The Joomla! Forum ™



PostPosted: Mon Nov 05, 2012 8:42 am 
Joomla! Apprentice

Joined: Tue Oct 16, 2012 11:07 pm
Posts: 10
Hi all,

Are there any articles that can help me to understand what functions need to be enabled/disabled in php.ini to maximize my PHP security?

I found the following article, but it's recommended for older versions of Joomla and I'm not sure if I should follow it or not?

http://kb.siteground.com/article/Recomm ... urity.html

Please advise.


Last edited by imanickam on Tue Nov 06, 2012 2:47 am, edited 1 time in total.
Moved topic » from General Questions/New to Joomla! 3.0 to Security in Joomla! 3.0


PostPosted: Thu Nov 08, 2012 5:46 am 
Joomla! Ace

Joined: Sat Jan 21, 2006 8:42 pm
Posts: 1113
mikeali wrote:
I found the following article but it's recommended for older version of joomla and I'm not sure if I should follow this or not?
You should not.
register_globals -> defaults to off since PHP 4.2, now deprecated and removed in 5.4
magic_quotes_gpc -> deprecated in 5.3, removed in 5.4, and the Joomla 3 requirement is off, not on
allow_url_fopen -> some say turn it off, some say it's OK being on, blabla;
my setting is on and allow_url_include is off
expose_php -> well, hide the PHP version with this; that you use PHP on the server everybody knows when looking at your site

And please don't take this as advice! There are more than 4 settings when it comes to security, and there were always more than 4!
So if you are the admin of your live server, my advice is to get a managed one.
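The directives listed above (plus allow_url_include, which comes up again later in the thread) are easy to check mechanically. The following Python audit is an added example, not code from the thread or from the Joomla project: it parses a php.ini fragment and flags the settings that are still enabled. The sample php.ini text is constructed; the "WEAK/OK/DEFAULT/INFO" verdicts and the RECOMMENDED table are my own assumptions.

```python
import re
# Recommended values for the php.ini directives discussed in this thread.
# register_globals and magic_quotes_gpc were removed in PHP 5.4, so on such
# builds their absence from php.ini is the expected state.
RECOMMENDED = {
    "register_globals": "off",
    "magic_quotes_gpc": "off",
    "allow_url_include": "off",
    "expose_php": "off",
    "allow_url_fopen": None,  # contested in the thread: reported, not judged
}
_DIRECTIVE = re.compile(r"^([A-Za-z_.]+)\s*=\s*(.*)$")

def parse_php_ini(text):
    """Return {directive: value}; ';' comments and [sections] are skipped,
    values are lowercased with surrounding quotes stripped."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip("'\"").lower()
    return settings

def audit(text):
    """Return [(directive, value, verdict)], verdict in WEAK/OK/DEFAULT/INFO."""
    settings = parse_php_ini(text)
    report = []
    for name, want in RECOMMENDED.items():
        value = settings.get(name, "<unset>")
        if want is None:
            verdict = "INFO"
        elif value == "<unset>":
            verdict = "DEFAULT"  # compiled-in default applies; confirm via phpinfo()
        elif value in ("1", "on", "true", "yes"):  # php.ini spellings of "enabled"
            verdict = "WEAK"
        else:
            verdict = "OK"
        report.append((name, value, verdict))
    return report

# Constructed sample php.ini fragment, not taken from any real server.
SAMPLE_INI = """[PHP]
expose_php = On
allow_url_fopen = On
allow_url_include = "Off"
magic_quotes_gpc = 1   ; leftover from an old template
"""
```

Run `audit(open("/path/to/php.ini").read())` against a real file; a "DEFAULT" verdict only means the file is silent, so confirm the effective value with phpinfo() as the thread's later replies about cPanel builds suggest.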


PostPosted: Wed Nov 14, 2012 1:30 am 
Joomla! Apprentice

Joined: Wed Jun 20, 2012 5:47 am
Posts: 45
Location: Goshen, Utah, USA
Put this into your .htaccess file. You can use this same method to prevent browser access to any file on your hosting account.

Code:
# Refuse HTTP requests for php.ini (Apache 2.2 mod_authz_host syntax)
<Files php.ini>
  order allow,deny
  deny from all
</Files>

_________________
============
John Boone
http://www.boonewebmaster.com - Web Design - Joomla 3.x
http://www.genealogyarticles.com - Articles about Genealogy - Joomla 2.5.x


PostPosted: Wed Nov 14, 2012 3:05 am 
Joomla! Ace

Joined: Sat Jan 21, 2006 8:42 pm
Posts: 1113
You just made my day :laugh:


PostPosted: Wed Nov 28, 2012 9:29 pm 
Joomla! Apprentice

Joined: Tue Nov 20, 2012 9:03 pm
Posts: 7
Location: Swindon, Wiltshire, UK
jdbdrwho wrote:
Put this into your .htaccess file

oohhh Trust The Doctor! Do you get that on TV in the US?


PostPosted: Tue Jan 15, 2013 7:39 am 
Joomla! Apprentice

Joined: Tue Oct 16, 2012 11:07 pm
Posts: 10
Thank you all


PostPosted: Sat Feb 16, 2013 4:41 am 
Joomla! Apprentice

Joined: Sat Nov 10, 2012 6:17 pm
Posts: 9
Location: Sampaloc
Quote:
<Files php.ini>
order allow,deny
deny from all
</Files>

Yup, that's the most popular way of doing this. ;)
It will show you a 403 message.

Another way of doing this is to chmod 600 that file.

I prefer a better way though:
I match it with a regex and show a 404: ;D
Code:
# Any request path containing "php.ini" gets a 404 (mod_alias)
RedirectMatch 404 .*php\.ini


This would also help if you have some copies in different places.
Some servers could create php.ini.bak/bkup files, against which the first method would not protect you :geek:

_________________
My laminine blog @ http://mlmvikings.com/


PostPosted: Sat Feb 16, 2013 1:46 pm 
Joomla! Virtuoso

Joined: Sat Oct 01, 2011 7:06 pm
Posts: 3925
You also have one for php5.ini?


PostPosted: Mon Feb 18, 2013 4:32 am 
Joomla! Apprentice

Joined: Wed Jun 20, 2012 5:47 am
Posts: 45
Location: Goshen, Utah, USA
Davv wrote:
Quote:
<Files php.ini>
order allow,deny
deny from all
</Files>


Code:
RedirectMatch 404 .*php\.ini



Google looks down on 404 pages. 404 pages are not SEO friendly. I use "PHP 5.4 Single ini," which means I only have one php.ini file. I keep my web site data clean of extra garbage.

And I write Perl scripts to help me verify that all my PHP scripts, WordPress and Joomla, are up to date. I love to write Perl scripts ;)

The best protection against getting hacked is to keep your websites up to date and not use any plugin or component just because it has some fancy bells and whistles. Best to check out the Joomla vulnerability list before installing a particular component.
======
In answer to a previous question about Dr Who. (Doctor Who fan since the early '70s.)

Yes I get Doctor Who from Amazon.com on my HD TV :D



PostPosted: Mon Feb 18, 2013 6:51 am 
Joomla! Apprentice

Joined: Wed Jun 20, 2012 5:47 am
Posts: 45
Location: Goshen, Utah, USA
sovainfo wrote:
You also have one for php5.ini ?

Code:
<Files php5.ini>
order allow,deny
deny from all
</Files>


This code you can use for any file to which you wish to block access. The .htaccess file can be used in various ways to secure your website. However, with the use of FTP (File Transfer Protocol) connections, you can access any file, as the .htaccess file does not safeguard against FTP access.

Changing file permissions really doesn't do much of anything to protect yourself from hackers. You can set the file permissions to 000 - no rights at all. If I have access to the file system, I can issue a chmod command to change the permissions to any setting I want, including 777, which is full rewrite and execute permissions.

The "deny all" .htaccess to deny access to a particular file has the same pitfall. If a hacker gains access to your file system, then the hacker can access your files, change the contents of the .htaccess file, change permissions, destroy files, rewrite code and hack all your files.

The best protection is to always keep your web content up to date. Be careful which plugins and components you install, and ALWAYS back up your web content.

Never rely on your hosting provider to do your backups for you. Do your own backups and store them offline, where you can restore a backup if needed.

http://docs.joomla.org/Security
http://docs.joomla.org/Category:Security_Checklist
http://docs.joomla.org/Vulnerable_Extensions_List

Do not use anything on the Joomla vulnerability list that shows up as "Red". If you can, avoid adding too many components. If you can get by without a particular plugin, that is better than expanding your potential PHP vulnerability.

Check your back-end updates of Joomla, components and plugins, as well as any other PHP script on your hosting account.

One php vulnerability that grants access to the file system is all that is needed to get your site hacked.

:pop

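To see how far each rule quoted in this thread reaches (the `<Files php.ini>` block, Davv's `RedirectMatch`, and sovainfo's php5.ini case), here is an added Python check that is not from the thread or from Joomla. The `<FilesMatch>` pattern in it is my own assumed alternative, and the request paths are constructed.

```python
import re
import posixpath

# The blocking rules from this thread, each expressed as the test Apache
# applies to a request: <Files> compares the file's basename, RedirectMatch
# runs an unanchored regex over the URL path. The third rule is an assumed
# <FilesMatch> alternative (not from the thread) meant to cover php5.ini and
# .bak/.bkup copies while leaving unrelated files alone.
RULES = {
    # <Files php.ini> order allow,deny / deny from all
    "files_exact": lambda path: posixpath.basename(path) == "php.ini",
    # RedirectMatch 404 .*php\.ini
    "redirectmatch": lambda path: re.search(r".*php\.ini", path) is not None,
    # <FilesMatch "^php\d*\.ini(\..*)?$"> ... (assumed)
    "filesmatch": lambda path: re.match(r"^php\d*\.ini(\..*)?$",
                                        posixpath.basename(path)) is not None,
}

# Constructed request paths covering the cases raised in the thread.
PATHS = [
    "/php.ini", "/php5.ini", "/php.ini.bak", "/administrator/php.ini.bkup",
    "/images/php.ini", "/templates/myphp.ini", "/index.php",
]

def blocked(rule):
    """Sorted list of PATHS the named rule would refuse to serve."""
    return sorted(p for p in PATHS if RULES[rule](p))

def served(rule):
    """Sorted list of PATHS the named rule still lets through."""
    return sorted(set(PATHS) - set(blocked(rule)))

if __name__ == "__main__":
    for rule in RULES:
        print(f"{rule:14} blocks {blocked(rule)}")
        print(f"{'':14} serves {served(rule)}")
```

Note that the exact `<Files>` rule misses the .bak copies, the `RedirectMatch` misses php5.ini, and all three only govern HTTP requests, which is the FTP point made in the post above; on Apache 2.4 the `order allow,deny` / `deny from all` pair is written `Require all denied`.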


PostPosted: Mon Feb 18, 2013 7:25 am 
Joomla! Virtuoso

Joined: Sat Oct 01, 2011 7:06 pm
Posts: 3925
Even with access to the filesystem, security still applies. So permissions are relevant. You can only do things you are allowed to. FTP doesn't give you access to everything. So, you can only change permissions when you are allowed to.

And yes, the best protection on your front door is useless when you leave the door to the garden open!


PostPosted: Tue Feb 19, 2013 8:38 am 
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 13542
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
HannahCornwall wrote:
oohhh Trust The Doctor! Do you get that on TV in the US?
Hello: Genealogy is stated in his signature, not gynaecology. ;-)

Leo

_________________
-- Joomla Professional Support Services : http://gws-desk.com --
-- Good & Cheap Joomla Sites Ready To Roll : http://gws-deals.today --
-- Joomla Specialized Hosting Solutions : www.gws-host.com --
-- Member Joomla Bug Squad --


PostPosted: Wed Sep 25, 2013 11:05 am 
Joomla! Apprentice

Joined: Thu Aug 15, 2013 12:06 pm
Posts: 7
RedEye wrote:
You should not.
register_globals -> defaults to off since PHP 4.2, now deprecated and removed in 5.4
magic_quotes_gpc -> deprecated in 5.3, removed in 5.4, and the Joomla 3 requirement is off, not on
allow_url_fopen -> some say turn it off, some say it's OK being on, blabla;
my setting is on and allow_url_include is off
expose_php -> well, hide the PHP version with this; that you use PHP on the server everybody knows when looking at your site



And don't forget to disable remote file execution. An attacker can open files from a remote server and execute any PHP code. This allows them to upload files, delete files and install backdoors.


PostPosted: Wed Sep 25, 2013 5:27 pm 
Joomla! Ace

Joined: Sat Jan 21, 2006 8:42 pm
Posts: 1113
harry888 wrote:
And dont forget to disable remote file execution.
Hi harry, what is the name of the config var I have to set for this?


PostPosted: Thu Sep 26, 2013 2:36 am 
Joomla! Apprentice

Joined: Thu Aug 15, 2013 12:06 pm
Posts: 7
allow_url_include = 'off'

This is a setting available in PHP 5.2 and above. See more here:
http://phpsec.org/projects/phpsecinfo/t ... clude.html


PostPosted: Sat Oct 12, 2013 9:56 am 
Joomla! Apprentice

Joined: Thu Oct 10, 2013 11:01 am
Posts: 7
This option is disabled by default usually.

_________________
http://www.erfahrungen-mit.biz


PostPosted: Wed Oct 16, 2013 5:00 am 
Joomla! Apprentice

Joined: Thu Aug 15, 2013 12:06 pm
Posts: 7
erfahrungen wrote:
This option is disabled by default usually.



That's right, but don't forget that most attacks are only possible because of outdated scripts and extensions and misconfigured servers.


PostPosted: Wed Oct 16, 2013 5:16 am 
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 13542
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
allow_url_include = 'off'

is not available anymore since cPanel distros 11.34.xx

Leo 8)



PostPosted: Tue Nov 19, 2013 8:54 pm 
Joomla! Ace

Joined: Sat Jan 21, 2006 8:42 pm
Posts: 1113
Uh, some new replies on this funny thread; I should enable notifications here again ^^
harry888 wrote:
allow_url_include = 'off'
This is a setting available in PHP 5.2 and above. See more here:
http://phpsec.org/projects/phpsecinfo/t ... clude.html
Thx for taking the time to answer this, even if you already quoted this config var from my post.
erfahrungen wrote:
This option is disabled by default usually.
You can strip that "usually" :)
leolam wrote:
allow_url_include = 'off'
is not available anymore since cPanel distros 11.34.xx
Finally some useful information here, thx Leo :)
Is there a post somewhere on how this is now handled in cPanel, or did they just cut it out without the ability to enable it? I haven't used cPanel for a long time now.

