A lot of Mambo/Joomla sites were hacked last week. Since I have already helped someone harden an installation (Mambo 4.5.2.3), I have decided to write a tutorial for the benefit of the open source community...

Some steps are common sense while others are not.

But:

  • Do not think that doing all the steps below will protect you! Nothing is secure in the computer world, or not for very long...
  • Do not think that after doing all the steps below, Joomla will be as user friendly for you as before! We are restricting rights and changing some behaviours of the webserver, so it will be more difficult to publish content; on the other side, articles and content will be safer.
  • Security always comes with some pain!

Consider this page as a work in progress; feedback is as usual welcome.

Choose a (better) FTP password for accessing your homepage, one which is not trivial, using the rules in annex A

Requirements: having a valid login and password to your Plesk account

How: http://yoursite.com:8443/

Go to the main page. If your hosting company allows you to create many subdomains, click on the right one, here on www.waltercedric.com

On the Plesk main page, click on domain, here waltercedric.com; on the next page, click on Setup

Then enter the new FTP password and save
Choose a DIFFERENT Joomla/Mambo administration password using the rules in annex A

Requirements: having a valid login and password to your Joomla administrator account

How:

Go to your administrator panel, for example http://yourhost/administrator/
Click on your login name, here on admin

Enter a new password
Choose a DIFFERENT Plesk password for the administration of your site using the rules in annex A

Requirements: having a valid login and password to your Plesk administrator panel

Go to: http://yoursite.com:8443/ which is the default URL for Plesk; attention, it may vary depending on your hosting company

On the main page, click on Edit and enter the new password
Choose a DIFFERENT MySQL password for the Joomla/Mambo tables using the rules in annex A

How: use the Plesk administration panel

On the Plesk main page, click on domain, here waltercedric.com; on the next page, click on Databases
Then click on your Joomla database (here, for me, mos), then on the right user, here mosuser, and change the password. Note that I have
a special user for backup purposes with only SELECT rights!

Open the file /configuration.php and change the key mosConfig_password
Adapt the user rights of the MySQL Joomla user

A MySQL user may have the following privileges:

This user, for example joomlaUser, should ONLY have insert (new comment, guestbook), delete and update rights on the Joomla/Mambo database

-- Inspect the privileges currently granted to the Joomla MySQL user (here mosdev, allowed from any host)
SHOW GRANTS FOR 'mosdev'@'%';
-- Example of what to avoid: a global grant (ON *.*) including ALTER, CREATE and DROP, and even WITH GRANT OPTION
GRANT ALTER,CREATE,CREATE TEMPORARY TABLES,CREATE VIEW,DROP,EXECUTE,LOCK TABLES,PROCESS,SHOW DATABASES,SHOW VIEW ON *.* TO 'mosdev'@'%' WITH GRANT OPTION;
-- Reload the grant tables so that the change is taken into account
FLUSH PRIVILEGES;

Do not allow DROP or CREATE TABLE; normal operation of Joomla does not require it! Of course, as soon as you want to install a new component, you will have to temporarily allow joomlaUser to create new tables (if the component requires it)

Adapt file rights on your server

A heritage of UNIX: file rights are organized in 3 groups: user, group and all (others). Each group may be able to read (r), write (w) or execute (x) a file individually. The combination rwx is read in octal, rwx = 7 for each group, so 777 is the worst setting: anybody may be able to delete or change your files on the server...

This is how my file structure looks:

Recommended                       Set to       CHMOD equivalent
file rights                       r--r--r--    444
directory rights                  r-xr-xr-x    555
exception for /cache directory    rwxrwxrwx    777

How: use an FTP tool like CuteFTP; on the selected resources, use the right-click menu and check the bits:

Example in CuteFTP; note that the command is not recursive!

Side effects

  • You won't be able to use the upload function of HTMLArea: it is impossible to upload images or files using the administrator article editor.
  • Each time you want to publish a new article with pictures inside, you will have to copy them with FTP before editing in order to be able to insert them into the text.
  • In order to write a file into the directory C in the path A/B/C, you will have to temporarily set the directories A, B and C to rwxr-xr-x rights (CHMOD 755)!
Protect some parts of Joomla using an additional password, like .htaccess

Requirements: your provider must support .htaccess per directory

How:

Read my tutorial HERE

Side effects

  • Some components or code trying to read files from the admin area (if protected by a .htaccess file) may bring a login popup window to your users, but it is possible to find these problems and solve them quickly. My plugin securityimages in its first version also had this error (coding).
Run a part of your site in HTTPS mode

For added security, you can force users to access your pages using an SSL (Secure Sockets Layer) connection. This means transmitted data is encrypted, so passwords and webpages cannot be read in cleartext over the internet.

Ideally only the administration part (all URLs beginning with http://yoursite/administrator/), or your whole site.

Why: if your site runs in HTTP mode, all passwords and fields submitted to the server are sent in cleartext (and can be read). An attacker may be able to intercept traffic or impersonate a user by rerouting the HTTP request. In HTTPS mode, data travels encrypted on the network and a session key prevents replay attacks. Moreover, it is not realistic to run a commercial business on the internet without HTTPS.

Requirements: your provider/hosting company should allow it

How

Run FULL site in https:
  • In Plesk, just copy your Joomla/Mambo file structure from /httpdocs to the directory /httpsdocs with an FTP tool
  • Optionally put a file index.html in /httpdocs which redirects users to the protected https area, to show users that your site still exists (it will not give an error 404: page not found)

Run PART of site in https:
This is certainly not as easy as running your full site with https; see annex E for the .htaccess rewrite rules for the admin panel.


Side effects

  • If you install a new site, no problem
  • If you have an existing homepage, are heavily indexed by Google and Co. and/or many users have bookmarked you, users will be disturbed, to say the least, and Google may think you are using some spammer techniques (moving and creating/hiding new content)
Review OpenSEF/SEF 404 logs

If a SEO/SEF component is installed, you may be able to look at unusual or incorrect URLs. This typically reveals SQL or parameter injection attempts against existing code.

SEF will in fact reject some URLs and redirect the user to your home root index.php, instead of displaying an error message or revealing information about the file structure, which is a positive side-effect

Example:

.../banner.php?id=120&client="select 1 from dual" : someone is trying SQL injection in the Banner component

Review access logs

Search the log file for unusual behaviour: is someone accessing /index2.php (the admin part of your site) too often in a small interval? This may be a brute force attack!

Requirements: have Plesk access

How:

On the Plesk main page, click on domain, here waltercedric.com; on the next page, click on Log Manager
  • The server access log records all requests processed by the server: access log for http:// and access ssl log for https://
  • The server error log, whose name and location is set by the ErrorLog directive, is the most important log file. This is the place where Apache httpd will send diagnostic information and record any errors that it encounters in processing requests. It is the first place to look when a problem occurs with starting the server or with the operation of the server, since it will often contain details of what went wrong and how to fix it.
  • The xferlog file contains logging information from the FTP server daemon, ftpd
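Added example, not from the original article, covering both reviews above (SQL keywords in query strings, as in the banner.php case, and repeated hits on the admin login script): a Python script that parses Apache access log lines, URL-decodes the request before matching, and flags any client that requests the admin script at least 5 times within 60 seconds. The log lines are constructed samples, and the admin path, threshold and window are assumptions to adapt to your site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Prefix of an Apache common/combined log line as shown in the Plesk access log (referer/agent ignored)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) ')
# Crude SQL keyword patterns for the SEF-404 style review; catches the "select 1 from dual" probe above
SQLI_RE = re.compile(r"(select\s.+\sfrom|union\s+select|insert\s+into|drop\s+table|\bor\s+1\s*=\s*1)", re.I)


def parse_line(line):
    """Return {ip, ts, url, status} for one log line, or None if it is not a request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "url": m.group("url"), "status": int(m.group("status"))}


def find_injection_attempts(lines):
    """(ip, decoded url) for each request whose query string carries SQL keywords.
    Decode first: the browser logs "select 1 from dual" as select%201%20from%20dual."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        url = unquote_plus(rec["url"])
        if "?" in url and SQLI_RE.search(url.split("?", 1)[1]):
            hits.append((rec["ip"], url))
    return hits


def find_bruteforce(lines, path="/administrator/index2.php", threshold=5, window=timedelta(seconds=60)):
    """IPs that requested `path` at least `threshold` times inside any `window` (sliding over sorted times)."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["url"].split("?", 1)[0] == path:
            by_ip[rec["ip"]].append(rec["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window for i in range(len(times) - threshold + 1)):
            flagged.add(ip)
    return flagged


# Constructed sample log (not real traffic): one injection probe from 10.0.0.9, a login burst from 10.0.0.7
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2006:10:00:01 +0100] "GET /index.php HTTP/1.1" 200 5123
10.0.0.9 - - [12/Mar/2006:10:00:03 +0100] "GET /components/com_banners/banner.php?id=120&client=%22select%201%20from%20dual%22 HTTP/1.1" 302 0
10.0.0.7 - - [12/Mar/2006:10:01:00 +0100] "POST /administrator/index2.php HTTP/1.1" 200 812
10.0.0.7 - - [12/Mar/2006:10:01:02 +0100] "POST /administrator/index2.php HTTP/1.1" 200 812
10.0.0.7 - - [12/Mar/2006:10:01:05 +0100] "POST /administrator/index2.php HTTP/1.1" 200 812
10.0.0.7 - - [12/Mar/2006:10:01:09 +0100] "POST /administrator/index2.php HTTP/1.1" 200 812
10.0.0.7 - - [12/Mar/2006:10:01:14 +0100] "POST /administrator/index2.php HTTP/1.1" 200 812
10.0.0.5 - - [12/Mar/2006:10:05:00 +0100] "GET /administrator/index2.php HTTP/1.1" 200 812
""".splitlines()

if __name__ == "__main__":
    print("injection attempts:", find_injection_attempts(SAMPLE_LOG))
    print("possible brute force:", find_bruteforce(SAMPLE_LOG))
```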
  
Make backups!

Joke: "Real men don't do backup but they often cry"

MySQL:
4 ways to automate Mambo database backup..

FTP:
use any FTP tool to sync, or the Plesk backup function

Keep your Joomla/Mambo installation up to date.

Always use the latest version of Joomla: www.joomla.org, or the latest version of Mambo: www.mamboserver.com

As soon as a new version of Joomla/Mambo is available, install it the same day!

  • Hackers will look at the patch and search for unpatched servers! It has never been so easy to search for sites running a certain CMS version, thanks to search engines. To give you an example, a hacker may search in Google (but any search engine will work) for all sites running Joomla/Mambo with allinurl: administrator/index2.php, so install patches very fast!
  • Make a backup (just in case) and install the new patch; you can also install the patch on your locally running instance of Joomla first
For the paranoid, or how to push security even higher

All actions below require some knowledge or time...

Change ALL the passwords above regularly!

Just in case someone gets your password or part of it. Ideally you must change your password before a brute force attack can find it, or as soon as the logs reveal a possible attack, in case the hacker has not yet started doing something bad with your account..

With decreasing frequency:

  • Joomla Admin password
  • mySQL user password
  • Plesk admin password
  • FTP user password
Attack surface reduction (ASR)

Definition:
M$ has a good article here (the idea does not come from them, but they are trying to evangelize a lot of developers with good articles)

So bugs/security issues cannot exist in code that does not exist on the server.... :-)

Quite easy to understand but really difficult to achieve; here is a way to do it....

  1. Define your requirements: list all components/modules/mambots that you need to run.
  2. Unpublish all components/modules/mambots
  3. Test your site
  4. If everything runs correctly, remove one component/module/mambot at a time, and test your site
  5. Take care when installing the next CMS patch that you do not copy unneeded files to your server. It may be surprising, but even if a component is not published, if its code is physically present on the server disk it may cause a security vulnerability.

You now have a customized version of Joomla/Mambo with a lot less code running and possibly a lot fewer unknown vulnerabilities! It will be a pain to maintain.

Logs always tell the truth! (sometimes)

You may want to install or write a tool which automatically parses Apache, Tomcat, PHP and MySQL logs for monitoring

Just for FUN....

Just to give you an overview of some crazy things that can be done....

  • I read some time ago about a person who customized a Linux version. In order to be sure that if someone ever got access to the disk, they would not be able to execute any command, he renamed all files and commands on disk... This is also possible for Joomla: write a Java/C#/other parser which renames all files/directories and changes all include, include_once, require and require_once statements to use UUIDs. It is possible, but surely a pain to maintain.
  • If you have a full webserver for yourself, you can create a special user which starts PHP and Apache and is not able to write or erase files.
  • The last crazy thing I can imagine (but with time I can be more creative ;-) ) would be to create a release of my homepage, burn it on a DVD (read only) and publish it on the webserver.
Of course this last example does not allow you to use the CMS normally, you have a bloody read-only site, but nobody will be able to tamper with the data...

Normally your provider is already doing a lot behind the scenes, and may have done some of this for you. It can be useful to contact them to ask what they are already monitoring or doing to prevent your site from being hacked.

Congratulations, you now have a much more secure Joomla/Mambo homepage!

Comments are as usual welcome; use the contact section of this site!

Annexes

A. Choosing a good password
  • NEVER use any word that can be found in a dictionary! Common brute force programs can try millions of passwords in seconds
  • Do not use your name, birthday, or part of your domain name
  • A good password is at least 10 or more characters long! (brute forcing entropy gets too high after 7 characters)
  • Use all the characters of the keyboard! @_! and use different case and numbers

Ex: dR2_z57zzU!sP is not a bad password
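Added example (not from the original article): a Python checker that applies the four annex A rules to a candidate password and reports which ones it breaks. The dictionary and the personal-information list (name, domain, birthday) are constructed samples; replace them with a real word list and your own details.

```python
import re

# Constructed samples, not the author's data: use a real word list and your own name/domain/birthday parts.
DICTIONARY_WORDS = {"password", "secret", "joomla", "mambo", "admin", "welcome", "letmein"}
PERSONAL_INFO = ["walter", "cedric", "waltercedric", "1975"]
MIN_LENGTH = 10   # annex A: at least 10 characters

# Annex A rule 4: use the whole keyboard, i.e. mixed case, digits and symbols such as @ _ !
CLASSES = {
    "lowercase letter": re.compile(r"[a-z]"),
    "uppercase letter": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol (@ _ ! ...)": re.compile(r"[^A-Za-z0-9]"),
}


def password_problems(password, personal_info=PERSONAL_INFO, dictionary=DICTIONARY_WORDS):
    """Return the annex A rules the password violates; an empty list means it passes all of them."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Rule 1: no dictionary word, neither as the whole password nor embedded in it
    if any(word in lowered for word in dictionary):
        problems.append("contains a dictionary word")
    # Rule 2: nothing derived from your name, birthday or domain name
    if any(part.lower() in lowered for part in personal_info):
        problems.append("contains name, birthday or domain name")
    # Rules 3 and 4: length is checked above; every character class must appear at least once
    missing = [label for label, rx in CLASSES.items() if not rx.search(password)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    return problems


def is_good_password(password, **kw):
    return not password_problems(password, **kw)


if __name__ == "__main__":
    for candidate in ("dR2_z57zzU!sP", "waltercedric", "Password123!x"):
        print(candidate, "->", password_problems(candidate) or "OK")
```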

B. How to store all passwords
Create a text file and encrypt it with www.truecrypt.com or www.pgp.com (PGPdisk)

C. Classes of attacks
I have written a small article listing all web vulnerabilities (HTML, partial) and (PDF, complete)
D. Some tools
  • Beyond Compare from www.scootersoftware.com: to deal with the huge amount of PHP files contained in Joomla/Mambo, and to install patches or synchronize folders more easily, I strongly recommend you try or buy a Beyond Compare licence. This tool is able to compare directories, preview changes, and even compare a local directory with a remote FTP server.

E. HTTPS rewriting for the admin panel
Create a file .htaccess and copy it into /administrator; if a file already exists (it should!), add the lines which are missing in it

# Do not allow any user to download this file - to copy in all .htaccess
# (Apache 2.2 syntax; on Apache 2.4 the equivalent is "Require all denied")
<Files .htaccess>
order allow,deny
deny from all
</Files>

# /administrator/.htaccess
RewriteEngine on
# In a per-directory .htaccess the tested path has no leading slash, so "^$" (not "^/$") matches the directory itself
RewriteRule ^$ /administrator/index.php
# Any request not already on the HTTPS port gets a permanent redirect to the HTTPS admin URL
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://www.waltercedric.com/administrator/$1 [R=301,L]
