Viewing 15 posts - 1 through 15 (of 23 total)
  • mfcphil Friend
    #134536

    With concerns about the growing number of sites getting hacked, please share your tips on how to prevent this from happening with the other forum members.

    swemmel Friend
    #275930

    OK, some tips I already put in another thread.

    Kind regards,
    Peter

    Menalto Friend
    #275932

    1: Make sure you use the latest version of Joomla; check joomla.org regularly for updates. Make sure you always do a backup of your site before you upgrade.
    2: Check that all files and folders have the right permissions.
    3: Check that all PHP files belonging to Joomla start with this:

    <?php
    defined( '_JEXEC' ) or die( 'Restricted access' );

    4: Change the super administrator password regularly and always use a strong password.
    5: Change the admin login name to something unique.
    6: Uninstall all unused templates/modules/components/plug-ins.
    7: Use a .htaccess file to password protect the administrator area of your site.
    8: Move the configuration.php file to a folder with a unique name.
    9: Use a strong database password.
    10: Change the password of your FTP account regularly.
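    Point 3 can be checked mechanically. The script below is an added example, not menalto's own tooling: it lists every .php file under a directory whose first statement after the opening tag is not the _JEXEC guard, and the demo builds a throwaway directory with one guarded and one unguarded file (both constructed).

```shell
#!/bin/sh
# Added example: find Joomla PHP files that lack the "defined( '_JEXEC' ) or die" guard.
# The directory tree and the two sample files in demo() are constructed for illustration.

# has_jexec_guard FILE: true if the first non-blank line after the <?php tag is the guard.
has_jexec_guard() {
    grep -v '^<?php' "$1" | grep -v '^[[:space:]]*$' | head -n 1 |
        grep -q "defined( *'_JEXEC' *) *or *die"
}

# unguarded_php_files DIR: print the path of each .php file under DIR that has no guard.
unguarded_php_files() {
    find "$1" -type f -name '*.php' | sort | while read -r f; do
        has_jexec_guard "$f" || echo "$f"
    done
}

# demo: constructed tree with one guarded and one unguarded file; prints the unguarded one
# relative to the temporary root, then removes the tree again.
demo() {
    dir=$(mktemp -d)
    mkdir "$dir/components"
    printf '%s\n' '<?php' "defined( '_JEXEC' ) or die( 'Restricted access' );" 'echo "ok";' \
        > "$dir/components/good.php"
    printf '%s\n' '<?php' 'echo "no guard";' > "$dir/components/bad.php"
    unguarded_php_files "$dir" | sed "s|^$dir/||"
    rm -rf "$dir"
}
```

Run it against a real site root with `unguarded_php_files /path/to/site`; files that legitimately have no guard (index.php, configuration.php) will be listed too and need to be judged by hand.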

    bennitos Friend
    #275935

    Number 7 on menalto’s list above.

    Secure your administrator access; I recommend doing it like this:

    Make a .htaccess file and place it in the administrator folder, and in that file put:

    # applies to every request method; a <Limit GET> wrapper would leave POST requests unrestricted
    Order Deny,Allow
    Deny from all
    Allow from YOURIPADDRESSHERE

    This will only give access to the administrator part to the IP addresses you specify.

    bennitos Friend
    #275936

    For points 4, 9 and 10 I use this tool to create strong passwords really easily:

    http://www.pctools.com/guides/password/

    mfcphil Friend
    #275937

    I am hopeless at this type of thing, so here are some of the pages I will be reading:

    Joomla Administrators Security Checklist

    Secure your website

    Core Security Settings

    More Tips

    7 tips to optimize Joomla! security

    Joomla cloaner Video Tutorials

    A personal thanks to Swemmel, who updated my site to the latest version of 1.015… Thanks Peter

    shertmann Friend
    #276053

    Wow, it appears that the security issues have helped the community to take good measures.

    A good measure for passwords is always an MD5-encrypted password.

    Also check the cPanel of your host, in order to check that your host password is really secure too.

    Check that all your folders have an index.html file with no content in it, in order to avoid prying eyes trying to see your web folder content.

    scotty Friend
    #276055

    <em>@bennitos 86670 wrote:</em><blockquote>Number 7 on menalto’s list above.

    Secure your administrator access; I recommend doing it like this:

    Make a .htaccess file and place it in the administrator folder, and in that file put:

    # applies to every request method; a <Limit GET> wrapper would leave POST requests unrestricted
    Order Deny,Allow
    Deny from all
    Allow from YOURIPADDRESSHERE

    This will only give access to the administrator part to the IP addresses you specify.</blockquote>

    OK, this might be a silly question but…

    When I do the above, doesn’t that make my site 100% secure and eliminate the need for other security measures? Or would there still be vulnerabilities?

    <em>@shertmann 86821 wrote:</em><blockquote>Check that all your folders have an index.html file with no content in it, in order to avoid prying eyes trying to see your web folder content.</blockquote>

    I always wondered why these existed. Could you explain a bit more why these empty index files exist?

    instantinlaw Friend
    #276056

    <em>@scotty 86823 wrote:</em><blockquote>OK, this might be a silly question but…

    When I do the above, doesn’t that make my site 100% secure and eliminate the need for other security measures? Or would there still be vulnerabilities?

    I always wondered why these existed. Could you explain a bit more why these empty index files exist?</blockquote>

    The first will only block access to the admin for any IP address but your own.
    The empty index file is there so that anyone who finds that particular folder will not find a directory of the files in that folder.

    scotty Friend
    #276058

    <em>@instantinlaw 86825 wrote:</em><blockquote>The first will only block access to the admin for any IP address but your own.</blockquote>
    Yes, I understand that. But my question still stands. Is this single security measure not enough?

    <em>@instantinlaw 86825 wrote:</em><blockquote>The empty index file is there so that anyone who finds that particular folder will not find a directory of the files in that folder.</blockquote>
    Aha! I’m with you now, Ted. Never knew that. Ty

    instantinlaw Friend
    #276059

    <em>@scotty 86827 wrote:</em><blockquote>Yes, I understand that. But my question still stands. Is this single security measure not enough?</blockquote>

    Absolutely not. It’s just one more level of security and, if I’m reading it correctly, it only prevents someone from logging into the admin area.

    instantinlaw Friend
    #276060

    To take it a bit further, if you are being visited by a lot of spammers or see hacking attempts in your logs, you can add the following to your root .htaccess file:

    # applies to every request method; a <Limit GET> wrapper would leave POST requests unrestricted
    Order Allow,Deny
    Deny from 128.23.45.
    Deny from 207.158.255.213
    Allow from all

    The first IP line will block all sub-addresses coming from that IP range and must end in a period; the second will block the specific IP address.
    Please note: the above IPs are only examples.
    You must also use the numeric address; www addresses won’t work.
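    The administrator allow-list from bennitos’ post and the root block-list above can both be generated from one script that refuses non-numeric entries, which is the mistake instantinlaw warns about. This is an added example, not code from either poster; the addresses in the usage comment are constructed from the RFC 5737 documentation range.

```shell
#!/bin/sh
# Added example: emit the two Order/Deny/Allow rule sets from this thread and reject
# entries that are not numeric addresses ("www" names do not work in Deny/Allow from).

# is_numeric_ip ENTRY: true for a full dotted IPv4 address (207.158.255.213) or a
# partial range ending in a period (128.23.45.), which Apache treats as a prefix.
is_numeric_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^([0-9]{1,3}\.){1,3}$'
}

# validate_all ENTRY...: fail on the first entry that is not a numeric address.
validate_all() {
    for entry in "$@"; do
        is_numeric_ip "$entry" || { echo "not a numeric address: $entry" >&2; return 1; }
    done
}

# admin_allowlist_rules IP...: rules for administrator/.htaccess, deny by default and
# allow only the listed addresses. No <Limit GET> wrapper, so POST is covered as well.
admin_allowlist_rules() {
    validate_all "$@" || return 1
    echo 'Order Deny,Allow'
    echo 'Deny from all'
    for entry in "$@"; do echo "Allow from $entry"; done
}

# root_blocklist_rules IP...: rules for the site root .htaccess, allow everyone except
# the listed addresses or prefixes.
root_blocklist_rules() {
    validate_all "$@" || return 1
    echo 'Order Allow,Deny'
    for entry in "$@"; do echo "Deny from $entry"; done
    echo 'Allow from all'
}

# Usage with constructed example addresses:
#   admin_allowlist_rules 203.0.113.7 > administrator/.htaccess
#   root_blocklist_rules 128.23.45. 207.158.255.213 > .htaccess
```

The Order/Deny/Allow syntax is the Apache 2.2 form; Apache 2.4 only accepts it with mod_access_compat loaded and otherwise needs the equivalent Require directives.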

    instantinlaw Friend
    #276061

    Here is some more info to get you started.
    A good article: http://blamcast.net/articles/block-bots-hotlinking-ban-ip-htaccess
    Or, do a search on Google or Yahoo for “bad bots” to find lists.
    Or visit: http://www.webmasterworld.com/ and search for the same as above.

    shertmann Friend
    #276068

    Thanks for that tip, law; I will implement it in all my Joomla sites from now on.

    Scotty, there is not and never will be a site that is bulletproof against cyber criminals, because all systems are vulnerable to some degree. But if you leave yours exposed you make the work easy for them, so when you implement a lot of security measures you can sleep a little better knowing your site is not the target of some of these criminals, because they are looking for easy targets.

    Web security is not an easy target, because security threats always exist, but people always find a way to fix them.

    bennitos Friend
    #276277

    For point 8 on menalto’s list above i did this.

    The best thing is that the configuration.php file will be placed in a location which is not accessible from the internet, which is the reason that it’s better than just moving it into a subfolder.

    This tip explains how to move your configuration.php file outside of your webroot as well as making it unwritable by the server. That makes it nearly impossible for someone to corrupt or gain access to the information in the file.

    The first step is to move the file. Your webroot is /home/USERNAME/public_html, where USERNAME is your cPanel username. Joomla and Mambo can access files located at /home/USERNAME, but those files cannot be directly accessed from the internet. Log in to your favorite FTP program and download your configuration.php from /home/USERNAME/public_html/configuration.php. Rename it to “site.conf”, then upload it to /home/USERNAME/site.conf.

    Now that we’ve uploaded it to the new location we need to edit the original configuration.php file. Open it in your favorite text editor and replace the contents of the file with the following:

    <?php
    require( '/home/USERNAME/site.conf' );
    ?>

    Make sure to replace USERNAME with your cPanel username. Then upload the new file to /home/USERNAME/public_html/configuration.php. At this point your site should still function normally.

    Next, we need to make the file unwritable by the server. Most FTP programs allow you to do this. Right-click on the /home/USERNAME/site.conf file and select the option to edit permissions (normally “Permissions” or “Info”) and change the permissions to 444. This lets the server read the file without any problems, but it will not be able to edit the file.

    If you ever need to edit the file you will need to change the permissions back to 644 before making your changes.

    NB: please ignore whoohanetworks’ post above; it’s not bringing anything to this discussion.
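    The move described above can be scripted on the server and, more importantly, checked afterwards. The script below is an added example, not bennitos’ own procedure or Joomla code: it performs the move on a constructed /home/USERNAME-style tree with a constructed Joomla 1.0 configuration.php, then verifies that no settings remain in the webroot, that the stub loads a file outside it, and that site.conf shows as read-only.

```shell
#!/bin/sh
# Added example: move configuration.php out of the webroot, leave a require stub, and
# verify the result. The temporary tree and the $mosConfig_password line are constructed.

# move_config HOME_DIR WEBROOT: move WEBROOT/configuration.php to HOME_DIR/site.conf,
# write a stub in its place that requires it, and set site.conf to mode 444.
move_config() {
    cfg="$2/configuration.php"; target="$1/site.conf"
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    mv "$cfg" "$target"
    printf '%s\n' '<?php' "require( '$target' );" '?>' > "$cfg"
    chmod 444 "$target"
}

# check_config HOME_DIR WEBROOT: succeed only if the stub holds no settings, points at a
# file outside WEBROOT, that file still holds the settings, and ls shows it read-only.
check_config() {
    stub="$2/configuration.php"; target="$1/site.conf"
    grep -Eq 'mosConfig_|JConfig' "$stub" && { echo "stub still contains settings"; return 1; }
    grep -q "require( '$target' )" "$stub" || { echo "stub does not load $target"; return 1; }
    case "$target" in "$2"/*) echo "site.conf is still under the webroot"; return 1 ;; esac
    grep -q 'mosConfig_' "$target" || { echo "site.conf lost its settings"; return 1; }
    [ "$(ls -ld "$target" | cut -c1-10)" = '-r--r--r--' ] || { echo "site.conf is writable"; return 1; }
}

# demo: constructed /home/USERNAME-style tree with a minimal Joomla 1.0 configuration.php;
# runs the move, returns the check result, and cleans up.
demo() {
    home_dir=$(mktemp -d); webroot="$home_dir/public_html"
    mkdir "$webroot"
    printf '%s\n' '<?php' "\$mosConfig_password = 'example-only';" '?>' > "$webroot/configuration.php"
    move_config "$home_dir" "$webroot" && check_config "$home_dir" "$webroot"
    rc=$?
    chmod -R u+w "$home_dir"; rm -rf "$home_dir"
    return $rc
}
```

Mode 444 only stops the web server from rewriting the file, as the post says; it does not stop a process running as the same user from reading it, so the move out of the webroot is the part that keeps it away from direct HTTP requests.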


This topic contains 23 replies, has 8 voices, and was last updated by  tonyg 16 years ago.
