Todo list for securing Your Joomla/Mambo installation against hackers

Requirements: having a valid login and password to your plesk account

How: http://yoursite.com:8443/

Go to main page, If your hosting company allow you to create many subdomains, click on the right one, here on www.waltercedric.com

On Plesk main page, click on domain, here waltercedric.com	on the next page, on Setup
Then enter New FTP password, and save

Requirements: having a valid login and password to your Joomla administrator account

How:

Go to Your administrator panel For ex http://yourhost/administrator/	click on your login name, here on admin
Enter a new password

Requirements: having a valid login and password to your Plesk administrator panel

Go to: http://yoursite.com:8443/ which is the default URL for Plesk, attention it may vary depending on your hosting company

On the main page, click on edit	And enter new password

How
Use the plesk administration panel

On Plesk main page, click on domain, here waltercedric.com	on the next page, click on Databases
Then on your Joomla database (here for me mos)	then click on the right user: here mosuser, Note that I have a special user for backup purpose with only select rights! and change password
Open the file /configuration.php and change the key mosConfig_password

a mySQL user may have following privileges:

This user, for example joomlaUser should ONLY have insert (new comment, guestbook) and delete and update rights on Joomla/Mambo database

SHOW GRANTS FOR ‘mosdev’@’%’;
GRANT ALTER,CREATE,CREATE TEMPORARY TABLES,CREATE VIEW,DROP,EXECUTE,LOCK TABLES,PROCESS,SHOW DATABASES,SHOW VIEW ON *.* TO ‘mosdev’@’%’ WITH GRANT OPTION;
FLUSH PRIVILEGES;

Do not allow drop or create table, normal operation of Joomla do not require it! Of course as soon as You want to install a new component, You will have to temporarly allow joomlaUser to create new table (if the component require it)

Heritage of UNIX, file rights are organized in 3 groups, user, group, all. Each group may be able to read (r) write (w) or execute (x) file individually. the combinaison rwx is read in octal rwx = 7 for each group, so 777 is the worse settings: anybody may be able to delete or change your file on server…

This is how look my file structure

How use an FTP tool like CuteFTP, on selected resources, use right click menu , and check the bit:

Example in cuteFTP, note the command is not recursive!

Side effects

• You wont be able to use the upload function of HTMLArea: impossible to upload images or file using the administrator articles editor.
• Each time You wan to publish a new articles with pictures inside, You’ll have to copy them with FTP before editing in order to be able to insert them into the text.
• In order to write a file into the directoy C in the path A/B/C, You will have to set temporary directory A and B and C to rwxr-xr-x rights (CHMOD 755)!

Requirements: Your provider must support .HTACCESS per directory

How:

Read my tutorial HERE

Side effects

• Some component or code trying to read file form the admin area (if protected by a htaccess file), may bring a popup login windows to your users, but it is possible to find these problems and solve them quickly. My plugin securityimages in its first version was also having this error (coding)

For added security, you can force users to access your pages using an SSL (Secure Socket Layer) connection. This means transmitted data is encrypted, so passwords and webpages cannot be read in cleartext over the internet.

Ideally only the administration part (all URL beginning with http://yousite/administrator/), or your whole site.

Why: if your site run in http mode, all password and fields submitted to the server are send in cleartext (can be read). an attacker may be able to intercept or fake user by rerouting the http request. In https mode, data are travelling encrypted on the network and a session key avoid replaying attacks. Moreover it is not realistic to have a commercial business on internet without running https

Requirements: Your provider/hosting company should allow it

How

Side effects

• If You install a new site, no problem
• If You have an existing homepage and are heaviliy indexed by Google and Co and/or many users have Bookmark You, Users will be disturbed to say the least, and Google may think You are using some spammer techniques (moving and creating/dissimulating new content)

if a SEO/SEF component is installed, You may be able to look at unusual or incorrect url. This typically can reveal some SQL or parameter injection in existing code.

SEO will in fact reject some URL and redirect user to your home root index.php, instead of displaying an error message or revealing informations about file structure, which is a positive side-effect

ex:

…/banner.php?id=120&client="select 1 from dual" someone is trying to test SQL injection in the component Banner

Search in log file about unusual behaviour, is someone accessing too often (in a small interval) to /index2.php (admin part of your site) -> this may be a brute force attack!

