Joomla Security Primer
I wish security was measured on a scale of 1 to 10. But it’s not a scale; instead, most security experts consider it a total philosophy and a set of tools and actions. This does not mean it cannot be measured, and singling Joomla out is foolish. But looking at Joomla as part of your total site security makeup is the right answer. It’s a good idea to measure security holistically, because if any part of your security is weak, it weakens your entire infrastructure.
How to secure your Joomla site – First, Joomla is only as secure as the server platform it is on, the extensions installed on it, and the safeguards that are put in place. In fact, when a Joomla site is hacked, in most cases it could be any number of things. It’s not typically Joomla’s fault. Many times it’s the webmaster’s or administrator’s fault for failing in some basic areas. To be fair to the administrator, security is an entire practice in itself, and in this article I will explain some basic concepts for securing Joomla and non-Joomla sites to help you understand how to secure your site.
File And Folder Permissions:
In most situations, a new Joomla user will install the software and occasionally run into trouble when file and folder permissions need to be modified manually. They set permissions to 777 (r/w/x) for everyone, and this is a BIG NO NO, AND A BIG RED FLAG. An improperly configured server and/or extension(s) are the culprit here. Don’t use a host that makes you set up your site this way, and avoid extensions that will ONLY run with 777. While there are exceptions to this statement, overall it holds true.
NOTE: Always set the permission of folders to 755 and files to 644
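One way to check a site against the 755/644 rule, as an added example that is not part of the original article. The function names and the demo tree are assumptions made for illustration; point the functions at your own Joomla directory.

```shell
#!/bin/sh
# Added example: audit a web root against 755 (folders) / 644 (files).

# Print every entry whose mode differs from the recommended one.
audit_perms() {
    root=$1
    # Folders that are not exactly 755
    find "$root" -type d ! -perm 755 -exec printf 'DIR  %s\n' {} \;
    # Files that are not exactly 644
    find "$root" -type f ! -perm 644 -exec printf 'FILE %s\n' {} \;
}

# Count entries writable by everyone (the 777-style mistake).
count_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 | wc -l | tr -d ' '
}

# Reset to the recommended modes. Run as the account that owns the files.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed demo tree so the functions can be tried offline.
# Prints the path of the demo site.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/site/images" "$d/site/cache"
    echo '<?php' > "$d/site/configuration.php"
    echo 'x' > "$d/site/images/logo.png"
    chmod 755 "$d/site" "$d/site/images"
    chmod 777 "$d/site/cache"               # world-writable folder
    chmod 666 "$d/site/configuration.php"   # world-writable file
    chmod 644 "$d/site/images/logo.png"
    echo "$d/site"
}

# Usage: sh audit.sh /path/to/joomla
if [ $# -gt 0 ]; then audit_perms "$1"; fi
```

Run audit_perms first and read the list before calling fix_perms, since a folder that was opened up on purpose usually points at the server or extension problem described above.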
This is usually a hosting-related problem, or a hacker has been here. But sometimes ownership of files (as seen from the operating system’s point of view) can cause weird problems, or in some cases expose the system. Sometimes in shared hosting, you will see this problem. The net is, if a bad guy gets in from this level, one, you’re hosed… two, it wasn’t Joomla.
NOTE: Get a new host if they have trouble with basic server configuration. (I recommend our hosting – http://hosting.SaloneTech.com )
This one does show up frequently in the Joomla space, but also in every other web property. It’s one of the most prevalent attacks on the Internet. This is a direct result of the code, typically an extension, not checking its inputs for trouble. For coders, it’s known as “Not sanitizing your inputs”. That’s a very simple explanation, but suffice to say, it happens a lot. Typically, the core Joomla code is scoured and tested with a commercial tool to check for XSS and SQL injections before it’s released and does not suffer from these. Yet, when an extension has one, it’s Joomla! that gets the rap.
NOTE: Check the extensions by Googling for extension name and vulnerabilities. And check Joomla.org for up to date information.
Alright, guess what – P@ssw0rd does not make a good password. Neither do any of the words on DefaultPassword.com’s list. The bad guys have terrific tools, called Brute Force Tools and password crackers. They contain dictionaries of common passwords, combinations, and so forth. Using your dog’s name, such as Lassie1 is not acceptable.
NOTE: Craft a password that is VERY hard by creating it using numbers, letters, and symbols, in upper and lower case. And change them every 30, 60, or 90 days.
One HUGE industry problem is patching. This is partly due to the lack of a good plan to patch, and partly due to the volume of patches that are released. Patching is where older code is updated with new or fixed code. Many times an upgrade will be just fine. However, it’s up to you to read the “changelog” file to see what the developer changed. If you see it contains a security fix, apply, test and release it. One area that often gets missed is your server. There are several easy methods to determine your current patch levels. It’s solely your responsibility to keep up with the site, but the host has the responsibility to patch the servers. You would be surprised how often hosts do not keep servers patched.
NOTE: Stay with a reputable host that offers 24×7 technical support and that will address issues you find wrong.
Basic Protection Layers Of Joomla:
The basic protections that are built into Joomla are fairly good, as long as the server they are on is PROPERLY configured. Joomla uses the following means to keep itself secure:
- Permissions are set to 755 for folders, 644 for files.
- Apache has been configured to not allow browsing/indexing, etc.
- Passwords are MD5 Encrypted + SALTED.
- Database access is password protected at the MySQL level.
The basic authentication of Joomla is pretty good: it’s easy to use, and the passwords are fairly hard to crack – in fact, cracking them is not very likely given the SALT. However, for an added level of protection, you may wish to look at a stronger authentication/encryption system. There are a few that exist, but they are beyond the scope of this article.
The database itself is typically MySQL, so Joomla simply relies on the underlying security of the database. While typically the database itself is not encrypted, the proper security around the db/web server should prevent access. Providing a strong password is many times sufficient – however – remember – a single SQL injection could result in the loss of your data. What I like about MySQL is the various levels of inherent protection it offers. Typically it’s configured properly straight out of the box and not too much needs to be done. Again, the area of concern is the server it is on.
NOTE: Make sure your Database port isn’t open to the world – a good tool for this is NMAP.
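A server-side check that complements the outside scan, as an added example that is not part of the original article: it reads a my.cnf-style file and reports which interfaces mysqld will listen on. It assumes the settings live in the [mysqld] section of a single file; the function names and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how mysqld is exposed according to a my.cnf-style file.
# Assumes one file with a [mysqld] section (no !include handling).
# With neither bind-address nor skip-networking set, MySQL listens on
# every interface, so a missing setting is reported as "all-interfaces".
mysql_exposure() {
    awk '
        /^[ \t]*[#;]/ { next }    # skip comment lines
        /^[ \t]*\[/   { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        !in_mysqld    { next }
        { line = $0; gsub(/[ \t\r]/, "", line) }
        line ~ /^skip[-_]networking$/ { skip = 1 }
        line ~ /^bind[-_]address=/    { sub(/^[^=]*=/, "", line); addr = line }
        END {
            if (skip)
                print "socket-only"
            else if (addr == "127.0.0.1" || addr == "::1" || addr == "localhost")
                print "local-only"
            else if (addr == "" || addr == "0.0.0.0" || addr == "*" || addr == "::")
                print "all-interfaces"
            else
                print "address:" addr
        }
    ' "$1"
}

# Constructed sample configs so the check can be tried offline.
write_samples() {
    dir=$1
    printf '%s\n' '[client]' 'port = 3306' '[mysqld]' \
        '# bind-address = 127.0.0.1' 'datadir = /var/lib/mysql' > "$dir/open.cnf"
    printf '%s\n' '[mysqld]' 'bind-address = 127.0.0.1' > "$dir/local.cnf"
    printf '%s\n' '[mysqld]' 'skip-networking' 'bind-address = 0.0.0.0' > "$dir/socket.cnf"
}

# Usage: sh mysql_exposure.sh /etc/mysql/my.cnf
if [ $# -gt 0 ]; then mysql_exposure "$1"; fi
```

A result of "all-interfaces" does not by itself mean port 3306 is reachable from the Internet, because a firewall may still block it; that is what the scan from outside confirms.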
Scenarios where security of Joomla installations can break down:
First of all, ANY site that is not patched, is improperly set up, has vulnerable code, or has dedicated attackers gunning for it will get broken into. Joomla is not any different. Microsoft, Oracle, and HP-UX have published vulnerabilities on a regular basis, and all at one time or another have had their share of troubles.
Here are some common scenarios that may help you be safer.
Scenario 1: Database exposed:
- Let’s say that the 3306 port allows me to get in to the DB. I access it, dump the tables, and I find the admin user name, replace the password with my own salted + md5 password – upload and I’m in as the admin. Note – this is a VERY unlikely scenario, but possible. – Check your ports.
Scenario 2: Cross Site Scripting and Sql Injections
- As we discussed, this is not reserved solely for Joomla, but in fact is one of the most prevalent problems in websites – this is one of the MORE likely things you might see.
The solution here is to
- Do a detailed code review on ANY extension put in – and
- Run a test suite, (several good ones available) to determine where the holes are.
- Fix or patch the code.
- Consider installing Securelive.net’s product for Joomla to protect against SQL Injections – you can learn more at their website.
Scenario 3: Malware
- This is closely related to number 2. Joomla sites, when properly configured, are pretty resilient to this type of attack. I suggest Kaspersky virus scanning for your workstations to be sure you don’t receive or transmit malware.
Scenario 4: Improper configuration of servers
- This is one of the most common things I see in the Joomla world. The server is not patched or has open ports, or shared hosting that is weak. This by far is the biggest issue I see.
Remedies for these scenarios :
- Get the Joomla! Web Security book and ensure you have proper .htaccess, server config, and php.ini settings, and that you are at PHP 5.2.x or GREATER and the latest Apache. There are many other items in the book to help you stay secure.
- Do a code review of extensions – ensure they have proper safeguards in place.
- Add SecureLive Hacker Protection Software to your Joomla installation – this will block malware, SQL injections, XSS and other hacks. It also protects forums, blogs, shopping carts and more.
- Monitor your logs – By learning to read the logs, you will be better prepared to see trouble before it harms you.
- You may wish to add SSL to the site – and force Joomla into SSL mode for all logins. This will encrypt the traffic between the user login and the site. Of course any malware on the server or desktop could still see it.
- Overall, Joomla properly configured on a properly configured server is about as safe as any other off-the-shelf product. But – it’s only as safe as the weakest point, and while that sounds cliché, it’s often overlooked.
- As you can see the admin has the heavy responsibility to ensure his or her site is properly patched, secured, and maintained. Taking care of these things will help to keep you safe when others are getting hacked.
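For the "monitor your logs" remedy above, a starting point for spotting SQL injection and XSS probes in an Apache access log, as an added example that is not part of the original article. The patterns, function names and sample log lines (documentation IP ranges, a hypothetical com_example extension) are constructed for illustration and should be tuned to your own traffic.

```shell
#!/bin/sh
# Added example: flag clients whose requests look like SQL injection, XSS or
# path traversal probes. Patterns are illustrative, not a complete rule set.
SUSPICIOUS='union[^a-z]+select|information_schema|(%3c|<)script|[.][.]/[.][.]/'

# Reads Apache common/combined-format lines on stdin and prints
# "hits client-ip", busiest client first. Field 7 is the request URL.
scan_log() {
    awk -v pat="$SUSPICIOUS" '
        { url = tolower($7) }
        url ~ pat { hits[$1]++ }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -rn
}

# Constructed sample lines so the scan can be tried offline.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?option=com_content&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?option=com_example&id=1+UNION+SELECT+1,2 HTTP/1.1" 200 312 "-" "-"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /index.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300 "-" "-"
203.0.113.4 - - [10/Oct/2023:13:57:44 +0000] "GET /index.php?file=../../configuration.php HTTP/1.1" 403 199 "-" "-"
192.0.2.10 - - [10/Oct/2023:13:58:10 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
}

# Usage: sh scan_log.sh --demo      or      scan_log < /path/to/access_log
if [ "${1:-}" = "--demo" ]; then sample_log | scan_log; fi
```

A hit means someone probed, not that the probe worked; check the response status and the extension named in the URL, then review or patch that extension.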