How to increase Safety on your Joomla / Mambo installation

Discussion regarding Joomla! security issues.

beuvema
Joomla! Explorer


Post by beuvema » Thu Aug 18, 2005 6:39 pm

Before continuing, read:

http://forum.joomla.org/index.php/topic,81058.0.html


  • Thanks for the responses so far... (continued from http://forum.mamboserver.com/showthread ... post274363 )

    In general, security can be increased by:

    Index
      • Joomla! / M$mb$
      • .htaccess
      • General



      Joomla / M$mb$

      - Run the MSC component (Mambo Security Check), which will check your php.ini and the chmod on files and tell you if anything might be a hazard there.
      - Install the ldap9 component along with a plug-in to allow a more secure level of authentication.
      - As far as the paths, here:
        • media/ Writeable (0644)
        • administrator/components/ Writeable (0644)
        • components/ Writeable (0644)
        • images/stories/ Writeable (0644)

      It's my understanding that these can be set to 644 as well once you are done customizing the site.

      More information on security on M$mb$/Joomla can be found at:
      :: documentation PDF by jascha from #localareasecurity (outdated but covers all the bases) on Mambo security:
      http://mamboforge.net/frs/?group_id=131&release_id=355

      .htaccess
      - Using secure passwords
        • .htaccess file (turning off directory listings)
        • all file attributes, especially configuration.php, set to 0644
        • all folder attributes 0755
        • edit your .htaccess file, so the administrator backend is accessible from predefined IP addresses only.
        • add some filtering options to your .htaccess against spambots.

      On the .htaccess file: is the folder to place it in the Mambo root folder?
      Are the following lines sufficient to turn off directory listings, and are they inherited?


order allow,deny
allow from all

More info on .htaccess can be found on


MySQL
- Make sure you have the latest MySQL version.

General:
Never post:
- files with full paths to your site
- configuration.php with account information (login name / password)
Greetz Beuvema

I will keep this top file up to date to get an instant view of the safety settings needed.
d3vlabs wrote: you can also
get SSL ($44.99 is it) for your Mambo's administrator area.
go through cPanel and enable some stuff like hotlinking protection, SpamAssassin or any other useful scripts you might have.



This "Whitepaper" on M$mb$ and Joomla! Security is distilled from the posts of (in order of appearance):
hazman, keliix06, DeanMarshall, d3vlabs, sc00zy, cmyksteve, elnino, TheSaint, brad
Last edited by beuvema on Mon Oct 09, 2006 6:12 pm, edited 1 time in total.
!! September 1, 2005 is a beautiful day, JOOMLA! day !!
Webexperiences http://www.oltech.nl

hazman

Re: How to increase Safety on your Mambo installation

Post by hazman » Fri Aug 19, 2005 11:27 am

Hello,

Just having the configuration.php set at 644 is enough? What about the other folders?

keliix06
Joomla! Ace

Re: How to increase Safety on your Mambo installation

Post by keliix06 » Fri Aug 19, 2005 6:39 pm

configuration.php is the only file that Mambo needs set to something other than 0644 to write to (in a default install, under some server setups).
Doyle Lewis
BuyHTTP Internet Services
http://www.buyhttp.com/joomla_hosting.html - No Overselling Guarantee. Your Joomla site, faster.
http://www.joomlademo.com - 30 day free trial of Joomla

beuvema
Joomla! Explorer

Re: How to increase Safety on your Mambo installation

Post by beuvema » Fri Aug 19, 2005 6:51 pm

So if I understand it correctly, in normal operation all files and folders in a mambo installation MUST be set to 644?
Last edited by beuvema on Fri Aug 19, 2005 6:56 pm, edited 1 time in total.

keliix06
Joomla! Ace

Re: How to increase Safety on your Mambo installation

Post by keliix06 » Fri Aug 19, 2005 7:00 pm

No. Files need to be at least 0644 and folders need to be at least 0755. Depending on your server environment that will allow Mambo to write to all files and folders and you will get server errors by changing anything to 0777.

DeanMarshall
Joomla! Hero

Re: How to increase Safety on your Mambo installation

Post by DeanMarshall » Sat Aug 20, 2005 3:25 am

On a related note:

One aspect of security that seemed particularly lax in 'the other place', was the frequency with which people would post error messages and config files with full server paths shown, together with domain names, paths to system folders, software version numbers, etc. There is frequently enough info there to give someone a good head start on accessing a system.

Whilst it can be necessary to disclose such info while seeking help I think posters should be encouraged to refrain from posting too much info of this nature too soon.

Perhaps once a solution is found they should be encouraged to edit their earlier posts to remove the path information. And along the same lines - perhaps others should be discouraged from quoting such data - that way  copies aren't left lying around that the original poster does not have authorisation to edit/obfuscate/remove.

Dean Marshall
Dean Marshall Consultancy - six Joomla experts - http://www.deanmarshall.co.uk/

Joomla Experts - Joomla Support http://www.deanmarshall.co.uk/joomla-se ... pport.html

d3vlabs
Joomla! Explorer

Re: How to increase Safety on your Mambo installation

Post by d3vlabs » Sat Aug 20, 2005 8:34 am

you can also

add some filtering options to your htaccess against spambots
set up an IP range which will have access to the admin backend
run MSC component (Mambo Security Check) which will check your php.ini and chmod on files and tell you if anything might be a hazard there
install ldap9 component along with a plug-in to allow a more secure level of authentication.
get SSL ($44.99 is it) for your Mambo's administrator area.
make sure you have the latest MySQL version
go through cPanel and enable some stuff like hotlinking protection, SpamAssassin or any other useful scripts you might have.


As far as the paths. Here:

media/ Writeable
administrator/components/ Writeable
components/ Writeable
images/stories/ Writeable

It's my understanding that these can be set to 644 as well once you are done customizing the site.
Last edited by d3vlabs on Sat Aug 20, 2005 8:43 am, edited 1 time in total.

sc00zy
Joomla! Exemplar

Re: How to increase Safety on your Mambo installation

Post by sc00zy » Sun Aug 21, 2005 10:16 am

What risk do I take when I leave the folders and configuration.php writable?
My clients like to upload pictures themselves and change the global configuration sometimes. I really don't want to bother them with the use of an FTP client and changing the permissions on files and folders.
Arjan Menger
https://welldotcom.nl - Puntgaaf Internetbureau

d3vlabs
Joomla! Explorer

Re: How to increase Safety on your Mambo installation

Post by d3vlabs » Sun Aug 21, 2005 11:11 am

Not much of a risk, you can't execute Mambo PHP files directly anyway. I just took it from the list under the install components menu. In fact you should just use your own logic when chmodding; only you know what you want to give access to the public for.

sc00zy
Joomla! Exemplar

Re: How to increase Safety on your Mambo installation

Post by sc00zy » Sun Aug 21, 2005 11:38 am

d3vlabs wrote: Not much of a risk, you can't execute Mambo PHP files directly anyway. I just took it from the list under the install components menu. In fact you should just use your own logic when chmodding; only you know what you want to give access to the public for.
Ok, thanks. That's clear to me :)

cmyksteve
Joomla! Intern

Re: How to increase Safety on your Mambo installation

Post by cmyksteve » Sun Aug 21, 2005 8:34 pm

d3vlabs wrote: you can also

set up an IP range which will have access to the admin backend
Is this restriction setup in cPanel or Mambo?

Thanks-
Steve

d3vlabs
Joomla! Explorer

Re: How to increase Safety on your Mambo installation

Post by d3vlabs » Mon Aug 22, 2005 12:05 am

.htaccess

cmyksteve
Joomla! Intern

Re: How to increase Safety on your Mambo installation

Post by cmyksteve » Mon Aug 22, 2005 1:55 am

Thanks d3vlabs.

I'll look into that. Would the cPanel forum be as good as any to find out how to set up htaccess, for this?

d3vlabs
Joomla! Explorer

Re: How to increase Safety on your Mambo installation

Post by d3vlabs » Tue Aug 23, 2005 10:50 am

Here are some more recommendations on the issue.
Learn about .htaccess on forums here:

:: my personal favorite: http://www.apachefreaks.com
:: this can be a useful resource as well: http://www.weberforums.com/

:: visit #apache on freenode IRC with 160+ users on average

As far as securing Mambo, I used a combination of

:: documentation PDF by jascha from #localareasecurity (outdated but covers all the bases) on Mambo security:
http://mamboforge.net/frs/?group_id=131&release_id=355

It will show you how to set up admin access by certain IP ranges as well as some extra precautions like an extra login box before you reach the backend.

:: HTAccess Patch 1.0 - A new .htaccess file, which protects your website against spam spiders and leeching tools. Needs mod_rewrite to run; from mamboportal.com

This one is outdated as well. But if you look at both the files above it will give you a pretty good idea on what to do with your .htaccess file

I use mine for the following:

:: RewriteEngine On and the Redirect function to provide functionality given by some SEF components
:: mod_rewrite and a new URL scheme to allow shorter URLs to my image gallery
:: allow only users from certain IP ranges to access the admin backend
:: extra security login
:: deny certain file types
:: deny access to the .htaccess file
:: list of known spambots to prevent them from harvesting my site
:: #php_value post_max_size // #php_value upload_max_filesize to increase the 2MB per file limit enforced by the standard php.ini set-up

I would love to post my .htaccess file for informative purposes, but it has just too much personal information for me to clean up. Regardless I hope my post was helpful
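The .htaccess uses d3vlabs lists above (IP-restricted backend, an extra login box, denying the .htaccess file and certain file types, blocking known spambots, the php_value upload limits), together with the directory-listing question in the first post, written out as two files by a small shell function. This is an added example, not a file from the thread, from the jascha PDF, from the mamboportal patch or from the Mambo/Joomla project. It assumes Apache 2.2-style Order/Allow/Deny syntax (the style the thread's own snippet uses; Apache 2.4 needs mod_access_compat for it), AllowOverride permitting Options, Limit, AuthConfig and FileInfo in the directory, mod_rewrite loaded, and PHP running as mod_php (without it, drop the php_value lines or Apache answers 500). The allowed range 203.0.113.0/24, the .htpasswd path and the bot names are placeholders.

```shell
#!/bin/sh
# Added example: generate a hardened root .htaccess and an administrator/.htaccess
# for a Mambo/Joomla 1.0 site on Apache (2.2-era Order/Allow/Deny syntax, matching
# the thread). Every address, path and bot name below is a placeholder.
set -eu

# write_root_htaccess DIR  -- rules for the site root, inherited by all subfolders
write_root_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# No directory listings anywhere below the site root
Options -Indexes

# Nobody may fetch .htaccess / .htpasswd over HTTP
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>

# Never serve backups, SQL dumps, includes or logs left in the tree
<FilesMatch "\.(sql|bak|old|inc|log)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Refuse known harvesters/leechers by User-Agent (list is illustrative)
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^(EmailSiphon|EmailWolf|WebZIP|Teleport) [NC]
RewriteRule .* - [F]

# Raise the 2 MB per-file upload ceiling (only honoured under mod_php)
php_value upload_max_filesize 8M
php_value post_max_size 8M
EOF
}

# write_admin_htaccess DIR ALLOWED_CIDR HTPASSWD  -- backend: IP allowlist plus a
# second password prompt before the Mambo login page is ever reached
write_admin_htaccess() {
    cat > "$1/administrator/.htaccess" <<EOF
# Only this range may reach the backend at all
Order deny,allow
Deny from all
Allow from $2

# ...and even then a Basic-auth prompt first (Satisfy all is the default,
# so both the IP check and the password must pass)
AuthType Basic
AuthName "Restricted backend"
AuthUserFile $3
Require valid-user
EOF
}

# Usage (placeholders):
#   mkdir -p /tmp/site/administrator
#   write_root_htaccess /tmp/site
#   write_admin_htaccess /tmp/site 203.0.113.0/24 /home/user/.htpasswd
```

Create the password file outside the web root with `htpasswd -c /home/user/.htpasswd admin`. Two design points: `Options -Indexes` is the directive that actually stops Apache generating folder indexes (the Order/Allow pair only decides who may request a path), and because the root .htaccess applies to every subfolder that does not override it, the listing ban and the spambot rules need to be written once.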

beuvema
Joomla! Explorer

Re: How to increase Safety on your Mambo installation

Post by beuvema » Tue Aug 23, 2005 11:04 am

Hi d3vlabs,

thanks for the info, it's great to see the evolution of this "White paper" on M$Mb$ security is taken seriously by you all.

Greetz Beuvema

cmyksteve
Joomla! Intern

Re: How to increase Safety on your Mambo installation

Post by cmyksteve » Tue Aug 23, 2005 2:54 pm

Thanks again d3vlabs.

I started looking into htaccess last night and found a lot of dead ends. I'm sure your post will help, when I can get back to this and have a few more of the basics "under my belt".

Steve

elnino
Joomla! Intern

Re: How to increase Safety on your Mambo installation

Post by elnino » Wed Aug 24, 2005 1:08 pm

I thought at one point I remember reading something on the forums that said any directory that needs to be writeable should be set to 707 instead of 755 because it would be a little more secure.  Is this true at all?

DeanMarshall
Joomla! Hero

Re: How to increase Safety on your Mambo installation

Post by DeanMarshall » Wed Aug 24, 2005 2:03 pm

elnino wrote: I thought at one point I remember reading something on the forums that said any directory that needs to be writeable should be set to 707 instead of 755 because it would be a little more secure.  Is this true at all?

Based on my reading of this:
http://www.akamarketing.com/unix-files-permissions.html
I would say that in general we are only really looking at the first and last digits. Your 707 is, as far as the world browsing your site (the third digit) is concerned, actually more open than the 755 that you are changing from. I think a directory needs to be BOTH readable and executable if it is to be accessible, so 5 is the more secure option.

Dean.
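The "at least 0644 for files, at least 0755 for folders, never 0777" rule from keliix06's reply and Dean's point about the third digit, turned into a check you can run over an installation. This is an added example, not a script from the thread or from the Mambo/Joomla project. It uses only POSIX sh and find, so it runs on a typical shared host; the 0777 remark in the comment reflects the common suexec/suPHP policy of refusing world-writable scripts, and the decision to leave configuration.php alone is an assumption based on the thread's note that some hosts need it writable.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Mambo/Joomla 1.0 tree against the
# "files 0644, folders 0755, never group/world-writable" baseline and decode what
# each octal digit grants. Portable POSIX sh and find, no GNU-only options.
set -eu

# describe_mode OCTAL -> "owner=rwx group=r-x world=r-x"
# Only the low three digits matter here; a leading 0 (or a setuid/sticky digit) is dropped.
describe_mode() {
    bits=$1
    bits=${bits#"${bits%???}"}          # keep the last three digits
    out=""
    for who in owner group world; do
        dig=${bits%"${bits#?}"}         # first remaining digit...
        bits=${bits#?}                  # ...then drop it for the next round
        r=-; w=-; x=-
        case $dig in 4|5|6|7) r=r ;; esac   # bit 4 = read (list a folder)
        case $dig in 2|3|6|7) w=w ;; esac   # bit 2 = write (create/delete inside it)
        case $dig in 1|3|5|7) x=x ;; esac   # bit 1 = execute (enter/traverse it)
        out="$out$who=$r$w$x "
    done
    printf '%s\n' "${out% }"
}

# world_writable OCTAL -> true when "others" (the last digit) carry the write bit.
# 707 does, 755 does not: that is why 707 is looser than 755, not tighter.
world_writable() {
    case ${1#"${1%?}"} in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# audit_tree ROOT -> print every file or folder below ROOT that is group-writable
# (mask 020) or world-writable (mask 002), i.e. looser than 0644/0755. 0777 is
# caught too; suexec/suPHP hosts refuse to run scripts from such folders.
# Symlinks are skipped because their own mode bits are meaningless.
audit_tree() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print
}

# fix_tree ROOT -> apply the baseline. configuration.php is deliberately left
# alone (assumption: some hosts need it writable for the backend to save settings),
# so it still shows up in audit_tree until the owner decides what to do with it.
fix_tree() {
    find "$1" -type d -exec chmod 0755 {} +
    find "$1" -type f ! -name configuration.php -exec chmod 0644 {} +
}

# Usage:
#   describe_mode 707            # owner=rwx group=--- world=rwx
#   audit_tree /var/www/mambo    # list what is too open
#   fix_tree   /var/www/mambo    # then re-run audit_tree: only configuration.php may remain
```

Run `audit_tree` before and after `fix_tree`; anything still listed afterwards is either configuration.php or something outside the baseline that a component created at 0777, which is exactly the case the thread warns produces server errors on hosts that check permissions.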

elnino
Joomla! Intern

Re: How to increase Safety on your Mambo installation

Post by elnino » Wed Aug 24, 2005 4:06 pm

Cool.  Thanks for the info Dean

beuvema
Joomla! Explorer

Re: How to increase Safety on your Mambo installation

Post by beuvema » Thu Sep 01, 2005 12:11 pm

sc00zy wrote: What risk do I take when I leave the folders and configuration.php writable?
My clients like to upload pictures themselves and change the global configuration sometimes. I really don't want to bother them with the use of an FTP client and changing the permissions on files and folders.
What if my client has the FTP credentials (Username / Login), and I don't want him to be able to alter or view M$mb$ settings. Is there a way to compile the site somehow?

Grtz Beuvema

TheSaint
Joomla! Ace

Re: How to increase Safety on your Mambo installation

Post by TheSaint » Sun Sep 11, 2005 6:44 am

This thread has some great information in it. Could we consider it for a sticky? Also, if the original post could be edited to include the follow-up info it would help keep things a bit cleaner. Or, perhaps the moderator of this area could maintain a new sticky thread and start grabbing information from the various topics and compile a new list? We shouldn't let all this good information slip down the page.
Paul
http://www.gamehostingreviews.com - In development
The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke

brad
Joomla! Master

Re: How to increase Safety on your Mambo installation

Post by brad » Sun Sep 11, 2005 6:47 am

TheSaint wrote: This thread has some great information in it. Could we consider it for a sticky? Also, if the original post could be edited to include the follow-up info it would help keep things a bit cleaner. Or, perhaps the moderator of this area could maintain a new sticky thread and start grabbing information from the various topics and compile a new list? We shouldn't let all this good information slip down the page.
To contact a moderator please use the report to moderator link. Not all moderators are able to read all threads.
Brad Baker
https://xyzulu.hosting
https://www.joomlatutorials.com <-- Joomla Help & Tutorials

TheSaint
Joomla! Ace

Re: How to increase Safety on your Mambo installation

Post by TheSaint » Sun Sep 11, 2005 6:56 am

Alright. I'm just a bit shy about using the report function lest I look like an attention grabbing bloke. Sometimes it seems more natural to get a consensus from your peers as to the usefulness of a sticky and then report the thread after the results are in. Regardless, a report has been filed for moderator review. ;)

beuvema
Joomla! Explorer

Re: How to increase Safety on your Mambo installation

Post by beuvema » Sun Sep 11, 2005 7:23 am

Hi Joomlads,

I promised to keep the first item up to date, but due to lack of expertise on the matter it is hard for me to see what is and what isn't important. Assistance, e.g. by making it a sticky, would be appreciated indeed!

Grtz Beuvema

brad
Joomla! Master

Re: How to increase Safety on your Mambo installation

Post by brad » Sun Sep 11, 2005 7:26 am

Feel free to submit a new FAQ to the FAQ forum so a moderator from the Doc team can review.

Thanks for your help and support. :)

beuvema
Joomla! Explorer

Re: How to increase Safety on your Mambo installation

Post by beuvema » Sun Sep 11, 2005 7:57 am

Updated the first post, comments are welcome...
Last edited by beuvema on Sun Sep 11, 2005 8:35 am, edited 1 time in total.

TheSaint
Joomla! Ace

Re: How to increase Safety on your Mambo installation

Post by TheSaint » Sun Sep 11, 2005 8:02 am

A table of contents at the top of the first post would be great.

Keeping the content to subject specific areas (CHMOD, .htaccess etc.) we should be in good shape.

Minor: Add a credits section at the bottom if you find you have too much time on your hands. ;)

beuvema
Joomla! Explorer

Re: How to increase Safety on your Mambo installation

Post by beuvema » Sun Sep 11, 2005 8:20 am

Check out the first post  ;)

Grtz beuvema
Last edited by beuvema on Sun Sep 11, 2005 8:36 am, edited 1 time in total.

mogabog
Joomla! Apprentice

Great Info

Post by mogabog » Wed May 31, 2006 9:37 pm

I am just trying to bump this thread up; it's full of good info.

-A

beuvema
Joomla! Explorer

Re: How to increase Safety on your Mambo installation

Post by beuvema » Wed May 31, 2006 10:22 pm

Don't hesitate to add new info if necessary....  ;)

