Advertisement

Discussion for: Joomla Administrator's Security Checklist

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
User avatar
brian
Joomla! Master
Joomla! Master
Posts: 12813
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Discussion for: Joomla Administrator's Security Checklist

Post by brian » Sat Jul 29, 2006 7:48 am

f you're using a shared hosting provider, be sure other users on your server can't access your site's files. Usually a shell account is required for this level of access.
Sorry but that is just not true. Any good ISP will have set up their sharedhosting system in an environment that prevents other users accessing your files. Shell access is not required. Or did you mean that shell access was required to test for this?
Last edited by RobS on Tue Aug 01, 2006 6:12 pm, edited 1 time in total.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

Advertisement
User avatar
brian
Joomla! Master
Joomla! Master
Posts: 12813
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Joomla Administrator's Security Checklist Discussion

Post by brian » Sat Jul 29, 2006 7:51 am

rliskey wrote:
Be sure you know your ISP's backup procedures. Test the backup process before you really need it by requesting a specific file from the previous day.
Never rely on anyone else for backup. Take responsibilty for your own database and ensure that YOU keep it backed up.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1366
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Joomla Administrator's Security Checklist Discussion

Post by RobS » Sat Jul 29, 2006 8:05 am

brian wrote:
f you're using a shared hosting provider, be sure other users on your server can't access your site's files. Usually a shell account is required for this level of access.
Sorry but that is just not true. Any good ISP will have set up their sharedhosting system in an environment that prevents other users accessing your files. Shell access is not required. Or did you mean that shell access was required to test for this?
I believe he meant that a shell was usually required to test this.  While a shell makes this easier it is not necessary to test it.  Though, I won't get into how to get around that.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 12813
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Joomla Administrator's Security Checklist Discussion

Post by brian » Sat Jul 29, 2006 8:45 am

i thought he might. i just dont want to see people thinking that they need shell access
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Joomla Administrator's Security Checklist Discussion

Post by rliskey » Sun Jul 30, 2006 2:04 am

That's right, I only meant that using your own shell account is an easy way to check what users at your level can do with their shell accounts. Personally, I'd feel blind without shell account, but maybe "required" is too strong a word. If you don't have shell access, aren't you pretty much stuck with FTP for moving and renaming files, and for setting file permissions?

User avatar
crash777
Joomla! Explorer
Joomla! Explorer
Posts: 334
Joined: Sat Sep 03, 2005 1:56 am
Location: Upstate New York

Joomla Administrator's Security Checklist Discussion

Post by crash777 » Sun Jul 30, 2006 1:00 pm

rliskey wrote: That's right, I only meant that using your own shell account is an easy way to check what users at your level can do with their shell accounts. Personally, I'd feel blind without shell account, but maybe "required" is too strong a word. If you don't have shell access, aren't you pretty much stuck with FTP for moving and renaming files, and for setting file permissions?
VPS' have a file manager.. moving files, uploading and downloading can be done as well as editing some files..
I also do not provide shell access unless my client has a specific need for it.

A step back, however... what is the setting that prevents users from accessing files not in their own account?
Thanks!
Aaron

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Joomla Administrator's Security Checklist Discussion

Post by rliskey » Sun Jul 30, 2006 6:10 pm

crash777 wrote: A step back, however... what is the setting that prevents users from accessing files not in their own account?
I didn't consider VPS management. That's a BIG, interesting subject that I think would have to go in a *NIX administrators topic. I was limiting this to basic Joomla! installation considerations.