Requirements: have a plesk access

How:

On Plesk main page, click on domain, here waltercedric.com	on the next page, on Log Manager
	The server access log records all requests processed by the server. Access log for http:// and access ssl log for https:// The server error log, whose name and location is set by the error log directive, is the most important log file. This is the place where Apache httpd will send diagnostic information and record any errors that it encounters in processing requests. It is the first place to look when a problem occurs with starting the server or with the operation of the server, since it will often contain details of what went wrong and how to fix it. The xferlog file contains logging information from the FTP server daemon, ftpd

Joke: "Real men don’t do backup but they often cry"

mySQL :
4 ways to automate MAMBO database backup..

Ftp
use any FTP tool to sync or Plesk backup function

Always use the latest version of Joomla: www.joomla.org Or the latest version of Mambo: www.mamboserver.com

As soon as a new version of Joomla/mambo is available, install it in the same day!

• Hacker will look at the patch and search for unpatched server! It has never been so easy to search for running version of a certain CMS version, thanks to search engine. For giving You an example, a hacker may search in Google (but any search engine will work) all site running Joomla/Mambo with allinurl: administrator/index2.php so install patches very fast!
• Make a backup (just in case), and install the new patch, you can also install the patch on your local running instance of Joomla

All actions below require some knowledge or time…

just in case, someone get Your password or part of it. Ideally You must change your password before a brute force can find it. Or as soon as logs reveal a possible attack just in case the hacker has not start doing something bad with Your account..

With decreasing frequency:

• Joomla Admin password
• mySQL user password
• Plesk admin password
• FTP user password

Definition:
M$ has a good article here (idea is not coming from them, but they are trying to evangelize a lot of developers with good articles)

So bugs/security issues can not exist in a code if the code do not exist on the server…. 🙂

Quite easy to understand but really difficult to achieve, here is a way to do it….

1. Define Your requirement, list all components/modules/mambots that you need to run.
2. Unpublish all components/modules/mambots
3. Test Your site,
4. If everything run correctly, remove one components/modules/mambots at a time, and test Your site
5. Take care when installing next CMS patch, that you do not copy uneeded files on your server. It may be surprising, but even if the component is not published but it’s code is physically present on server dissk, it may cause a security vulnerabilities.

You know have a customized version of Joomla/Mambo with a lot less code running and possibly a lot less unknow vulnerabilities! It will be a pain to maintain.

You may want to install of write a tool which parse automatically Apache, Tomcat, PHP, mySQL logs to monitor

Just to give you an overview of some crazy things that can be done….

• I’ve read some times ago, a person which have customized a linux version. In order to be sure that if someone ever get an access to the disk, it won’t be able to execute any command, he rename all files and commands on disk…This is also possible for Joomla. Write a JAVA/C#/other parser which rename all files/directories and changes all include, include_once, require, require_once with UUID. It is possible but surely (a pain to) maintain.
• If you have a full webserver for You, You can create a special user which will start PHP and Apache and not be able to write or erase file.
• The last crazy thing I can imagine (but with time I can be more creative 😉 ) would be to create release of  my homepage, burn it on a DVD (Read only) and publish it on the webserver.

Of course this latest example do not allow You to use the CMS normally, You have a bloody Read only site, but nobody will be able to tamper data…

• NEVER use any words that can be found in a dictionnary! common brute force program can try million of passwords in seconds
• Do not use your name, birthday, or part of your domain name
• A good password is at least 10 or more character long! (brute forcing entropy get too high after 7 characters)
• Use all character of keyboard! @#_! and use different case and number

Ex: dR2_z57zzU!s#P is not a bad password

• Beyond Compare from www.scootersoftware.com To deal with the huge amount of PHP files contained in Joomla/Mambo, and install more easily patches or synchronize folders, I strongly recommend You to try or buy a Beyond Compare Licence. This tool is able to compare directories, preview changes, and even compare a locale directory with a remote FTP server.

# Do not allow any user to access this file – to copy in all .htaccess
<Files .htaccess>
order allow,deny
deny from all
</Files>

#/administrator/.htaccess
RewriteEngine on
RewriteRule ^/$ /administrator/index.php
RewriteCond %{SERVER_PORT} !443$
RewriteRule ^(.*) https://www.waltercedric.com/administrator/$1 [R=301,L]