Joomla! 1.5 Security
Joomla!day Presentation
Luzern, Switzerland
15 November 2008
Is Joomla! safe?
Is the World Wide Web Safe?
Is Joomla! safe?
You know, I don't mean any disrespect, but I had to chuckle at the question "Is Joomla! not safe?" since it reminded me of the movie The Marathon Man, when the dentist is pulling Dustin Hoffman's teeth out, asking "Is it safe?", and he's so desperate to get the dentist to stop that he says Yes or No or What do you want to hear?
Quote taken from: http://forum.joomla.org/viewtopic.php?f=432&t=318351&st=0&sk=t&sd=a
I would say - anyone who tells a community that a Web site or an out-of-the-box solution is safe is not being responsible. No, it is not "safe" on the Internet.
Quote taken from: http://forum.joomla.org/viewtopic.php?f=432&t=318351&st=0&sk=t&sd=a
What is this presentation about?
Presentation overview
• Getting Started
• Hosting and Server Setup
• Joomla Setup
• Site Administration
• Site Recovery
Presentation approach taken from http://docs.joomla.org/Category:Security_Checklist
Getting started
Some basic things before we go into details:
• Report (possible) hacks to the JSST: http://developer.joomla.org/security/contact-the-team.html
• Please don't report hacks or proof-of-concepts out in the open; report them to the JSST
• Stay informed!
  – Automatic email notification: http://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews
  – RSS feed: http://feeds.joomla.org/JoomlaSecurityNews
Hosting and server setup
Shared hosting? Or dedicated hosting?
“register_globals”
“open_basedir”
• Configure Apache
  – Secure important areas with .htaccess
  – Use mod_rewrite and mod_security to block PHP attacks
• Configure MySQL
  – Implement user accounts with the “need-to-know” principle
• Configure PHP
  – Use PHP 5!
  – Configure your php.ini file properly (most of the time this is limited on shared hosts)
• Configure php.ini
  – Use “disable_functions” to disable dangerous PHP functions that are not needed by your site
  – Use PHP “open_basedir”
  – Don't use PHP “safe_mode” (it gives a false sense of security)
  – Don't use PHP “register_globals”
  – Don't use PHP “allow_url_fopen”. This option enables the URL-aware fopen wrappers, which allow URL objects to be accessed like files.
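The php.ini checklist above can be turned into a repeatable check. The script below is an added example written for this page, not code from the presentation or from the Joomla! project: it reads a php.ini file and reports every setting that deviates from the checklist (register_globals or safe_mode on, allow_url_fopen not explicitly off, open_basedir or disable_functions left empty). The two sample ini files are constructed for the demo, and the open_basedir path and the list of disabled functions are assumptions for a typical site.

```shell
#!/bin/sh
# Added example, not from the slides: audit a php.ini file against the
# checklist (disable_functions set, open_basedir set, safe_mode off,
# register_globals off, allow_url_fopen off). Sample ini files below are
# constructed for the demo; paths and the disabled-function list are assumptions.

# ini_value FILE KEY: print the effective value of KEY in FILE (last
# uncommented assignment wins, as in PHP); prints an empty line if absent.
ini_value() {
    awk -v key="$2" '
        /^[[:space:]]*[;#]/ { next }                       # skip comment lines
        /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)   # value after "="
                sub(/[[:space:]]*(;.*)?$/, "", v)           # drop inline comment
                gsub(/["]/, "", v)                          # drop quotes
            }
        }
        END { print v }' "$1"
}

# is_on VALUE: true when VALUE spells a PHP "on" boolean.
is_on() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        on|1|true|yes) return 0 ;;
        *)             return 1 ;;
    esac
}

# audit_php_ini FILE: print one WEAK line per finding, then the finding count.
audit_php_ini() {
    ini=$1; findings=0
    if is_on "$(ini_value "$ini" register_globals)"; then
        echo "WEAK: register_globals is On; set it Off"; findings=$((findings + 1))
    fi
    if is_on "$(ini_value "$ini" safe_mode)"; then
        echo "WEAK: safe_mode is On; it only gives a false sense of security"; findings=$((findings + 1))
    fi
    v=$(ini_value "$ini" allow_url_fopen)
    if [ -z "$v" ] || is_on "$v"; then
        echo "WEAK: allow_url_fopen is not Off (PHP's default is On)"; findings=$((findings + 1))
    fi
    if [ -z "$(ini_value "$ini" open_basedir)" ]; then
        echo "WEAK: open_basedir is not set; PHP may read the whole filesystem"; findings=$((findings + 1))
    fi
    if [ -z "$(ini_value "$ini" disable_functions)" ]; then
        echo "WEAK: disable_functions is empty; shell-spawning functions stay enabled"; findings=$((findings + 1))
    fi
    echo "$findings"
}

# --- constructed sample files for the demo ---
WEAK_INI=$(mktemp); HARD_INI=$(mktemp)
trap 'rm -f "$WEAK_INI" "$HARD_INI"' EXIT
cat > "$WEAK_INI" <<'EOF'
; constructed sample: permissive settings as often found on shared hosts
register_globals = On
safe_mode = On
allow_url_fopen = On
open_basedir =
disable_functions =
EOF
cat > "$HARD_INI" <<'EOF'
; constructed sample: the same keys hardened per the checklist (paths assumed)
register_globals = Off
safe_mode = Off
allow_url_fopen = Off
open_basedir = "/var/www/example/:/tmp/"
disable_functions = exec,passthru,shell_exec,system,proc_open,popen  ; assumed not needed by this site
EOF

echo "== permissive php.ini =="; audit_php_ini "$WEAK_INI"   # last line: 5
echo "== hardened php.ini ==";   audit_php_ini "$HARD_INI"   # last line: 0
```

Run it against the php.ini your host actually loads (the one `php --ini` reports); on shared hosting where php.ini is read-only, the WEAK lines are the list to send to the provider.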
Joomla! setup
• Some basic rules to think about:
  – Only install official Joomla! versions!
  – Change the default administrator username
  – Protect directories and files
    • Move crucial files outside the public directory: http://docs.joomla.org/Security_and_Performance_FAQs#How_do_I_move_confidential_files_outside_of_public_html.3F
    • Ensure that all configurable paths to writable or uploadable directories
    • Protect your log directory (move it out of the document root or protect it with .htaccess)
  – Adjust file and directory permissions
    • Set critical directories to 755
    • Set file permissions to 644
  – Remove unneeded files
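The permission and log-directory rules above are easy to state and easy to get wrong on a large install. The script below is an added example written for this page, not code from the presentation or from the Joomla! project: it lists every directory that is not 755 and every file that is not 644 under a document root, applies the recommended modes, and drops an Apache 2.2 style .htaccess into the log directory that denies all web access. The directory tree it works on is constructed for the demo; the file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the slides: audit a Joomla! document root for the
# recommended permissions (directories 755, files 644), fix them, and block
# web access to the log directory with an Apache 2.2 style .htaccess.
# The directory tree below is constructed for the demo.

# audit_perms ROOT: list every directory that is not 755 and every file that
# is not 644 under ROOT, then print the number of offenders on the last line.
audit_perms() {
    list=$(
        find "$1" -type d ! -perm 755 | sed 's/^/DIR  (want 755): /'
        find "$1" -type f ! -perm 644 | sed 's/^/FILE (want 644): /'
    )
    [ -n "$list" ] && printf '%s\n' "$list"
    printf '%s\n' "$list" | grep -c . || true
    return 0
}

# fix_perms ROOT: apply 755 to directories and 644 to files under ROOT.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# protect_dir DIR: deny all HTTP access to DIR (Apache 2.2 directives; on
# Apache 2.4 the equivalent is "Require all denied").
protect_dir() {
    cat > "$1/.htaccess" <<'EOF'
# Nobody needs to fetch log files over the web
Order deny,allow
Deny from all
EOF
    chmod 644 "$1/.htaccess"
}

# --- constructed demo tree with two deliberately wrong modes ---
ROOT=$(mktemp -d); trap 'rm -rf "$ROOT"' EXIT
chmod 755 "$ROOT"
mkdir "$ROOT/images" "$ROOT/logs"
chmod 777 "$ROOT/images"                          # world-writable directory
chmod 755 "$ROOT/logs"
echo '<?php $placeholder = 1; ?>' > "$ROOT/configuration.php"
chmod 666 "$ROOT/configuration.php"               # world-writable config file
echo '<?php echo "hello"; ?>' > "$ROOT/index.php"
chmod 644 "$ROOT/index.php"

echo "== before =="
audit_perms "$ROOT"
BEFORE=$(audit_perms "$ROOT" | tail -n 1)         # 2 offenders
fix_perms "$ROOT"
protect_dir "$ROOT/logs"
echo "== after =="
audit_perms "$ROOT"
AFTER=$(audit_perms "$ROOT" | tail -n 1)          # 0 offenders
```

Run `audit_perms` on its own first and read the list; directories that genuinely need to be writable by the web server (cache, upload targets) should be handled deliberately rather than blanket-fixed, and the same .htaccess works for any other directory that should never be served.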
• Before you install extensions
  – Always back up (even on your test system)
  – Always test before you install on your live server
  – Check for extension vulnerabilities
  – Download from trusted sites
  – User beware! Check the code quality
  – Test! Test! Test!
  – Remove junk files (everything that is not needed)
  – Avoid encrypted code
Site administration
• Use well-formed passwords
• Maintain a strong site backup process
• Monitor crack attempts (tripwire, SAMHAIN)
• Perform manual intrusion detection (manual logfile scan)
• Stay current with security patches and upgrades
Site recovery
• Get help the right way
• Follow a logical and rigorous recovery process
• Reset your administrator password (and those of all admins/super admins)
• Find exploit attempts using the *NIX shell
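Both the "manual logfile scan" item under site administration and the "find exploit attempts using the *NIX shell" step above come down to the same thing: pulling the requests that match known attack patterns out of the web server log and seeing where they came from. The script below is an added example written for this page, not code from the presentation or from the Joomla! project. It greps an Apache access log for a small set of signatures (directory traversal, a URL passed as a parameter value, UNION SELECT, script tags), tags each hit, and summarises hits per source IP. The log lines and the `com_example` component are constructed for the demo, and the signature list is a starting point, not a complete ruleset.

```shell
#!/bin/sh
# Added example, not from the slides: a first-pass manual scan of an Apache
# access log for request lines that match common web-attack signatures, with a
# per-source-IP summary. Log lines and com_example are constructed for the demo.

# One signature per line: LABEL REGEX (case-insensitive extended regexp).
SIGNATURES='traversal \.\./
remote-url [?&][^[:space:]]*=https?://
sqli union(%20|\+)+select
xss (<|%3c)script'

# scan_log LOG: print every matching line, prefixed with the signature label.
scan_log() {
    printf '%s\n' "$SIGNATURES" | while read -r label regex; do
        grep -iE -- "$regex" "$1" | sed "s/^/[$label] /"
    done
}

# suspects LOG: "IP count" per source address, most flagged first.
suspects() {
    scan_log "$1" | awk '{ print $2 }' | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# --- constructed sample log (combined log format) ---
LOG=$(mktemp); trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
192.0.2.10 - - [15/Nov/2008:10:00:01 +0100] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Nov/2008:10:00:05 +0100] "GET /index.php?option=com_example&file=../../../../etc/passwd HTTP/1.1" 404 310 "-" "curl/7.18.0"
198.51.100.7 - - [15/Nov/2008:10:00:06 +0100] "GET /index.php?option=com_example&page=http://203.0.113.9/x.txt HTTP/1.1" 404 310 "-" "curl/7.18.0"
203.0.113.5 - - [15/Nov/2008:10:01:00 +0100] "GET /index.php?option=com_example&id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0 "-" "Mozilla/4.0"
192.0.2.10 - - [15/Nov/2008:10:02:00 +0100] "GET /administrator/index.php HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/5.0"
EOF

echo "== flagged requests =="; scan_log "$LOG"   # 3 lines: traversal, remote-url, sqli
echo "== suspects ==";         suspects "$LOG"   # 198.51.100.7 2, then 203.0.113.5 1
```

A 404 or 500 on a flagged request is reassuring but not proof that it failed; a 200 on one is the line to investigate first, together with everything else that IP did around the same time.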
Links
• Documentation wiki: http://docs.joomla.org/Category:Security_Checklist
• Joomla! Security Strike Team (JSST): http://developer.joomla.org/security.html
• Report issues to the JSST: http://developer.joomla.org/security/contact-the-team.html
Sites to monitor when you take security seriously
Joomla! related
• www.joomla.org
• developer.joomla.org/security.html
• www.secunia.org
• www.milw0rm.com
Sites to put RSS feeds on
• http://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews
General
• www.us-cert.gov
• www.frsirt.com
Operating systems related
• www.debian.org/security
• www.openbsd.org/security
• www.redhat.org/apps/support
Joomla!
“All together”
Questions?