But, if I understand your goal (to protect multiple users that you are hosting on your VPS), here are some links that may help:
How VPS works: http://www.webintellects.com/solutions/ ... ervers.htm
suEXEC: http://httpd.apache.org/docs/1.3/suexec.html
Apache Security: http://httpd.apache.org/docs/1.3/misc/s ... _tips.html
Apache Require Directive: http://httpd.apache.org/docs/2.2/mod/core.html#require

User avatar
crash777
Joomla! Explorer
Joomla! Explorer
Posts: 334
Joined: Sat Sep 03, 2005 1:56 am
Location: Upstate New York

Joomla Administrator's Security Checklist Discussion

Post by crash777 » Sun Jul 30, 2006 7:01 pm

hmm.. thank you for the detailed links.. I will be reviewing them as well.  ;D
I had thought you had a particular setting in mind like "Php open_basedir" that WHM can control. I was just curious if this is the setting that you might have been referring to...
Thanks!
Aaron

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Joomla Administrator's Security Checklist Discussion

Post by rliskey » Sun Jul 30, 2006 8:39 pm

Nope, sorry. Actually, you're way over my head. I haven't used a VPS yet, but have been planning to move that way someday. How do you like it so far?

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1366
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Joomla Administrator's Security Checklist Discussion

Post by RobS » Sun Jul 30, 2006 11:00 pm

Well, when it comes to something like that you have 3 options basically.  And they would probably be arranged as below in order of difficulty if the top is easiest and the bottom is the most difficult to implement correctly.

PHP open_basedir
PHP SafeMode
Apache suExec

Then of course, you can combine them as well for those little bits of extra security.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

Joomaboom
Joomla! Intern
Joomla! Intern
Posts: 73
Joined: Fri Sep 02, 2005 4:19 pm

Joomla Administrator's Security Checklist Discussion

Post by Joomaboom » Tue Aug 01, 2006 2:44 pm

I think under Joomla extensions you could put a reminder to remove any unused extensions and double check that the folders and files were actually removed.


Also as an aside and a tip for newbies. I was a bit of a nervous wreck about a few sites I had done for clients until I took the time to test out the backups by getting an actual development server. It's only $3.95 per month on Godaddy and uploaded the sites there to see if the backups were OK and how tough it would be to restore, move a site to a new server etc.. I had one that was still on Mambo with an older version of Menalto Gallery. I uploaded and upgraded everything to Joomla on the development server without any real hitches, you just need to tweak a few configuration files in most cases. But by doing it all on a development server I'm pretty confident I should be able to handle a worst case scenario without to much difficulty. This makes me sleep better, but make sure you have good backups.  :)

User avatar
Jenny
Joomla! Champion
Joomla! Champion
Posts: 6206
Joined: Sun Aug 21, 2005 2:25 pm
Contact:

Re: Joomla Administrator's Security Checklist Discussion

Post by Jenny » Thu Aug 03, 2006 12:27 pm

brian wrote:
rliskey wrote:
Be sure you know your ISP's backup procedures. Test the backup process before you really need it by requesting a specific file from the previous day.
Never rely on anyone else for backup. Take responsibilty for your own database and ensure that YOU keep it backed up.
I have to concur with Brian on this, and I cannot stress it enough!  Each person as an individual is responsible for their own backups, both files and databases, in fact every host I have ever hosted with insists on this in their terms of service.  That is not to say that they did not or do not have backup systems in place, but those backup are for their own use to restore their servers in case of mishap.  They are not responsible for restoring your site, or any file that you wish to have restored on a whim, as this takes a huge amount of time for them.  Some hosts may help you out if you have issues, and some will charge you for restoration services, but I have never seen a terms of service that stated they are responsible for backing up your files.  People make this mistake all of the time, please don't perpetuate the notion that hosts are responsible for backing up people's websites, as it is incorrect.

The backup process that I have seen in the user control panels I have used are almost always a one click solution.  Click on backup, the backup is created in a zip file.  Download the zip file.  Same with databases.  You can then download the backup and check for integrity. 

Please change or even better remove the reference to hosts being responsible for backing up websites. Individuals and only individuals are responsible for their site's data.  I don't know of any host's terms of service that does not specifically state this. 

