Joomla! security 101: What to do before disaster strikes
Sep 01, 2014

Page 1: Joomla! security 101

Joomla! security 101: What to do before disaster strikes

Page 2: Joomla! security 101

That’s me

I am Nicholas K. Dionysopoulos, the lead developer of Akeeba Backup and contributing author at the Joomla! Community Magazine.

Page 3: Joomla! security 101

THE BASICS… or what you are supposed to do and rarely remember to do

Page 4: Joomla! security 101

Backup, backup and backup

Page 5: Joomla! security 101

Update, yesterday

Page 6: Joomla! security 101

Multifactor back-end authentication (a second, independent login in front of administrator/)

• Password protection: HTTP authentication on the administrator/ directory, set up through your host's control panel or by hand in .htaccess
  - Best protection
  - Doesn't cost anything
  - More difficult to set up
• Secret URL parameter: the jSecure Authentication extension
  - Very easy to set up
  - Costs money
  - Doesn't protect against direct access to files under administrator/
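What the "password protection" option amounts to when done by hand, as an added example that is not from the deck: a script that puts HTTP Basic authentication on administrator/ and keeps the password file outside the web root, so that the hashes can never be served. It assumes Apache honours .htaccess for the site (AllowOverride AuthConfig) and the htpasswd tool from Apache 2.4 (-B selects bcrypt; on 2.2's htpasswd drop the -B and accept its MD5 default). All paths and the user name are placeholders.

```shell
#!/bin/sh
# Added example, not from the deck: HTTP Basic authentication in front of
# Joomla!'s administrator/ directory. Assumes Apache reads .htaccess for the
# site (AllowOverride AuthConfig). Paths below are placeholders.
# Usage: sh protect_admin.sh /var/www/example.com/htdocs /var/www/example.com/admin.htpasswd admin

# write_admin_htaccess SITEROOT PASSWDFILE
# Writes administrator/.htaccess. The password file must be an absolute path
# outside SITEROOT, otherwise Apache could be asked to serve the hashes.
write_admin_htaccess() {
    root=$1; pwfile=$2
    case $pwfile in
        /*) ;;
        *) echo "password file must be an absolute path" >&2; return 1 ;;
    esac
    case $pwfile in
        "$root"/*) echo "password file must live outside the web root" >&2; return 1 ;;
    esac
    [ -d "$root/administrator" ] || { echo "no administrator/ under $root" >&2; return 1; }
    cat > "$root/administrator/.htaccess" <<EOF
# Second login in front of the Joomla! back-end. Unlike a URL-key plugin this
# also covers direct requests to any file under administrator/.
AuthType Basic
AuthName "Restricted area"
AuthUserFile $pwfile
Require valid-user
EOF
}

# add_admin_user PASSWDFILE USER: creates or extends the password file with a
# bcrypt hash (htpasswd -B, Apache 2.4) and keeps it readable by the web
# server's group but not by other accounts on the host.
add_admin_user() {
    if [ -f "$1" ]; then
        htpasswd -B "$1" "$2"
    else
        htpasswd -Bc "$1" "$2"
    fi
    chmod 0640 "$1"
}

if [ $# -eq 3 ]; then
    write_admin_htaccess "$1" "$2" && add_admin_user "$2" "$3"
fi
```

Require valid-user is accepted by both Apache 2.2 and 2.4, so the generated file does not need a version switch. Log in once after deploying it: the browser prompt must appear before the Joomla! login form, and a direct request to any .php file under administrator/ must get the same prompt.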

Page 7: Joomla! security 101

Permissions must make sense

Site root: 0755 (0700 for suPHP)
Directories: 0755, except special cases
Files: 0644

0700 on the site root only works where the web server process itself runs as the site owner; if only PHP does, Apache can no longer traverse the root to serve static files, so test it before relying on it.

Should I 0777 anything?

• Generally an extremely bad idea!
• Better: enable Joomla!'s FTP layer.
• 0777 is only required by badly written extensions.
• If at all, only the tmp, logs, cache and administrator/cache directories.
• If you do that, make sure you install this .htaccess in each and every one of them:

order deny,allow
deny from all

That is the Apache 2.2 syntax; Apache 2.4 only accepts it with mod_access_compat loaded, its native form being "Require all denied".
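The permission scheme and the deny-all .htaccess from this slide as one script, added here as an example and not the deck's own tooling. It assumes the files belong to the account PHP runs as and that Apache reads .htaccess in the locked directories (AllowOverride Limit or All); the site path is a placeholder. The generated .htaccess carries both the Apache 2.4 and the 2.2 form so it works on either.

```shell
#!/bin/sh
# Added example, not the deck's own script: apply the permission scheme from
# the slide and lock the directories that must stay writable. Assumes the
# files belong to the account PHP runs as and that Apache reads .htaccess in
# these directories. The site path is a placeholder.
# Usage: sh fix_perms.sh /var/www/example.com/htdocs [0700]

# fix_perms SITEROOT [DIRMODE]: directories 0755 (pass 0700 for the suPHP
# case on the slide), files 0644. Nothing is left at 0777.
fix_perms() {
    root=$1; dirmode=${2:-0755}
    find "$root" -type d -exec chmod "$dirmode" {} +
    find "$root" -type f -exec chmod 0644 {} +
}

# deny_all DIR: write an .htaccess that refuses every HTTP request to DIR.
# Apache 2.4 wants "Require all denied"; the Order/Deny pair from the slide
# is the 2.2 syntax, so both are emitted behind IfModule guards.
deny_all() {
    cat > "$1/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# lock_writable_dirs SITEROOT: the four directories named on the slide.
# Anything dropped into them is never served by Apache; PHP still reads and
# writes them through the filesystem, which is all Joomla! needs.
lock_writable_dirs() {
    root=$1
    for d in tmp logs cache administrator/cache; do
        if [ -d "$root/$d" ]; then
            deny_all "$root/$d"
        fi
    done
}

if [ $# -ge 1 ]; then
    fix_perms "$1" "$2"
    lock_writable_dirs "$1"
fi
```

Run it after every extension install that asked for 0777, and check the result by requesting a file you place in tmp/ over HTTP: the answer must be 403, not the file.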

Page 8: Joomla! security 101

THE ADVANCED STUFF… which every site builder should do on every site they build

Page 9: Joomla! security 101

We are all sitting ducks: known prefix jos_ and known ID 62 make me say what the quack…?!

Page 10: Joomla! security 101

The prefix matters

jos_ is insecure: it is the Joomla! 1.5 default, so every SQL injection payload and automated exploit is written against jos_users and friends. (The 1.6 and later installers propose a random prefix; 1.5 sites and anyone who typed jos_ back in are exposed.)

Keep it short and unique.

It's never too late to change it.

Page 11: Joomla! security 101

62 reasons to fire your Super Admin

User ID 62 is insecure: the Joomla! 1.5 installer always created the first Super Administrator as user 62, so automated exploits assume it.

Use one in the 1-61 range (a fresh 1.5 install uses no IDs below 62, so nothing collides).

It's never too late to change it.
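Changing the prefix and the Super User ID touches every table, so they are best done as generated SQL you read before you run it. The script below is an added example for both of the last two slides, not the deck's or Akeeba's tooling. It assumes MySQL and a Joomla! 2.5/3.x schema (Joomla! 1.5 additionally stores the ID as text in #__core_acl_aro.value, which it does not touch), the placeholder prefix x7k_ and ID 17, and a site in maintenance mode with a fresh backup. Each function prints a query that itself prints the statements to run, so the work is two passes through mysql with a review in between.

```shell
#!/bin/sh
# Added example (not from the deck or Akeeba): generate the SQL for moving a
# Joomla! 2.5/3.x MySQL database off the jos_ prefix and the Super User off
# ID 62, and patch configuration.php to match. x7k_ and 17 are placeholders.
# Put the site offline and take a backup first.
# Usage: sh rekey.sh jos_ x7k_ 62 17 /path/to/configuration.php
#   Each printed query is run as  mysql -N -e "<query>" joomladb > step.sql,
#   step.sql is read, then applied with  mysql joomladb < step.sql

# like_escape PREFIX: '_' is a LIKE wildcard, so jos_ must become jos\_
like_escape() {
    printf '%s' "$1" | sed 's/_/\\_/g'
}

# is_int VALUE: IDs must be plain integers before they are interpolated into SQL
is_int() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
}

# prefix_rename_sql OLD NEW: query that prints one RENAME TABLE per table.
# SUBSTRING keeps only the part after the old prefix, so a table whose name
# contains the prefix twice is renamed exactly once.
prefix_rename_sql() {
    old=$1; new=$2; like=$(like_escape "$old")
    cat <<EOF
SELECT CONCAT('RENAME TABLE \`', table_name, '\` TO \`$new', SUBSTRING(table_name, ${#old} + 1), '\`;')
FROM information_schema.tables
WHERE table_schema = DATABASE() AND table_name LIKE '$like%';
EOF
}

# user_id_sql PREFIX OLDID NEWID: query that prints the UPDATE for #__users
# plus one UPDATE for every column that references a user ID. Review the
# output: a column holding a username rather than an ID (for example
# #__user_keys.user_id in 3.x) must be dropped from the list before running it.
user_id_sql() {
    prefix=$1; old=$2; new=$3; like=$(like_escape "$prefix")
    is_int "$old" && is_int "$new" || { echo "user IDs must be integers" >&2; return 1; }
    cat <<EOF
SELECT 'UPDATE \`${prefix}users\` SET id = $new WHERE id = $old;'
UNION ALL
SELECT CONCAT('UPDATE \`', table_name, '\` SET \`', column_name, '\` = $new WHERE \`', column_name, '\` = $old;')
FROM information_schema.columns
WHERE table_schema = DATABASE() AND table_name LIKE '$like%'
  AND table_name <> '${prefix}users'
  AND column_name IN ('user_id', 'created_by', 'modified_by', 'checked_out',
                      'created_user_id', 'modified_user_id');
EOF
}

# update_config_prefix FILE OLD NEW: rewrite  public $dbprefix = 'OLD';  in
# configuration.php through a temp file, so it works where sed -i differs.
update_config_prefix() {
    file=$1; old=$2; new=$3
    sed "s/[\$]dbprefix = '$old';/\$dbprefix = '$new';/" "$file" > "$file.tmp" &&
        mv "$file.tmp" "$file" &&
        grep -q "[\$]dbprefix = '$new';" "$file"
}

if [ $# -eq 5 ]; then
    echo "-- 1. rename the tables"
    prefix_rename_sql "$1" "$2"
    echo "-- 2. move the Super User (run after step 1, hence the new prefix)"
    user_id_sql "$2" "$3" "$4"
    update_config_prefix "$5" "$1" "$2" && echo "-- configuration.php now uses $2"
fi
```

Pick the new ID with SELECT id FROM jos_users first so it is free, and log in again immediately after step 2: a Super User whose ID changed under a live session is logged out, which is the expected sign that #__user_usergroup_map was updated along with #__users.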

Page 12: Joomla! security 101

ONLY A NINJA CAN KILL ANOTHER NINJA: Crash course in .htaccess Kung-Fu

Page 13: Joomla! security 101

Visual fingerprinting

Out of the box, three query strings give a Joomla! site away: ?tp=1 (module position overlay), ?template=foo (template switch) and ?tmpl=offline (offline page). Answer them with a 404:

RewriteCond %{QUERY_STRING} (^|&)tp= [NC,OR]
RewriteCond %{QUERY_STRING} (^|&)template= [NC,OR]
RewriteCond %{QUERY_STRING} (^|&)tmpl= [NC]
RewriteRule ^(.*)$ - [R=404,L]

Anchor the parameter name with (^|&): QUERY_STRING carries no leading ?, so a pattern that only looks for & or an encoded ? in front of the name lets the plain ?tp=1 case through. Two caveats: Joomla! itself uses tmpl=component for its print and modal views, so narrow the third condition to (^|&)tmpl=offline if your site needs them; and Joomla! 2.5 and later only honour ?tp=1 when "Preview Module Positions" is enabled in the template manager, though the rule costs nothing.

Page 14: Joomla! security 101

PHP has a big mouth

Appending one of the four PHP easter-egg GUIDs to any PHP script returns PHP's logos or its credits page; the images changed between releases, so they narrow down the PHP version for an attacker. Block them:

RewriteCond %{QUERY_STRING} ^=PHPE9568F36-D428-11d2-A769-00AA001ACF42 [NC,OR]
RewriteCond %{QUERY_STRING} ^=PHPE9568F34-D428-11d2-A769-00AA001ACF42 [NC,OR]
RewriteCond %{QUERY_STRING} ^=PHPE9568F35-D428-11d2-A769-00AA001ACF42 [NC,OR]
RewriteCond %{QUERY_STRING} ^=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 [NC]
RewriteRule ^(.*)$ - [R=404,L]

The pattern anchors at ^= because the query string of ?=PHPE… begins with the = sign, and the last condition must not carry [OR]. The same leak is closed server-wide with expose_php = Off in php.ini, and the easter eggs were removed in PHP 5.5.

Page 15: Joomla! security 101

Blind the elephant before it stomps you

nicholas@teapot:~/blindelephant$ ./BlindElephant.py mysite.com joomla
Loaded /home/nicholas/projects/3rdparty/blindelephant/trunk/src/build/lib.linux-x86_64-2.6/blindelephant/dbs/joomla.pkl with 33 versions, 3696 differentiating paths, and 122 version groups.
Starting BlindElephant fingerprint for version of joomla at http://joomla.ubuntu.web

Hit http://joomla.ubuntu.web/media/system/js/validate.js
Possible versions based on result: 1.5.17, 1.5.18

Hit http://joomla.ubuntu.web/includes/js/joomla.javascript.js
Possible versions based on result: 1.5.17, 1.5.18

Hit http://joomla.ubuntu.web/media/system/js/caption.js
Possible versions based on result: 1.5.17, 1.5.18

Hit http://joomla.ubuntu.web/media/system/js/openid.js
Possible versions based on result: 1.5.17, 1.5.18

Hit http://joomla.ubuntu.web/templates/rhuk_milkyway/css/template.css
Possible versions based on result: 1.5.17, 1.5.18

Fingerprinting resulted in:
1.5.17
1.5.18

Best Guess: 1.5.18

NEWSFLASH: Hackers easily find out which Joomla! version you are using on your site. BlindElephant only needs the static JavaScript and CSS files that ship with each release, so refuse to serve them unless the request comes from one of your own pages:

RewriteRule ^images/stories/.*\.(jpe?g|jp2|png|gif|bmp|css|js|swf|html?)$ - [L]
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?example\.com(/|:|$) [NC]
RewriteRule \.(jpe?g|jp2|png|gif|bmp|css|js|swf|html?)$ - [R=404,L]

The first rule exempts images/stories, the content images that may legitimately be hotlinked (for example from feeds). The Referer pattern must match every hostname your site answers to: example\.com covers www.example.com as well, whereas a pattern that insists on www. blocks your own assets whenever the site is reached without it. Two caveats: an empty Referer also gets the 404, so visitors whose browser or proxy strips Referer lose your CSS and scripts; and the check only stops tools that send no or a foreign Referer, so a scanner that sets Referer to your own URL is not slowed down at all.

More .htaccess rules for further protection in my Master .htaccess: http://snipt.net/nikosdion/the-master-htaccess
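A way to check that the rules from the last three slides are actually active on a deployed site, as an added example that is not part of the deck. It assumes curl, a site reachable at the base URL you pass, and that /media/system/js/caption.js exists (it does in the Joomla! releases BlindElephant probed above; substitute any static file of your own otherwise). The probes are the three template switches and the four PHP easter-egg query strings from the slides, plus the static asset fetched without a Referer and with your own.

```shell
#!/bin/sh
# Added example, not from the deck: probe a site for the fingerprinting
# vectors the .htaccess rules are meant to close. Assumes curl is installed
# and the site is reachable at the base URL given on the command line.
# Usage: sh audit_fingerprint.sh https://www.example.com

# http_status URL [REFERER]: print only the response code of a GET.
http_status() {
    if [ -n "${2:-}" ]; then
        curl -s -o /dev/null -w '%{http_code}' -e "$2" "$1"
    else
        curl -s -o /dev/null -w '%{http_code}' "$1"
    fi
}

# Query strings that must answer 404 once the rules are in place: the
# template switches from the visual-fingerprinting slide and the four PHP
# easter-egg GUIDs. Constructed list, one probe per line.
PROBES='/?tp=1
/?template=foo
/index.php?tmpl=offline
/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42
/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000'

# A static file a Joomla! install ships (assumption: adjust to your site).
ASSET=/media/system/js/caption.js

# audit_site BASEURL: one line per check; returns the number of failed
# checks, so 0 means every vector is closed.
audit_site() {
    base=${1%/}; fails=0
    set -f                       # the '?' in the probes must not glob
    for p in $PROBES; do
        code=$(http_status "$base$p")
        if [ "$code" = 404 ]; then
            echo "ok    $p -> $code"
        else
            echo "FAIL  $p -> $code (expected 404)"
            fails=$((fails + 1))
        fi
    done
    set +f
    # Referer gate: refused without a Referer, served with our own.
    anon=$(http_status "$base$ASSET")
    own=$(http_status "$base$ASSET" "$base/")
    if [ "$anon" = 404 ] && [ "$own" = 200 ]; then
        echo "ok    $ASSET -> $anon without Referer, $own with own Referer"
    else
        echo "FAIL  $ASSET -> $anon without Referer, $own with own Referer (expected 404 / 200)"
        fails=$((fails + 1))
    fi
    return $fails
}

if [ $# -eq 1 ]; then
    audit_site "$1"
fi
```

Run it before and after deploying the rules; the exit status makes it usable from a cron job or a deployment pipeline. A FAIL on the asset line with 200 for both requests usually means .htaccess is not being read at all (AllowOverride), which would also leave every other rule on these slides inactive.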

Page 16: Joomla! security 101

Ask the geek

Page 17: Joomla! security 101

That’s all, folks!