Joomla! Discussion Forums



Posted: Thu Aug 18, 2005 6:39 pm 
Joomla! Explorer

Joined: Thu Aug 18, 2005 8:15 am
Posts: 434
Location: the Netherlands
Before continuing, read:

http://forum.joomla.org/index.php/topic,81058.0.html



    Thx for the responses so far... ( continued from http://forum.mamboserver.com/showthread ... post274363 )

    In general, security can be increased by:

    Index

      • Joomla! / M$mb$
      • .htaccess
      • General




      Joomla / M$mb$

      run MSC component (mambo security check) which will check:
      • your php.ini and chmod on files and tell you if anything might be a hazard there
      • install ldap9 component along with a plug-in to allow a more secure level of authentication.

      - As far as the paths. Here:

      • media/
      Writeable(0644)
      • administrator/components/
      Writeable(0644)
      • components/
      Writeable(0644)
      • images/stories/
      Writeable(0644)


      It's my understanding that these can be set to 644 as well once you're done customizing the site

      More information on security on M$mb$/Joomla can be found on:
      Quote:
      :: documentation PDF by jascha from #localareasecurity (outdated but covers all the bases) on Mambo security:
      http://mamboforge.net/frs/?group_id=131&release_id=355


      .htaccess
      Quote:
      - Using secure passwords
        • .htaccess file (turning off directory listings)
        • all file attributes, especially configuration.php, set to 0644
        • all folder attributes 0755
        • edit your .htaccess file, so the administrator backend is accessible from predefined IP addresses only.
        • add some filtering options to your htaccess against spambots.



      on the .htaccess file
      the folder to place it in is the mambo root folder?
      Are the following lines sufficient to turn off directory listings, and are they inherited?
Code:
order allow,deny
allow from all



More info on .htaccess can be found on
Quote:
  • http://www.apachefreaks.com
  • http://www.weberforums.com/
  • http://www.akamarketing.com/unix-files-permissions.html
  • visit #apache on freenode IRC with 160+ users on average




MySQL
- make sure u have the latest mysql version

General:

Quote:
Never post:
- files with full paths to your site
- configuration.php with account information (Loginname / Password)


Greetz Beuvema

I will keep this top file up to date to get an instant view of the safety settings needed.

d3vlabs wrote:
you can also
get SSL ($44.99 is it) for your mambo's administrator area.
go through cpanel and enable some stuff like hotlinking protection, spam assassinator or any other useful scripts you might have.





This "Whitepaper" on M$mb$ and Joomla! Security is distilled from the posts of: (in order of appearance)
hazman, keliix06, DeanMarshall, d3vlabs, sc00zy, cmyksteve, elnino, TheSaint, brad,

_________________
!! 1 September 2005 is a beautiful day, JOOMLA! day !!
Webexperiences http://www.webistar.be


Last edited by beuvema on Mon Oct 09, 2006 6:12 pm, edited 1 time in total.

Posted: Fri Aug 19, 2005 11:27 am 
Hello,

Just having the configuration.php set at 644 is enough? What about the other folders?


Posted: Fri Aug 19, 2005 6:39 pm 
Joomla! Guru

Joined: Wed Aug 17, 2005 11:46 pm
Posts: 837
configuration.php is the only file that Mambo needs set to something other than 0644 to write to (in a default install, under some server setups).

_________________
Doyle Lewis
BuyHTTP Internet Services
http://www.buyhttp.com/joomla_hosting.html - No Overselling Guarantee. Your Joomla site, faster.
http://www.joomlademo.com - Joomla flash tutorials.


Posted: Fri Aug 19, 2005 6:51 pm 
Joomla! Explorer

Joined: Thu Aug 18, 2005 8:15 am
Posts: 434
Location: the Netherlands
So if I understand it correctly, in normal operation all files and folders in a mambo installation MUST be set to 644?

_________________
!! 1 September 2005 is a beautiful day, JOOMLA! day !!
Webexperiences http://www.webistar.be


Last edited by beuvema on Fri Aug 19, 2005 6:56 pm, edited 1 time in total.

Posted: Fri Aug 19, 2005 7:00 pm 
Joomla! Guru

Joined: Wed Aug 17, 2005 11:46 pm
Posts: 837
No. Files need to be at least 0644 and folders need to be at least 0755. Depending on your server environment that will allow Mambo to write to all files and folders and you will get server errors by changing anything to 0777.

_________________
Doyle Lewis
BuyHTTP Internet Services
http://www.buyhttp.com/joomla_hosting.html - No Overselling Guarantee. Your Joomla site, faster.
http://www.joomlademo.com - Joomla flash tutorials.


Posted: Sat Aug 20, 2005 3:25 am 
Joomla! Ace

Joined: Fri Aug 19, 2005 2:26 am
Posts: 1802
Location: Lancaster, Lancashire, United Kingdom
On a related note:

One aspect of security that seemed particularly lax in 'the other place', was the frequency with which people would post error messages and config files with full server paths shown, together with domain names, paths to system folders, software version numbers, etc. There is frequently enough info there to give someone a good head start on accessing a system.

Whilst it can be necessary to disclose such info while seeking help I think posters should be encouraged to refrain from posting too much info of this nature too soon.

Perhaps once a solution is found they should be encouraged to edit their earlier posts to remove the path information. And along the same lines - perhaps others should be discouraged from quoting such data - that way  copies aren't left lying around that the original poster does not have authorisation to edit/obfuscate/remove.

Dean Marshall

_________________
Dean Marshall - Mambo and Joomla Consultant
Dean Marshall Consultancy Limited - http://www.deanmarshall.co.uk/


Posted: Sat Aug 20, 2005 8:34 am 
Joomla! Explorer

Joined: Thu Aug 18, 2005 10:41 am
Posts: 317
you can also

add some filtering options to your htaccess against spambots
set up an IP range which will have access to admin backend
run MSC component (mambo security check) which will check your php.ini and chmod on files and tell you if anything might be a hazard there
install ldap9 component along with a plug-in to allow a more secure level of authentication.
get SSL ($44.99 is it) for your mambo's administrator area.
make sure u have the latest mysql version
go through cpanel and enable some stuff like hotlinking protection, spam assassinator or any other useful scripts you might have.


As far as the paths. Here:

media/ Writeable
administrator/components/ Writeable
components/ Writeable
images/stories/ Writeable

It's my understanding that these can be set to 644 as well once you're done customizing the site


Last edited by d3vlabs on Sat Aug 20, 2005 8:43 am, edited 1 time in total.

Posted: Sun Aug 21, 2005 10:16 am 
Joomla! Exemplar

Joined: Thu Aug 18, 2005 9:07 am
Posts: 9305
Location: Assen, Netherlands
What risk do I take when I leave the folders and configuration.php writable?
My clients like to upload pictures themselves and change the global configuration sometimes. I really don't want to bother them with the use of an FTP-client and changing the permissions on files and folders.

_________________
Arjan Menger
http://www.welldotcom.nl - Professionele Joomla! Design, Ontwikkeling en Hosting
http://www.joomlaideal.nl - iDEAL betaalmethode voor Joomla! en Virtuemart


Posted: Sun Aug 21, 2005 11:11 am 
Joomla! Explorer

Joined: Thu Aug 18, 2005 10:41 am
Posts: 317
not much of a risk, u can't execute mambo php files directly anyways. I just took it from the list under install components menu. in fact you should just use your own logic when chmoding. only you know what you want to give access to public for


Posted: Sun Aug 21, 2005 11:38 am 
Joomla! Exemplar

Joined: Thu Aug 18, 2005 9:07 am
Posts: 9305
Location: Assen, Netherlands
d3vlabs wrote:
not much of a risk, u can't execute mambo php files directly anyways. I just took it from the list under install components menu. in fact you should just use your own logic when chmoding. only you know what you want to give access to public for


Ok, thanks. That's clear to me :)

_________________
Arjan Menger
http://www.welldotcom.nl - Professionele Joomla! Design, Ontwikkeling en Hosting
http://www.joomlaideal.nl - iDEAL betaalmethode voor Joomla! en Virtuemart


Posted: Sun Aug 21, 2005 8:34 pm 
Joomla! Apprentice

Joined: Sat Aug 20, 2005 5:20 am
Posts: 49
Location: Ohio
d3vlabs wrote:
you can also

set up an IP range which will have access to admin backend


Is this restriction setup in cPanel or Mambo?

Thanks-
Steve

_________________
Steve


Posted: Mon Aug 22, 2005 12:05 am 
Joomla! Explorer

Joined: Thu Aug 18, 2005 10:41 am
Posts: 317
.htaccess


Posted: Mon Aug 22, 2005 1:55 am 
Joomla! Apprentice

Joined: Sat Aug 20, 2005 5:20 am
Posts: 49
Location: Ohio
Thanks d3vlabs.

I'll look into that. Would the cPanel forum be as good as any to find out how to set up htaccess, for this?

_________________
Steve


Posted: Tue Aug 23, 2005 10:50 am 
Joomla! Explorer

Joined: Thu Aug 18, 2005 10:41 am
Posts: 317
Here are some more recommendations on the issue.
Learn about .htaccess on forums here:

:: my personal favorite: http://www.apachefreaks.com
:: this can be a useful resource as well: http://www.weberforums.com/

:: visit #apache on freenode IRC with 160+ users on average

As far as securing Mambo I used a combination of

:: documentation PDF by jascha from #localareasecurity (outdated but covers all the bases) on Mambo security:
http://mamboforge.net/frs/?group_id=131&release_id=355

It will show you how to set up admin access by certain IP ranges as well as some extra precautions like an extra login box before you reach the backend.

:: HTAccess Patch 1.0  -A new htaccess file, which protects your website against Spam spiders and leeching tools. Needs mod_rewrite to run from mamboportal.com

This one is outdated as well. But if you look at both the files above it will give you a pretty good idea on what to do with your .htaccess file

I use mine for following:

:: ReWriteEngine On and Redirect function to provide functionality given by some SEF components
:: mod_rewrite and a new url scheme to allow shorter urls to my image gallery
:: allow only users from certain IP ranges to access admin's backend
:: extra security login
:: deny certain file types
:: deny access to .htaccess file
:: list of known spambots to prevent them from harvesting my site
:: #php_value post_max_size // #php_value upload_max_filesize  to increase the 2MB per file limit enforced by  standard php.ini set-up

I would love to post my .htaccess file for informative purposes, but it has just too much personal information for me to clean up. Regardless I hope my post was helpful
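
The first post asks whether "order allow,deny / allow from all" is enough to turn off directory listings, and the list just above shows what an .htaccess for a Mambo site typically carries (backend limited to IP ranges, the .htaccess file itself denied). The following POSIX shell script is an added example, not a file from the thread or from any poster: it writes those two .htaccess files and checks an existing one for the hardening directives; the helper names, the RFC 5737 documentation addresses and the temporary tree are constructed for the demo. Those two "order/allow" lines on their own do not disable listings; "Options -Indexes" does.

```shell
#!/bin/sh
# Added example, not from the thread: generate and sanity-check .htaccess
# hardening for a Mambo/Joomla 1.0 site. Apache 2.2 access syntax
# (Order/Allow/Deny) as used in the thread's era; Apache 2.4 uses "Require".
# "Options -Indexes" only takes effect if the vhost has AllowOverride Options
# (or All) for the site directory.

# root_htaccess -> .htaccess for the site root: no directory listings, no web
# access to .htaccess itself or to configuration.php and its backup copies.
root_htaccess() {
    cat <<'EOF'
# Turn off directory listings. "order allow,deny / allow from all" on its own
# does not do this: it only says who may request the directory at all.
Options -Indexes

# Never serve the .htaccess file
<Files .htaccess>
    Order allow,deny
    Deny from all
</Files>

# configuration.php is read from disk by PHP, never fetched over HTTP, so it
# and editor/backup copies (configuration.php.bak, configuration.php~) can be denied
<FilesMatch "^configuration\.php">
    Order allow,deny
    Deny from all
</FilesMatch>
EOF
}

# admin_htaccess RANGE... -> .htaccess for administrator/: backend reachable
# only from the given addresses or CIDR ranges, everything else denied
admin_htaccess() {
    printf 'Options -Indexes\n\n'
    printf '# Backend reachable only from the listed addresses\n'
    printf 'Order deny,allow\nDeny from all\n'
    for range in "$@"; do
        printf 'Allow from %s\n' "$range"
    done
}

# check_htaccess FILE -> reports each hardening directive that is missing and
# fails if any is; run it on an existing file before trusting it
check_htaccess() {
    missing=0
    grep -qi '^[[:space:]]*Options.*-Indexes' "$1" \
        || { echo "missing: Options -Indexes (listings still on)"; missing=1; }
    grep -qi '<Files[[:space:]]*"\{0,1\}\.htaccess' "$1" \
        || { echo "missing: <Files .htaccess> deny block"; missing=1; }
    grep -qi 'FilesMatch.*configuration' "$1" \
        || { echo "missing: configuration.php deny block"; missing=1; }
    return $missing
}

# Stand-alone run: write both files into a constructed throw-away tree, with
# documentation address ranges (RFC 5737) as the allowed admin sources
site=$(mktemp -d)
mkdir -p "$site/administrator"
root_htaccess > "$site/.htaccess"
admin_htaccess 203.0.113.0/24 198.51.100.7 > "$site/administrator/.htaccess"
check_htaccess "$site/.htaccess" && echo "root .htaccess: all checks passed"
rm -rf "$site"
```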


Posted: Tue Aug 23, 2005 11:04 am 
Joomla! Explorer

Joined: Thu Aug 18, 2005 8:15 am
Posts: 434
Location: the Netherlands
Hi d3vlabs,

thx for the info, it's great to see the evolution of this "White paper" on M$Mb$ security is taken seriously by you all.

Greetz Beuvema

_________________
!! 1 September 2005 is a beautiful day, JOOMLA! day !!
Webexperiences http://www.webistar.be


Posted: Tue Aug 23, 2005 2:54 pm 
Joomla! Apprentice

Joined: Sat Aug 20, 2005 5:20 am
Posts: 49
Location: Ohio
Thanks again d3vlabs.

I started looking into htaccess last night and found a lot of dead ends. I'm sure your post will help, when I can get back to this and have a few more of the basics "under my belt".

Steve

_________________
Steve


Posted: Wed Aug 24, 2005 1:08 pm 
Joomla! Intern

Joined: Thu Aug 18, 2005 9:07 pm
Posts: 58
I thought at one point I remember reading something on the forums that said any directory that needs to be writeable should be set to 707 instead of 755 because it would be a little more secure.  Is this true at all?


Posted: Wed Aug 24, 2005 2:03 pm 
Joomla! Ace

Joined: Fri Aug 19, 2005 2:26 am
Posts: 1802
Location: Lancaster, Lancashire, United Kingdom
elnino wrote:
I thought at one point I remember reading something on the forums that said any directory that needs to be writeable should be set to 707 instead of 755 because it would be a little more secure.  Is this true at all?



Based on my reading of this:
http://www.akamarketing.com/unix-files-permissions.html
I would say that in general we are only really looking at the first and last digits. Your 707 is, as far as the world browsing your site (the third digit) are concerned, actually more open than the 755 that you are changing from. I think a directory needs to be BOTH readable and executable if it is to be accessible so 5 is the more secure option.

Dean.

_________________
Dean Marshall - Mambo and Joomla Consultant
Dean Marshall Consultancy Limited - http://www.deanmarshall.co.uk/
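
Building on the 0644/0755 baseline given earlier in the thread and on the digit-by-digit reading of 707 versus 755 in the answer above, here is an added POSIX shell example (not from the thread or from any poster) that renders a mode's owner/group/world digits, flags anything world-writable, and audits a tree for entries looser than that baseline. The folder names mirror the thread's list (media/, administrator/components/, images/stories/); the throw-away tree it builds under mktemp and its two deliberately loose entries are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: read octal modes the way the thread does
# (owner / group / world digits) and audit a Mambo tree against the baseline
# "files 0644, directories 0755". POSIX sh; needs find, sed, cut, mktemp.

# describe_digit D -> "rwx"-style rendering of one octal digit (4=r, 2=w, 1=x)
describe_digit() {
    d=$1; r=-; w=-; x=-
    [ $((d & 4)) -ne 0 ] && r=r
    [ $((d & 2)) -ne 0 ] && w=w
    [ $((d & 1)) -ne 0 ] && x=x
    printf '%s%s%s\n' "$r" "$w" "$x"
}

# describe_mode MODE -> e.g. "owner=rwx group=--- world=rwx" for 707. The world
# digit is what everyone else on the server gets, which is why 707 is looser
# than 755 even though both start with 7.
describe_mode() {
    last3=$(printf '%s' "$1" | sed 's/.*\(...\)$/\1/')
    printf 'owner=%s group=%s world=%s\n' \
        "$(describe_digit "$(printf '%s' "$last3" | cut -c1)")" \
        "$(describe_digit "$(printf '%s' "$last3" | cut -c2)")" \
        "$(describe_digit "$(printf '%s' "$last3" | cut -c3)")"
}

# world_writable MODE -> succeeds when the world digit has the write bit set
world_writable() {
    d=$(printf '%s' "$1" | sed 's/.*\(.\)$/\1/')
    [ $((d & 2)) -ne 0 ]
}

# audit_tree ROOT -> lists files that are not exactly 0644 and directories that
# are not exactly 0755. configuration.php shows up here on hosts that need it
# writable, which is the one expected exception from the thread.
audit_tree() {
    find "$1" -type f ! -perm 644 | sed 's/^/file not 0644: /'
    find "$1" -type d ! -perm 755 | sed 's/^/dir  not 0755: /'
}

# count_loose ROOT / count_world_writable ROOT -> plain counts for scripting
count_loose() { audit_tree "$1" | wc -l | tr -d ' '; }
count_world_writable() { find "$1" -perm -002 | wc -l | tr -d ' '; }

# demo_tree -> constructed throw-away tree mirroring the thread's folder list,
# with two deliberately loose entries (0777 media/, 0666 configuration.php)
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/media" "$t/administrator/components" "$t/images/stories"
    : > "$t/index.php"; : > "$t/configuration.php"; : > "$t/images/stories/a.jpg"
    find "$t" -type d -exec chmod 755 {} \;
    find "$t" -type f -exec chmod 644 {} \;
    chmod 777 "$t/media"
    chmod 666 "$t/configuration.php"
    printf '%s\n' "$t"
}

# Stand-alone run: show the two modes from the thread, then audit the demo tree
describe_mode 755
describe_mode 707
tree=$(demo_tree)
audit_tree "$tree"
rm -rf "$tree"
```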


Posted: Wed Aug 24, 2005 4:06 pm 
Joomla! Intern

Joined: Thu Aug 18, 2005 9:07 pm
Posts: 58
Cool.  Thanks for the info Dean


Posted: Thu Sep 01, 2005 12:11 pm 
Joomla! Explorer

Joined: Thu Aug 18, 2005 8:15 am
Posts: 434
Location: the Netherlands
sc00zy wrote:
What risk do I take when I leave the folders and configuration.php writable?
My clients like to upload pictures themselves and change the global configuration sometimes. I really don't want to bother them with the use of an FTP-client and changing the permissions on files and folders.


What if my client has the FTP credentials (Username / Login), and I don't want him to be able to alter or view M$mb$ settings. Is there a way to compile the site somehow?

Grtz Beuvema

_________________
!! 1 September 2005 is a beautiful day, JOOMLA! day !!
Webexperiences http://www.webistar.be


Posted: Sun Sep 11, 2005 6:44 am 
Joomla! Ace

Joined: Sat Aug 20, 2005 4:15 am
Posts: 1236
Location: California, USA
This thread has some great information in it. Could we consider it for a sticky? Also, if the original post could be edited to include the follow-up info it would help keep things a bit cleaner. Or, perhaps the moderator of this area could maintain a new sticky thread and start grabbing information from the various topics and compile a new list? We shouldn't let all this good information slip down the page.

_________________
Paul
http://www.gamehostingreviews.com - In development
The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke


Posted: Sun Sep 11, 2005 6:47 am 
Joomla! Master

Joined: Fri Aug 12, 2005 12:38 am
Posts: 11197
Location: Sydney - Australia
TheSaint wrote:
This thread has some great information in it. Could we consider it for a sticky? Also, if the original post could be edited to include the follow-up info it would help keep things a bit cleaner. Or, perhaps the moderator of this area could maintain a new sticky thread and start grabbing information from the various topics and compile a new list? We shouldn't let all this good information slip down the page.


To contact a moderator please use the report to moderator link. Not all moderators are able to read all threads.

_________________
Brad Baker - Follow me on Twitter @xyzulu @rochenhost
http://www.rochen.com - Joomla! Hosting, the correct way.
http://www.joomlatutorials.com <-- Joomla Help
..somewhere in this hospital the anguished oink of a pig man cries out for help..


Posted: Sun Sep 11, 2005 6:56 am 
Joomla! Ace

Joined: Sat Aug 20, 2005 4:15 am
Posts: 1236
Location: California, USA
Alright. I'm just a bit shy about using the report function lest I look like an attention grabbing bloke. Sometimes it seems more natural to get a consensus from your peers as to the usefulness of a sticky and then report the thread after the results are in. Regardless, a report has been filed for moderator review. ;)

_________________
Paul
http://www.gamehostingreviews.com - In development
The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke


Posted: Sun Sep 11, 2005 7:23 am 
Joomla! Explorer

Joined: Thu Aug 18, 2005 8:15 am
Posts: 434
Location: the Netherlands
Hi Joomlads,

I promised to keep the first item up to date, but due to lack of expertise on the matter it is hard for me to see what is and what isn't important. Assistance, e.g. by making it a sticky, would be appreciated indeed!

Grtz Beuvema

_________________
!! 1 September 2005 is a beautiful day, JOOMLA! day !!
Webexperiences http://www.webistar.be


Posted: Sun Sep 11, 2005 7:26 am 
Joomla! Master

Joined: Fri Aug 12, 2005 12:38 am
Posts: 11197
Location: Sydney - Australia
Feel free to submit a new FAQ to the FAQ forum so a moderator from the Doc team can review.

Thanks for your help and support. :)

_________________
Brad Baker - Follow me on Twitter @xyzulu @rochenhost
http://www.rochen.com - Joomla! Hosting, the correct way.
http://www.joomlatutorials.com <-- Joomla Help
..somewhere in this hospital the anguished oink of a pig man cries out for help..


Posted: Sun Sep 11, 2005 7:57 am 
Joomla! Explorer

Joined: Thu Aug 18, 2005 8:15 am
Posts: 434
Location: the Netherlands
Updated the first post, comments are welcome...

_________________
!! 1 September 2005 is a beautiful day, JOOMLA! day !!
Webexperiences http://www.webistar.be


Last edited by beuvema on Sun Sep 11, 2005 8:35 am, edited 1 time in total.

Posted: Sun Sep 11, 2005 8:02 am 
Joomla! Ace

Joined: Sat Aug 20, 2005 4:15 am
Posts: 1236
Location: California, USA
A table of contents at the top of the first post would be great.

Keeping the content to subject specific areas (CHMOD, .htaccess etc.) we should be in good shape.

Minor: Add a credits section at the bottom if you find you have too much time on your hands. ;)

_________________
Paul
http://www.gamehostingreviews.com - In development
The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke


Posted: Sun Sep 11, 2005 8:20 am 
Joomla! Explorer

Joined: Thu Aug 18, 2005 8:15 am
Posts: 434
Location: the Netherlands
Check out the first post  ;)

Grtz beuvema

_________________
!! 1 September 2005 is a beautiful day, JOOMLA! day !!
Webexperiences http://www.webistar.be


Last edited by beuvema on Sun Sep 11, 2005 8:36 am, edited 1 time in total.

Post subject: Great Info
Posted: Wed May 31, 2006 9:37 pm 
Joomla! Apprentice

Joined: Sun Apr 16, 2006 8:50 pm
Posts: 6
I am just trying to bump this thread up - it's full of good info.

-A


Posted: Wed May 31, 2006 10:22 pm 
Joomla! Explorer

Joined: Thu Aug 18, 2005 8:15 am
Posts: 434
Location: the Netherlands
Don't hesitate to add new info if necessary....  ;)

_________________
!! 1 September 2005 is a beautiful day, JOOMLA! day !!
Webexperiences http://www.webistar.be