Edit: Just a clarification:  I don't know of any reputable hosts that do not specifically state in their terms of service that the account holder is responsible for their own data backups. 
Last edited by Jenny on Thu Aug 03, 2006 12:34 pm, edited 1 time in total.
Co-author of the Official Joomla! Book http://officialjoomlabook.com
Marpo Multimedia http://marpomultimedia.com

User avatar
spike00
Joomla! Intern
Joomla! Intern
Posts: 55
Joined: Wed Jan 25, 2006 10:56 pm
Location: Busto Arsizio (VA) - Italy
Contact:

Re: Discussion for: Joomla Administrator's Security Checklist

Post by spike00 » Thu Aug 03, 2006 3:47 pm

We have managed servers (this means that there's another company who manage our servers).
Our hosting service include raid1 mirroring and daily incremental backup + total backup every 15 days on a different machine used only for backups. Disaster recovery service and restore on demand are included.

We have a specific contract with the external company just for backup service.

This not to make spam of course (I won't write any url), just to say that there are many levels of service.
Paolo De Dionigi
Moderator of Zen Cart Italy

http://www.atfriends.net

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 12813
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: Discussion for: Joomla Administrator's Security Checklist

Post by brian » Thu Aug 03, 2006 3:57 pm

I still say that you should NOT rely on anyone else to do your backups no matter what you pay them.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

User avatar
spike00
Joomla! Intern
Joomla! Intern
Posts: 55
Joined: Wed Jan 25, 2006 10:56 pm
Location: Busto Arsizio (VA) - Italy
Contact:

Re: Discussion for: Joomla Administrator's Security Checklist

Post by spike00 » Thu Aug 03, 2006 4:22 pm

Hmmm... is simply outsourcing like many other services, like fiscal stuff, safety, security. Why is normal to rely on others about fiscal, safety, security and not backup?

Here in Italy we have strict laws about privacy that involve backup policies (among many other things), so is easier to give backup responsability to who manages servers - speaking about online data - (this way they MUST assure a good backup policy according to the law: if something goes worng, not only they break the contract but the law too!)
Paolo De Dionigi
Moderator of Zen Cart Italy

http://www.atfriends.net

User avatar
Jenny
Joomla! Champion
Joomla! Champion
Posts: 6206
Joined: Sun Aug 21, 2005 2:25 pm
Contact:

Re: Discussion for: Joomla Administrator's Security Checklist

Post by Jenny » Thu Aug 03, 2006 4:31 pm

If you have specifically contracted an agency to handle your backups then you are taking responsiblity for your own backups. Please do not confuse what I posted, with someone having specifically contracted someone else to do their backups.  It is not the same thing. 

Most hosting companies have it specifically in their terms of service that they are not responsible for data loss. 
Co-author of the Official Joomla! Book http://officialjoomlabook.com
Marpo Multimedia http://marpomultimedia.com

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: Discussion for: Joomla Administrator's Security Checklist

Post by rliskey » Thu Aug 03, 2006 4:34 pm

The backup issue generated the most debate so far. I've strengthened the wording in response.

I think being personally responsible for backups means different things in different situations, which may partly explain the range of opinions. But all agree that backups are vital.

Seems best for the checklist to stress the vital importance of backups as well as the ultimate inescapability of personal responsibility--no matter how that responsibility is managed.
Last edited by rliskey on Thu Aug 03, 2006 4:35 pm, edited 1 time in total.

User avatar
Tonie
Joomla! Master
Joomla! Master
Posts: 16553
Joined: Thu Aug 18, 2005 7:13 am

Re: Discussion for: Joomla Administrator's Security Checklist

Post by Tonie » Thu Aug 03, 2006 4:35 pm

I wholeheartedly agree with Brian and Mmmedia. Things can and will go wrong. You can be protected by whatever law or contract made with a 3rd party, in the case of trouble this doesn't get your site or data back. Even working at big customer sites, I don't fully trust backup systems and always take copies of my own documents

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 12813
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: Discussion for: Joomla Administrator's Security Checklist

Post by brian » Thu Aug 03, 2006 4:49 pm

To re-emphasise why you should never rely on anyone else for backups (even if you contract them to do so) read this http://usertools.plus.net/status/archive/1154603560.htm

