Joomla! Security 101
What to do before disaster strikes
http://akeeba.info/security-101
Sunday, 08 May 2011

Hi, I'm Nicholas Dionysopoulos
and I bet you can't pronounce my last name
http://akeeba.info/me

What is site security?
And what does Chuck Norris have to do with anything?!

Security is about...
making it harder to infiltrate, not making it impossible

How do you do that?
What stands between your site and hackers?

Security comes in layers
Incoming request -> Firewall -> Web Server (Global) -> Web Server (.htaccess) -> Joomla! -> Extensions

Security comes in layers (the same diagram, one layer annotated per slide)
- Firewall: always managed by your host
- Web Server (Global): mod_security, suPHP, ...
- Web Server (.htaccess): the most basic protection
- Joomla!: basic filtering
- Extensions: these are ultimately responsible!

Our scope today
Incoming request -> Firewall -> Web Server (Global) -> Web Server (.htaccess) -> Joomla! -> Extensions

The basics
What we're supposed to do and rarely do

Frequent, tested backups
Would you jump off a plane without a parachute?
http://akeeba.info/backup

Update, yesterday
Yesterday's code is tomorrow's hack
http://akeeba.info/basic-security

Protect your backend
The login is not enough

777: The number of the beast
Permissions are doors; don't leave them open
http://akeeba.info/777

Sensible permissions
- Ask your host to enable suPHP or Apache's mod_itk
- Site root: 0755 or 0700
- Directories: 0755
- Files: 0644
- If you "must" use 0777 (don't!), protect the directory with an .htaccess file:
    Order deny,allow
    Deny from all

Don't be a sitting duck
It's duck season!

Mind your prefix
Nobody wants to be a jos_
http://akeeba.info/prefix

62 reasons to fire your Super Administrator
or 42, depending on Joomla! version...
http://akeeba.info/62-reasons

Security Kung-Fu
You can't kill a Ninja
http://akeeba.info/ninja

Visual fingerprinting
Seeing is believing, and then some
Query strings that reveal the site's Joomla! version and template:
    ?tmpl=offline
    ?tp=1
    ?template=ja_purity
http://akeeba.info/ninja

Visual fingerprinting
Allow the legitimate tmpl values, refuse every other t*= parameter:
    RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC]
    RewriteRule .* - [L]
    RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC]
    RewriteRule .* - [F]
http://akeeba.info/ninja

PHP has a big mouth
and that's not water cooler gossip!
http://akeeba.info/ninja

PHP has a big mouth
Refuse the ?=PHP<GUID> easter-egg query strings that disclose the PHP build:
    RewriteCond %{QUERY_STRING} \=PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12} [NC]
    RewriteRule .* - [F]
http://akeeba.info/ninja

Blind Elephant
Meet your supervillain
http://akeeba.info/ninja

Blind Elephant
    nicholas@teapot:~/blindelephant$ ./BlindElephant.py mysite.com joomla
    Loaded /home/nicholas/projects/3rdparty/blindelephant/trunk/src/build/lib.linux-x86_64-2.6/blindelephant/dbs/joomla.pkl with 33 versions, 3696 differentiating paths, and 122 version groups.
    Starting BlindElephant fingerprint for version of joomla at http://joomla.ubuntu.web
    Hit http://joomla.ubuntu.web/media/system/js/validate.js
    Possible versions based on result: 1.5.17, 1.5.18
    Hit http://joomla.ubuntu.web/includes/js/joomla.javascript.js
    Possible versions based on result: 1.5.17, 1.5.18
    Hit http://joomla.ubuntu.web/media/system/js/caption.js
    Possible versions based on result: 1.5.17, 1.5.18
    Hit http://joomla.ubuntu.web/media/system/js/openid.js
    Possible versions based on result: 1.5.17, 1.5.18
    Hit http://joomla.ubuntu.web/templates/rhuk_milkyway/css/template.css
    Possible versions based on result: 1.5.17, 1.5.18
    Fingerprinting resulted in: 1.5.17 1.5.18
    Best Guess: 1.5.18
http://akeeba.info/ninja

Blind Elephant
Serve static files only to requests coming from your own pages (images/stories stays hotlinkable):
    RewriteRule ^images/stories/.*\.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [L]
    RewriteCond %{HTTP_REFERER} .
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [F]
http://akeeba.info/ninja

There are more threats
- Cross-site scripting (XSS)
- Remote file inclusion (RFI)
- Local file inclusion (LFI)
- SQL injection (SQLi)
- Cross-site request forgery (CSRF)
- Brute force password cracking
- Spamming & e-mail harvesting

More protection for you
- The Master .htaccess (free!) http://akeeba.info/masterhtaccess
- Admin Tools Professional http://akeeba.info/atpro
- Use coupon code JOSCAR for 50% off

One more thing...
security is a process

Any questions?

That's all folks!

Want the slides?
http://akeeba.info/security-101
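The "Sensible permissions" slide gives target modes but no way to find the 0777 directories that are already there. The script below is an added example, not code from the presentation or from Akeeba: it audits a site tree for world-writable entries and then applies the slide's values (site root 0755, directories 0755, files 0644). It assumes a POSIX filesystem and, as the slide recommends, that PHP runs as the file owner (suPHP or mod_itk), so 0755/0644 is enough for Joomla! to work. The demo tree it builds (an `images/stories` directory and a `configuration.php`) is constructed in a temporary directory.

```python
"""Audit and apply the slide's 'sensible permissions' to a site tree.

Added example (not from the presentation). Assumes a POSIX filesystem and
that PHP runs as the file owner (suPHP / mod_itk), as the slide recommends.
"""
import os
import stat
import tempfile

SITE_ROOT_MODE = 0o755   # slide: 0755 or 0700
DIR_MODE = 0o755         # slide: directories 0755
FILE_MODE = 0o644        # slide: files 0644


def _mode(path):
    """Permission bits of path, read without following symlinks."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def _iter_tree(root):
    """Yield the root itself, then every entry below it (symlinks not followed)."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def find_world_writable(root):
    """Return root-relative paths whose mode grants write access to 'other' (the 0777 / 0666 cases)."""
    hits = []
    for path in _iter_tree(root):
        if _mode(path) & stat.S_IWOTH:
            hits.append(os.path.relpath(path, root))
    return sorted(hits)


def apply_sensible_permissions(root, root_mode=SITE_ROOT_MODE):
    """chmod the tree to the slide's values; returns how many entries were changed."""
    changed = 0
    for path in _iter_tree(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # never chmod through a symlink; it may point outside the web root
        if path == root:
            wanted = root_mode
        elif stat.S_ISDIR(st.st_mode):
            wanted = DIR_MODE
        else:
            wanted = FILE_MODE
        if stat.S_IMODE(st.st_mode) != wanted:
            os.chmod(path, wanted)
            changed += 1
    return changed


def demo():
    """Build a constructed site tree with 0777/0666 entries, audit it, fix it, audit again."""
    root = tempfile.mkdtemp(prefix="joomla-perms-demo-")
    stories = os.path.join(root, "images", "stories")
    os.makedirs(stories)
    os.chmod(stories, 0o777)                      # "the number of the beast"
    cfg = os.path.join(root, "configuration.php")
    with open(cfg, "w") as fh:
        fh.write("<?php // constructed placeholder, not a real configuration\n")
    os.chmod(cfg, 0o666)
    before = find_world_writable(root)
    changed = apply_sensible_permissions(root)
    after = find_world_writable(root)
    return before, changed, after, _mode(stories), _mode(cfg)


if __name__ == "__main__":
    before, changed, after, stories_mode, cfg_mode = demo()
    print("world-writable before:", before)
    print("entries changed:", changed)
    print("world-writable after:", after)
    print("images/stories is now %o, configuration.php is now %o" % (stories_mode, cfg_mode))
```

Run it against a real site as `apply_sensible_permissions("/path/to/site")` only after a tested backup, and check `find_world_writable` first: anything it lists is a directory or file that any process on the server can write to, which is exactly what the 777 slide warns about.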
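The three .htaccess rule sets on the "Visual fingerprinting", "PHP has a big mouth" and "Blind Elephant" slides are easy to copy and hard to reason about without a server in front of you. The block below is an added example, not code from the presentation or from Akeeba: it reproduces the slides' regular expressions in Python's `re` module (compatible with Apache's PCRE for these patterns) and decides ALLOW or FORBID for a request the way mod_rewrite would evaluate the rules in a per-directory context, so each rule can be exercised offline against constructed requests. It assumes the site is example.com, as on the slide, that paths are given relative to the web root as mod_rewrite sees them in .htaccess, and the easter-egg GUID in the sample data is a constructed value of the right shape, not one of PHP's real ones.

```python
"""Offline model of the .htaccess rules from the fingerprinting slides.

Added example, not code from the presentation. The regexes are the slides'
own; the request evaluation order follows the rules as written.
Assumed site name: example.com (as on the 'Blind Elephant' slide).
"""
import re

NC = re.IGNORECASE  # Apache's [NC] flag
STATIC = r"\.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$"

# "Visual fingerprinting": allow the legitimate tmpl values, refuse every other t*= parameter
TMPL_OK = re.compile(r"(^|&)tmpl=(component|system)", NC)
TMPL_BAD = re.compile(r"(^|&)t(p|emplate|mpl)=", NC)
# "PHP has a big mouth": the ?=PHP<GUID> easter-egg query strings
PHP_EGG = re.compile(r"\=PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}", NC)
# "Blind Elephant": static files only for requests that come from our own pages
STORIES = re.compile(r"^images/stories/.*" + STATIC)
OWN_SITE = re.compile(r"^https?://(www\.)?example\.com", NC)
STATIC_RE = re.compile(STATIC)

ALLOW, FORBID = "ALLOW", "FORBID"


def decide(path, query="", referer="", file_exists=True):
    """Return ALLOW or FORBID for one request, applying the slide rules in order."""
    path = path.lstrip("/")  # per-directory .htaccess rules see the path without the leading slash
    # RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC]  /  RewriteRule .* - [L]
    if TMPL_OK.search(query):
        return ALLOW          # [L]: no further rules are evaluated for this request
    # RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC]  /  RewriteRule .* - [F]
    if TMPL_BAD.search(query):
        return FORBID
    # RewriteCond %{QUERY_STRING} \=PHP<GUID> [NC]  /  RewriteRule .* - [F]
    if PHP_EGG.search(query):
        return FORBID
    # RewriteRule ^images/stories/.*\.(...)$ - [L]   (story images may be hotlinked)
    if STORIES.search(path):
        return ALLOW
    # RewriteCond %{HTTP_REFERER} .                         -> only requests that send a Referer
    # RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
    # RewriteCond %{REQUEST_FILENAME} -f                    -> only files that exist on disk
    # RewriteRule \.(...)$ - [F]
    if referer and not OWN_SITE.search(referer) and file_exists and STATIC_RE.search(path):
        return FORBID
    return ALLOW


# Constructed sample requests: (path, query string, Referer header, file exists on disk)
SAMPLE_REQUESTS = [
    ("index.php", "option=com_content&tmpl=component", "", True),       # legitimate Joomla! use
    ("index.php", "tmpl=offline", "", True),                            # fingerprint: offline page
    ("index.php", "tp=1", "", True),                                    # fingerprint: template positions
    ("index.php", "template=ja_purity", "", True),                      # fingerprint: force a template
    ("index.php", "=PHP00000000-0000-0000-0000-000000000000", "", True),  # easter-egg shape (constructed GUID)
    ("media/system/js/validate.js", "", "http://other.example.org/", True),  # foreign Referer
    ("media/system/js/validate.js", "", "http://www.example.com/", True),    # our own page
    ("media/system/js/validate.js", "", "", True),                           # no Referer at all
    ("images/stories/photo.jpg", "", "http://other.example.org/", True),     # whitelisted folder
    ("media/system/js/missing.js", "", "http://other.example.org/", False),  # not on disk: Joomla! 404s it
]


def run_samples():
    """Map each constructed request to the verdict the rules would give."""
    return [(p, q, r, decide(p, q, r, f)) for p, q, r, f in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for path, query, referer, verdict in run_samples():
        print("%-6s /%s?%s  Referer=%s" % (verdict, path, query, referer or "-"))
```

Two things the model makes visible that the slides do not spell out. First, the Referer rules only fire for requests that carry a Referer header (`RewriteCond %{HTTP_REFERER} .`): a scanner that sends none, or one that sends your own site name, still gets the static files, so treat this rule set as hotlink protection plus a nuisance for fingerprinters rather than a hard stop. Second, because the first rule ends with `[L]`, a query such as `tmpl=component&tp=1` is allowed without ever reaching the `t(p|emplate|mpl)=` check; if that matters to you, put the blocking rule first and whitelist within it.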