18. 777: The number of the beast
Permissions are doors; don’t leave them open
http://akeeba.info/777
19. Sensible permissions
Ask your host to enable suPHP or Apache’s mod_itk
Site root 0755 or 0700
Directories 0755
Files 0644
If you “must” use 0777 (don’t!) protect the directory with .htaccess:
# Apache 2.2 syntax (mod_access_compat on 2.4); the Order keywords are comma-separated with no space
Order deny,allow
Deny from all
31. Blind Elephant
nicholas@teapot:~/blindelephant$ ./BlindElephant.py mysite.com joomla
Loaded /home/nicholas/projects/3rdparty/blindelephant/trunk/src/build/lib.linux-x86_64-2.6/blindelephant/dbs/joomla.pkl with 33 versions, 3696 differentiating paths, and 122 version groups.
Starting BlindElephant fingerprint for version of joomla at http://joomla.ubuntu.web
Hit http://joomla.ubuntu.web/media/system/js/validate.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/includes/js/joomla.javascript.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/media/system/js/caption.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/media/system/js/openid.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/templates/rhuk_milkyway/css/template.css
Possible versions based on result: 1.5.17, 1.5.18
Fingerprinting resulted in:
1.5.17
1.5.18
Best Guess: 1.5.18
http://akeeba.info/ninja
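The run above shows which static files a fingerprinting script requests. As an added example (not from the slides or from Akeeba), here is the defender's side: a small Python check that reads Apache combined-format access log lines and flags clients that fetch several of those exact paths in a short window without a Referer, which is how a script, rather than a browser rendering a page, fetches them. The sample log lines are constructed; the IPs are documentation addresses.

```python
import re
from datetime import datetime, timedelta

# Paths BlindElephant fetched on slide 31; their exact content pins the Joomla! version.
FINGERPRINT_PATHS = {
    "/media/system/js/validate.js",
    "/includes/js/joomla.javascript.js",
    "/media/system/js/caption.js",
    "/media/system/js/openid.js",
    "/templates/rhuk_milkyway/css/template.css",
}

# Apache combined log: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) HTTP/[\d.]+" \d{3} \S+ "([^"]*)"')

def parse_line(line):
    """Return (ip, timestamp, path, referer), or None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, referer = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, path.split("?", 1)[0], referer

def find_fingerprint_scans(lines, min_paths=3, window=timedelta(minutes=5)):
    """Flag IPs fetching >= min_paths distinct fingerprint paths inside `window` with no
    Referer (a browser rendering a page sends one; a script usually does not)."""
    hits = {}  # ip -> [(when, path)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] in FINGERPRINT_PATHS and rec[3] == "-":
            hits.setdefault(rec[0], []).append((rec[1], rec[2]))
    flagged = {}  # ip -> sorted list of fingerprint paths it fetched
    for ip, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            paths = {p for t, p in events[i:] if t - start <= window}
            if len(paths) >= min_paths:
                flagged[ip] = sorted(paths)
                break
    return flagged

# Constructed sample log (not a real capture): a scripted scan from 198.51.100.9
# and one ordinary browser page load from 203.0.113.7.
SAMPLE_LOG = """\
198.51.100.9 - - [10/Oct/2010:13:55:40 +0000] "GET /media/system/js/validate.js HTTP/1.1" 200 1234 "-" "Python-urllib/2.6"
198.51.100.9 - - [10/Oct/2010:13:55:41 +0000] "GET /includes/js/joomla.javascript.js HTTP/1.1" 200 2210 "-" "Python-urllib/2.6"
198.51.100.9 - - [10/Oct/2010:13:55:42 +0000] "GET /media/system/js/openid.js HTTP/1.1" 200 877 "-" "Python-urllib/2.6"
203.0.113.7 - - [10/Oct/2010:13:56:02 +0000] "GET /media/system/js/caption.js HTTP/1.1" 200 1002 "http://joomla.ubuntu.web/" "Mozilla/5.0"
"""
```

Run `find_fingerprint_scans(SAMPLE_LOG.splitlines())` to see the scanning client reported with the paths it touched; the browser's single asset request is ignored because it carries a Referer.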
33. There are more threats
Cross-site scripting (XSS)
Remote file inclusion (RFI)
Local file inclusion (LFI)
SQL injection (SQLi)
Cross-site request forgery (CSRF)
Brute force password cracking
Spamming & e-mail harvesting
34. More protection for you
The Master .htaccess (free!)
http://akeeba.info/master-htaccess
Admin Tools Professional (20€, 10€ with coupon)
http://akeeba.info/atpro
Use coupon code JOSCAR for 50% off
Speaker notes

Why 0777 is a bad idea (hack from the inside)
Sane perms on next slide
Next: perms

Use suPHP/mod_itk if possible
Root 0755 / 0700 (disables 0777)
Dirs 0755, Files 0644
You never “must” use 0777. If you do, use .htaccess
Next: sitting duck

Default Joomla! settings = sitting duck
It’s duck hunting season; you don’t want to be a duck
Next: prefix

Prefix has nothing to do with telephony
Default jos_ table prefix is evil
Use something random; use Admin Tools for easy change
Danger, Will Robinson: some extensions might break
Next: Super Admin ID

Default SA ID is 62/42. Used in direct SQLi attacks.
Do not just create a new user, equally unsafe.
Create a “low ID” user; use Admin Tools
Next: Ninja!

How the big boys deal with security
Some tips are over the top
You can never be too paranoid with security
Next: Visual fingerprinting

Appending parameters can reveal too much
Used to identify your site as a Joomla! site = potential target
Security through obscurity; not THE solution, but it helps
Next: solution

These rules are in my Master .htaccess
Next: PHP has a big mouth

Appending parameters can reveal too much
Used to identify your PHP version
Can deliver non-Joomla!-specific exploits
Next: demonstration

This is what it looks like
Each version has a different image!
Next: solution

These rules are in my master .htaccess
Next: Blind Elephant

No, you’re not going to the circus; or a safari.
A blind elephant is after you and will stomp you.
See for yourself! (next slide)
Next: BlindElephant run

Typical blind elephant run
It’s not the only fingerprinting script
They’re moderately to very accurate
Next: solution

These rules are in my master .htaccess
Next: More protection

My master .htaccess is free, requires expert knowledge, no support
ATPro is easier for site builders, has docs, support
Next: security is a process

It’s not fire and forget. You have to work on it continuously as your site evolves.
Next: questions

Ask your questions!
Next: the end

Thank you for listening
Visit the URL for the slides in PDF format
THE END