Joomla! Security 101: What to do before disaster strikes (http://akeeba.info/security-101), Thursday, 31 March 2011

JD11NL - Joomla! Security 101


DESCRIPTION

How secure is your Joomla! site? Are you employing the most basic security principles to protect it? Learn all about it in an easy to follow presentation suitable even for beginners.


Page 1: JD11NL - Joomla! Security 101

Joomla! Security 101
What to do before disaster strikes

http://akeeba.info/security-101

Page 2: JD11NL - Joomla! Security 101

Hi, I’m Nicholas Dionysopoulos
and I bet you can’t pronounce my last name

http://akeeba.info/me

Page 3: JD11NL - Joomla! Security 101

The basics
What we’re supposed to do and rarely do

Page 4: JD11NL - Joomla! Security 101

Frequent, tested backups
Would you jump off a plane without a parachute?

http://akeeba.info/backup

Page 5: JD11NL - Joomla! Security 101

Update, yesterday
Yesterday’s code is tomorrow’s hack

http://akeeba.info/basic-security

Page 6: JD11NL - Joomla! Security 101

Protect your backend
The login is not enough

Page 7: JD11NL - Joomla! Security 101

777: The number of the beast
Permissions are doors; don’t leave them open

http://akeeba.info/777

Page 8: JD11NL - Joomla! Security 101

Sensible permissions

Ask your host to enable suPHP or Apache’s mod_itk

Site root 0755 or 0700

Directories 0755

Files 0644

If you “must” use 0777 (don’t!) protect with .htaccess:

# .htaccess inside the 0777 directory: Apache serves nothing from it
# (Apache 2.2 syntax; Apache 2.4 uses "Require all denied" instead)
Order deny,allow
Deny from all
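An added audit script, not part of the slides, that checks a site root against the scheme above (root 0755 or 0700, directories 0755, files 0644) and puts it back in line. It assumes GNU findutils (-mindepth, -printf) and builds its own constructed demo tree under mktemp.

```shell
#!/bin/sh
# Added example, not from the slides: audit a Joomla! site root against the
# scheme above (site root 0755 or 0700, directories 0755, files 0644) and
# bring it back in line. Assumes GNU findutils (-mindepth, -printf).

# Print one line per path that deviates from the scheme.
audit_perms() {
    root="$1"
    # The site root itself may be 0755 or 0700.
    find "$root" -maxdepth 0 -type d ! -perm 755 ! -perm 700 -printf 'ROOT %m %p\n'
    # Every other directory must be exactly 0755; a 0777 directory
    # ("the number of the beast") shows up here.
    find "$root" -mindepth 1 -type d ! -perm 755 -printf 'DIR  %m %p\n'
    # Every file must be exactly 0644.
    find "$root" -type f ! -perm 644 -printf 'FILE %m %p\n'
}

# Number of findings, for scripting (0 means the tree matches the scheme).
count_findings() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Apply the scheme. Run as the file owner; with suPHP or mod_itk in place PHP
# runs as that owner too, so 0644/0755 is enough for Joomla! to write its files.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed demo tree with one 0777 directory and one 0666 file; prints its path.
make_demo_site() {
    d=$(mktemp -d)
    mkdir -p "$d/images/stories" "$d/tmp"
    printf '<?php\n' > "$d/configuration.php"
    : > "$d/images/stories/logo.png"
    chmod 755 "$d" "$d/images" "$d/images/stories"
    chmod 644 "$d/configuration.php"
    chmod 777 "$d/tmp"                      # bad: world-writable directory
    chmod 666 "$d/images/stories/logo.png"  # bad: world-writable file
    echo "$d"
}

# Demo run on the constructed tree (on a real site: audit_perms /path/to/site).
site=$(make_demo_site)
audit_perms "$site"
rm -rf "$site"
```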

Page 9: JD11NL - Joomla! Security 101

Don’t be a sitting duck
It’s duck season!

Page 10: JD11NL - Joomla! Security 101

Mind your prefix
Nobody wants to be a jos_

http://akeeba.info/prefix

Page 11: JD11NL - Joomla! Security 101

62 reasons to fire your Super Administrator
or 42, depending on Joomla! version...

http://akeeba.info/62-reasons

Page 12: JD11NL - Joomla! Security 101

Security Kung-Fu
You can’t kill a Ninja

http://akeeba.info/ninja

Page 13: JD11NL - Joomla! Security 101

Visual fingerprinting
Seeing is believing and then some

tp=1

tmpl=offline

template=ja_purity

Page 14: JD11NL - Joomla! Security 101

Visual fingerprinting

# %{QUERY_STRING} is the raw query string without the leading "?", so a
# parameter name is matched at the start (^) or right after an "&".
RewriteCond %{QUERY_STRING} (^|&)tp= [OR]
RewriteCond %{QUERY_STRING} (^|&)template= [OR]
RewriteCond %{QUERY_STRING} (^|&)tmpl= [NC]
RewriteRule ^(.*)$ - [R=404,L]
# Caveat: Joomla! itself uses tmpl=component for print and modal views, so
# check that those still work on your site after enabling this rule.

Page 15: JD11NL - Joomla! Security 101

PHP has a big mouth
and that’s not water cooler gossip!

Page 16: JD11NL - Joomla! Security 101

PHP has a big mouth


Page 17: JD11NL - Joomla! Security 101

PHP has a big mouth


Page 18: JD11NL - Joomla! Security 101

PHP has a big mouth

# The PHP "easter egg" GUIDs return PHP's logo and credits pages and so give
# away the PHP version; they only answer when expose_php is On in php.ini.
# Again the query string carries no leading "?", so anchor on "^=".
RewriteCond %{QUERY_STRING} ^=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [OR]
RewriteCond %{QUERY_STRING} ^=PHPE9568F34-D428-11d2-A769-00AA001ACF42 [OR]
RewriteCond %{QUERY_STRING} ^=PHPE9568F35-D428-11d2-A769-00AA001ACF42 [OR]
RewriteCond %{QUERY_STRING} ^=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
RewriteRule ^(.*)$ - [R=404,L]
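An added harness, not from the slides, for the query-string patterns behind the template-preview rules (tp=, template=, tmpl=) and the PHP easter-egg rules above: it exercises them offline with grep -E before they go into .htaccess, and generalises the four listed GUIDs to the PHP + 8-4-4-4-12 hex shape they share. The sample query strings are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: exercise the query-string patterns behind
# the fingerprinting RewriteCond rules offline with grep -E before they go into
# .htaccess. mod_rewrite's %{QUERY_STRING} is the raw query string without the
# leading "?", so a parameter name is matched at the start (^) or after an "&".

# Returns 0 when the query string should be answered with a 404.
fp_query_blocked() {
    qs="$1"
    # Template preview / switching parameters: tp=, template=, tmpl=
    if printf '%s\n' "$qs" | grep -Eq '(^|&)(tp|template|tmpl)='; then
        return 0
    fi
    # PHP easter-egg GUIDs, generalised from the four on the slide to the
    # "PHP" + 8-4-4-4-12 hex shape they all share (assumption: no legitimate
    # parameter on the site is named like that).
    if printf '%s\n' "$qs" | grep -Eiq '^=PHP[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}'; then
        return 0
    fi
    return 1
}

# Variant keyed on a literal "%3F" before the parameter name. It only matches when
# the client itself sends the encoded "?", so a plain "?tp=1" slips through.
fp_query_blocked_literal_qmark() {
    printf '%s\n' "$1" | grep -Eq '(&|%3F)(tp|template|tmpl)='
}

# Label each query string read from stdin as BLOCK or ALLOW, one per line.
classify_queries() {
    while IFS= read -r qs; do
        if fp_query_blocked "$qs"; then echo "BLOCK $qs"; else echo "ALLOW $qs"; fi
    done
}

# Constructed sample of query strings a Joomla! site might receive.
demo_report() {
    printf '%s\n' \
        'tp=1' \
        'option=com_content&view=article&id=1' \
        'option=com_content&tmpl=offline' \
        '=PHPE9568F36-D428-11d2-A769-00AA001ACF42' \
        'http=1' | classify_queries
}

demo_report
```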

Page 19: JD11NL - Joomla! Security 101

Blind Elephant
Meet your supervillain

Page 20: JD11NL - Joomla! Security 101

Blind Elephant


Page 21: JD11NL - Joomla! Security 101

Blind Elephant

nicholas@teapot:~/blindelephant$ ./BlindElephant.py mysite.com joomla
Loaded /home/nicholas/projects/3rdparty/blindelephant/trunk/src/build/lib.linux-x86_64-2.6/blindelephant/dbs/joomla.pkl with 33 versions, 3696 differentiating paths, and 122 version groups.
Starting BlindElephant fingerprint for version of joomla at http://joomla.ubuntu.web

Hit http://joomla.ubuntu.web/media/system/js/validate.js
Possible versions based on result: 1.5.17, 1.5.18

Hit http://joomla.ubuntu.web/includes/js/joomla.javascript.js
Possible versions based on result: 1.5.17, 1.5.18

Hit http://joomla.ubuntu.web/media/system/js/caption.js
Possible versions based on result: 1.5.17, 1.5.18

Hit http://joomla.ubuntu.web/media/system/js/openid.js
Possible versions based on result: 1.5.17, 1.5.18

Hit http://joomla.ubuntu.web/templates/rhuk_milkyway/css/template.css
Possible versions based on result: 1.5.17, 1.5.18

Fingerprinting resulted in:
1.5.17
1.5.18

Best Guess: 1.5.18

Page 22: JD11NL - Joomla! Security 101

Blind Elephant

# Serve static files under images/stories unconditionally, then answer 404 for
# any other existing static file unless the Referer is our own site, so stock
# JS/CSS files cannot be fetched for version fingerprinting. example.com is a
# placeholder for your own domain. Caveat: a request with no Referer header at
# all (direct typing, some privacy-minded browsers) also gets the 404.
RewriteRule ^images/stories/.*\.(jpe?g|jp2|png|gif|bmp|css|js|swf|html?)$ - [L]
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
RewriteRule \.(jpe?g|jp2|png|gif|bmp|css|js|swf|html?)$ - [R=404,L]

Page 23: JD11NL - Joomla! Security 101

More protection for you

The Master .htaccess (free!)
http://akeeba.info/master-htaccess

Admin Tools Professional (15 €; use coupon code JDNL11)
http://akeeba.info/atpro

Page 24: JD11NL - Joomla! Security 101

That’s me... and this is the perfect time to ask me questions!

Page 25: JD11NL - Joomla! Security 101

That’s all folks!
Want the slides? http://akeeba.info/security-101