2. Presentation “Joomla! Security” - http://slideshare.net/yireo
Jisse Reitsma (jisse@yireo.com) - Twitter @yireo
My name is Jisse Reitsma
Joomla! enthusiast
PHP programmer
Lead developer of Yireo
Joomla! templates-book (NL)
Helping Tibet Support Group
3. My presentation
Part I - Basics
Part II - Joomla! security
Part III - Advanced things
4. Part I
Basics of security
5. Why bother?
Everybody makes mistakes
Joomla! is very popular
... also with hackers
What can happen?
Website defacement
(damage to business image)
Malware installed
(viruses, exploits, zombie-software)
6. What is security?
SQL injection
POST spoofing
Path traversal; Remote path inclusion
Cross Site Scripting (XSS), CSRF
Session hijacking, cookie theft
Rootkits
8. Part II
Joomla! security
9. Joomla! security (1)
Strong passwords
Beware of dictionary attacks
At least 8 characters, preferably 16 :)
10. Joomla! security (2)
Do not pick just any extension
Keep software up-to-date
Joomla! core
Joomla! extensions
11. Joomla! security (3)
Make sure .htaccess is in place
Rename from “htaccess.txt” to “.htaccess”
Includes quick protection for common attacks
12. Joomla! security (4)
Create a new Super User
No username “admin”
Use a different MySQL user ID than the default 42 or 62
18. Joomla! security (10)
Do not use Joomla! 1.5
Change database table prefix (Admintools)
Do not allow user registration if you don't want it
Apache HTTP authentication for backend
19. General advice
Be careful with what you install
Use a version control system like Git
Always test things first in a testing environment (plg_system_httpauth)
Create backups
20. Part III
Advanced security
22. UNIX file permissions
Basic rules
Three numbers: owner + group + world
4 = read, 2 = write, 1 = execute
644 = read-write for owner; read for group; read for world
Directories must always be executable (755 instead of 644)
Do not use:
666 = read-write for owner; read-write for group; read-write for world
777 (like 666, but with the execute bit set as well)
Do use:
644 (files)
755 (directories)
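As an added example (not from the slides), a POSIX shell script that checks a Joomla! webroot against the advice above: it lists world-writable (666/777) paths and anything that deviates from 644/755, applies the recommended modes, and also checks whether htaccess.txt has been renamed to .htaccess as slide 11 requires. The webroot path is an assumption.

```shell
#!/bin/sh
# Added example, not part of the presentation. Audit a Joomla! webroot for
# the permission mistakes named on the slide and report the 644/755 fix.
# Usage: audit_perms /var/www/joomla   (the path is an assumption)

# Print every world-writable path (the 666/777 "do not use" case), every
# file that is not 644 and every directory that is not 755.
audit_perms() {
    root="$1"
    find "$root" -perm -002 -print
    find "$root" -type f ! -perm 644 -print
    find "$root" -type d ! -perm 755 -print
}

# Number of distinct offending paths; 0 means the tree matches the advice.
count_bad_perms() {
    audit_perms "$1" | sort -u | wc -l | tr -d ' '
}

# Apply the recommended modes: 644 for files, 755 for directories.
fix_perms() {
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type d -exec chmod 755 {} +
}

# Slide 11: Joomla! ships its Apache rules as htaccess.txt, which does
# nothing until it is renamed to .htaccess. Report which state we are in.
htaccess_state() {
    if [ -f "$1/.htaccess" ]; then
        echo present
    elif [ -f "$1/htaccess.txt" ]; then
        echo needs-rename
    else
        echo missing
    fi
}
```

Run the audit first and review the list before calling fix_perms, since some hosting setups deliberately keep a few paths (for example upload directories) group-writable.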
23. Firewall
Only allow what you need
HTTP, SSH, FTP, SMTP, DNS
Block everything you don't need
MySQL, IMAP, POP
Check with Nmap
28. UNIX hacking
...
the greatest game on the internet
29. “Ignorance is bliss”
Google Hacking database makes it easy
SSL certificates are only secure if the SSL root-authority servers are
We trust TCP/IP to be fairly secure, but is it? (slowloris)
When the C code of a rootkit is actually modified by a script-kiddie, it is no longer detected by rootkit scanners - bummer, nobody knows if it's there