Security Checklist (updated 03/20/2015)
Topics
• Secure Usernames and Passwords
• File Permissions
• Database Privileges
• Top 10 Stupidest Administrator Tricks
• Analyzing Access Logs
Secure Usernames and Passwords

Usernames
• often overlooked when thinking about staying secure when online, with more importance given to passwords
• should be at least 6 alphanumeric characters long combined with Caps and Symbols (., -, or _)
• create one you can remember but which is very difficult to guess
• keep your username information private

Passwords
• easy enough to remember, but random enough to make a difficult barrier to get past
• at least 8 characters long (8-16 or 8-24)
• does not contain any personal information
• does not contain a complete word
• uses a combination of upper case and lower case letters (a-z and A-Z), numbers (0-9), and special characters (!@#$%^&*()_+={}[]|;:<>,.?~`)
• significantly different from previous passwords
• avoid using keyboard patterns (asdf) or sequential numbers (1234)
• avoid the use of repeating characters (aa11)
• change your password often – as in several times a year
• try using a password manager

Password Security Dos and Don'ts
• DO have different passwords for different things – don't use the same password for every application
• DON'T write your password down – if you can't memorize it, try and disguise it, leaving it in a secure place
• DON'T choose an obvious password – such as using your personal information which is easy for someone to guess
• DON'T keep the same passwords – change them every once in a while and don't reuse a password for at least a year
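The password rules above can be turned into a checker that a site administrator can run when setting or rotating credentials. The following is an added example, not code from the slides or from Joomla; the word list, the keyboard rows, the four-character run length and the edit-distance threshold of 4 for "significantly different from previous passwords" are assumptions chosen for illustration.

```python
import re

# Special characters exactly as listed on the slide.
SPECIALS = set("!@#$%^&*()_+={}[]|;:<>,.?~`")
# Assumed keyboard rows used to detect patterns such as "asdf" or "1234".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Constructed mini word list; a real deployment would load a full dictionary file.
COMMON_WORDS = {"password", "welcome", "admin", "summer", "dragon", "monkey", "letmein"}


def _has_sequence(pw, n=4):
    """True if pw contains n adjacent characters that run along a keyboard row
    (either direction) or form an ascending/descending ASCII run (abcd, 4321)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            frag = row[i:i + n]
            if frag in low or frag[::-1] in low:
                return True
    for i in range(len(low) - n + 1):
        codes = [ord(c) for c in low[i:i + n]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _edit_distance(a, b):
    """Levenshtein distance, used to judge how different a new password is from an old one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(pw, personal_info=(), previous=(), min_len=8, min_distance=4):
    """Return a list of rule violations; an empty list means the password passes every rule."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    low = pw.lower()
    for word in COMMON_WORDS:
        if word in low:
            problems.append(f"contains the word '{word}'")
    for item in personal_info:
        if item and item.lower() in low:
            problems.append(f"contains personal information '{item}'")
    if _has_sequence(pw):
        problems.append("contains a keyboard pattern or sequential run")
    if re.search(r"(.)\1", pw):
        problems.append("contains repeated characters")
    for old in previous:
        if _edit_distance(low, old.lower()) < min_distance:
            problems.append("too similar to a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("Xk7#mQ2p!Lv9", "password1234", "Summer2015!!"):
        print(candidate, "->", check_password(candidate, personal_info=("2015",),
                                                previous=("Summer2014!!",)) or "OK")
```

The checker reports every failed rule rather than stopping at the first, which is what an administrator wants when explaining to a user why a new password was rejected. The dictionary check is substring-based, so "Summer2015" is caught even though the word is not the whole password.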
File Permissions

User Categories
user – a specific account on the hosting system
group – a specific selection of one or more users
world – any other account

Access Rights
read – ability to view the contents of a file or directory
write – ability to change the contents of a file or directory
execute – ability to ask the server to treat the file as a program

Values
read – 4
write – 2
execute – 1

Review: 6 0 0
  user category   user   group   world
  access rights   r+w    -       -
  values          4+2    0       0
  (read – 4, write – 2, execute – 1)

Notes to Remember
• For directories or folders, only the user that a directory or folder belongs to should have write access. Everyone else should have read and execute permissions. – 755
• For static content (.html, .jpg, .gif, .css, .js, .pdf, .txt, etc), only the user should have write access. Everyone else should have read permission. – 644
• For dynamic content (.php, .cgi, .pl, .rb, etc), only the user should have read, write, and execute permissions. Nobody else should need any other permissions. – 700
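The review table and the 755/644/700 notes above can be checked mechanically against a document root. The following is an added example, not code from the slides or from Joomla: it builds an octal mode from user/group/world rights exactly as the table does, decodes a mode back into rwx form, and audits a list of paths against the recommended modes. The extension lists and the sample entries are constructed for illustration.

```python
import os

READ, WRITE, EXECUTE = 4, 2, 1  # the values from the slide

# Assumed extension lists, taken from the examples on the slide.
STATIC_EXT = {".html", ".htm", ".jpg", ".jpeg", ".gif", ".png", ".css", ".js", ".pdf", ".txt"}
DYNAMIC_EXT = {".php", ".cgi", ".pl", ".rb"}


def digit(rights):
    """'rw' -> 6, 'rwx' -> 7, '-' -> 0: add the value of each right present."""
    return ((READ if "r" in rights else 0)
            | (WRITE if "w" in rights else 0)
            | (EXECUTE if "x" in rights else 0))


def mode_from_rights(user, group, world):
    """Combine the three category digits into one mode, e.g. ('rw', '-', '-') -> 0o600."""
    return digit(user) * 64 + digit(group) * 8 + digit(world)


def describe(mode):
    """Render the low nine bits of a mode as ls-style 'rwxr-xr-x'."""
    out = []
    for shift in (6, 3, 0):
        bits = (mode >> shift) & 7
        out.append(("r" if bits & READ else "-")
                   + ("w" if bits & WRITE else "-")
                   + ("x" if bits & EXECUTE else "-"))
    return "".join(out)


def recommended_mode(path, is_dir):
    """Apply the slide's three rules; None means the slide gives no rule for this type."""
    if is_dir:
        return 0o755
    ext = os.path.splitext(path)[1].lower()
    if ext in DYNAMIC_EXT:
        return 0o700
    if ext in STATIC_EXT:
        return 0o644
    return None


def audit(entries):
    """entries: iterable of (path, is_dir, mode). Returns (path, current, recommended)
    for every entry whose permission bits differ from the recommendation."""
    findings = []
    for path, is_dir, mode in entries:
        rec = recommended_mode(path, is_dir)
        if rec is not None and (mode & 0o777) != rec:
            findings.append((path, f"{mode & 0o777:03o}", f"{rec:03o}"))
    return findings


def walk_entries(root):
    """Generate (path, is_dir, mode) for a real directory tree so audit() can run on it."""
    for dirpath, dirnames, filenames in os.walk(root):
        yield dirpath, True, os.lstat(dirpath).st_mode
        for name in filenames:
            path = os.path.join(dirpath, name)
            yield path, False, os.lstat(path).st_mode


# Constructed sample: a world-writable docroot, a PHP file readable by everyone,
# a correctly set image, and a world-writable stylesheet.
SAMPLE = [
    ("/var/www/html", True, 0o777),
    ("/var/www/html/index.php", False, 0o644),
    ("/var/www/html/logo.png", False, 0o644),
    ("/var/www/html/style.css", False, 0o666),
]

if __name__ == "__main__":
    print("600 ->", describe(mode_from_rights("rw", "-", "-")))
    for path, current, wanted in audit(SAMPLE):
        print(f"{path}: is {current}, should be {wanted}")
```

Run `audit(walk_entries("/path/to/docroot"))` to check a real site. Note that the 700 rule for dynamic content only works when the web server executes scripts as the file's owner (suEXEC, suPHP, or a per-user FastCGI pool); if PHP runs as a shared web-server account, 700 makes the script unreadable to the server, so confirm which model the host uses before applying it.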
Database Privileges

Why restrict MySQL user privileges?
Imagine if by mistake you install a malicious plugin which contains a back door or trojan software, or if a malicious user manages to get his hands on the credentials of the MySQL user. In both cases, if the MySQL user's privileges are limited to the data in the MySQL database, the damage can be limited and such an issue can easily be fixed.
If, however, the MySQL user has full access to the MySQL database, i.e. including structure privileges, the malicious user can also modify the structure of the database and not just the data inside it. Even worse, if the MySQL user being used has access to other databases, the malicious user can access those other MySQL databases and steal or modify their data.

Tips for a secure database:
• When creating a new user, use a non-predictable username
• Configure a very strong password
• Use a different user for each web application you have installed
• Always assign the minimum required database privilege to the user
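One way to verify the "minimum required privilege" tip is to audit the output of `SHOW GRANTS` for each web application account and flag anything beyond data access on a single database. The following is an added example, not code from the slides or from Joomla; the grant lines are constructed samples in MySQL's `SHOW GRANTS` format, and the choice of SELECT/INSERT/UPDATE/DELETE as the "data only" set is an assumption.

```python
import re

# Matches one line of SHOW GRANTS output, e.g.
#   GRANT SELECT, INSERT ON `app_db`.* TO 'app_user'@'localhost'
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+'(?P<user>[^']+)'@'(?P<host>[^']+)'"
)
# Assumed "data only" privilege set for a typical web application.
DATA_PRIVS = {"SELECT", "INSERT", "UPDATE", "DELETE"}


def parse_grant(line):
    """Split a GRANT line into privileges, scope (db.table), user and host."""
    m = GRANT_RE.match(line.strip())
    if not m:
        return None
    privs = [p.strip().upper() for p in m.group("privs").split(",")]
    return {"privs": privs, "scope": m.group("scope"),
            "user": m.group("user"), "host": m.group("host")}


def audit_grants(lines):
    """Return {'user@host': [issues]} for every account seen; an empty list means
    the account holds only data privileges on specific databases."""
    findings = {}
    for line in lines:
        g = parse_grant(line)
        if g is None:
            continue
        issues = findings.setdefault(f"{g['user']}@{g['host']}", [])
        privs = set(g["privs"])
        if "ALL PRIVILEGES" in privs or "ALL" in privs:
            issues.append(f"ALL PRIVILEGES on {g['scope']}")
        extra = privs - DATA_PRIVS - {"USAGE", "ALL PRIVILEGES", "ALL"}
        if extra:
            issues.append(f"structure/admin privileges on {g['scope']}: {', '.join(sorted(extra))}")
        # USAGE on *.* is just "may log in"; anything else on *.* is a global grant.
        if g["scope"] == "*.*" and privs != {"USAGE"}:
            issues.append("privileges granted globally (*.*) instead of on one database")
        if g["host"] == "%":
            issues.append("account may connect from any host ('%')")
    return findings


def minimal_grant(database, user, host="localhost"):
    """Build the data-only GRANT statement for one application account."""
    return (f"GRANT {', '.join(sorted(DATA_PRIVS))} ON `{database}`.* "
            f"TO '{user}'@'{host}';")


# Constructed sample of SHOW GRANTS output for three accounts.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'app_user'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `app_db`.* TO 'app_user'@'localhost'",
    "GRANT ALL PRIVILEGES ON *.* TO 'legacy_user'@'%'",
    "GRANT SELECT, CREATE, DROP, ALTER ON `blog`.* TO 'blog_user'@'localhost'",
]

if __name__ == "__main__":
    for account, issues in audit_grants(SAMPLE_GRANTS).items():
        print(account, "->", issues or "OK")
    print(minimal_grant("app_db", "app_user"))
```

A CMS installer or upgrader usually needs CREATE, ALTER and DROP for the duration of the install; the practical pattern is to grant those temporarily, run the upgrade, then revoke back to the data-only set that `minimal_grant` produces, so that a stolen credential or a malicious extension cannot alter the schema during normal operation.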
Top 10 Stupidest Administrator Tricks
1. Use the cheapest hosting provider you can find.
2. Don't waste time with regular backups.
3. Don't waste time adjusting PHP and CMS settings for increased security.
4. Use the same username and password for everything.
5. Install your brand new beautiful CMS-powered site, and celebrate a job well done.
6. Do all upgrades on the live site right away.
7. Trust third-party extensions.
8. Don't worry about updating to the latest version of your CMS.
9. When your site gets cracked, panic your way into support forums.
10. Once your site's been cracked, fix the defaced index.php file and assume all else is well.

Full article is available at http://docs.joomla.org/Top_10_Stupidest_Administrator_Tricks
Analyzing Access Logs

Type of HTTP request / HTTP method
• "GET" retrieves information
• "POST" requests that the web server accept the data enclosed in the request message's body for storage
• "PUT" allows a client to upload new files to the web server
• "DELETE" requests that the web server delete the identified resource
• "TRACE" echoes back to the client whatever string has been sent to the server; mainly used for debugging

Requested resource

HTTP status codes
• 303 – See Other
• 200 – OK
See http://perishablepress.com/http-error-codes/ for a list of HTTP status codes

Data downloaded for the request, in bytes

Formal identity and credentials of the user-agent. This may include version number, website resource, and compatibility information.
* Keep in mind that user-agent spoofing is not uncommon. A specific agent's identity may be verified through a reverse-IP lookup.
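The fields described above (method, requested resource, status code, bytes, user-agent) are exactly what a parser pulls out of each access-log line. The following is an added example, not code from the slides or from Joomla: it parses Apache common/combined log lines, summarises methods and status classes, lists requests using the PUT/DELETE/TRACE methods the slide singles out, and shows the reverse-DNS check the slide mentions for a claimed crawler identity. The log lines, IP addresses and hostname suffix are constructed for illustration, and the resolver is injectable so the check can be exercised offline.

```python
import re
import socket
from collections import Counter

# Apache common log format with the optional referer and user-agent of the combined format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<resource>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
# Methods the slide describes as uploads, deletions and debugging echoes; worth a look on a web site.
NOTEWORTHY_METHODS = {"PUT", "DELETE", "TRACE"}


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not in the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # '-' means no body sent
    return rec


def summarize(lines):
    """Aggregate parsed lines: request count, per-method counts, status classes,
    total bytes served, and the requests that used a noteworthy method."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    return {
        "count": len(records),
        "methods": Counter(r["method"] for r in records),
        "status": Counter(r["status"][0] + "xx" for r in records),
        "bytes": sum(r["bytes"] for r in records),
        "noteworthy": [(r["ip"], r["method"], r["resource"], r["status"])
                       for r in records if r["method"] in NOTEWORTHY_METHODS],
    }


def verify_agent(ip, allowed_suffixes, resolver=socket.gethostbyaddr):
    """Reverse-lookup the client IP and accept it only if the hostname ends with one of the
    suffixes the claimed crawler is known to use. A complete check also resolves the returned
    hostname forward and confirms it maps back to the same IP."""
    try:
        hostname = resolver(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are subclasses of OSError
        return False
    return any(hostname.endswith(suffix) for suffix in allowed_suffixes)


# Constructed sample log lines (documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Mar/2015:10:15:32 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0"',
    '198.51.100.7 - - [20/Mar/2015:10:16:01 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "http://example.com/administrator/" "Mozilla/5.0 (X11; Linux) Chrome/41.0"',
    '192.0.2.9 - - [20/Mar/2015:10:16:45 +0000] "PUT /uploads/test.txt HTTP/1.1" 405 221 "-" "curl/7.35.0"',
    '192.0.2.9 - - [20/Mar/2015:10:17:02 +0000] "TRACE / HTTP/1.1" 405 221 "-" "curl/7.35.0"',
    '192.0.2.44 - - [20/Mar/2015:10:18:10 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["count"], "requests,", s["bytes"], "bytes")
    print("methods:", dict(s["methods"]), "status:", dict(s["status"]))
    for entry in s["noteworthy"]:
        print("noteworthy:", entry)
```

The summary is what an administrator scans first: a burst of PUT or TRACE requests from one address, or a jump in 4xx/5xx responses, stands out immediately even in a large log. The `verify_agent` helper does only the reverse step from the slide; for a crawler that publishes its hostname suffix, pair it with a forward lookup of the returned name before trusting the user-agent string.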
The Bad News

There is no perfect security on the Web!
Maintaining a secure web site on the open Internet is not easy. Maintaining adequate security requires a wide and ever-growing range of skills and knowledge, constant watchfulness, and a robust backup and recovery process.

There's no one right way!
Due to the variety and complexity of modern web systems, security issues can't be resolved with simple one-size-fits-all solutions. You must learn enough about your server infrastructure to make valid security decisions. Strong security is a moving target.

There's no substitute for experience!
To secure your website, you must gain real experience, or get experienced help from others. If you haven't invested the considerable time it takes to learn how to maintain a secure web site, be sure you can consult with someone who has.

The Good News

Even a beginner can start at the head of the herd
User forums for many systems are clogged with "Help, I've been hacked" posts by people who do NOT follow standard security practices. If you are following basic security practices, congratulations, you're already ahead of the herd.

It's not as hard as it looks
If this is one of your first websites, security issues may seem overwhelming, but you don't have to deal with all of them at once. Start with the most critical issues.

You can get help
If you believe your website was attacked, DO NOT simply post an announcement with full details. If you are dealing with a new vulnerability or new form of attack, publishing that information could put other websites at risk.

Full article at http://docs.joomla.org/Security_Checklist_1_-_Getting_Started