Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Joomla! Web Security

You're reading from   Joomla! Web Security Secure your Joomla! website from common security threats with this easy-to-use guide

Arrow left icon
Product type Paperback
Published in Oct 2008
Publisher
ISBN-13 9781847194886
Length 264 pages
Edition Edition
Tools
Arrow right icon
Toc

General Information


This section covers information that is general in nature for your site's security.

Preparing Your Tool Kit

The purpose of a tool kit is like a "ready bag". It should contain the items that you need to recover or respond to a problem with your site.

You are free to modify, add, or delete any of these to make them fit into your personal situation.

  1. 1. Blank CD-Rs To record logs for forensic purposes

  2. 2. A CD-R that is burned with your tools (see tools section)

  3. 3. Small tool set to work on your computer:

    • a. Phillips head

    • b. Flat-head screw driver

    • c. ¼" nut driver

    • d. Pliers

    • e. Small flashlight

  4. 4. Note pad

  5. 5. Pen and notepaper

  6. 6. A copy of your site (for restoration), this can and should be a recent copy. However, DO NOT put your master backup here.

  7. 7. One or two large capacity USB drives: One should be blank. But on the other you may want to put all your current (meaning stable, patched) extensions, a copy of your version of Joomla!, the most recent version (in your family 1.xx or 1.5.xx) on the key as well as the template, and any extra scripts or code necessary. This means that you can at least rebuild quickly if you have to.

Note

You may wonder why I specify a tools section for a software security book. If you have to physically touch hardware, such as remove drives from a server, you will need tools handy. Believe me, you will appreciate it the first time you need it.

The software tools will be covered in a later section.

Backup Tools

The key to a successful restoration post-hack is having a good backup of the database, files, and other assorted software.

Some of the tools that I like and find to work very well are:

  • Hosting Control Panel (such as cPanel or Plesk)—These built-in tools can often automate backups for you, capturing the files and database that comprose your site.

  • JoomlaPack—Available from joomlapack.net. This GPL-licensed tool is a feature-rich toolset that will make your backup and recovery a breeze.

  • JoomlaCloner—Available from JoomlaPlug.com. This commercially available tool can make a "clone" of your site and allow you to restore quickly.

  • Manual—This method, while effective, is a time-consuming venture. This is where you copy all files down, export your SQL data, and write to external media.

The key to all these is to pick one, learn it, and use it. Document everything in your Disaster Preparation Guide and store with your tool kit. Additionally, make sure that you have a recent copy of your data offsite.

Note

What is a recent copy?

It depends on how important your data is and how frequently your data changes. If you have a very busy site and it's changing often, then daily backups are important. If you have a slow site that updates every now and then, you are probably safe backing up less frequently.

For more information see my other book Dodging the Bullets—A Disaster Preparation Guide for Joomla! Web Sites.

Assistance Checklist

Your assistance checklist should include the following and while it may seem strange, keep in mind that YOU may not be doing the supporting. If you are depending on someone else, they won't necessarily know this information:

  • ISP:

    • Phone number (a 24 hour, 7 days a week support number)

    • Your account number

    • Any security information they need

  • Webhost:

    • Phone number (a 24 hour, 7 days a week support number)

    • Your account number

    • Any security information they need

    • The domain in question

  • Co-Location:

    • This should be the same as for the webhost with an addition of procedures to enter the building, the cabinet you are in, and location of "keys to unlock".

  • Website:

    • Super user administrative name and password

    • FTP information

    • Any other information relevant to your site

  • Backups:

    • Where are they?

    • How do you restore them? (document)

  • Utilities contact information (emergency and after hours):

    • Water

    • Electrical

    • Gas

  • Law:

    • Local law enforcement

    • FBI—If the computer crime is serious you will want to report it.

  • Hotels:

    • In the event you have to travel TO a site for your website

  • Extensions

    • Location of current copies (note you should have these in your toolkit, in the event you cannot immediately get to their site)

    • Contact at their site (forum, email, and so on)

  • A good friend: Someone you can call if you need help

Basic Security Checklist

Your basic security checklist is a collection of items that will help you to ensure that you are secure.

Physical Security (of an office, facility, or server closet)

  • Make sure server(s) stay locked.

  • Look for evidence of any tampering such as an "odd device" plugged into network (this could be keyloggers).

  • Scan for rouge wireless devices attached to your network.

  • Watch for anyone attempting to gain access to your building who shouldn't.

Electronic

  • Scan your site (a good tool is Nmap) to make sure your host/colo hasn't turned on ports that should be closed or filtered.

  • If you do NOT need ports ON, then close them. Following are some examples of common ports found open:

    • Port 53 (DNS Zone Transfer)

    • Port 23 (Telnet)

    • Ports 161 and 162 (SNMP and SNMP trap)

  • Passwords:

    • Are they strong enough?

    • Define a change policy (preferably every 30 days).

    • Require your users to have a strong password.

  • Vulnerabilities:

    • Periodic checks of extensions to check whether Joomla! Core, Apache, MySQL, and the base OS are in order. Make a weekly habit of checking the sites, or a better option is to subscribe to the RSS feeds.

  • FrontPage extensions: If you do not need it, turn it OFF. This is one of the best things you can do for your site.

  • Confirm whether .htaccess is in place.

  • Confirm whether the necessary commands in php.ini are in place (if applicable).

  • Use the tools in this book to check for file and directory permissions.

  • Install JCheck as your tripwire system for Joomla!

  • Periodically Google your site to see what comes up. This can help if someone has written negatively about your site, such as saying that your site is a spammer.

lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image