Joomla! Day Poland 2012 - Active Security for Joomla! sites
3 likes•1,283 views
This document provides an overview of active security measures for Joomla sites. It discusses establishing strong foundations by ensuring servers have updated software and proper permissions and ownership of files. It also recommends installing security rules and scripts. For site setup, it advises keeping Joomla and extensions updated and carefully considering installed extensions. It also stresses the importance of password length and complexity. Additional steps include using .htaccess rules to lock down sites, installing armor, performing backups, monitoring file changes and logs, and having a plan for if a site becomes hacked. It concludes by providing resources and discount information.
Joomla! Day Poland 2012 - Active Security for Joomla! sites
- 1. Active security for Joomla! sites version 5.2
- 2. Mission: Impossible Talking in-depth about Joomla! security in 30 minutes or less... but I’ll try!
- 3. Put your pens away Sit back and enjoy
- 4. A site is like a building • Strong foundations • Careful construction • Active maintenance
- 5. Step 1: Strong foundations Your server setup - Geeky stuff ahead!
- 6. Updated server software PHP, MySQL, Apache, FTP Server...
- 7. mod_security for Apache Your server’s security guard
- 8. You need some rules Atomic (GotRoot) Rules: http://www.atomicorp.com/wiki/index.php/ Atomic_ModSecurity_Rules OWASP Rules: https://www.owasp.org/index.php/ Category:OWASP_ModSecurity_Core_Rule_Set_Projec t
- 9. Permissions & ownership Who can do what and where
- 10. Sane ownership & permissions All files and folders owned by the FTP user Folders: 0755 permissions Files: 0644 permissions Use Joomla!’s FTP mode on shared hosts Better yet, use suPHP or FastCGI
- 11. Too much to remember? Akeeba Backup User’s Guide, Security Information https://www.akeebabackup.com/documentation/ akeeba-backup-documentation/security-info.html 777: The number of the beast http://www.dionysopoulos.me/blog/777-the-number- of-the-beast
- 12. Make it all happen The magic script
- 13. https://github.com/betweenbrain/ubuntu-web- server-build-script written by Matt Thomas (@betweenbrain)
- 14. Step 2: Careful construction Your site setup
- 15. Update, yesterday Joomla! & extensions
- 16. Think before installing Don’t be the mouse in the trap!
- 17. Length matters
- 18. Your Password’s length matters
- 19. A terrifying thought Password hacking super-computer: 2,700 USD (2 years ago; much cheaper now)
- 20. How safe is your password? Password Bits Iterations Time to crack 15082005 13.6 12416 0.00038 msec admin 15.9 61147 0.00185 msec ortrtaortftaaidbt 67.7 2.39E+20 228.95 years 0rtrTA0rtfTa&idbT 88.2 3.55E+26 340 million years horse correct battery stapler 107.2 1.86E+32 178179 billion years
- 21. Lock it down Nothing on my site runs unless I say so
- 22. .htaccess Rules My Master .htaccess - FREE http://akeeba.assembla.com/code/master-htaccess/ git/nodes/htaccess.txt Admin Tools Professional - 20€ https://www.akeebabackup.com/products/46- software/855-admintools.html
- 23. Armor up Protect your site
- 24. Step 3: Active maintenance Staying on top of it all
- 25. Backups Frequent, automated, off-site backups
- 26. Monitor file changes A changed file is usually a bad thing
- 27. Monitor it Keep an eye on the logs
- 28. In spite of it all…
- 29. Dammit! You got hacked, now what?
- 30. DON’T PANIC
- 31. We’ve got instructions Unhacking your site https://www.akeebabackup.com/documentation/ walkthroughs/item/1124-unhacking-your-site.html You do have backups, right? Make sure you read the instructions before getting hacked.
- 32. Questions?
- 33. LE SS ME ! HA UG S PL 20% discount on all subscriptions Use coupon code JD12PL on https://www.AkeebaBackup.com/subscribe
- 34. “Quick! Snatch this presentation before I do!” http://akeeba.info/asjd12pl
- 35. Thank you for listening! Image credits: sxc.hu; istockphoto.com
Editor's Notes
- #2: Scratches the surface\nImperative everyone follows this advice\n\nNext: Me\n
- #3: \n
- #4: \n
- #5: Make it harder, not impossible\n
- #6: \n
- #7: \n
- #8: \n
- #9: \n
- #10: \n
- #11: \n
- #12: \n
- #13: \n
- #14: \n
- #15: \n
- #16: \n
- #17: \n
- #18: \n
- #19: \n
- #20: Whitepixel + cheap hardware\nCosts $2,800\nBreaks 33.1 billion passwords / second\nNext: sample pw\n
- #21: All about entropy.\nWords stronger than random garbage\nThere’s a catch. All words = 1 day. Add numbers/padding to increase entropy.\nNext: 777\n
- #22: \n
- #23: \n
- #24: \n
- #25: \n
- #26: \n
- #27: \n
- #28: \n
- #29: \n
- #30: \n
- #31: \n
- #32: \n
- #33: Ask your questions!\n\nNext: QR-Code\n
- #34: \n
- #35: Ask your questions!\n\nNext: QR-Code\n
- #36: Thank you for listening\n\nTHE END\n