f you're using a shared hosting provider, be sure other users on your server can't access your site's files. Usually a shell account is required for this level of access.

Sorry but that is just not true. Any good ISP will have set up their sharedhosting system in an environment that prevents other users accessing your files. Shell access is not required. Or did you mean that shell access was required to test for this?

rliskey wrote:
Be sure you know your ISP's backup procedures. Test the backup process before you really need it by requesting a specific file from the previous day.

Never rely on anyone else for backup. Take responsibilty for your own database and ensure that YOU keep it backed up.

brian wrote:

f you're using a shared hosting provider, be sure other users on your server can't access your site's files. Usually a shell account is required for this level of access.

Sorry but that is just not true. Any good ISP will have set up their sharedhosting system in an environment that prevents other users accessing your files. Shell access is not required. Or did you mean that shell access was required to test for this?

I believe he meant that a shell was usually required to test this.  While a shell makes this easier it is not necessary to test it.  Though, I won't get into how to get around that.

i thought he might. i just dont want to see people thinking that they need shell access

That's right, I only meant that using your own shell account is an easy way to check what users at your level can do with their shell accounts. Personally, I'd feel blind without shell account, but maybe "required" is too strong a word. If you don't have shell access, aren't you pretty much stuck with FTP for moving and renaming files, and for setting file permissions?

rliskey wrote:That's right, I only meant that using your own shell account is an easy way to check what users at your level can do with their shell accounts. Personally, I'd feel blind without shell account, but maybe "required" is too strong a word. If you don't have shell access, aren't you pretty much stuck with FTP for moving and renaming files, and for setting file permissions?

VPS' have a file manager.. moving files, uploading and downloading can be done as well as editing some files..
I also do not provide shell access unless my client has a specific need for it.

A step back, however... what is the setting that prevents users from accessing files not in their own account?

crash777 wrote:A step back, however... what is the setting that prevents users from accessing files not in their own account?

I didn't consider VPS management. That's a BIG, interesting subject that I think would have to go in a *NIX administrators topic. I was limiting this to basic Joomla! installation considerations.

But, if I understand your goal (to protect multiple users that you are hosting on your VPS), here are some links that may help:
How VPS works: http://www.webintellects.com/solutions/virtualprivateservers.htm
suEXEC: http://httpd.apache.org/docs/1.3/suexec.html
Apache Security: http://httpd.apache.org/docs/1.3/misc/security_tips.html
Apache Require Directive: http://httpd.apache.org/docs/2.2/mod/core.html#require

hmm.. thank you for the detailed links.. I will be reviewing them as well. 
I had thought you had a particular setting in mind like "Php open_basedir" that WHM can control. I was just curious if this is the setting that you might have been referring to...

Nope, sorry. Actually, you're way over my head. I haven't used a VPS yet, but have been planning to move that way someday. How do you like it so far?

Well, when it comes to something like that you have 3 options basically.  And they would probably be arranged as below in order of difficulty if the top is easiest and the bottom is the most difficult to implement correctly.

PHP open_basedir
PHP SafeMode
Apache suExec

Then of course, you can combine them as well for those little bits of extra security.

I think under Joomla extensions you could put a reminder to remove any unused extensions and double check that the folders and files were actually removed.


Also as an aside and a tip for newbies. I was a bit of a nervous wreck about a few sites I had done for clients until I took the time to test out the backups by getting an actual development server. It's only $3.95 per month on Godaddy and uploaded the sites there to see if the backups were OK and how tough it would be to restore, move a site to a new server etc.. I had one that was still on Mambo with an older version of Menalto Gallery. I uploaded and upgraded everything to Joomla on the development server without any real hitches, you just need to tweak a few configuration files in most cases. But by doing it all on a development server I'm pretty confident I should be able to handle a worst case scenario without to much difficulty. This makes me sleep better, but make sure you have good backups. 

brian wrote:

rliskey wrote:
Be sure you know your ISP's backup procedures. Test the backup process before you really need it by requesting a specific file from the previous day.

