JaB11 - Joomla! Security 101
•Download as KEY, PDF•
3 likes•1,036 views
The complete set of slides from my J and Beyond 2011 presentation "Joomla! Security 101". Enjoy!
Recommended
More Related Content
Viewers also liked
Viewers also liked (19)
Recently uploaded
Recently uploaded (20)
JaB11 - Joomla! Security 101
- 1. Joomla! Security 101 What to do before disaster strikes http://akeeba.info/security-101
- 2. Hi, I’m Nicholas Dionysopoulos and I bet you can’t pronounce my last name http://akeeba.info/me
- 3. What is site security? And what Chuck Norris has to do with anything?!
- 4. Security is about... making it harder to infiltrate, not making it impossible
- 5. How do you do that? What stands between your site and hackers?
- 6. Security comes in layers Incoming request Firewall Web Server (Global) Web Server (.htaccess) Joomla! Extensions
- 7. Security comes in layers Incoming request Always managed by your host Firewall Web Server (Global) Web Server (.htaccess) Joomla! Extensions
- 8. Security comes in layers Incoming request Firewall mod_security, suPHP, … Web Server (Global) Web Server (.htaccess) Joomla! Extensions
- 9. Security comes in layers Incoming request Firewall Web Server (Global) The most basic protection Web Server (.htaccess) Joomla! Extensions
- 10. Security comes in layers Incoming request Firewall Web Server (Global) Web Server (.htaccess) Basic filtering Joomla! Extensions
- 11. Security comes in layers Incoming request Firewall Web Server (Global) Web Server (.htaccess) Joomla! These are ultimately responsible! Extensions
- 12. Security comes in layers Incoming request Firewall Web Server (Global) Web Server (.htaccess) Joomla! Extensions
- 13. Our scope today Incoming request Firewall Web Server (Global) Web Server (.htaccess) Joomla! Extensions
- 14. The basics What we’re supposed to do and rarely do it
- 15. Frequent, tested backups Would you jump off a plane without a parachute? http://akeeba.info/backup
- 16. Update, yesterday Yesterday’s code is tomorrow’s hack http://akeeba.info/basic-security
- 17. Protect your backend The login is not enough
- 18. 777: The number of the beast Permissions are doors; don’t leave them open http://akeeba.info/777
- 19. Sensible permissions Ask your host to enable suPHP or Apache’s mod_itk Site root 0755 or 0700 Directories 0755 Files 0644 If you “must” use 0777 (don’t!) protect with .htaccess: order deny, allow deny from all
- 20. Don’t be a sitting duck It’s duck season!
- 21. Mind your prefix Nobody wants to be a jos_ http://akeeba.info/prefix
- 22. 62 reasons to fire your Super Administrator or 42, depending on Joomla! version... http://akeeba.info/62-reasons
- 23. Security Kung-Fu You can’t kill a Ninja http://akeeba.info/ninja
- 24. Visual fingerprinting Seeing is believing and then some tm pl= offl ine tp =1 http://akeeba.info/ninja template =ja_purity
- 25. Visual fingerprinting RewriteCond %{QU ERY_STRING} (^| &)tmpl=(componen t|system) [NC] RewriteRule .* - [L] RewriteCond %{QU ERY_STRING} (^|& )t(p|emplate| mpl)= [NC] RewriteRule .* - [F] http://akeeba.info/ninja
- 26. PHP has a big mouth and that’s not water cooler gossip! http://akeeba.info/ninja
- 27. PHP has a big mouth http://akeeba.info/ninja
- 28. PHP has a big mouth RewriteCond %{QU ERY_STRING} =PH P[a-f0-9]{8}-[a- f0-9]{4}-[a-f0-9 ]{4}-[a-f0-9]{4} -[a-f0-9]{12} [NC] RewriteRule .* - [F] http://akeeba.info/ninja
- 29. Blind Elephant Meet your supervillain http://akeeba.info/ninja
- 31. Blind Elephant nicholas@teapot:~/blindelephant$ ./BlindElephant.py mysite.com joomla Loaded /home/nicholas/projects/3rdparty/blindelephant/trunk/src/build/lib.linux-x86_64-2.6/blindelephant/ dbs/joomla.pkl with 33 versions, 3696 differentiating paths, and 122 version groups. Starting BlindElephant fingerprint for version of joomla at http://joomla.ubuntu.web Hit http://joomla.ubuntu.web/media/system/js/validate.js Possible versions based on result: 1.5.17, 1.5.18 Hit http://joomla.ubuntu.web/includes/js/joomla.javascript.js Possible versions based on result: 1.5.17, 1.5.18 Hit http://joomla.ubuntu.web/media/system/js/caption.js Possible versions based on result: 1.5.17, 1.5.18 Hit http://joomla.ubuntu.web/media/system/js/openid.js Possible versions based on result: 1.5.17, 1.5.18 Hit http://joomla.ubuntu.web/templates/rhuk_milkyway/css/template.css Possible versions based on result: 1.5.17, 1.5.18 Fingerprinting resulted in: 1.5.17 1.5.18 Best Guess: 1.5.18 http://akeeba.info/ninja
- 32. Blind Elephant RewriteRule ^ima ges/stories/.*. (jp(e?g|2)?|png| gif|bmp|css|js|s wf|ico)$ - [L] RewriteCond %{HT TP_REFERER} . RewriteCond %{HT TP_REFERER} !^ht tps?://(www.)? example.com [NC] RewriteCond %{RE QUEST_FILENAME} -f RewriteRule .(j p(e?g|2)?|png|gi f|bmp|css|js| swf|ico)$ - [F] http://akeeba.info/ninja
- 33. There are more threats Cross-site scripting (XSS) Remote file inclusion (RFI) Local file inclusion (LFI) SQL injection (SQLi) Cross-site request forgery (CSRF) Brute force password cracking Spamming & e-mail harvesting
- 34. More protection for you f re e! 2 0€ 10€ The Master Admin Tools .htaccess Professional http://akeeba.info/master- http://akeeba.info/atpro htaccess Use coupon code JOSCAR for 50% off
- 35. One more thing... security is a process
- 36. Any questions?
