
Page 1

1-19-2012 www.ursamajorconsulting.com 1

Avoid Getting Hacked

Joomla! Web Security
Northern Virginia Joomla Users Group
January 2012
Dorothy Firsching, Ursa Major Consulting, LLC
[email protected]

Page 2

Agenda

Discuss security considerations and approaches
Identify resources and references
Additional programs / presenters?

Page 3

Joomla! Web Security Discussion

PHP-based / database-driven sites are vulnerable
SQL injections -- commands supplied where data input is expected
Validate inputs and enforce size limits
Current version of PHP with appropriate settings
Secure coding practices -- http://joomladaymidwest.org/news/slides-and-video/2011/slides-jeff-channell-secure-php-coding-practices.html

Page 4

Pick a Good Host

Shared host vulnerabilities -- http://docs.joomla.org/Security_Checklist_2_-_Hosting_and_Server_Setup
Choose a good hosting provider: experienced in Joomla; responsive; forums / help
Appropriate permissions:
  Directories = 755
  Files = 644
  .htaccess, configuration.php = 644
Web server is set up so that files created by PHP are owned by your own user account
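The permission values on this slide are easy to state and tedious to verify by hand across a whole site. The script below is an added example, not part of the presentation: it walks a tree, reports every directory that is not 755 and every file that is not 644, and can apply those modes. The sample tree it builds under a temporary directory (configuration.php, .htaccess, an images folder) is constructed for the demonstration; on a real host you would point audit_perms at the site root, for example public_html.

```shell
#!/bin/sh
# Added example, not from the slides: audit a Joomla tree against the
# permissions on the slide (directories 755, files 644) and fix them.
# Needs only POSIX sh plus find, stat and chmod.

# Octal mode of one path; GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# List every directory not 755 and every file not 644 under $1.
# Prints one "kind want have path" line per offender, nothing when clean.
audit_perms() {
    root=$1
    find "$root" -type d -print | while IFS= read -r d; do
        m=$(file_mode "$d")
        [ "$m" = "755" ] || printf 'dir  want 755 have %s  %s\n' "$m" "$d"
    done
    find "$root" -type f -print | while IFS= read -r f; do
        m=$(file_mode "$f")
        [ "$m" = "644" ] || printf 'file want 644 have %s  %s\n' "$m" "$f"
    done
}

# Apply the slide's modes to the whole tree.
fix_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Constructed sample tree with two deliberate mistakes (a world-writable
# directory and a world-writable file), standing in for a real site root.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/administrator" "$t/images"
    : > "$t/configuration.php"
    : > "$t/.htaccess"
    : > "$t/images/logo.png"
    chmod 755 "$t" "$t/images"
    chmod 644 "$t/configuration.php" "$t/.htaccess"
    chmod 777 "$t/administrator"     # wrong: directory should be 755
    chmod 666 "$t/images/logo.png"   # wrong: file should be 644
    printf '%s\n' "$t"
}

# Stand-alone run: report, fix, re-check (prints nothing), clean up.
demo_root=$(demo_tree)
audit_perms "$demo_root"
fix_perms "$demo_root"
audit_perms "$demo_root"
rm -rf "$demo_root"
```

Run audit_perms first and read the list before calling fix_perms: a handful of directories on some hosts legitimately need other modes (an upload cache, for instance), and a blanket chmod should be a deliberate choice rather than a surprise.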

Page 5

Upgrade Regularly

Upgrade to the latest version of Joomla
Akeeba Admin Tools
Use safe extensions
Upgrade extensions
Check the vulnerability list -- http://docs.joomla.org/Vulnerable_Extensions_List
Subscribe to updates
Keep a spreadsheet of your sites and the versions they use

Page 6

Joomla Setup

Password protect folders in the control panel
Use a site-specific database username and password
Change the jos_ table prefix
Hide the admin login: the jSecure Authentication plugin adds a suffix to your back-end URL so that it looks like this: http://www.mysite.com/administrator?199abbetc

Page 7

Access Control -- http://docs.joomla.org/Security_Checklist_4_-_Joomla_Setup

Strong passwords
Change the admin username and number: the default ID for the admin user in Joomla is 62, and this may be used by a hacker
  Create a new super-administrator with another user name and a strong password
  Log out and in again as this new user
  Change the original admin user to a manager and save (you are not allowed to delete a super-administrator)
  Delete the original admin user (user ID 62) and rename from the default Admin to a new one

Page 8

Backups / Upgrades

Akeeba Backup
Multi-backup scheme
Test restoration / upgrades; a test site is helpful
Hosting provider backups
Hosting provider virus scans, or site backup using local download / scan
http://docs.joomla.org/Security_Checklist_6_-_Site_Recovery

Page 9

Vulnerabilities

Old Joomla! versions
Community Builder before 1.7.1
JCE before 2.0.19
Unchecked user input (SQL injection, buffer overflows)
eXtplorer left on site
http://docs.joomla.org/Vulnerable_Extensions_List
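The spreadsheet of sites and versions from the "Upgrade Regularly" slide becomes useful once something checks it against known-bad versions such as the two listed here. The script below is an added example, not part of the presentation: it compares a small inventory against minimum safe versions and prints every row that needs an upgrade. The two thresholds (Community Builder 1.7.1, JCE 2.0.19) are the ones the slides name; the site names and installed versions in the inventory are constructed sample data. It assumes plain numeric dotted versions, which is why it compares component by component rather than as strings.

```shell
#!/bin/sh
# Added example, not from the slides: check an inventory of sites and
# extension versions (the "spreadsheet" the slides recommend) against
# minimum safe versions. The two thresholds are the ones the slides give
# (Community Builder 1.7.1, JCE 2.0.19); the inventory rows are constructed.
# Assumes plain numeric dotted versions such as 2.0.19.

# version_lt A B: succeed when dotted version A is lower than B.
# Compares component by component, so 2.0.9 correctly sorts below 2.0.19
# even though a plain string comparison would put it after.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai:-0}; bi=${bi:-0}      # a missing component counts as 0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
    done
    return 1
}

# Minimum safe versions from the vulnerabilities slide: extension,version
THRESHOLDS='Community Builder,1.7.1
JCE,2.0.19'

# Constructed sample inventory: site,extension,installed version
INVENTORY='www.example-a.test,Community Builder,1.7.0
www.example-a.test,JCE,2.0.19
www.example-b.test,Community Builder,1.7.2
www.example-b.test,JCE,2.0.9'

# Print one line for every inventory row below its threshold.
check_inventory() {
    printf '%s\n' "$INVENTORY" | while IFS=, read -r site ext ver; do
        printf '%s\n' "$THRESHOLDS" | while IFS=, read -r text tmin; do
            [ "$ext" = "$text" ] || continue
            if version_lt "$ver" "$tmin"; then
                printf '%s: %s %s -> upgrade to %s or later\n' "$site" "$ext" "$ver" "$tmin"
            fi
        done
    done
}

# Number of flagged rows, convenient for a scheduled job that mails on non-zero.
flagged_count() {
    check_inventory | wc -l | tr -d ' '
}

check_inventory
```

In practice you would export the spreadsheet as CSV and read it instead of the inline INVENTORY string, and add a row to THRESHOLDS each time the Vulnerable Extensions List names a fixed version for something you run.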

Page 10

Check What's Happening

Logs / AWSTATS / other packages
Google Analytics
File modification dates / contents
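Checking file modification dates by eye only works if you remember what the site looked like last time. The script below is an added example, not part of the presentation: it records a manifest of file hashes right after a clean install or upgrade and later compares the live tree against it, reporting files that were changed, added or removed. The tree it builds is a constructed sample under a temporary directory; on a real site you would run make_manifest against the site root and keep the manifest somewhere outside the web tree, such as your own machine.

```shell
#!/bin/sh
# Added example, not from the slides: record a manifest of file hashes after
# a clean install or upgrade, then compare the live tree against it to find
# changed, added or removed files (the "file modification dates / contents"
# check on the slide). Uses sha256sum, or shasum on systems without it.
# The tree built in demo() is a constructed sample, not a real site.

hasher() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Hash every regular file under $1; output is "hash  ./path", sorted by path
# so two manifests of the same tree compare line for line.
make_manifest() {
    ( cd "$1" && find . -type f -print | sort | while IFS= read -r f; do hasher "$f"; done )
}

# compare_manifest BASELINE ROOT: print "added/changed/removed<TAB>path"
# for every difference between the saved manifest and the tree as it is now.
compare_manifest() {
    baseline=$1; root=$2
    current=$(mktemp)
    make_manifest "$root" > "$current"
    awk '
        # the path starts after the two spaces that follow the hash
        function path(line) { return substr(line, index(line, "  ") + 2) }
        FILENAME == ARGV[1] { base[path($0)] = $1; next }
        { p = path($0); seen[p] = 1
          if (!(p in base))        print "added\t" p
          else if (base[p] != $1)  print "changed\t" p }
        END { for (p in base) if (!(p in seen)) print "removed\t" p }
    ' "$baseline" "$current" | sort
    rm -f "$current"
}

# Stand-alone demonstration on a constructed tree: take a baseline, then
# edit one file and add another, as you would find after an unwanted change.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/images"
    printf 'original\n' > "$t/index.php"
    printf 'logo\n' > "$t/images/logo.png"
    make_manifest "$t" > "$t.manifest"      # keep the baseline outside the tree
    printf 'modified\n' > "$t/index.php"
    printf 'new\n' > "$t/images/extra.php"
    compare_manifest "$t.manifest" "$t"
    rm -rf "$t" "$t.manifest"
}

demo
```

Refresh the manifest after every upgrade you make yourself, so that the next comparison shows only what you did not do. A new .php file in a directory that should hold only images, like the one the demonstration plants, is exactly the kind of result worth looking at before anything else.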

Page 11

Resources

http://docs.joomla.org/Category:Security_Checklist
http://joomladaymidwest.org/news/slides-and-video/2011/slides-jeff-channell-secure-php-coding-practices.html
Securing PHP Web Applications, Tricia Ballard and William Ballard, 2009
Joomla! Web Security, Tom Canavan, Packt Publishing, 2008; out of date but still useful.