration
• Use well-formed passwords• Maintain a strong site backup process• Monitor crack attempts (tripwire, SAMHAIN)• Perform manual intrusion detection (manual
logfile scan)• Stay current with security patches and
upgrades
24
Site administration
• Get help the right way• Follow a logical and rigorous recovery
process • Reset your administrator password (and all
admins/super admins)• Find exploit attempts using the *NIX shell
25
Site recovery
26
Links
• Documentation wiki : http://docs.joomla.org/Category:Security_Checklist
• Joomla! Security Strike Team (JSST): http://developer.joomla.org/security.html
• Report issues to JSST : http://developer.joomla.org/security/contact-the-team.html
27
Links
Joomla! related
• www.joomla.org
• developer.joomla.org/security.html
• www.secunia.org
• www.milw0rm.com
Sites to put RSS feeds on
• http://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews
General
• www.us-cert.gov
• www.frsirt.com
Operating systems related
• www.debian.org/security
• www.openbsd.org/security
• www.redhat.org/apps/support
28
Sites to monitor when you take security seriously
Joomla!
“All together”
30
Questions?