Are my site monitoring efforts nonessential drudgery?
-
- Joomla! Apprentice
- Posts: 38
- Joined: Mon Oct 06, 2014 11:26 pm
- Contact:
Are my site monitoring efforts nonessential drudgery?
Hi! I have been manually monitoring file changes and raw Apache server logs for a website that was supposedly hacked some time ago. Every day I check the Apache server logs for the following strings: "update", "replace", "insert", "administrator" and "POST", then I block IPs that look suspicious. So far I've been finding only some "POST" logs and some "site/administrator" logs, and most of them look like SEO bots or something similar.
The 2nd routine is checking all the hourly file changes from the server's cron setup, which sends me an email after every hour with the file changes.
Anyway, I need to know if this is just a waste of time, because I guess there are more strings to search for in logs and more stuff to look out for in file changes than I can think of as a Joomla security newbie.
This procedure that I go through every 24 hours takes a lot of time, since I am manually going through a lot of text, and sometimes I am not able to finish auditing a whole 24 hours of server logs and file changes, especially at times when the site has a lot of traffic.
Can you advise me if there's a better way to monitor a Joomla website after a hack, as I am just a beginner? I have already read the Joomla security checklist and this forum's security threads, but there are no resources listed there such as automated PHP Joomla monitoring scripts or anything of that sort.
-
- Joomla! Virtuoso
- Posts: 4025
- Joined: Mon Nov 25, 2013 4:35 pm
- Location: Montreal, Canada
- Contact:
Re: Are my site monitoring efforts nonessential drudgery?
We do monitor the Apache logs for our major clients and it's not a waste of time. We also check for any file changes in the last 2 days using the following shell command:
find /home/[user]/public_html -path '/home/[user]/public_html/cache/*' -prune -o -mtime -2 -ls > changed.txt
The above command excludes the cache directory and saves a list of the changed files in the changed.txt file.
We also run a maldet scan on each website (using the following shell command when in the website's main directory):
maldet -a .
Now returning back to searching the logs, we don't (and can't) examine every line, but we prune out all the non-questionable lines and IPs. We also check if there are any administrator logins from unknown IPs (also using the logs). This helps tremendously - in fact, we discovered last week that one of our major clients had one of the passwords compromised, 6 hours after the fact, and changed all the passwords on the account, and reverted back what was done on the website.
Security work is not straightforward and you can't use a single tool to do that, and it does require manual work, lots of it, but you will need to always prune out non-essential data.
Note: We also allow only the index.php file to be executed on any website that we manage - this really helps protect against many attacks.
Hope this helps.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter
- Slackervaara
- Joomla! Ace
- Posts: 1115
- Joined: Sat Aug 13, 2011 6:27 am
Re: Are my site monitoring efforts nonessential drudgery?
I use the extension Eyesite to detect file changes in Joomla. Works well.
http://www.lesarbresdesign.info/extensions/eyesite
- Bernard T
- Joomla! Guru
- Posts: 782
- Joined: Thu Jun 29, 2006 11:44 am
- Location: Hrvatska
- Contact:
Re: Are my site monitoring efforts nonessential drudgery?
Are you able to implement mod_security? With a proper rule set it can tremendously lower the risk of SQL injection and similar attacks that can be detected by a WAF.
itoctopus wrote:
We do monitor the Apache logs for our major clients and it's not a waste of time. We also check for any file changes in the last 2 days using the following shell command:
find /home/[user]/public_html -path '/home/[user]/public_html/cache/*' -prune -o -mtime -2 -ls > changed.txt
The above command excludes the cache directory and saves a list of the changed files in the changed.txt file.
File change monitoring is a good idea, but don't rely solely on "last modified" time. The touch command (PHP, shell) can be used to set any timestamp an attacker wants.
A better approach is to track calculated hashes for files, at least SHA1.
itoctopus wrote:
We also run a maldet scan on each website (using the following shell command when in the website's main directory):
maldet -a .
Maldet is an OK tool, we use it too, but it's very limited in detection coverage since it's designed to check file hashes, some hex fingerprints and a statistical check for obfuscated code.
So use it, but don't 100% rely on it as it can have false negatives.
What's nice with Maldet, you can use it as an "inotify" monitor, so it will scan any changed file.
Also, you can integrate it with mod_security, so every uploaded file passes through a Maldet check.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
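As an added example (not itoctopus's or Bernard T's code), the hash-based approach Bernard T describes: a SHA-256 baseline of the site tree is compared by digest rather than by timestamp, so a file whose mtime was put back after editing is still reported while a find -mtime style check misses it. The cache exclusion mirrors the find command above; the demo tree is constructed in a temp directory.

```python
"""Hash-based file change detection for a site tree (added example, not code from the
thread). A baseline of SHA-256 digests is compared against the current files, so a
modified file is reported even when its mtime was put back with touch/utime."""
import hashlib
import os
import tempfile
from pathlib import Path

EXCLUDE_DIRS = {"cache"}  # assumption: same exclusion as the find command in the thread

def build_baseline(root):
    """Map relative path -> {sha256, mtime_ns} for every file, skipping EXCLUDE_DIRS."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in EXCLUDE_DIRS]
        for name in filenames:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root))] = {
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                "mtime_ns": p.stat().st_mtime_ns}
    return baseline

def changed_by_mtime(root, baseline):
    """What a timestamp-only check (like find -mtime) sees: files whose mtime moved."""
    cur = build_baseline(root)
    return sorted(p for p in baseline if p in cur and cur[p]["mtime_ns"] != baseline[p]["mtime_ns"])

def compare(root, baseline):
    """Added/removed/modified relative paths; 'modified' is decided by digest only."""
    cur = build_baseline(root)
    common = set(cur) & set(baseline)
    return {"added": sorted(set(cur) - set(baseline)),
            "removed": sorted(set(baseline) - set(cur)),
            "modified": sorted(p for p in common if cur[p]["sha256"] != baseline[p]["sha256"])}

def demo():
    """Constructed tree: index.php is altered and its mtime restored, a new file is dropped."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php echo 'hello';\n")
    (root / "cache").mkdir()
    (root / "cache" / "page.html").write_text("cached\n")
    base = build_baseline(root)
    st = (root / "index.php").stat()
    (root / "index.php").write_text("<?php echo 'hello'; /* altered */\n")
    os.utime(root / "index.php", ns=(st.st_atime_ns, st.st_mtime_ns))  # put the timestamp back
    (root / "cache" / "page.html").write_text("regenerated\n")  # excluded noise
    (root / "dropped.php").write_text("<?php\n")
    return {"mtime_check": changed_by_mtime(root, base), "hash_check": compare(root, base)}
```

In practice the baseline dict would be stored (e.g. as JSON) outside the web root and refreshed after each legitimate update.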
- Slackervaara
- Joomla! Ace
- Posts: 1115
- Joined: Sat Aug 13, 2011 6:27 am
Re: Are my site monitoring efforts nonessential drudgery?
Against SQL injection there is an entry for .htaccess in the master htaccess for Joomla, and I have used it for many years now.
## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
## http://www.sigsiu.net/presentations/for ... bsite.html
## May cause problems on legitimate requests
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]
RewriteRule .* - [F]
https://docs.joomla.org/Htaccess_exampl ... ecurity%29
-
- Joomla! Apprentice
- Posts: 38
- Joined: Mon Oct 06, 2014 11:26 pm
- Contact:
Re: Are my site monitoring efforts nonessential drudgery?
Great info, friends, thanks.
-
- Joomla! Apprentice
- Posts: 38
- Joined: Mon Oct 06, 2014 11:26 pm
- Contact:
Re: Are my site monitoring efforts nonessential drudgery?
Slackervaara wrote:
Against SQL injection there is an entry for .htaccess in the master htaccess for Joomla, and I have used it for many years now.
## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
## http://www.sigsiu.net/presentations/for ... bsite.html
## May cause problems on legitimate requests
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]
RewriteRule .* - [F]
https://docs.joomla.org/Htaccess_exampl ... ecurity%29
Good one, dude.
-
- Joomla! Apprentice
- Posts: 38
- Joined: Mon Oct 06, 2014 11:26 pm
- Contact:
Re: Are my site monitoring efforts nonessential drudgery?
Does anyone know of a script for doing the Apache log monitoring for Joomla? So far I've found only a desktop utility, a great text editor called Geany that can use regexps in the find and replace commands and also has some cool features.
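As an added example (not code from this thread), a small Python triage script for the Apache access log that applies the checks discussed in this thread: POST requests, /administrator hits, the SQL keywords webvirtuoso greps for, and administrator access from an IP not on a known list, summarised per client IP so a day's log reduces to a short list to review. KNOWN_ADMIN_IPS and the sample log lines are assumptions.

```python
"""Apache access-log triage for a Joomla site (added example, not code from the thread).
Applies the thread's checks (POST, /administrator, SQL keywords in the query string,
admin access from an IP outside a known list) and aggregates hits per client IP."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?')
SQL_WORDS = re.compile(r"\b(update|replace|insert|union|select|concat)\b", re.I)
KNOWN_ADMIN_IPS = {"203.0.113.10"}  # assumption: the site owner's own address

# Constructed sample lines in Apache combined format (documentation IP ranges).
SAMPLE = """\
198.51.100.7 - - [10/Oct/2014:03:14:01 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2014:03:14:05 +0000] "GET /index.php?option=com_content&id=5%20UNION%20SELECT%201 HTTP/1.1" 403 210 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2014:08:00:12 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2014:09:21:33 +0000] "POST /administrator/index.php HTTP/1.1" 200 8800 "-" "python-requests/2.4"
192.0.2.44 - - [10/Oct/2014:09:21:34 +0000] "POST /administrator/index.php HTTP/1.1" 200 8800 "-" "python-requests/2.4"
66.249.66.1 - - [10/Oct/2014:10:02:00 +0000] "GET /index.php/about HTTP/1.1" 200 4000 "-" "Googlebot/2.1"
""".splitlines()

def parse(line):
    m = LOG_RE.match(line)  # None for a line that is not combined format
    return m.groupdict() if m else None

def flags(rec):
    """Reasons a request deserves a look; an empty list means it can be pruned."""
    path = unquote_plus(rec["path"])  # decode %20 etc. before keyword matching
    out = []
    if rec["method"] == "POST":
        out.append("post")
    if path.startswith("/administrator"):
        out.append("admin")
        if rec["ip"] not in KNOWN_ADMIN_IPS:
            out.append("admin-unknown-ip")
    query = path.partition("?")[2]
    if query and SQL_WORDS.search(query):
        out.append("sql-keyword")
    return out

def triage(lines):
    """Per-IP summary, keeping only clients that triggered at least one flag."""
    summary = defaultdict(lambda: {"requests": 0, "flags": set()})
    for rec in filter(None, map(parse, lines)):
        summary[rec["ip"]]["requests"] += 1
        summary[rec["ip"]]["flags"].update(flags(rec))
    return {ip: s for ip, s in summary.items() if s["flags"]}
```

Run it over a real log with triage(open("access.log")) and review the IPs that remain; the "admin-unknown-ip" flag is the one itoctopus and Bernard T both point to.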
- Bernard T
- Joomla! Guru
- Posts: 782
- Joined: Thu Jun 29, 2006 11:44 am
- Location: Hrvatska
- Contact:
Re: Are my site monitoring efforts nonessential drudgery?
webvirtuoso wrote:
Good one, dude.
Slackervaara wrote:
Against SQL injection there is an entry for .htaccess in the master htaccess for Joomla, and I have used it for many years now.
## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
## http://www.sigsiu.net/presentations/for ... bsite.html
## May cause problems on legitimate requests
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]
RewriteRule .* - [F]
https://docs.joomla.org/Htaccess_exampl ... ecurity%29
Just don't get too confident that this is a universal SQL injection protection...
This is a 5 year old, non-optimized condition set which was used for Joomla 1.5 username/password grabbing attacks. Those lines can only detect usage of the word "concat" followed by an opening bracket, or the words "union select" or "union all", and only if they are present as GET variables. SQL injection attacks don't have to consist of those words at all.
Also, most of the Joomla forms that get attacked are POST method based, not GET, so this protection most probably won't do much good other than slowing down every one of your requests. So, if you don't see such query string patterns in your logs, I'd advise against using it today.
webvirtuoso wrote:
Does anyone know of a script for doing the Apache log monitoring for Joomla? So far I've found only a desktop utility, a great text editor called Geany that can use regexps in the find and replace commands and also has some cool features.
If you have control over your hosting server, use Fail2Ban.
I am developing a brute force protection extension right now, which will track logs too. But it will take some time until it's tested and ready for production. Beta testers are welcome.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak