Fingerprinting
The goal is to stop the Joomla version from being identified. An attacker can tell whether a site runs Joomla, and which version, simply from which files and directories are present; removing them also stops tools such as BlindElephant from working. One of the easiest ways for an attacker to decide whether your site is a potential Joomla! target is a rudimentary visual fingerprinting.
Template issues: deny these links via .htaccess
- http://www.joomla.org/?tp=1 (Reveals Template Positions/Triggers the modules debugging mode)
- http://extensions.joomla.org/?template= (This switches your site's template to the template name given after the =)
- http://www.joomla.org/?tmpl=offline (Triggers the display of a system sub-template)
Delete These
- You should also remove the default Joomla images if they are not needed. The presence of certain default files and folders identifies the Joomla version. Delete the following:
Directories:
- ../images/stories/food
- ../images/stories/fruit
Files:
- articles.jpg, clock.jpg, ext_com.png, ext_lang.png, ext_mod.png, ext_plugin.png, joomla-dev_cycle.png, key.jpg, pastarchives.jpg, powered_by.png, taking_notes.jpg, web_links.jpg
- Deny access to .xml and language .ini files via .htaccess (for example a <Files ~ "\.xml$"> block). This also blocks fingerprinting attempts that browse for XML and INI files.
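As an added example (not part of the original notes), the following shell script locates the default sample images and folders listed above under a site root and can delete them. It assumes these assets live somewhere below `<root>/images` (the stories/food and stories/fruit folders, and the listed files at any depth), which is an assumption about the Joomla layout rather than something the notes state; the function names are the example's own.

```shell
#!/bin/sh
# Added example: audit and remove Joomla's default sample images, which
# identify a site as Joomla (and hint at the version).
# Assumption: the assets sit under <root>/images, at any depth.
# Usage: list_default_assets /var/www/site     (report only)
#        remove_default_assets /var/www/site   (delete what is found)

DEFAULT_DIRS="stories/food stories/fruit"
DEFAULT_FILES="articles.jpg clock.jpg ext_com.png ext_lang.png ext_mod.png \
ext_plugin.png joomla-dev_cycle.png key.jpg pastarchives.jpg powered_by.png \
taking_notes.jpg web_links.jpg"

# Print every matching path, one per line; silent when images/ is absent.
list_default_assets() {
    root="$1/images"
    [ -d "$root" ] || return 0
    for d in $DEFAULT_DIRS; do
        [ -d "$root/$d" ] && echo "$root/$d"
    done
    for f in $DEFAULT_FILES; do
        find "$root" -type f -name "$f" 2>/dev/null
    done
}

# Number of matching paths; 0 means nothing left to fingerprint here.
count_default_assets() {
    list_default_assets "$1" | wc -l | tr -d ' '
}

# Delete every match; sample folders are removed recursively.
remove_default_assets() {
    list_default_assets "$1" | while IFS= read -r p; do
        rm -rf "$p"
        echo "removed $p"
    done
}
```

Run `list_default_assets` first and read the output before `remove_default_assets`; a site that re-uses one of these file names for its own content would lose it.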
Other Fingerprinting
- Disable PHP easter eggs (visual fingerprinting) via .htaccess
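The .htaccess rules the two fingerprinting sections above call for, written as an added example that is not part of the original notes: a shell function appends one fragment that refuses the template debug, template switch, offline sub-template and PHP easter-egg query strings, denies direct browsing of .xml and .ini files, strips the X-Powered-By header and turns off directory listings. It assumes Apache with mod_rewrite and mod_headers, and uses `<IfModule mod_authz_core.c>` to pick the 2.4 or 2.2 deny syntax; the `joomla-fingerprint` marker comments are the example's own.

```shell
#!/bin/sh
# Added example: append anti-fingerprinting rules to a Joomla .htaccess.
# Assumes Apache with mod_rewrite and mod_headers loaded.
# Usage: write_fingerprint_rules /var/www/site/.htaccess

write_fingerprint_rules() {
    htaccess="$1"
    # Idempotent: do nothing if the marker is already present.
    if [ -f "$htaccess" ] && grep -q '# BEGIN joomla-fingerprint' "$htaccess"; then
        return 0
    fi
    cat >> "$htaccess" <<'EOF'
# BEGIN joomla-fingerprint
# Refuse requests whose query string triggers template debug output (tp=1),
# template switching (template=), the offline sub-template (tmpl=offline)
# or a PHP easter egg (?=PHP<id>-...).
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)tp=1(&|$)         [NC,OR]
RewriteCond %{QUERY_STRING} (^|&)template=         [NC,OR]
RewriteCond %{QUERY_STRING} (^|&)tmpl=offline(&|$) [NC,OR]
RewriteCond %{QUERY_STRING} ^=PHP[0-9A-F]{8}-      [NC]
RewriteRule .* - [F,L]
</IfModule>

# Deny direct browsing of extension manifests and language files.
<FilesMatch "\.(xml|ini)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Hide the PHP version banner and stop directory listings.
<IfModule mod_headers.c>
    Header unset X-Powered-By
</IfModule>
Options -Indexes
# END joomla-fingerprint
EOF
}
```

Two caveats: the `\.(xml|ini)$` rule also blocks a sitemap.xml served from the web root, so add a `<Files "sitemap.xml">` exception if you publish one, and the easter-egg rule is belt-and-braces only, because `expose_php = Off` in php.ini disables the easter eggs and the X-Powered-By header at the source.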
Other Security
- Disable anonymous FTP in your cPanel
- Your site should have only a handful of entry points, namely the index.php and index2.php files in your site's root and the administrator and xmlrpc subdirectories (via .htaccess / the Joomla Backend Protection section; this restricts Joomla's administrator, components, modules and plugins folders)
- SQLi protection / prevent SQLi attacks (via .htaccess)
- SQLi protection / prevent SQLi attacks (via Joomla extensions): JHackGuard from SiteGround, possibly sh404SEF
- Remove or replace the X-Powered-By header; it usually reveals the PHP version, e.g. X-Powered-By: PHP/5.3.2. Use the Clean Response plugin, possibly .htaccess
- Remove the Joomla generator meta tag; sh404SEF does this, otherwise use ByeBye Generator
- Turn off and uninstall what you don't use. There is a security benefit to this too, since unused code can still be the source of a vulnerability that gets you cracked.
- Disallow images in robots.txt
- It is suggested the super admin user ID should be in the 1-61 range when you change it
- Remove the X-Powered-By header: edit php.ini, find the expose_php directive and set it to expose_php=Off
- Joomla apparently adds an X-Powered-By header when gzip is enabled; remove it with a plugin
- Remove the Joomla ID in responses when gzip is used (Clean Response)
- Turn PHP errors off in php.ini
- Make sure the jos_ or jos151_ table prefixes are not used (see note below for instructions to change)
- Upload and configure a custom .htaccess file
- Use strong passwords (e.g. cPanel)
- .htaccess password protection for all non-Joomla directories
- Stop hotlinking (cPanel or .htaccess)
- Remove the unused XML-RPC server (if not needed)
- Admin over SSL (only if a certificate is installed)
- Enable SSL
- Remove (if not needed) the standard images from the images folder. The stories/fruit and stories/food folders are another way to check whether a site runs Joomla
- Turn Joomla error reporting off on the Global Configuration page (see notes)
- Turn PHP error reporting off (if not needed)
- Remove the XML-RPC server if you don't need it.
- Remove the Joomla generator tag (might already be done by sh404SEF)
- Add reCAPTCHA boxes where needed, e.g. user registration
- Restrict access to the Administrator section
- Hidden URL for administrator access via jSecure
- Username and password for the administrator directory via .htaccess
- Consider proper ACL for the backend when there are multiple administrators; don't make everyone a Super Admin
- Restrict access to the installer when using multiple admins
- Make sure the host runs suPHP and that all directories have 0755 permissions and all regular files 0644
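For the permissions item in the list above, here is an added example (not part of the original notes) that reports every directory that is not 0755 and every regular file that is not 0644 under a site root, with a second function that corrects them. It uses only POSIX `find` and `chmod`; the function names are the example's own, and it assumes the whole tree should follow the 0755/0644 rule exactly as the checklist states.

```shell
#!/bin/sh
# Added example: audit and fix Joomla file permissions (0755 dirs, 0644 files).
# Usage: audit_permissions /var/www/site   (list offenders)
#        fix_permissions /var/www/site     (chmod them)

# Print every path whose mode differs from the expected one, one per line.
audit_permissions() {
    find "$1" -type d ! -perm 0755
    find "$1" -type f ! -perm 0644
}

# Number of offending paths; 0 means the tree is clean.
count_bad_permissions() {
    audit_permissions "$1" | wc -l | tr -d ' '
}

# Apply the expected modes; "-exec ... +" batches paths into few chmod calls.
fix_permissions() {
    find "$1" -type d ! -perm 0755 -exec chmod 0755 {} +
    find "$1" -type f ! -perm 0644 -exec chmod 0644 {} +
}
```

Run the audit before the fix on a host that uses suPHP; because scripts then execute as the site owner, 0755/0644 is enough and nothing needs to be world-writable. The audit also catches the opposite problem, files and folders that an installer or FTP client left at 0777.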
Error Reporting to None
Setting it to None prevents any minor glitch from revealing sensitive server configuration information to a potential hacker. If this doesn't work, disable PHP's error output to the browser in php.ini. Leaving Error Reporting set to anything other than None will slow down your website and give hackers a hole through which to peer into your server settings and PHP environment. Turn it off (None) unless you are debugging at the moment: only use Error Reporting while testing or debugging, otherwise keep it off.
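The php.ini side of this section, and of the X-Powered-By and PHP error items in the list above, can be verified on the server rather than trusted. The following is an added example (not part of the original notes): a small awk-based reader that returns a directive's effective value from php.ini (comments, whitespace, quoted values and the last-assignment-wins rule handled) and a check that fails when display_errors or expose_php is still On. Both names are real php.ini directives; `expose_php = Off` is what removes the X-Powered-By header. The function names and the sample php.ini in the test are the example's own.

```shell
#!/bin/sh
# Added example: read php.ini directives and flag the two that leak
# information to visitors: display_errors and expose_php.
# Usage: php_ini_get /etc/php.ini display_errors
#        check_php_ini /etc/php.ini    (exit 1 if anything is still On)

# Print the value of directive $2 in file $1 (empty when unset).
# Later assignments override earlier ones, as PHP itself does.
php_ini_get() {
    awk -v key="$2" '
        /^[[:space:]]*[;#]/ { next }                  # whole-line comment
        {
            line = $0
            sub(/[;].*$/, "", line)                   # trailing comment
            if (match(line, /^[[:space:]]*[A-Za-z_.]+[[:space:]]*=/)) {
                name = substr(line, RSTART, RLENGTH)
                gsub(/[[:space:]=]/, "", name)
                if (tolower(name) == tolower(key)) {
                    val = substr(line, RSTART + RLENGTH)
                    gsub(/^[[:space:]"]+|[[:space:]"]+$/, "", val)
                    found = val
                }
            }
        }
        END { print found }' "$1"
}

# Normalise the spellings PHP accepts for a true boolean to "on".
php_ini_bool() {
    case "$(echo "$1" | tr 'A-Z' 'a-z')" in
        on|1|true|yes) echo on ;;
        *) echo off ;;
    esac
}

# Return 0 when both directives are Off, 1 (naming the offender) otherwise.
check_php_ini() {
    rc=0
    for key in display_errors expose_php; do
        if [ "$(php_ini_bool "$(php_ini_get "$1" "$key")")" = on ]; then
            echo "$key is On in $1"
            rc=1
        fi
    done
    return $rc
}
```

Point it at the php.ini that the web server actually loads (the one `php --ini` or phpinfo() reports), since hosts often ship several; a suhosin.simulation setting can be read with the same function.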
robots.txt is a security nightmare.
- Create deny lists for certain folders; this is better than identifying them in robots.txt
- Think twice about what you put in robots.txt, since it is a common source for attackers to find interesting URLs
- Ideally, disallow everything and then add exceptions; this does not reveal which folders exist
Suhosin
If the Suhosin patch is installed it can cause unexplained issues where things will not run. It cannot be disabled by users but can be put in simulation mode, which amounts to the same thing. Find extension="suhosin.so" in php.ini and add the following line below it:
extension="suhosin.so"
suhosin.simulation="On"