JaB11 - Joomla! Security 101 - Presentation Transcript
1. Joomla! Security 101: What to do before disaster strikes http://akeeba.info/security-101
2. Hi, I’m Nicholas Dionysopoulos and I bet you can’t pronounce my last name http://akeeba.info/me
3. What is site security? And what does Chuck Norris have to do with anything?!
4. Security is about... making it harder to infiltrate, not making it impossible
5. How do you do that? What stands between your site and hackers?
6. Security comes in layers: Incoming request → Firewall → Web Server (Global) → Web Server (.htaccess) → Joomla! → Extensions
7. Security comes in layers: the Firewall is always managed by your host
8. Security comes in layers: the global Web Server configuration (mod_security, suPHP, …)
9. Security comes in layers: the Web Server’s .htaccess, the most basic protection
10. Security comes in layers: Joomla! itself, basic filtering
11. Security comes in layers: Extensions, which are ultimately responsible!
12. Security comes in layers: Incoming request → Firewall → Web Server (Global) → Web Server (.htaccess) → Joomla! → Extensions
13. Our scope today: Incoming request → Firewall → Web Server (Global) → Web Server (.htaccess) → Joomla! → Extensions
14. The basics: What we’re supposed to do and rarely do
15. Frequent, tested backups: Would you jump off a plane without a parachute? http://akeeba.info/backup
16. Update, yesterday: Yesterday’s code is tomorrow’s hack http://akeeba.info/basic-security
17. Protect your backend: The login is not enough
18. 777: The number of the beast. Permissions are doors; don’t leave them open http://akeeba.info/777
19. Sensible permissions
Ask your host to enable suPHP or Apache’s mod_itk
Site root: 0755 or 0700
Directories: 0755
Files: 0644
If you “must” use 0777 (don’t!), protect the directory with a .htaccess containing:
Order deny,allow
Deny from all
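An added example, not from the slides or from Akeeba: a small Python audit that walks a site tree, reports every directory or file whose mode differs from the scheme above (root 0755 or 0700, directories 0755, files 0644), marks the world-writable ones and can apply the fix; the sample tree it builds is constructed for the demonstration.

```python
import os
import stat
import tempfile
# The scheme from the slide: site root 0755 (or 0700), directories 0755, files 0644.
ROOT_MODES = (0o755, 0o700)
DIR_MODE = 0o755
FILE_MODE = 0o644

def audit_tree(root, fix=False):
    """Return [(path, found_mode, wanted_mode)] for each entry under root that deviates.
    Dry run unless fix=True. Symlinks are skipped so a planted link cannot redirect a chmod."""
    findings = []
    root_mode = stat.S_IMODE(os.lstat(root).st_mode)
    if root_mode not in ROOT_MODES:
        findings.append((root, root_mode, DIR_MODE))
    for dirpath, dirnames, filenames in os.walk(root):
        wanted = [(d, DIR_MODE) for d in dirnames] + [(f, FILE_MODE) for f in filenames]
        for name, want in wanted:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode != want:
                findings.append((path, mode, want))
    if fix:
        for path, _, want in findings:
            os.chmod(path, want)
    return findings

def make_demo_tree():
    """Constructed sample site (not a real install) with two deliberately loose entries."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    os.makedirs(os.path.join(root, "images", "stories"))
    os.chmod(os.path.join(root, "images"), 0o755)
    os.chmod(os.path.join(root, "images", "stories"), 0o777)   # the number of the beast
    for name, mode in (("index.php", 0o644), ("configuration.php", 0o666)):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<?php\n")
        os.chmod(os.path.join(root, name), mode)
    return root

if __name__ == "__main__":
    for path, found, want in audit_tree(make_demo_tree()):
        flag = "  WORLD-WRITABLE" if found & stat.S_IWOTH else ""
        print("%s: %04o (want %04o)%s" % (path, found, want, flag))
```

Point audit_tree at a real site root to get the dry-run report; pass fix=True only after reading it.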
20. Don’t be a sitting duck: It’s duck season!
21. Mind your prefix: Nobody wants to be a jos_ http://akeeba.info/prefix
22. 62 reasons to fire your Super Administrator, or 42, depending on Joomla! version... http://akeeba.info/62-reasons
23. Security Kung-Fu: You can’t kill a Ninja http://akeeba.info/ninja
24. Visual fingerprinting: Seeing is believing, and then some: tmpl=offline, tp=1, template=ja_purity http://akeeba.info/ninja
25. Visual fingerprinting http://akeeba.info/ninja
# tmpl=component and tmpl=system are legitimate Joomla! views: let them through
RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC]
RewriteRule .* - [L]
# any other tp=, template= or tmpl= value is a fingerprinting probe: 403
RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC]
RewriteRule .* - [F]
26. PHP has a big mouth, and that’s not water cooler gossip! http://akeeba.info/ninja
27. PHP has a big mouth http://akeeba.info/ninja
28. PHP has a big mouth http://akeeba.info/ninja
# Refuse the ?=PHP<GUID> query strings that trigger PHP’s built-in easter eggs.
# The leading = must be escaped: an unescaped = makes mod_rewrite do a literal
# string comparison instead of a regex match.
RewriteCond %{QUERY_STRING} \=PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12} [NC]
RewriteRule .* - [F]
29. Blind Elephant: Meet your supervillain http://akeeba.info/ninja
30. Blind Elephant http://akeeba.info/ninja
31. Blind Elephant http://akeeba.info/ninja
nicholas@teapot:~/blindelephant$ ./BlindElephant.py mysite.com joomla
Loaded /home/nicholas/projects/3rdparty/blindelephant/trunk/src/build/lib.linux-x86_64-2.6/blindelephant/dbs/joomla.pkl with 33 versions, 3696 differentiating paths, and 122 version groups.
Starting BlindElephant fingerprint for version of joomla at http://joomla.ubuntu.web
Hit http://joomla.ubuntu.web/media/system/js/validate.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/includes/js/joomla.javascript.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/media/system/js/caption.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/media/system/js/openid.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/templates/rhuk_milkyway/css/template.css
Possible versions based on result: 1.5.17, 1.5.18
Fingerprinting resulted in:
1.5.17
1.5.18
Best Guess: 1.5.18
32. Blind Elephant http://akeeba.info/ninja
# Static files under images/stories are served as usual
RewriteRule ^images/stories/.*\.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [L]
# Any other existing static file requested with a referer from a foreign site gets a 403
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [F]
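An added example, not from the slides or from Akeeba: the three rule sets above (slides 25, 28 and 32) expressed as Python checks and run over constructed Apache combined-format log lines, so you can see which of yesterday’s requests the rules would have refused and from which client. example.com stands in for your own hostname, the PHP GUID is a placeholder of the right shape, and the -f file-exists test is skipped because a log line cannot tell.

```python
import re
from urllib.parse import urlsplit
# The slide rule sets as Python regexes (re.I mirrors the [NC] flag).
TMPL_OK = re.compile(r"(^|&)tmpl=(component|system)", re.I)   # kept, like the [L] rule
TMPL_BAD = re.compile(r"(^|&)t(p|emplate|mpl)=", re.I)         # tp=1, template=, tmpl=offline
EASTER_EGG = re.compile(r"=PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}", re.I)
STATIC = re.compile(r"\.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$", re.I)
STORIES = re.compile(r"^/images/stories/")                      # exempt, like the [L] rule
OWN_SITE = re.compile(r"^https?://(www\.)?example\.com", re.I)  # assumed: your own hostname
# Apache combined log: ip ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

def classify(target, referer):
    """Name the slide rule that would answer this request with 403, or None if it passes."""
    url = urlsplit(target)
    if TMPL_OK.search(url.query):
        return None                       # Joomla's own component/system views stay reachable
    if TMPL_BAD.search(url.query):
        return "template-fingerprint"
    if EASTER_EGG.search(url.query):
        return "php-easter-egg"
    if (STATIC.search(url.path) and not STORIES.search(url.path)
            and referer not in ("", "-") and not OWN_SITE.search(referer)):
        return "foreign-referer-static"
    return None

def scan_log(text):
    """Return {client_ip: {rule: hits}} for every combined-format line a rule would block."""
    flagged = {}
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                      # malformed or not combined format: skip the line
        ip, target, referer = m.groups()
        rule = classify(target, referer)
        if rule:
            per_ip = flagged.setdefault(ip, {})
            per_ip[rule] = per_ip.get(rule, 0) + 1
    return flagged

# Constructed sample log (documentation addresses; the PHP GUID is a placeholder of the right shape).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2011:13:55:36 +0200] "GET /index.php?tmpl=offline HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2011:13:55:37 +0200] "GET /index.php?tp=1 HTTP/1.1" 200 6033 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2011:13:55:38 +0200] "GET /index.php?=PHP00000000-0000-0000-0000-000000000000 HTTP/1.1" 200 2524 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2011:13:56:01 +0200] "GET /media/system/js/validate.js HTTP/1.1" 200 6120 "http://scanner.invalid/" "python-requests/0.8"
198.51.100.4 - - [10/Oct/2011:13:56:01 +0200] "GET /images/stories/logo.png HTTP/1.1" 200 1200 "http://scanner.invalid/" "python-requests/0.8"
192.0.2.9 - - [10/Oct/2011:13:57:10 +0200] "GET /index.php?option=com_content&view=article&id=1&tmpl=component HTTP/1.1" 200 1700 "http://www.example.com/" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2011:13:57:11 +0200] "GET /media/system/js/caption.js HTTP/1.1" 200 3200 "http://www.example.com/" "Mozilla/5.0"
"""
```

Running scan_log over a real access log before the rules are deployed shows how often they would have fired, which is also a quick check that the exemptions (tmpl=component, images/stories) do not hit your own visitors.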
33. There are more threats
Cross-site scripting (XSS)
Remote file inclusion (RFI)
Local file inclusion (LFI)
SQL injection (SQLi)
Cross-site request forgery (CSRF)
Brute force password cracking
Spamming & e-mail harvesting
34. More protection for you
The Master .htaccess (free!) http://akeeba.info/master-htaccess
Admin Tools Professional (20€, 10€ with coupon) http://akeeba.info/atpro
Use coupon code JOSCAR for 50% off
35. One more thing... security is a process
36. Any questions?
37. That’s all folks!
38. Want the slides? http://akeeba.info/security-101