Brendon Hatcher Joomla Security

  1. Joomla Security
     Bare essentials to serious measures
     Brendon Hatcher, Technical Director
     Photo:
  2. Understanding hackers and hacking
     - Definitions of “hacker”
     - Hackers’ motivations
     - Evidence of hacking
  3. What is a hacker?
     - Someone who deliberately seeks to bypass a server’s security
       - Black, grey, white hats
       - A hacked site is a broken/compromised site
     - A skilled computer programmer
       - A hacked site is a tweaked and improved site
     - A script kiddie
       - Junior hacker using other hackers’ tools and techniques
  4. Hackers’ motivations
     - To see if they can
     - To create mayhem
     - For social standing in the sub-culture
     - For political reasons – hacktivism
     - For financial reasons
       - Theft – steal ebooks, videos, games, online services etc.
       - Sell data – user profiles, credit card details etc.
       - Industrial sabotage – paid to break competitor sites
       - Set up zombie farms
       - Steal bandwidth
       - Host phishing pages
       - Collect passwords
  5. Evidence of hacking
     - None!
     - Site trashed
     - Hacking message
     - High bandwidth use
     - Changed admin password
     - New user with admin rights
     - Server logs
  6. Why be concerned about security?
     - No-one is safe
     - Hacking is actually quite easy
     - Fixing hacked sites is tricky
     - Hacked sites are a big problem
  7. No-one is safe
  8. Why worry about hacking?
     - Sites are targeted at random
     - Hacking is actually quite easy
       - Vulnerable sites are easy to find
       - Vulnerable sites are easy to hack
     - Fixing hacked sites is quite tricky
       - Hacks can be invisible
       - Clients may not notice a hacked site for some time
       - Finding a clean backup may be impossible
       - Determining what has been done can be really hard
       - May be difficult to restore
       - Hardening the site to avoid future hacks requires skill and focus
  9. Why worry about hacking?
     - Hacked sites are a big problem
       - Business reputation
       - Angry clients
       - Site shutdown by host
       - Loss of business
       - Data theft
     Photo:
  10. Hacking a Joomla site
     - Is Joomla less secure than other systems?
     - The site must be vulnerable
     - 3 steps to hacking for fun and profit
  11. Is Joomla less secure than other systems?
     - Yes and no
       - Joomla has to strike a balance between security and ease of use
       - Joomla is an attractive target for hackers
         - The critical mass of sites
         - Large amateur web developer user base
         - Extensions have variable security
     - The site must be vulnerable
  12. 3 steps to hacking for fun and profit
     - Find a vulnerability (and instructions on how to exploit it)
     - Find a vulnerable site
     - Hack the site
     - Then, sit back and enjoy fame and fortune!
  13. Find a vulnerability
     - Security sites
     - Various hacking sites/forums
     - Joomla vulnerable extensions list
  14. Find a vulnerable site
     - Google Dork – a search phrase to find vulnerable sites
       - PHPInfo: intitle:phpinfo()
       - Vulnerable extensions: allinurl:com_acajoom
  15. Cut and paste hack code
     http://xxxxxxxxxxxxxxxxx/index.php?option=com_acajoom&act=mailing&task=view&listid=1&Itemid=1&mailingid=1/**/union/**/select/**/1,1,1,1,concat(username,0x3a,password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/from/**/jos_users/**/LIMIT/**/1,1/*
     Photo:
  16. Security action plan
     - Web sites are like onions
     - Levels of security
     - Web development tools
     - Strong, unique passwords everywhere
     - Continuous attention
  17. Web sites are like onions
     - Server operating system
     - Apache
     - PHP + MySQL
     - Joomla
     - Extensions
     - Users and their behaviour
  18. Levels of security
     - [1] Basic actions
     - [2] More complex actions
     - [3] Actions that require significant modification rights on the server (unless already implemented by default)
     Image by echiner1
  20. Web development tools
     - WHM – server administration
     - cPanel – hosting account administration
     - FileZilla – FTP app
     - KeePass – password vault
  21. General advice
     - Strong, unique passwords everywhere
     - A password vault removes the need to have a single, simple password
     - Continuous attention needed
  22. Creating a safe home for Joomla
     - Shared, VPS or dedicated servers?
     - Apache
     - PHP
     - MySQL
  23. Shared, VPS or dedicated servers?
     - A shared server
       - Your site(s) live in the same hosting space as other sites that you do not administer
       - This is the cheapest hosting option.
       - No say over the security of the other sites on the server
       - An old shared server is the worst location for your hosting
     - A Virtual Private Server
       - Better than shared
       - Still can’t change many settings
  24. Shared, VPS or dedicated servers?
     - A dedicated server
       - Still a “shared” server
       - Allows you to upgrade and tweak all the settings on a dedicated server
       - Host retains responsibility for maintenance
  25. Additional security
     - Suhosin – hardens PHP
     - Samhain or Tripwire
     - ConfigServer firewall
  26. Apache
     - [3] suExec
       - CGI scripts run under the user of the website instead of the Apache user
     - [3] mod_security
       - Intrusion detection and prevention engine
  27. PHP
     - [2] PHP5, not PHP4
     - [3] suPHP
       - PHP files are run under the user of the website instead of the Apache user
     - Globally reset all files
       - Owner – AccountUsername:AccountUsername: chown -R user:group *
       - Files – 644: find . -type f -exec chmod 644 {} \;
       - Folders – 755: find . -type d -exec chmod 755 {} \;
  28. Hosting account
     - .htaccess files
       - [1] Activate the htaccess file in the Joomla root
       - [1] Use an .htpasswd for the /administrator/ folder
       - [3] Advanced .htaccess files
     - A LOT more important detail in the manual
  29. Securing a Joomla site
     - Keeping up to date
     - Avoiding the obvious
     - Hide, and be very, very quiet
     - Spam form submissions
     - Install sh404SEF
  30. Keeping up to date
     - Must update Joomla core and extensions
     - Remove unused extensions
  31. Avoiding the obvious
     - [1] The default database table prefix is jos_
     - [1] The default admin username is admin
     - [1] The default admin user ID is 62
     - [1] Change the administrator access URL
  32. Hide, and be very, very quiet
     - [1] SEF all URLs
     - [1] Clear the default Joomla meta tags
     - [1] Clear the default home page title
     - [1] Remove the generator tag
     - [1] Change the favicon
     - [2] Hide component credits
  33. Spam form submissions
     - Trying to inject spam content onto your site
     - Targets Joomla core forms and extension forms
     - Install a captcha system
  34. Install sh404SEF
     - SEF URLs hide from Google Dorks
     - Flood control
     - Other security settings
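The two hardening steps from the PHP and hosting-account slides (reset every file to 644 and every folder to 755 under the account owner, and put an .htpasswd in front of /administrator/) are shown below as one script. This is an added example, not code from the presentation or from the Joomla project; the hosting paths (the account's home directory, the .htpasswd location) are assumptions, and the demo runs on a constructed throw-away directory rather than a real Joomla install. The .htaccess it writes only takes effect where Apache allows AuthConfig overrides for the site.

```shell
#!/bin/sh
# Added example, not from the presentation. Resets a Joomla tree to the
# owner/644/755 layout from the PHP slide and drops a Basic-auth .htaccess
# into /administrator/ as the hosting-account slide recommends.
# The hosting paths below are assumptions for illustration.

# reset_perms DIR [USER:GROUP]
# Files -> 644, folders -> 755. chown needs root, so the owner argument is
# optional here; on a real host run it as the slide shows:
#   chown -R AccountUsername:AccountUsername *
reset_perms() {
    dir="$1"
    owner="$2"
    if [ -n "$owner" ]; then
        chown -R "$owner" "$dir"
    fi
    find "$dir" -type f -exec chmod 644 {} \;
    find "$dir" -type d -exec chmod 755 {} \;
}

# protect_admin DIR HTPASSWD_FILE
# Writes DIR/administrator/.htaccess so Apache demands a valid user from
# HTPASSWD_FILE before Joomla's own login page is even served. Create the
# password file with Apache's htpasswd tool, outside the web root:
#   htpasswd -c /home/account/.htpasswd adminuser      (assumed path)
protect_admin() {
    admin_dir="$1/administrator"
    htpasswd_file="$2"
    mkdir -p "$admin_dir"
    cat > "$admin_dir/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted"
AuthUserFile $htpasswd_file
Require valid-user
EOF
    chmod 644 "$admin_dir/.htaccess"
}

# count_bad_perms DIR
# Prints how many files are not 644 plus how many folders are not 755;
# 0 means the tree matches the recommended layout.
count_bad_perms() {
    dir="$1"
    files=$(find "$dir" -type f ! -perm 644 | wc -l)
    dirs=$(find "$dir" -type d ! -perm 755 | wc -l)
    echo $((files + dirs))
}

# Demonstration on a constructed temporary tree (not a real Joomla install).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/images/stories" "$root/administrator"
    echo '<?php' > "$root/index.php"
    echo '<?php' > "$root/configuration.php"
    chmod 777 "$root/images" "$root/configuration.php"   # deliberately sloppy
    before=$(count_bad_perms "$root")
    reset_perms "$root"
    protect_admin "$root" /home/account/.htpasswd
    after=$(count_bad_perms "$root")
    echo "entries with bad permissions before: $before, after: $after"
    cat "$root/administrator/.htaccess"
    rm -rf "$root"
}

demo
```

Run it as the hosting account's own user; with suPHP in place that user is also the one PHP runs as, so 644/755 is enough and nothing needs to be world-writable.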
  35. Creating a safe working environment
     - PC vulnerability to hacks
     - FTP access hacks
     - A note about users
     “Burglar bars, electric fences, alarms… and a key left under the doormat”
  36. PC vulnerability to hacks
     - [1] Install all operating system patches
     - [1] Install all application patches
     - [1] Run comprehensive real-time protection apps
     - [1] Install Secunia PSI
     - [1] Secure your PC login
     - [1] Secure your backup storage
     - [2] Use a secure web browser
  37. FTP access hacks
     - If a hacker can obtain your FTP password, they can log in as you, bypassing almost every security barrier.
     - FTP passwords are stored unencrypted in your FTP program!
     - FTP authentication details pass unencrypted to the server!
     - There are several common FTP apps that store their passwords in a standard location with a standard name!
  38. FTP configuration
     - [1] cPanel setup
       - Make sure that the FTP password is strong
     - [1] PC setup
       - Password vault (LastPass, KeePass) to store the strong password
       - Make sure passwords are not stored anywhere else (including on a Post-It note on the side of the PC)
     - [1] FileZilla
       - Copy all passwords to the password vault
       - Delete all passwords from the Site Manager
       - Set FileZilla to run in kiosk mode
  39. FTP configuration
     - [2] Joomla
       - Remove the FTP details from the configuration file
     - [3] WHM
       - Disable FTP access and allow only SFTP access
     - A note about users
       - You should ideally create separate user accounts for each staff member
  40. Preparing for the worst
     - Site monitoring
     - A disaster recovery plan
     - Joomla site backups
     - Restoring a hacked site
  41. Site monitoring
     - Diagnostics
       - Site down
       - Home page content changes
       - mod_security logs (show attempts)
       - Bandwidth use
       - Spam blacklisting
     - [3] Searching and browsing server logs
  42. Disaster Recovery Plan
     - Depending on how central your web site is to your business, you may need a DRP
     - See Tom Canavan’s presentation
     Photo:
  43. Joomla site backups
     - Long-cycle Joomla backups are critical
     - Redundant backups lead to restful sleep
     - See my Joomla for Web Developer talk for MUCH more detail
  44. Restoring a hacked site
     - Fixes the obvious problems
     - Does not address:
       - Hidden hacks
       - Shell scripts
       - Backdoors
       - Zombies
       - Continuing vulnerabilities
       - Impacts of data exposure
     Photo:
  45. Credits/Disclaimer
     - Brendon Hatcher is the compiler of this presentation
     - The presentation is released under the Creative Commons Licence – Attribution, Non-commercial, No derivatives
     - If you don’t know what this licence means, go to
     - The content is provided without warranty. It is a work in progress and represents my current understanding of Joomla security.
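The site-monitoring slide lists "searching and browsing server logs" as the level-3 check. The script below is an added example, not part of the presentation, of what that search looks like in practice: it pulls out of an Apache access log the requests that carry the injection markers visible in the slide 15 URL (union/select separated by /**/, plus or URL-encoded padding, a concat( call, a direct reference to the jos_users table), counts hits on /administrator/, and ranks the client addresses behind the suspicious requests so the log can be compared with mod_security's own alerts. The log lines are constructed for the demo; the addresses are documentation ranges.

```shell
#!/bin/sh
# Added example, not from the presentation. A first pass at the
# "searching and browsing server logs" item: flag requests whose query
# string carries the SQL-injection markers seen on slide 15 and rank the
# source addresses. Every log line below is constructed for the demo.

# make_sample_log FILE -- five constructed combined-log-format lines.
make_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [10/Oct/2010:13:55:36 +0200] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2010:13:56:01 +0200] "GET /index.php?option=com_acajoom&act=mailing&task=view&listid=1&mailingid=1/**/union/**/select/**/1,concat(username,0x3a,password)/**/from/**/jos_users/* HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2010:13:56:02 +0200] "GET /index.php?option=com_acajoom&act=mailing&mailingid=1%20union%20select%201 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2010:13:57:10 +0200] "GET /administrator/ HTTP/1.1" 401 401 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2010:13:58:22 +0200] "GET /index.php?option=com_acajoom&mailingid=1+UNION+SELECT+1 HTTP/1.1" 200 4410 "-" "curl/7.19"
EOF
}

# scan_access_log FILE -- print the lines whose request contains injection
# markers: union...select joined by /**/, +, %20 or %2F%2A%2A%2F (the
# URL-encoded /**/), a concat( call, or the jos_users table name.
# Case-insensitive because attackers vary the case to slip past filters.
scan_access_log() {
    grep -iE 'union(/\*\*/|\+|%20|%2F%2A%2A%2F)+select|concat\(|jos_users' "$1" || true
}

# count_suspicious FILE -- number of flagged requests.
count_suspicious() {
    scan_access_log "$1" | wc -l | tr -d ' '
}

# count_admin_hits FILE -- requests for /administrator/. Compare the
# addresses against the ones your own staff use; anything else is a probe.
count_admin_hits() {
    grep -c 'GET /administrator/' "$1" || true
}

# top_suspicious_ips FILE -- "count address" pairs, busiest source first.
top_suspicious_ips() {
    scan_access_log "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

demo() {
    log=$(mktemp)
    make_sample_log "$log"
    echo "suspicious requests: $(count_suspicious "$log")"
    echo "administrator hits:  $(count_admin_hits "$log")"
    echo "top sources of suspicious requests:"
    top_suspicious_ips "$log"
    rm -f "$log"
}

demo
```

On a real host point the functions at the account's access log from cPanel or WHM. A match only proves someone tried; whether the extension was vulnerable at the time has to be checked against the vulnerable-extensions list and the response codes on the same lines.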

Editor's notes

  • Balaclava -
  • Pickpocket -
  • Onion -
  • Shhh -