- 38. Want the slides? http://akeeba.info/security-101
Editor's Notes
- Scratches the surface\nImperative everyone follows this advice\n\nNext: Me\n
- 30-y.o. Mech Engineer turned web dev\nInto PHP for > 10 years\nLead dev of Akeeba Backup and Admin Tools\n\nNext: Basic Security\n
- What is it?\nIs it Chuck Norris on your site?\nMaking site unhackable?\n
- Make it harder, not impossible\n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- Everyone knows these things have to be done\nWe rarely do them because we’re bored\n\nNext: Backups\n
- Use Akeeba Backup or any other tool for at least daily backups\nTest restore backups every week or after installing a new release\n\nNext: Updates\n
- Always update on the same day\nKeep an eye on JVEL\nSubscribe to ahead warning service like SalvusAlerting\n\nNext: backend protection\n
- Password-protect administrator\nAdd secret key to administrator (jSecure, Admin Tools Professional, etc)\n\nNext: 777\n
- Why 0777 is a bad idea (hack from the inside)\nSane perms on next slide\n\nNext: perms\n
- Use suPHP/mod_itk if possible\nRoot 0755 / 0700 (disables 0777)\nDirs 0755, Files 0644\nYou never “must” use 0777. If you do, use .htaccess\n\nNext: sitting duck\n
- Default Joomla! settings = sitting duck\nIt’s duck hunting season; you don’t want to be a duck\n\nNext: prefix\n
- Prefix has nothing to do with telephony\nDefault jos_ table prefix is evil\nUse something random; use Admin Tools for easy change\nDanger, Will Robinson: some extensions might break\n\nNext: Super Admin ID\n
- Default SA ID is 62/42. Used in direct SQLi attacks.\nDo not just create a new user, equally unsafe.\nCreate a “low ID” user; use Admin Tools\n\nNext: Ninja!\n
- How the big boys deal with security\nSome tips are over the top\nYou can never be too paranoid w/ security\n\nNext: Visual fingerprinting\n
- Appending parameters can reveal too much\nUsed to identify your site as a Joomla! site = potential target\nSecurity through obscurity; not THE solution, but it helps\n\nNext: solution\n
- These rules in my Master .htaccess\n\nNext: PHP has a big mouth\n
- Appending parameters can reveal too much\nUsed to identify your PHP version\nCan deliver non-Joomla! specific exploits\n\nNext: demonstration\n
- This is what it looks like\nEach version has a different image!\n\nNext: solution\n
- These rules are in my master .htaccess\n\nNext: Blind Elephant\n
- No, you’re not going to the circus; or a safari.\nA blind elephant is after you and will stomp you.\nSee for yourself! (next slide)\n\nNext: BlindElephant run\n
- Typical blind elephant run\nIt’s not the only fingerprinting script\nThey’re moderately to very accurate\n\nNext: solution\n
- These rules are in my master .htaccess\n\nNext: More protection\n
- \n
- My master .htaccess is free, reqs expert knowledge, no support\nATPro is easier for site builders, has docs, support\n\nNext: security is a process\n
- It’s not fire and forget. You have to work on it continuously as your site evolves.\n\nNext: questions\n
- Ask your questions!\n\nNext: the end\n
- Thank you for listening\nVisit the URL for the slides in PDF format\n\nTHE END\n
- Thank you for listening\nVisit the URL for the slides in PDF format\n\nTHE END\n