Never rely on anyone else for backup. Take responsibilty for your own database and ensure that YOU keep it backed up.

I have to concur with Brian on this, and I cannot stress it enough!  Each person as an individual is responsible for their own backups, both files and databases, in fact every host I have ever hosted with insists on this in their terms of service.  That is not to say that they did not or do not have backup systems in place, but those backup are for their own use to restore their servers in case of mishap.  They are not responsible for restoring your site, or any file that you wish to have restored on a whim, as this takes a huge amount of time for them.  Some hosts may help you out if you have issues, and some will charge you for restoration services, but I have never seen a terms of service that stated they are responsible for backing up your files.  People make this mistake all of the time, please don't perpetuate the notion that hosts are responsible for backing up people's websites, as it is incorrect.

The backup process that I have seen in the user control panels I have used are almost always a one click solution.  Click on backup, the backup is created in a zip file.  Download the zip file.  Same with databases.  You can then download the backup and check for integrity. 

Please change or even better remove the reference to hosts being responsible for backing up websites. Individuals and only individuals are responsible for their site's data.  I don't know of any host's terms of service that does not specifically state this. 

Edit: Just a clarification:  I don't know of any reputable hosts that do not specifically state in their terms of service that the account holder is responsible for their own data backups. 

We have managed servers (this means that there's another company who manage our servers).
Our hosting service include raid1 mirroring and daily incremental backup + total backup every 15 days on a different machine used only for backups. Disaster recovery service and restore on demand are included.

We have a specific contract with the external company just for backup service.

This not to make spam of course (I won't write any url), just to say that there are many levels of service.

I still say that you should NOT rely on anyone else to do your backups no matter what you pay them.

Hmmm... is simply outsourcing like many other services, like fiscal stuff, safety, security. Why is normal to rely on others about fiscal, safety, security and not backup?

Here in Italy we have strict laws about privacy that involve backup policies (among many other things), so is easier to give backup responsability to who manages servers - speaking about online data - (this way they MUST assure a good backup policy according to the law: if something goes worng, not only they break the contract but the law too!)

If you have specifically contracted an agency to handle your backups then you are taking responsiblity for your own backups. Please do not confuse what I posted, with someone having specifically contracted someone else to do their backups.  It is not the same thing. 

Most hosting companies have it specifically in their terms of service that they are not responsible for data loss. 

The backup issue generated the most debate so far. I've strengthened the wording in response.

I think being personally responsible for backups means different things in different situations, which may partly explain the range of opinions. But all agree that backups are vital.

Seems best for the checklist to stress the vital importance of backups as well as the ultimate inescapability of personal responsibility--no matter how that responsibility is managed.

I wholeheartedly agree with Brian and Mmmedia. Things can and will go wrong. You can be protected by whatever law or contract made with a 3rd party, in the case of trouble this doesn't get your site or data back. Even working at big customer sites, I don't fully trust backup systems and always take copies of my own documents

To re-emphasise why you should never rely on anyone else for backups (even if you contract them to do so) read this http://usertools.plus.net/status/archive/1154603560.htm

Which goes on to tell the customers of a major isp that they have irretreviably lost 700gb of clients email.

I get your point, but managing backup by yourself is possible (but still very expensive in term of time) only for small sites, considering a daily backup.

I've a friend whose db is about 200Mb (e-commerce + forum). Obviously is a pain to dump such a big db, not speaking about bandwidth: 200x30 = 6Gb month just for db backup.

And if you manage 10/50/100 sites?

With our data on 2 hd (raid1) and on a different machine (not online) I feel quite safe.

At the end is only a matter of costs and benefits.

Of course I totally agree with the importance of paying attention to which level of service your hosting provider offers.