Which goes on to tell the customers of a major isp that they have irretreviably lost 700gb of clients email.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

User avatar
spike00
Joomla! Intern
Joomla! Intern
Posts: 55
Joined: Wed Jan 25, 2006 10:56 pm
Location: Busto Arsizio (VA) - Italy
Contact:

Re: Discussion for: Joomla Administrator's Security Checklist

Post by spike00 » Thu Aug 03, 2006 5:36 pm

I get your point, but managing backup by yourself is possible (but still very expensive in term of time) only for small sites, considering a daily backup.

I've a friend whose db is about 200Mb (e-commerce + forum). Obviously is a pain to dump such a big db, not speaking about bandwidth: 200x30 = 6Gb month just for db backup.

And if you manage 10/50/100 sites?

With our data on 2 hd (raid1) and on a different machine (not online) I feel quite safe.

At the end is only a matter of costs and benefits.

Of course I totally agree with the importance of paying attention to which level of service your hosting provider offers.
Paolo De Dionigi
Moderator of Zen Cart Italy

http://www.atfriends.net

User avatar
eyezberg
Joomla! Hero
Joomla! Hero
Posts: 2859
Joined: Thu Aug 25, 2005 5:48 pm
Location: Geneva mostly
Contact:

Re: Discussion for: Joomla Administrator's Security Checklist

Post by eyezberg » Tue Aug 08, 2006 9:07 pm

Some points about this sticky:
1. good idea, should be integrated as default content in installer sql! Just so it's right there in your face, instead of somewhat hidden here.
2. but: some of the things in there should be explained, for example:
* i have no idea what shell access is and can be used for
* i have absolutely no idea how to "Use an Intrusion Prevention/Detection Systems to block/alert on malicious HTTP requests", no idea what that could be.. (yeah, go ahead and hack my site now.. :) )
* i have no idea how to "Check the "raw logs" for real detail", dunno what "raw logs" are, and what "real detail" I should be looking for!
* how do I "Configure Apache mod_security and mod_rewrite filters to block PHP attacks"? no idea!
* most stuff listed under "PHP"  wouldn't know how/what to do..

About 3P extensions: how do I know if I can trust a site? If I click a download link here on the extensions site, and it takes me to another website, is that to be trusted because it's linked here? Or is there a list somewhere?

And all the interesting things listed under "Joomla! Hardening" would be cool to use, except I got no clue how, for ex. "Move configuration files above Web root using symlinks or modified path variables" sounds like something I'd want to do too..

So, it all sounds very interesting for someone who knows how to DO all this stuff, but there's all the details missing for all those who don't.. ;)
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1366
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: Discussion for: Joomla Administrator's Security Checklist

Post by RobS » Tue Aug 08, 2006 9:17 pm

Well, in reality most of those things go well beyond the scope of a Joomla! article and in that fashion, most of them have several thousands of pages worth of documentation and howtos available elsewhere on the web.  It would take quite seriously, a book, to explain all of that stuff in enough detail to make it useable to everyone.  However, I am sure that you can find lots of information regarding those suggestions by utilizing your favorite search engine.  And if that won't work, there is always the option of hiring a security professional to do it for you.  (Also suggested in that checklist).
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

User avatar
eyezberg
Joomla! Hero
Joomla! Hero
Posts: 2859
Joined: Thu Aug 25, 2005 5:48 pm
Location: Geneva mostly
Contact:

Re: Discussion for: Joomla Administrator's Security Checklist

Post by eyezberg » Wed Aug 09, 2006 7:31 am

No book needed, just adding links to relevant readings might do it.
As it is now, it's like a TOC both no pages after.
These things might go beyond the scope of this list, but I don't see why more information about some points couldn't be available here (or in Help or Dev), as Security concerns seem to be getting stronger after all those hacks lately. One short intro article per item, expaining what it is/means/does and where to look for more info.
I think it is disappointing to tell users: you should really secure your site by doing all these things, but not telling them how, no?
And what about "trusted sites"?
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: Discussion for: Joomla Administrator's Security Checklist

Post by rliskey » Wed Aug 09, 2006 8:19 am

The reason this list exists as a forum post is so we can quickly benefit from our collective knowledge. It is not an official Joomla! document; it is just my best shot at collecting and sharing what I have learned and been told by others.

