Todo list for securing Your Joomla/Mambo installation against hackers
A lot of Mambo/Joomla site has been hacked last week, since I’ve already help someone hardening an installation (mambo 22.214.171.124), I’ve decide to write a tutorial for the benefit of the open source community…
Some steps are common sense while others are not.
- Do not think that doing all steps below will protect You! nothing is secure in the computer world! or not very long…
- Do not think that after doing all steps below, #Joomla will be as user friendly for You as before! we are restricting rights, changing some behaviours of the webserver, it will be more difficult to publish content, on the other side, articles and content will be safer.
- Security come always with a pain!.
Consider this page as a work in progress, feedback is as usual welcomed. Click read more for the article
|Choose a (better) FTP password for accessing your Homepage which is not trivial! using rules in annexe A|
Requirements: having a valid login and password to your plesk account
Go to main page, If your hosting company allow you to create many subdomains, click on the right one, here on www.waltercedric.com
|Choose a DIFFERENT Joomla/Mambo administration password using rules in annexe A|
Requirements: having a valid login and password to your Joomla administrator account
|Choose a DIFFERENT Plesk password for the administration of Your site using rules in annexe A|
Requirements: having a valid login and password to your Plesk administrator panel
Go to: http://yoursite.com:8443/ which is the default URL for Plesk, attention it may vary depending on your hosting company
|Choose a DIFFERENT mySQL password for the Joomla/Mambo table using the rules in annexe A|
|Adapt user rights of the mySQL Joomla user|
a mySQL user may have following privileges:
This user, for example joomlaUser should ONLY have insert (new comment, guestbook) and delete and update rights on Joomla/Mambo database
SHOW GRANTS FOR ‘mosdev’@’%’;
Do not allow drop or create table, normal operation of Joomla do not require it! Of course as soon as You want to install a new component, You will have to temporarly allow joomlaUser to create new table (if the component require it)
|Adapt files right on your server|
Heritage of UNIX, file rights are organized in 3 groups, user, group, all. Each group may be able to read (r) write (w) or execute (x) file individually. the combinaison rwx is read in octal rwx = 7 for each group, so 777 is the worse settings: anybody may be able to delete or change your file on server…
This is how look my file structure
|Protect some part of Joomla using additionnal password like .htaccess|
Requirements: Your provider must support .HTACCESS per directory
Read my tutorial HERE
|Run a part or your site in HTTPS mode|
For added security, you can force users to access your pages using an SSL (Secure Socket Layer) connection. This means transmitted data is encrypted, so passwords and webpages cannot be read in cleartext over the internet.
Ideally only the administration part (all URL beginning with http://yousite/administrator/), or your whole site.
Why: if your site run in http mode, all password and fields submitted to the server are send in cleartext (can be read). an attacker may be able to intercept or fake user by rerouting the http request. In https mode, data are travelling encrypted on the network and a session key avoid replaying attacks. Moreover it is not realistic to have a commercial business on internet without running https
Requirements: Your provider/hosting company should allow it
|Review OpenSEF/SEF 404 logs |
if a SEO/SEF component is installed, You may be able to look at unusual or incorrect url. This typically can reveal some SQL or parameter injection in existing code.
SEO will in fact reject some URL and redirect user to your home root index.php, instead of displaying an error message or revealing informations about file structure, which is a positive side-effect
…/banner.php?id=120&client="select 1 from dual" someone is trying to test SQL injection in the component Banner
|Review access logs |
Search in log file about unusual behaviour, is someone accessing too often (in a small interval) to /index2.php (admin part of your site) -> this may be a brute force attack!
Requirements: have a plesk access
Joke: "Real men don’t do backup but they often cry"
|Keep Your Joomla/mambo installation up to date.|
As soon as a new version of Joomla/mambo is available, install it in the same day!
|For paranoid or How to push security even higher|
All actions below require some knowledge or time…
|Change regurly ALL password above!|
just in case, someone get Your password or part of it. Ideally You must change your password before a brute force can find it. Or as soon as logs reveal a possible attack just in case the hacker has not start doing something bad with Your account..
With decreasing frequency:
|Attack surface reduction (ASR)Definition:|
M$ has a good article here (idea is not coming from them, but they are trying to evangelize a lot of developers with good articles)
So bugs/security issues can not exist in a code if the code do not exist on the server…. 🙂
Quite easy to understand but really difficult to achieve, here is a way to do it….
You know have a customized version of Joomla/Mambo with a lot less code running and possibly a lot less unknow vulnerabilities! It will be a pain to maintain.
|Log are always telling the truth! (sometimes)|
You may want to install of write a tool which parse automatically Apache, Tomcat, PHP, mySQL logs to monitor
|Just for FUN….|
Just to give you an overview of some crazy things that can be done….
Of course this latest example do not allow You to use the CMS normally, You have a bloody Read only site, but nobody will be able to tamper data…
Normally Your provider is already doing a lot under the scene, and may have done some stuff for You. It can be useful to contact him for asking what it is already monitoring or doing from preventing Your site from being hacked.
Congratulations, You have now a lot more secure Joomla/Mambo secure homepage!
Comments are as usual welcomed, use the contact section of this site!
|A. Choosing a good password|
Ex: dR2_z57zzU!s#P is not a bad password
|B How to store all passwords||Create a Text file, and crypt it with www.truecrypt.com or www.pgp.com (pgpdisk)|
|C Class of attacks||I’ve write a small article, listing all web vulnerabilities (HTML partiel) and (PDF complete)|
|D Some tools|
|E https rewriting for admin panel||create a file .htaccess and copy it in /administrator, if a file already exist (it should!), add lines which ae missing in it|
# Do not allow any user to access this file – to copy in all .htaccess