Security Checklist Updated 03/20/2015

Upload: ada-washington

Post on 28-Dec-2015


Topics

• Secure Usernames and Passwords
• File Permissions
• Database Privileges
• Top 10 Stupidest Administrator Tricks
• Analyzing Access Logs

Secure Usernames and Passwords


Usernames
• often overlooked when thinking about staying secure when online, with more importance given to passwords
• should be at least 6 alphanumeric characters long combined with Caps and Symbols (., -, or _)
• create one you can remember but which is very difficult to guess
• keep your username information private

Passwords
• easy enough to remember, but random enough to make a difficult barrier to get past
• at least 8 characters long (8-16 or 8-24)
• does not contain any personal information
• does not contain a complete word
• uses a combination of upper case and lower case letters (a-z and A-Z), numbers (0-9), and special characters (!@#$%^&*()_+={}[]|;:<>,.?~`)
• significantly different from previous passwords

Passwords (continued)
• avoid using keyboard patterns (asdf) or sequential numbers (1234)
• avoid the use of repeating characters (aa11)
• change your password often – as in several times a year
• try using a password manager

Password Security Dos and Don'ts
• DO have different passwords for different things – don't use the same password for every application
• DON'T write your password down – if you can't memorize it, try and disguise it, leaving it in a secure place
• DON'T choose an obvious password – such as using your personal information which is easy for someone to guess
• DON'T keep the same passwords – change them every once in a while and don't reuse a password for at least a year
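The password rules above, turned into a checker. This is an added example, not code from the checklist; the small word list and the keyboard rows are constructed stand-ins for a real dictionary, and `personal` is an assumed parameter holding details (name, birth year) the password must not contain.

```python
import re

# Constructed example: the deck's password rules as checks. COMMON_WORDS is a
# tiny stand-in for a real dictionary ("does not contain a complete word").
SPECIALS = set("!@#$%^&*()_+={}[]|;:<>,.?~`")
COMMON_WORDS = {"password", "welcome", "admin", "summer", "monkey"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789"]

def _has_sequence(pw: str, length: int = 4) -> bool:
    """True if a keyboard-row run or digit run of `length` (asdf, 1234) appears."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            window = row[i:i + length]
            if window in low or window[::-1] in low:
                return True
    return False

def check_password(pw: str, personal: tuple = ()) -> list:
    """Return the checklist rules the password violates (empty list = passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    low = pw.lower()
    if any(w in low for w in COMMON_WORDS):
        problems.append("contains a complete word")
    # `personal` is an assumed input: strings such as a name or birth year
    if any(p and p.lower() in low for p in personal):
        problems.append("contains personal information")
    if _has_sequence(pw):
        problems.append("keyboard pattern or sequential numbers")
    if re.search(r"(.)\1", pw):  # any doubled character, e.g. aa11
        problems.append("repeating characters")
    return problems
```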


File Permissions

User Categories
• user – a specific account on the hosting system
• group – a specific selection of one or more users
• world – any other account


Access Rights
• read – ability to view the contents of a file or directory
• write – ability to change the contents of a file or directory
• execute – ability to ask the server to treat the file as a program

Values
• read – 4
• write – 2
• execute – 1


Review: 6 0 0

user category    user    group    world
access rights    r+w     -        -
values           4+2     0        0

(read – 4, write – 2, execute – 1)


Exercise: 7 5 5

user category    ?    ?    ?
access rights    ?    ?    ?
values           ?    ?    ?


Notes to Remember
• For directories or folders, only the user that a directory or folder belongs to should have write access. Everyone else should have read and execute permissions. - 755
• For static content (.html, .jpg, .gif, .css, .js, .pdf, .txt, etc), only the user should have write access. Everyone else should have read permission. - 644
• For dynamic content (.php, .cgi, .pl, .rb, etc), only the user should have read, write, and execute permissions. Nobody else should need any other permissions. - 700
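An added helper (not from the checklist) that does the Review and Exercise slides' conversion in both directions, from a three-digit mode such as 755 to the per-category rights and values table and back, and applies the 755/644/700 rules of thumb above. The extension list for "dynamic content" is taken from the slide; `recommended_mode` is an assumed function name.

```python
# Constructed example: octal mode <-> r/w/x table, plus the deck's rules of thumb.
CATEGORIES = ("user", "group", "world")
BITS = (("r", 4), ("w", 2), ("x", 1))          # read 4, write 2, execute 1
DYNAMIC_EXTENSIONS = {"php", "cgi", "pl", "rb"}  # from the "dynamic content" note

def explain_mode(mode: str) -> dict:
    """'755' -> {'user': {'rights': 'rwx', 'values': '4+2+1'}, 'group': ..., ...}."""
    if len(mode) != 3 or any(d not in "01234567" for d in mode):
        raise ValueError("expected three octal digits, e.g. '644'")
    table = {}
    for category, digit in zip(CATEGORIES, mode):
        n = int(digit)
        rights = "".join(letter if n & bit else "-" for letter, bit in BITS)
        parts = [str(bit) for _, bit in BITS if n & bit]
        table[category] = {"rights": rights, "values": "+".join(parts) or "0"}
    return table

def mode_from_rights(user: str, group: str, world: str) -> str:
    """Inverse of explain_mode: ('rwx', 'r-x', 'r-x') -> '755'."""
    def digit(rights: str) -> int:
        if len(rights) != 3:
            raise ValueError("rights must be three characters, e.g. 'r-x'")
        return sum(bit for (letter, bit), ch in zip(BITS, rights) if ch == letter)
    return f"{digit(user)}{digit(group)}{digit(world)}"

def recommended_mode(path: str, is_dir: bool = False) -> str:
    """The deck's rules: directories 755, dynamic scripts 700, static files 644."""
    if is_dir:
        return "755"
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    return "700" if ext in DYNAMIC_EXTENSIONS else "644"
```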


Database Privileges

Why restrict MySQL user privileges?
Imagine if by mistake you install a malicious plugin which contains a back door or trojan software, or if a malicious user manages to get his hands on the credentials of the MySQL user. In both cases, if the MySQL user's privileges are limited to the data in the MySQL database, the damage can be limited and such an issue can easily be fixed.

If, however, the MySQL user has full access to the MySQL database, i.e. including structure privileges, the malicious user can also modify the structure of the database and not just the data inside it. Even worse, if the MySQL user being used has access to other databases, the malicious user can access the other MySQL databases and steal or modify their data.


Minimum user privileges

[Privilege table from the slide is not included in the transcript. Note on the slide: some privileges might be needed for the installation of some plugins.]

Tips for a secure database:
• When creating a new user, use a non-predictable username
• Configure a very strong password
• Use a different user for each web application you have installed
• Always assign the minimum required database privilege to the user


Top 10 Stupidest Administrator Tricks

1. Use the cheapest hosting provider you can find.
2. Don't waste time with regular backups.
3. Don't waste time adjusting PHP and CMS settings for increased security.
4. Use the username and password for everything.
5. Install your brand new beautiful CMS-powered site, and celebrate a job well done.


6. Do all upgrades on the live site right away.
7. Trust third-party extensions.
8. Don't worry about updating to the latest version of your CMS.
9. When your site gets cracked, panic your way into support forums.
10. Once your site's been cracked, fix the defaced index.php file and assume all else is well.


Full article is available at http://docs.joomla.org/Top_10_Stupidest_Administrator_Tricks

Analyzing Access Logs


Identity of the visiting agent, as resolved via its IP address


Date and time of the visit


Type of HTTP request / HTTP method
• “GET” retrieves information
• “POST” requests that the web server accept the data enclosed in the request message's body for storage
• “PUT” allows a client to upload new files to the web server
• “DELETE” requests the web server to delete the resource identified
• “TRACE” echoes back to the client whatever string has been sent to the server; mainly used for debugging


Requested resource

HTTP status codes
• 303 – See Other
• 200 – OK
See http://perishablepress.com/http-error-codes/ for a list of HTTP status codes

Data downloaded for the request, in bytes

Referrer field
* Null-referrer values are common for robots


Formal identity and credentials of the user-agent. This may include version number, website resource, and compatibility information

* Keep in mind that user-agent spoofing is not uncommon. A specific agent's identity may be verified through a Reverse-IP Lookup
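A parser for the log fields the slides walk through (visiting IP, date and time, method, resource, status code, bytes, referrer, user-agent), run over constructed sample lines in Apache "combined" format. This is an added example, not code from the checklist; the sample traffic, IP addresses and paths are made up, and `review_log` is an assumed name. It tallies methods and status codes, counts null referrers (common for robots, as noted above) and flags the PUT, DELETE and TRACE requests that a defender reviews first.

```python
import re
from collections import Counter

# Constructed sample lines (not real traffic) in Apache "combined" format.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Mar/2015:10:15:32 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [20/Mar/2015:10:15:40 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "http://example.com/administrator/" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [20/Mar/2015:10:16:01 +0000] "TRACE / HTTP/1.1" 405 230 "-" "curl/7.38.0"
198.51.100.7 - - [20/Mar/2015:10:16:05 +0000] "PUT /uploads/new.php HTTP/1.1" 403 199 "-" "-"
192.0.2.9 - - [20/Mar/2015:10:17:12 +0000] "GET /robots.txt HTTP/1.1" 200 74 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
"""

# One field per slide: ip, time, method, resource, status, bytes, referrer, agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<resource>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line: str) -> dict:
    """Split one combined-format line into the fields named on the slides."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["referrer"] = None if rec["referrer"] == "-" else rec["referrer"]  # null referrer
    return rec

def review_log(text: str) -> dict:
    """Tally methods and statuses, count null referrers, flag write/debug methods."""
    records = [parse_line(l) for l in text.splitlines() if l.strip()]
    return {
        "count": len(records),
        "methods": Counter(r["method"] for r in records),
        "statuses": Counter(r["status"] for r in records),
        "null_referrer": sum(1 for r in records if r["referrer"] is None),
        # PUT/DELETE/TRACE should be rare on a CMS site; each one deserves a look
        "flagged": [r for r in records if r["method"] in ("PUT", "DELETE", "TRACE")],
    }
```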

The Bad News

There is no perfect security on the Web!
Maintaining a secure web site on the open Internet is not easy. Maintaining adequate security requires a wide and ever-growing range of skills and knowledge, constant watchfulness, and a robust backup and recovery process.

There's no one right way!
Due to the variety and complexity of modern web systems, security issues can't be resolved with simple one-size-fits-all solutions. You must learn enough about your server infrastructure to make valid security decisions. Strong security is a moving target.

There's no substitute for experience!
To secure your website, you must gain real experience, or get experienced help from others. If you haven't invested the considerable time it takes to learn how to maintain a secure web site, be sure you can consult with someone who has.

The Good News

Even a beginner can start at the head of the herd
User forums for many systems are clogged with “Help, I've been hacked” posts by people who do NOT follow standard security practices. If you are following basic security practices, congratulations, you're already ahead of the herd.

It's not as hard as it looks
If this is one of your first websites, security issues may seem overwhelming, but you don't have to deal with all of them at once. Start with the most critical issues.

You can get help
If you believe your website was attacked, DO NOT simply post an announcement with full details. If you are dealing with a new vulnerability or new form of attack, publishing that information could put other websites at risk.

Full article at http://docs.joomla.org/Security_Checklist_1_-_Getting_Started
