How secure is your Joomla! site? Are you employing the most basic security principles to protect it? Learn all about it in an easy to follow presentation suitable even for beginners.
Joomla! Security 101
What to do before disaster strikes
http://akeeba.info/security-101
Thursday, 31 March 2011
Hi, I’m Nicholas Dionysopoulos
and I bet you can’t pronounce my last name
http://akeeba.info/me
The basics
What we’re supposed to do and rarely do
Frequent, tested backups
Would you jump off a plane without a parachute?
http://akeeba.info/backup
Update, yesterday
Yesterday’s code is tomorrow’s hack
http://akeeba.info/basic-security
Protect your backend
The login is not enough
777: The number of the beast
Permissions are doors; don’t leave them open
http://akeeba.info/777
Sensible permissions
Ask your host to enable suPHP or Apache’s mod_itk
Site root 0755 or 0700
Directories 0755
Files 0644
If you “must” use 0777 (don’t!) protect with .htaccess:
Order deny,allow
Deny from all
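The permission policy on this slide as a runnable audit (an added example, not part of the presentation or of Akeeba’s software): it lists directories and files that deviate from 0755/0644, counts them, and brings the tree into line. It assumes GNU find (for `-perm /mode` and `-printf`); the sample site it builds under mktemp is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the slides): audit a Joomla! tree against the
# permission policy above (directories 0755, files 0644, never 0777) and
# bring it into line. Assumes GNU find (-perm /mode and -printf).

# List every offender as "<octal mode> <d|f> <path>": directories or files
# writable by group/others, plus files carrying any execute bit.
audit_perms() {
    find "$1" \( \( -type d -perm /022 \) \
                -o \( -type f \( -perm /022 -o -perm /111 \) \) \) \
         -printf '%m %y %p\n'
}

# Number of offending paths; 0 means the tree matches the policy.
count_offenders() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Apply the slide's policy: 0755 for directories, 0644 for files. The site
# root itself is skipped so an 0700 root (also allowed) is preserved.
fix_perms() {
    find "$1" -mindepth 1 -type d -exec chmod 0755 {} +
    find "$1" -type f -exec chmod 0644 {} +
}

# Constructed sample site (hypothetical content) so this runs stand-alone;
# prints its location, the caller removes it.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/images/stories" "$site/cache"
    : > "$site/configuration.php"
    : > "$site/images/stories/logo.png"
    chmod 0755 "$site/images" "$site/images/stories"
    chmod 0777 "$site/cache"                    # the number of the beast
    chmod 0666 "$site/configuration.php"        # world-writable config
    chmod 0644 "$site/images/stories/logo.png"  # already compliant
    printf '%s\n' "$site"
}

# Demo run: sh perms_audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    site=$(make_sample_site)
    echo "before: $(count_offenders "$site") offender(s)"
    audit_perms "$site"
    fix_perms "$site"
    echo "after: $(count_offenders "$site") offender(s)"
    rm -rf "$site"
fi
```

Run `audit_perms /path/to/site` on its own to review before changing anything; `fix_perms` is the remediation step.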
Don’t be a sitting duck
It’s duck season!
Mind your prefix
Nobody wants to be a jos_
http://akeeba.info/prefix
62 reasons to fire your Super Administrator
or 42, depending on Joomla! version...
http://akeeba.info/62-reasons
Security Kung-Fu
You can’t kill a Ninja
http://akeeba.info/ninja
Visual fingerprinting
Seeing is believing and then some
tp=1
tmpl=offline
template=ja_purity
http://akeeba.info/ninja
Visual fingerprinting
RewriteCond %{QUERY_STRING} (&|%3F){1,1}tp= [OR]
RewriteCond %{QUERY_STRING} (&|%3F){1,1}template= [OR]
RewriteCond %{QUERY_STRING} (&|%3F){1,1}tmpl= [NC]
RewriteRule ^(.*)$ - [R=404,L]
http://akeeba.info/ninja
PHP has a big mouth
and that’s not water cooler gossip!
http://akeeba.info/ninja
RewriteCond %{QUERY_STRING} ^%3F=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [OR]
RewriteCond %{QUERY_STRING} ^%3F=PHPE9568F34-D428-11d2-A769-00AA001ACF42 [OR]
RewriteCond %{QUERY_STRING} ^%3F=PHPE9568F35-D428-11d2-A769-00AA001ACF42 [OR]
RewriteCond %{QUERY_STRING} ^%3F=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
RewriteRule ^(.*)$ - [R=404,L]
Blind Elephant
Meet your supervillain
http://akeeba.info/ninja
Blind Elephant
nicholas@teapot:~/blindelephant$ ./BlindElephant.py mysite.com joomla
Loaded /home/nicholas/projects/3rdparty/blindelephant/trunk/src/build/lib.linux-x86_64-2.6/blindelephant/dbs/joomla.pkl with 33 versions, 3696 differentiating paths, and 122 version groups.
Starting BlindElephant fingerprint for version of joomla at http://joomla.ubuntu.web
Hit http://joomla.ubuntu.web/media/system/js/validate.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/includes/js/joomla.javascript.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/media/system/js/caption.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/media/system/js/openid.js
Possible versions based on result: 1.5.17, 1.5.18
Hit http://joomla.ubuntu.web/templates/rhuk_milkyway/css/template.css
Possible versions based on result: 1.5.17, 1.5.18
Fingerprinting resulted in:
1.5.17
1.5.18
Best Guess: 1.5.18
http://akeeba.info/ninja
RewriteRule ^(images/stories/*\.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|htm[l]?))$ $1 [L]
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{HTTP_REFERER} !^http[s]{0,1}://(.+\.)?www\.example\.com [NC]
RewriteRule \.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|htm[l]?)$ - [R=404,L]
More protection for you
The Master .htaccess
http://akeeba.info/master-htaccess
Admin Tools Professional
http://akeeba.info/atpro
free!
15 €
use coupon code
JDNL11
That’s me...
and this is the perfect time to ask me questions!
That’s all folks!
Want the slides? http://akeeba.info/security-101