Some points about this sticky:
1. good idea, should be integrated as default content in installer sql! Just so it's right there in your face, instead of somewhat hidden here.
2. but: some of the things in there should be explained, for example:
* i have no idea what shell access is and can be used for
* i have absolutely no idea how to "Use an Intrusion Prevention/Detection Systems to block/alert on malicious HTTP requests", no idea what that could be.. (yeah, go ahead and hack my site now.. )
* i have no idea how to "Check the "raw logs" for real detail", dunno what "raw logs" are, and what "real detail" I should be looking for!
* how do I "Configure Apache mod_security and mod_rewrite filters to block PHP attacks"? no idea!
* most stuff listed under "PHP"  wouldn't know how/what to do..

About 3P extensions: how do I know if I can trust a site? If I click a download link here on the extensions site, and it takes me to another website, is that to be trusted because it's linked here? Or is there a list somewhere?

And all the interesting things listed under "Joomla! Hardening" would be cool to use, except I got no clue how, for ex. "Move configuration files above Web root using symlinks or modified path variables" sounds like something I'd want to do too..

So, it all sounds very interesting for someone who knows how to DO all this stuff, but there's all the details missing for all those who don't..

Well, in reality most of those things go well beyond the scope of a Joomla! article and in that fashion, most of them have several thousands of pages worth of documentation and howtos available elsewhere on the web.  It would take quite seriously, a book, to explain all of that stuff in enough detail to make it useable to everyone.  However, I am sure that you can find lots of information regarding those suggestions by utilizing your favorite search engine.  And if that won't work, there is always the option of hiring a security professional to do it for you.  (Also suggested in that checklist).

No book needed, just adding links to relevant readings might do it.
As it is now, it's like a TOC both no pages after.
These things might go beyond the scope of this list, but I don't see why more information about some points couldn't be available here (or in Help or Dev), as Security concerns seem to be getting stronger after all those hacks lately. One short intro article per item, expaining what it is/means/does and where to look for more info.
I think it is disappointing to tell users: you should really secure your site by doing all these things, but not telling them how, no?
And what about "trusted sites"?

The reason this list exists as a forum post is so we can quickly benefit from our collective knowledge. It is not an official Joomla! document; it is just my best shot at collecting and sharing what I have learned and been told by others.

The best way to improve this list is to contribute to it. If you find important information that should be here, you could PM me or post it to this topic. I watch this topic daily and incorporate suggestions into the list as soon as possible.

I agree that tight summary paragraphs for each item would be a great addition. If anyone has deep knowledge of particular items and would like to write a summary, I'm sure thousands of worried Joomla! administrators would be very grateful.

Thanks rliskey,
I understand how this list was meant and appreciate you doing this, its just as you say: reading it leaves you somewhat worried as to what and how to do. And hiring a security expert for a personal site is not really an option..
So I do hope there are some experts willing to contribute a few more details/ links to post with how-tos or other explanations.
thanks

eyezberg wrote:And what about "trusted sites"?

A "trusted site" is one that *you* trust. Examples of sites *I* trust include:
    http://forge.joomla.org  -- Added by popular demand.  Didn't mean for this to become an official list!
    http://www.joomla.org
    http://www.apache.org
    http://www.php.net
    http://www.mysql.com
    http://www.gnu.org
    http://www.truthout.org
Your list may vary. There are very few sites hosting third party extensions that I trust. I don't think you should either.

What about http://forge.joomla.org ?

Regarding Forge. All components that are in Robs list and are still having security issues that are know, have been set to "project member access" only. I am in the process of searching for projects that also distribute an (old) Joomla distribution (and searching for empty projects).

Thanks Tonie, efforts much appreciated.
Maybe should be announced somewhere so dev's (and downloaders) are aware of that?

Good idea. I will create a sticky in the Forge forum later on.

I do use the developer contact information in Forge to contact the developer when a security issue has been found. The current Robs list has been done last week. When a new one has been found, a developer can receive two mails, extensions and Forge.