The best way to improve this list is to contribute to it. If you find important information that should be here, you could PM me or post it to this topic. I watch this topic daily and incorporate suggestions into the list as soon as possible.

I agree that tight summary paragraphs for each item would be a great addition. If anyone has deep knowledge of particular items and would like to write a summary, I'm sure thousands of worried Joomla! administrators would be very grateful.

User avatar
eyezberg
Joomla! Hero
Joomla! Hero
Posts: 2859
Joined: Thu Aug 25, 2005 5:48 pm
Location: Geneva mostly
Contact:

Re: Discussion for: Joomla Administrator's Security Checklist

Post by eyezberg » Wed Aug 09, 2006 8:23 am

Thanks rliskey,
I understand how this list was meant and appreciate you doing this, its just as you say: reading it leaves you somewhat worried as to what and how to do. And hiring a security expert for a personal site is not really an option..
So I do hope there are some experts willing to contribute a few more details/ links to post with how-tos or other explanations.
thanks
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: Discussion for: Joomla Administrator's Security Checklist

Post by rliskey » Wed Aug 09, 2006 8:25 am

eyezberg wrote: And what about "trusted sites"?
A "trusted site" is one that *you* trust. Examples of sites *I* trust include:
    http://forge.joomla.org  -- Added by popular demand.  ;) Didn't mean for this to become an official list!
    http://www.joomla.org
    http://www.apache.org
    http://www.php.net
    http://www.mysql.com
    http://www.gnu.org
    http://www.truthout.org
Your list may vary. There are very few sites hosting third party extensions that I trust. I don't think you should either.
Last edited by rliskey on Wed Aug 09, 2006 8:01 pm, edited 1 time in total.

User avatar
eyezberg
Joomla! Hero
Joomla! Hero
Posts: 2859
Joined: Thu Aug 25, 2005 5:48 pm
Location: Geneva mostly
Contact:

Re: Discussion for: Joomla Administrator's Security Checklist

Post by eyezberg » Wed Aug 09, 2006 10:48 am

Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com

User avatar
Tonie
Joomla! Master
Joomla! Master
Posts: 16553
Joined: Thu Aug 18, 2005 7:13 am

Re: Discussion for: Joomla Administrator's Security Checklist

Post by Tonie » Wed Aug 09, 2006 11:02 am

Regarding Forge. All components that are in Robs list and are still having security issues that are know, have been set to "project member access" only. I am in the process of searching for projects that also distribute an (old) Joomla distribution (and searching for empty projects).

User avatar
eyezberg
Joomla! Hero
Joomla! Hero
Posts: 2859
Joined: Thu Aug 25, 2005 5:48 pm
Location: Geneva mostly
Contact:

Re: Discussion for: Joomla Administrator's Security Checklist

Post by eyezberg » Wed Aug 09, 2006 11:37 am

Thanks Tonie, efforts much appreciated.
Maybe should be announced somewhere so dev's (and downloaders) are aware of that?
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com

User avatar
Tonie
Joomla! Master
Joomla! Master
Posts: 16553
Joined: Thu Aug 18, 2005 7:13 am

Re: Discussion for: Joomla Administrator's Security Checklist

Post by Tonie » Wed Aug 09, 2006 12:03 pm

Good idea. I will create a sticky in the Forge forum later on.

I do use the developer contact information in Forge to contact the developer when a security issue has been found. The current Robs list has been done last week. When a new one has been found, a developer can receive two mails, extensions and Forge.

Advertisement

Locked

Return to “Security - 1.0.x”