Joomla! security 101

Post on 01-Sep-2014


Joomla! security 101: What to do before disaster strikes

That’s me

I am Nicholas K. Dionysopoulos, the lead developer of Akeeba Backup and contributing author at the Joomla! Community Magazine.

THE BASICS… or what you are supposed to do and rarely remember to do

Backup, backup and backup

Update, yesterday

Multifactor back-end authentication

Password protection                            Secret URL parameter
-------------------------------------------    ----------------------------------------------
Use your host’s Control Panel, or .htaccess    Use jSecure Authentication
Best protection                                Very easy to setup
Doesn’t cost                                   Costs money
More difficult to setup                        Doesn’t protect against direct access to files

Permissions must make sense

Site Root           Directories             Files
----------------    --------------------    -----
0755                0755                    0644
0700 for suPHP      Except special cases

Should I 0777 anything?

• Generally an extremely bad idea!
• Better enable Joomla!’s FTP layer.
• Only required by badly written extensions.
• tmp, logs, cache and administrator/cache directories.
• If you do that, make sure you install this .htaccess in each and every one of them (the argument to Order is the single token deny,allow; Apache rejects it with a space in it):

    Order deny,allow
    Deny from all
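Putting the three permission slides into practice, as an added example (a shell script written for this page, not part of the original deck): it applies 0755 to directories and 0644 to files under a site root, writes the deny-all .htaccess into the four directories the slide names, and reports anything left world-writable. It assumes Apache (2.2 or 2.4, so it carries both the directives above and the 2.4 equivalent, Require all denied, each guarded by IfModule) and a non-suPHP host, so the site root gets 0755 like every other directory; the paths in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example for this page (not from the original slides): apply the
# permission scheme above to a Joomla! site root and drop a deny-all
# .htaccess into the directories that badly written extensions want
# world-writable. Assumes Apache (2.2 or 2.4) and a non-suPHP host.
set -eu

# The only directories the slides accept as candidates for 0777
# (space-separated on purpose: the for loop below word-splits it).
JOOMLA_WRITABLE_DIRS="tmp logs cache administrator/cache"

# Directories 0755, files 0644, then protect the writable directories.
harden_joomla_perms() {
    root="$1"
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +
    for d in $JOOMLA_WRITABLE_DIRS; do
        [ -d "$root/$d" ] || continue
        # Both syntaxes, each guarded so the server ignores the one it
        # does not understand: mod_authz_core exists only on Apache 2.4.
        cat > "$root/$d/.htaccess" <<'EOF'
# Deny direct HTTP access to everything in this directory.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
EOF
        # Do not let the umask decide the mode of the file we just wrote.
        chmod 0644 "$root/$d/.htaccess"
    done
}

# List anything still world-writable under the site root and fail if there
# is any; run it after hardening and again after installing an extension.
find_world_writable() {
    root="$1"
    offenders=$(find "$root" -perm -0002 \( -type f -o -type d \))
    [ -z "$offenders" ] || { printf '%s\n' "$offenders"; return 1; }
}

# Usage (paths are assumptions):
#   harden_joomla_perms /var/www/example.com/public_html
#   find_world_writable /var/www/example.com/public_html
```

The second function is the check that matters day to day: an extension installer or a hurried FTP session is how 0777 creeps back in, and a non-zero exit from find_world_writable is easy to wire into a cron job.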

THE ADVANCED STUFF… which every site builder should do on every site he builds

We are all sitting ducks

Known prefix jos_ and known ID 62 make me say… what the quack?!

The prefix matters

jos_ is insecure: it is the default of every Joomla! 1.5 install, so an SQL injection payload can name your tables (jos_users, jos_session, …) without guessing.

Keep it short and unique

It’s never too late to change it (rename every table and point $dbprefix in configuration.php at the new prefix)

62 reasons to fire your Super Admin

User ID 62 is insecure: it is the ID the Joomla! 1.5 installer gives the Super Administrator, so an injection payload that rewrites the super user’s row can target it without looking it up first.

Use one in the 1-61 range

It’s never too late to change it
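For the two slides above, an added example (shell written for this page, not the deck’s own tooling): it turns a table list into the RENAME TABLE statements for a prefix change, rewrites $dbprefix in configuration.php, and emits the UPDATE statements that move the Super User to a new ID. The table list (e.g. from SHOW TABLES) and the list of columns that reference the user ID are inputs you supply, because the referencing columns (users.id itself, then created_by, modified_by, checked_out, the user/group mapping in 1.6+) differ by Joomla! version; the database name, prefixes, IDs and columns in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example for this page (not from the original slides): generate the
# SQL for changing the table prefix and the Super User ID, and update
# configuration.php. Nothing touches the database directly; review the
# output, take a backup (slide one!), then feed it to the mysql client.
set -eu

# Read table names on stdin (one per line, e.g. from SHOW TABLES) and emit a
# RENAME TABLE statement for every table carrying the old prefix.
gen_prefix_sql() {
    old="$1"; new="$2"
    while IFS= read -r t; do
        case "$t" in
            "$old"*) printf 'RENAME TABLE `%s` TO `%s`;\n' "$t" "$new${t#"$old"}" ;;
        esac
    done
}

# Point $dbprefix in configuration.php at the new prefix. Matches both the
# 1.5 form (var $dbprefix = 'jos_';) and the 1.6+ form
# (public $dbprefix = 'jos_';). Leaves a configuration.php.bak copy behind.
set_dbprefix() {
    file="$1"; new="$2"
    q="'"
    # In the sed script, \$ is a literal dollar sign.
    sed -i.bak "s/\(\\\$dbprefix = $q\)[^$q]*$q/\1$new$q/" "$file"
}

# Read "table column" pairs on stdin and emit the UPDATE that moves user ID
# $1 to $2 in each. The caller supplies the list of referencing columns,
# since it depends on the Joomla! version.
gen_userid_sql() {
    old="$1"; new="$2"
    case "$old$new" in
        *[!0-9]*) echo "gen_userid_sql: IDs must be numeric" >&2; return 1 ;;
    esac
    while read -r tbl col; do
        [ -n "$tbl" ] && [ -n "$col" ] || continue
        printf 'UPDATE `%s` SET `%s` = %s WHERE `%s` = %s;\n' \
            "$tbl" "$col" "$new" "$col" "$old"
    done
}

# Usage (database, prefixes, IDs and column list are assumptions):
#   mysql -N -e 'SHOW TABLES' joomladb | gen_prefix_sql jos_ k7x_ > rename.sql
#   set_dbprefix /var/www/site/configuration.php k7x_
#   printf 'k7x_users id\nk7x_content created_by\nk7x_content modified_by\n' \
#       | gen_userid_sql 62 17 > userid.sql
```

Run the user-ID statements in one transaction, users.id first, and pick the new ID before you generate them: a Super User row that no longer matches its group mapping locks you out of the back-end until the two agree again.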

ONLY A NINJA CAN KILL ANOTHER NINJA: a crash course in .htaccess Kung-Fu

Visual fingerprinting

A plain ?tp=1, ?template=foo or ?tmpl=offline appended to any page lets a visitor see the template’s module positions, switch templates, or pull up the offline page, all of which identify the site. Answer such requests with a 404:

RewriteCond %{QUERY_STRING} (^|&)tp= [NC,OR]
RewriteCond %{QUERY_STRING} (^|&)template= [NC,OR]
RewriteCond %{QUERY_STRING} (^|&)tmpl= [NC]
RewriteRule ^(.*)$ - [R=404,L]

QUERY_STRING has no leading "?" and is not URL-decoded, so the parameter has to be matched at the start of the string or after an "&"; the slide’s (&|%3F){1,1} form never matched the plain ?tp=1 case it set out to block. Caveat: Joomla! itself uses tmpl=component for print and pop-up views, so the third condition breaks those; drop it, or narrow it to tmpl=offline, if your site relies on them.

PHP has a big mouth

With expose_php on, PHP before 5.5 answers a query string of =PHPE9568F36-D428-11d2-A769-00AA001ACF42 (or one of the three sibling GUIDs) on any PHP page with its credits or logo, which confirms the PHP version. Block the easter eggs, and set expose_php = Off in php.ini where you can:

RewriteCond %{QUERY_STRING} ^=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC,OR]
RewriteCond %{QUERY_STRING} ^=PHPE9568F34-D428-11d2-A769-00AA001ACF42 [NC,OR]
RewriteCond %{QUERY_STRING} ^=PHPE9568F35-D428-11d2-A769-00AA001ACF42 [NC,OR]
RewriteCond %{QUERY_STRING} ^=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 [NC]
RewriteRule ^(.*)$ - [R=404,L]

Two fixes against the slide: the query string arrives as =PHPE…, not %3F=PHPE…, and the last RewriteCond must not carry [OR], otherwise the chain is treated as satisfied for every request and the whole site turns into a 404.

Blind the elephant before it stomps you

nicholas@teapot:~/blindelephant$ ./BlindElephant.py mysite.com joomla
Loaded /home/nicholas/projects/3rdparty/blindelephant/trunk/src/build/lib.linux-x86_64-2.6/blindelephant/dbs/joomla.pkl with 33 versions, 3696 differentiating paths, and 122 version groups.
Starting BlindElephant fingerprint for version of joomla at http://joomla.ubuntu.web

Hit http://joomla.ubuntu.web/media/system/js/validate.js
Possible versions based on result: 1.5.17, 1.5.18

Hit http://joomla.ubuntu.web/includes/js/joomla.javascript.js
Possible versions based on result: 1.5.17, 1.5.18

Hit http://joomla.ubuntu.web/media/system/js/caption.js
Possible versions based on result: 1.5.17, 1.5.18

Hit http://joomla.ubuntu.web/media/system/js/openid.js
Possible versions based on result: 1.5.17, 1.5.18

Hit http://joomla.ubuntu.web/templates/rhuk_milkyway/css/template.css
Possible versions based on result: 1.5.17, 1.5.18

Fingerprinting resulted in:
1.5.17
1.5.18

Best Guess: 1.5.18

NEWSFLASH: Hackers easily find out which Joomla! version you are using on your site

Serve static files only to requests that come from your own pages (replace www.example.com with your domain); files under images/stories stay public so they can be embedded elsewhere:

RewriteRule ^(images/stories/.*\.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|html?))$ $1 [L]
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?www\.example\.com [NC]
RewriteRule \.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|html?)$ - [R=404,L]

The first rule’s path needed a dot before the star (the slide’s stories/* matched only names like images/stories/.jpg, not the files in that directory). Two caveats: a request with no Referer header at all (a direct visit, a browser sending Referrer-Policy: no-referrer, some privacy tools and proxies) also fails the second condition and gets a 404 for every static file, so exempt an empty referer if that is not what you want; and the Referer is set by the client, so a scanner that sends one from your own domain gets the files anyway. This raises the bar for the tool above, it does not take the files away.

More .htaccess rules for further protection in my Master .htaccess: http://snipt.net/nikosdion/the-master-htaccess

Ask the geek

That’s all, folks!
