hidden secrets for a hack-proof joomla! site
DESCRIPTION
This presentation provides information about the most common Joomla! attacks and how to protect from them. The basics of securing Joomla! sites are covered in details.TRANSCRIPT
HIDDEN SECRETS FOR A HACK-PROOF JOOMLA!
Daniel Kanchev @dvkanchev
BEFORE WE BEGIN …
✓ 7+ Years Of Joomla! Experience
✓ 6 Years With SiteGround
✓ Love Travelling The World
✓ Addicted To Extreme Sports
✓ Application/Extension Developers
✓ Hosting Providers/System Administrators
✓ YOU (End Joomla! Users)
WHO SHOULD CARE ABOUT SECURITY ?
✓Application/Extension Developers
✓Hosting Providers/System Administrators
✓YOU (End Joomla! Users)
WHO SHOULD CARE ABOUT SECURITY ?
EVERYONE
WHY SHOULD YOU CARE ?
✓ Be Trustworthy By Protecting Your Clients’ Data
✓ Have A Healthy Site - Avoid Substantial Data
Loss/Downtime
HOW HACKERS WORK?
EVERYONE’S RESPONSIBLE!
!!
KEEP
CALM IT’S NOT
ROCKET
SCIENCE
SECURITY IS A PROCESS!
IS YOUR SERVER SETUP RIGHT?
SERVER CONFIG & TIPS✓ Always Update Your Server Software
✓ Harden The Linux Kernel - grsecurity
✓ Chroot Processes
✓ Provide Only Restricted Shell Access
✓ Disable/Remove Unused Services
SOLUTIONS: 1H Hive, Better Linux, CloudLinux
PROTECT YOUR WEB SERVER
✓ OWASP Rules - http://goo.gl/rC7Uz
✓ Atomic Rules - http://goo.gl/Fv3Vn
✓ Trustwave Paid Rules - http://goo.gl/9IAaB
PROTECT JOOMLA!
#1: UPDATE EVERYTHING!
SITEGROUND AUTO UPDATES
#2: DO THE BASICS
✓ Change The Default “admin” username
✓ Change The Default “jos_” DB Prefix
✓ Password Protect Your Administrator Folder
#3: RESTRICT THE ADMIN AREA BY IP
✓ Step 1: Check Your IP: whatismyip.com
✓ Add This Rule To Your .htaccess File
deny from all allow from YOUR_IP_ADDRESS
#4: KEEP PHP SCRIPTS IN THE RIGHT FOLDERS
<Files *.php> deny from all </Files>
✓ Avoid password generators
✓ Don’t use common words
✓ Avoid personal info, names
and significant dates:
daniel123
#5: USE BULLET-PROOF PASSWORDS
THE PERFECT PASSWORD✓ Choose A Favourite (Not Famous) Movie
Quote/Phrase From A Book:
✓ Add Punctuation Symbols (?!.,:) And Capital Letters,
Remove Whitespaces:
We all go a little mad sometimes
We.all?go!AlittleMad2sometimes
#6: CHECK YOUR EXTENSIONS
✓Joomla! Vulnerable Extensions List (VEL): http://vel.joomla.org/
✓National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/search
#7: STAY ON TOP OF SECURITY UPDATES
✓http://feeds.joomla.org/JoomlaSecurityNews
✓http://feeds.joomla.org/
JoomlaSecurityVulnerableExtensions
#8: FIX YOUR PERMISSIONS AND OWNERSHIP
✓Folders: 0755
✓Files: 0644
✓All files/folders should be owned by your
main FTP user
✓NEVER EVER USE 777 permissions
#9: ADDITIONAL PROTECTION THROUGH .htaccess FILE
✓ Remove PHP Sensitive Information
✓ Avoid Visual FingerPrinting
✓ Block Some Popular Tools Used By Hackers
How To Do It: http://is.gd/pGfVXQ
#10: USE JOOMLA! SECURITY EXTENSIONS FOR IDS/IPS
✓ jHackGuard
✓ Akeeba Admin Tools
✓ jomDefender
✓ jSecure
SQL INJECTIONSELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';
jHackGuard SETUP
✓ SQL Injections
✓ Remote URL/File Inclusions
✓ Remote Code Execution
✓ XSS Based Attacks
#11: BACKUP! BACKUP! BACKUP!
NOW WHAT?
DON’T PANIC!
DISASTER RECOVERY PLAN1. Create A Copy Of The Hacked Site + All Logs
2. Restore From A Clean Backup
3. Quarantine Your Site - Maintenance Mode
4. Check The Logs For The Malicious Code
5. Resolve The Security Issues/Clean Malicious Code
6. Unquarantine Your Site
FEW THINGS TO TAKE AWAY
✓ Security Is About Making It Harder To
Infiltrate - Not Making It Impossible
✓ Security Is An Ongoing Process
✓ Everyone Is Involved
QUESTIONS ?
THANK YOU!Daniel Kanchev @dvkanchev