Joomla! Security 101
What to do before disaster strikes
http://akeeba.info/security-101
Sunday, 08 May 2011
Hi, I’m Nicholas Dionysopoulos, and I bet you can’t pronounce my last name
http://akeeba.info/me
What is site security?
And what does Chuck Norris have to do with anything?!
Security is about... making it harder to infiltrate, not making it impossible
How do you do that?
What stands between your site and hackers?
Security comes in layers
Incoming request
Firewall: always managed by your host
Web Server (Global): mod_security, suPHP, …
Web Server (.htaccess): the most basic protection
Joomla!: basic filtering
Extensions: these are ultimately responsible!
Our scope today
The basics
What we’re supposed to do and rarely do
Frequent, tested backups
Would you jump off a plane without a parachute?
http://akeeba.info/backup
Update, yesterday
Yesterday’s code is tomorrow’s hack
http://akeeba.info/basic-security
Protect your backend
The login is not enough
777: The number of the beast
Permissions are doors; don’t leave them open
http://akeeba.info/777
Sensible permissions
Ask your host to enable suPHP or Apache’s mod_itk
Site root 0755 or 0700
Directories 0755
Files 0644
If you “must” use 0777 (don’t!), protect the directory with a .htaccess file (Apache 2.2 syntax; the Order directive takes a single argument with no space after the comma):
Order deny,allow
Deny from all
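An added check, not from the slides or from Akeeba, that audits a site tree against exactly these numbers: it flags directories that are not 0755 (or 0700 for the root), files that are not 0644, and any world-writable directory that lacks the protective "deny from all" .htaccess. The sample tree it builds is constructed for the demonstration.

```python
import os
import stat
import tempfile

def audit_permissions(root):
    """Report what breaks the slide's rules: directories 0755 (root may be 0700),
    files 0644, and 0777 directories must at least carry a 'deny from all' .htaccess."""
    findings = []
    for dirpath, _subdirs, filenames in os.walk(root):
        mode = stat.S_IMODE(os.stat(dirpath).st_mode)
        allowed = (0o755, 0o700) if dirpath == root else (0o755,)
        rel = os.path.relpath(dirpath, root)
        if mode not in allowed:
            findings.append((rel, f"directory mode {mode:04o}"))
        if mode & stat.S_IWOTH:  # the "777" case the slide warns about
            htaccess = os.path.join(dirpath, ".htaccess")
            protected = False
            if os.path.isfile(htaccess):
                with open(htaccess) as fh:
                    protected = "deny from all" in fh.read().lower()
            if not protected:
                findings.append((rel, "world-writable without a protective .htaccess"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            fmode = stat.S_IMODE(os.stat(path).st_mode)
            if fmode != 0o644:
                findings.append((os.path.relpath(path, root), f"file mode {fmode:04o}"))
    return findings

def build_sample_site():
    """Constructed sample tree (not a real Joomla! install). Modes are set
    explicitly so the process umask does not influence the result."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    layout = {  # directory -> (mode, {file name: (mode, content)})
        "images": (0o755, {"logo.png": (0o644, "")}),
        "cache": (0o777, {}),  # 0777 and unprotected: two findings
        "tmp": (0o777, {".htaccess": (0o644, "Order deny,allow\nDeny from all\n")}),
        "logs": (0o755, {"error.php": (0o666, "")}),  # file too permissive
    }
    for dirname, (dmode, files) in layout.items():
        d = os.path.join(root, dirname)
        os.mkdir(d)
        for fname, (fmode, content) in files.items():
            fpath = os.path.join(d, fname)
            with open(fpath, "w") as fh:
                fh.write(content)
            os.chmod(fpath, fmode)
        os.chmod(d, dmode)  # set last, after the files have been created
    return root
```

Run it against a real site root instead of build_sample_site() to get the list of paths to fix.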
Don’t be a sitting duck
It’s duck season!
Mind your prefix
Nobody wants to be a jos_
http://akeeba.info/prefix
62 reasons to fire your Super Administrator
or 42, depending on Joomla! version...
http://akeeba.info/62-reasons
Security Kung-Fu
You can’t kill a Ninja
http://akeeba.info/ninja
Visual fingerprinting
Seeing is believing, and then some
Query strings shown on the slide: tmpl=offline, tp=1, template=ja_purity
http://akeeba.info/ninja
Visual fingerprinting
RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC]
RewriteRule .* - [L]
RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC]
RewriteRule .* - [F]
http://akeeba.info/ninja
PHP has a big mouth
and that’s not water cooler gossip!
http://akeeba.info/ninja
PHP has a big mouth
RewriteCond %{QUERY_STRING} \=PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12} [NC]
RewriteRule .* - [F]
http://akeeba.info/ninja
Blind Elephant
Meet your supervillain
http://akeeba.info/ninja
Blind Elephant
nicholas@teapot:~/blindelephant$ ./BlindElephant.py mysite.com joomla
Loaded /home/nicholas/projects/3rdparty/blindelephant/trunk/src/build/lib.linux-x86_64-2.6/blindelephant/
dbs/joomla.pkl with 33 versions, 3696 differentiating paths, and 122 version groups.
Starting BlindElephant fingerprint for version of joomla at http://joomla.ubuntu.web
Hit http://joomla.ubuntu.web/media/system/js/validate.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/includes/js/joomla.javascript.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/media/system/js/caption.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/media/system/js/openid.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/templates/rhuk_milkyway/css/template.css
Possible versions based on result: 1.5.17, 1.5.18
Fingerprinting resulted in:
1.5.17
1.5.18
Best Guess: 1.5.18
http://akeeba.info/ninja
Blind Elephant
RewriteRule ^images/stories/.*\.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [L]
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [F]
http://akeeba.info/ninja
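An added Python model of the rewrite rules from the Visual fingerprinting, PHP has a big mouth and Blind Elephant slides (not Akeeba's code): it replays each rule set, in .htaccess order, against constructed query strings and static-file requests, so you can check which requests the rules pass and which they forbid before deploying them. example.com and the sample paths are placeholders.

```python
import re

# Constructed model of the deck's three rule sets (not Akeeba's own code).
# Apache evaluates a RewriteCond with [NC] as a case-insensitive, unanchored
# search, which re.search(..., re.IGNORECASE) reproduces. Rules are tried in
# order and the first match decides, so [L] on the allow rule stops processing
# before the block rules are reached, exactly as in the .htaccess.
QUERY_RULES = [
    # tmpl=component / tmpl=system are legitimate Joomla! uses: pass through
    (r"(^|&)tmpl=(component|system)", "L"),
    # any other tp=, template= or tmpl= parameter is a fingerprinting probe
    (r"(^|&)t(p|emplate|mpl)=", "F"),
    # PHP easter-egg GUIDs (?=PHP<8>-<4>-<4>-<4>-<12>) reveal the PHP version
    (r"\=PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}", "F"),
]

def query_string_verdict(query):
    """Return 'allowed' or 'forbidden' for a raw query string, in rule order."""
    for pattern, flag in QUERY_RULES:
        if re.search(pattern, query, re.IGNORECASE):
            return "forbidden" if flag == "F" else "allowed"
    return "allowed"

STATIC_EXTS = r"\.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$"

def static_file_verdict(path, referer, site="example.com", exists=True):
    """Model of the Blind Elephant slide: an existing static file may only be
    fetched with the site's own Referer (or none at all); images/stories is
    exempted by the first RewriteRule. 'site' stands in for example.com."""
    if re.match(r"images/stories/.*" + STATIC_EXTS, path):
        return "allowed"                  # RewriteRule ^images/stories/... - [L]
    if not referer:
        return "allowed"                  # RewriteCond %{HTTP_REFERER} . fails
    if re.match(r"https?://(www\.)?" + re.escape(site), referer, re.IGNORECASE):
        return "allowed"                  # own-site referer: the ! condition fails
    if not exists:
        return "allowed"                  # RewriteCond %{REQUEST_FILENAME} -f fails
    return "forbidden" if re.search(STATIC_EXTS, path) else "allowed"
```

Note that a request carrying no Referer header satisfies none of the hotlinking conditions and is served, so this rule set stops cross-site embedding of existing static files rather than direct fetches of them.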
There are more threats
Cross-site scripting (XSS)
Remote file inclusion (RFI)
Local file inclusion (LFI)
SQL injection (SQLi)
Cross-site request forgery (CSRF)
Brute force password cracking
Spamming & e-mail harvesting
More protection for you
The Master .htaccess (free!) http://akeeba.info/masterhtaccess
Admin Tools Professional http://akeeba.info/atpro
Use coupon code JOSCAR for 50% off
One more thing... security is a process
Any questions?
That’s all folks!
Want the slides? http://akeeba.info/security-101