1 / 11

Avoid Getting Hacked

Avoid Getting Hacked. Joomla! Web Security Northern Virginia Joomla Users Group January 2012 Dorothy Firsching, Ursa Major Consulting, LLC dfirsching@ursamajorconsulting.com. Agenda. Discuss Security Considerations and Approaches Identify Resources and References

ambrose
Télécharger la présentation

Avoid Getting Hacked

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Avoid Getting Hacked Joomla! Web Security Northern Virginia Joomla Users Group January 2012 Dorothy Firsching, Ursa Major Consulting, LLC dfirsching@ursamajorconsulting.com www.ursamajorconsulting.com

  2. Agenda • Discuss Security Considerations and Approaches • Identify Resources and References • Additional Programs / Presenters? www.ursamajorconsulting.com

  3. Joomla! Web Security Discussion • PHP-based / database driven sites are vulnerable • SQL Injections -- Commands where data input is expected • Validate Inputs and Enforce size • Current version of PHP with appropriate settings • Secure coding practices -- http://joomladaymidwest.org/news/slides-and-video/2011/slides-jeff-channell-secure-php-coding-practices.html www.ursamajorconsulting.com

  4. Pick a Good Host • Shared Host Vulnerabilities • http://docs.joomla.org/Security_Checklist_2_-_Hosting_and_Server_Setup • Choose a good hosting provider • – experienced in Joomla; responsiveness; forums / helps • Appropriate permissions • Directories = 755 • Files = 644 • .htaccess, configuration.php = 644 • Webserver is set up to use user account as owner of PHP-created files www.ursamajorconsulting.com

  5. Upgrade Regularly • Upgrade to Latest Version of Joomla • Akeeba Admin Tools • Use Safe Extensions • Upgrade Extensions • Check the vulnerability list -- http://docs.joomla.org/Vulnerable_Extensions_List • Subscribe to updates • Keep a spreadsheet of your sites • And the versions they use www.ursamajorconsulting.com

  6. Joomla Setup • Password protect folders in control panel • Use a site-specific database username and password • Change jos_ table prefix • Hide Admin login • jSecure Authentication Plugin • add a suffix to your back-end URL to make it look like this: http://www.mysite.com/administrator?199abbetc www.ursamajorconsulting.com

  7. Access Control • http://docs.joomla.org/Security_Checklist_4_-_Joomla_Setup • Strong Passwords • Change Admin Username and Number • Default ID for admin user in Joomla is 62, and this may be used by a hacker • Create a new super-administrator with another user name and a strong password • Log out and in again as this new user • Change original admin user to a manager and save (you are not allowed to delete a super-administrator). • Delete original admin user (user ID 62) and rename from the default Admin to a new one. www.ursamajorconsulting.com

  8. Backups / Upgrades • Akeeba Backup • Multi-backup scheme • Test restoration / upgrades • Test site is helpful • Hosting provider backups • Hosting provider virus scans or site backup using local download / scan • http://docs.joomla.org/Security_Checklist_6_-_Site_Recovery www.ursamajorconsulting.com

  9. Vulnerabilties • Old Joomla! versions • Community Builder before 1.7.1 • JCE before 2.0.19 • Unchecked user input (SQL injection, buffer overflows) • eXtplorer left on site • http://docs.joomla.org/Vulnerable_Extensions_List www.ursamajorconsulting.com

  10. Check What’s Happening • Logs / AWSTATS / other packages • Google Analytics • File Modification Dates / Contents www.ursamajorconsulting.com

  11. Resources • http://docs.joomla.org/Category:Security_Checklist • http://joomladaymidwest.org/news/slides-and-video/2011/slides-jeff-channell-secure-php-coding-practices.html • Securing PHP Web Applications, Tricia Ballard and William Ballard, 2009 • Joomla! Web Security, Tom Canavan, Packt Publishing, 2008; out-of-date but still useful. www.ursamajorconsulting.com

More Related