Difference between revisions of "Security Checklist/Site Administration"

From Joomla! Documentation

m (update navigational call)
(11 intermediate revisions by 5 users not shown)
Line 1: Line 1:
{{RightTOC}}
+
{{:Security Checklist/TOC}}
 
 
 
== Site Administration ==
 
== Site Administration ==
  
 
===Use well-formed passwords===
 
===Use well-formed passwords===
: Change passwords regularly and keep them unique. Use a random combination of letters, numbers, or symbols and avoid using single names or words found in a dictionary. Never use the names of your relatives, pets, etc. Search the forums for a script supplied by Wizzie that automatically changes passwords. This is a great tool for administrators or multiple sites.
+
: Change passwords regularly and keep them unique. A strong  password has a random combination of letters, numbers, or symbols. Avoid using single names or words found in a dictionary. Never use the names of your relatives, pets, etc. Search the forums for a script supplied by Wizzie that automatically changes passwords. This is a great tool for administrators or multiple sites. There are numerous handy websites that have [http://strongpasswordgenerator.com strong password generators].
  
 
===Follow a password leveling scheme===
 
===Follow a password leveling scheme===
: Most users may not need more than three levels of passwords and webmasters no more than five. Each level must be completely unrelated to the others in terms of which usernames and passwords are used.
+
: Most users may not need more than three levels of passwords and webmasters no more than five. Each level must be completely unrelated to the others in terms of which usernames and passwords are used. Learn how to do this: [[How do you setup a powerful password scheme?]]
 
 
Level 5 (Public) - is the password you use on public sites. It is not imperative that you use a different password on every site. In fact it's more effective to use a different username on every site than it is to use a different password truth be told! Knowing the username allows easy hacking...half the work is done! knowing the password is useless unless you know what account it goes to!
 
Level 4 (Webmaster) - Reserved for SQL Only. this is a password that would only be used by SQL and limited to a specific database in SQL. The best way to protect SQL is by limiting each account to just being able to do the minimum that DB requires. In some cases it is even wise to have a read only account for display and a separate write account that the backend write functions use. But that doesn't apply to J! at all... for J! the best practice is to set up an individual account (not root for sure) that only has read and write access to the J! DB nothing else.
 
Level 3 (Webmaster) - FTP and Server Access. these can be the same user:pass combo since both if compromised can do the most damage. doesn't matter if the backend or Cpanel is safe if the FTP is not and the same goes the other way!
 
Level 2 (Personal Data Access) - This password should be used for any sites or locations that contain personal data with the exception of Banking (see level 1). these sites are often used for social engineering data such as medical records, service accounts and any financial records not directly related to banking! You want these to be secure but also different from the real threat of security...your money!
 
Level 1 (Banking!) - this needs to be the most secure in fact if you have two different banks it actually pays to have a different user:pass for each just to be sure!
 
  
 
===Maintain a strong site backup process===
 
===Maintain a strong site backup process===
: Never rely on others' backups. Take responsibility for your backup procedures. Many ISPs state in their contract that you can not rely solely on their backups.
+
: Never rely on others' backups. Take responsibility for your backup procedures. Many ISPs state in their contract that you cannot rely solely on their backups.
  
 
===Monitor crack attempts===
 
===Monitor crack attempts===
: VPS and dedicated server users can run TripWire or SAMHAIN. These applications provide exhaustive file checking and reporting functionality, and can be installed in a stealthy manner to help protect themselves in the event of a serious infiltration. (Note: Users of shared servers can not use this technique.)</li>
+
: VPS and dedicated server users can run [http://www.tripwire.com/ TripWire] or [http://la-samhna.de/samhain/ SAMHAIN]. These applications provide exhaustive file checking and reporting functionality, and can be installed in a stealthy manner to help protect themselves in the event of a serious infiltration. (Note: Users of shared servers cannot use this technique.)</li>
  
 
===Perform automated intrusion detection===
 
===Perform automated intrusion detection===
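Review bot: the `</li>` at the end of the "Monitor crack attempts" paragraph is carried into the replacement line although there is no matching `<li>` in that paragraph; drop it so the wiki text stays well-formed. The replacement "well-formed passwords" line also has a double space in "A strong  password", and "for administrators or multiple sites" reads as a typo for "of multiple sites".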
Line 38: Line 31:
  
 
===Proactively seek SQL injections vulnerabilities===
 
===Proactively seek SQL injections vulnerabilities===
: Use tools such as Paros Proxy for conducting automated SQL Injection tests against your PHP applications.
+
: Use tools such as [http://www.parosproxy.org/ Paros Proxy] for conducting automated SQL Injection tests against your PHP applications.
 
       <ul>
 
       <ul>
 
         <li>[http://www.google.com/search?q=%22SQL+Injection Google Search]</li>
 
         <li>[http://www.google.com/search?q=%22SQL+Injection Google Search]</li>
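Review bot: the heading "===Proactively seek SQL injections vulnerabilities===" should read "SQL injection vulnerabilities"; it is untouched in this hunk, so the typo survives the revision. The link list below it uses raw HTML `<ul>`/`<li>` while the rest of the page uses wiki markup; a `* [http://www.google.com/search?q=%22SQL+Injection Google Search]` list item would be consistent with the page and avoids unbalanced tags.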
Line 56: Line 49:
  
 
===Don't reinvent every wheel===
 
===Don't reinvent every wheel===
: Every now and then hire a professional Joomla! security consultant to review your configurations. Do you remember the adage, ''"Anyone who acts as their own lawyer has a fool for a client."'' The same goes for Web development. Don't expect to catch all of your own security mistakes.
+
: Every now and then, hire a professional Joomla! security consultant to review your configurations. Do you remember the adage, ''"Anyone who acts as their own lawyer has a fool for a client."?'' The same goes for Web development. Don't expect to catch all of your own security mistakes.
 
 
== Choose A Checklist==
 
# [[Security Checklist 1 - Getting Started|Getting Started]]
 
# [[Security Checklist 2 - Hosting and Server Setup|Hosting and Server Setup]]
 
# [[Security Checklist 3 - Testing and Development|Testing and Development]]
 
# [[Security Checklist 4 - Joomla Setup|Joomla Setup]]
 
# [[Security Checklist 5 - Site Administration|Site Administration]]
 
# [[Security Checklist 6 - Site Recovery|Site Recovery]]
 
 
 
  
 
<!-- KEEP THIS AT THE END OF THE PAGE -->
 
<!-- KEEP THIS AT THE END OF THE PAGE -->
 
[[Category:Security Checklist]]
 
[[Category:Security Checklist]]
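Review bot: in the replacement "Don't reinvent every wheel" line the question mark lands after both the closing quote and the full stop (`client."?''`), leaving two terminal marks; either `client"?''` or keeping the sentence as a statement, as in the original line, reads better.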

Revision as of 20:01, 15 October 2012

Site Administration

Use well-formed passwords

Change passwords regularly and keep them unique. A strong password is a random combination of letters, numbers and symbols. Avoid single names or words found in a dictionary, and never use the names of your relatives, pets, etc. Search the forums for a script supplied by Wizzie that automatically changes passwords; it is a great tool for administrators of multiple sites. There are numerous handy websites that offer strong password generators.

Follow a password leveling scheme

Most users may not need more than three levels of passwords and webmasters no more than five. Each level must be completely unrelated to the others in terms of which usernames and passwords are used. Learn how to do this: How do you setup a powerful password scheme?

Maintain a strong site backup process

Never rely on others' backups. Take responsibility for your backup procedures. Many ISPs state in their contract that you cannot rely solely on their backups.

Monitor crack attempts

VPS and dedicated server users can run TripWire or SAMHAIN. These applications provide exhaustive file checking and reporting functionality, and can be installed in a stealthy manner to help protect themselves in the event of a serious infiltration. (Note: Users of shared servers cannot use this technique.)
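The file-integrity check those tools perform, reduced to its core as an added example (not code from the Joomla! documentation or from Tripwire/Samhain): a baseline of SHA-256 hashes over the webroot, and a later comparison that reports added, modified and removed files. It assumes GNU coreutils (sha256sum, comm) and file paths without whitespace.

```shell
#!/bin/sh
# Added example, not part of the Joomla! documentation: a minimal file-integrity
# baseline in the spirit of the Tripwire/Samhain advice. It records a SHA-256 for
# every file under a webroot and later reports added, modified and removed files.
# Assumptions: GNU coreutils (sha256sum, comm) and paths without whitespace.

# Print "hash  ./relative/path" for every regular file under $1, sorted by path.
fim_snapshot() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done )
}

# fim_baseline <webroot> <baseline-file>: record the current state.
# Keep the baseline outside the webroot and out of the web server's reach.
fim_baseline() {
    fim_snapshot "$1" > "$2"
}

# fim_verify <webroot> <baseline-file>: print one "added|modified|removed <path>"
# line per change; return 0 if the tree is unchanged, 1 otherwise.
fim_verify() {
    webroot=$1; baseline=$2
    current=$(mktemp); changes=$(mktemp)
    fim_snapshot "$webroot" > "$current"
    awk '{print $2}' "$baseline" | LC_ALL=C sort > "$current.old"
    awk '{print $2}' "$current"  | LC_ALL=C sort > "$current.new"
    # Paths only in the new snapshot were added; paths only in the baseline were removed.
    comm -13 "$current.old" "$current.new" | sed 's/^/added /'   >> "$changes"
    comm -23 "$current.old" "$current.new" | sed 's/^/removed /' >> "$changes"
    # Paths present in both snapshots whose hash differs were modified.
    comm -12 "$current.old" "$current.new" | while IFS= read -r p; do
        old=$(awk -v p="$p" '$2 == p {print $1}' "$baseline")
        new=$(awk -v p="$p" '$2 == p {print $1}' "$current")
        [ "$old" = "$new" ] || echo "modified $p"
    done >> "$changes"
    cat "$changes"
    rc=0; [ -s "$changes" ] && rc=1
    rm -f "$current" "$current.old" "$current.new" "$changes"
    return $rc
}
```

Run `fim_baseline` once after a clean install or upgrade and `fim_verify` from cron; a non-zero exit is the alert, and the baseline must be refreshed deliberately after each legitimate change.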

Perform automated intrusion detection

Use an intrusion prevention/detection system (IPS/IDS) to block or alert on malicious HTTP requests.

Perform manual intrusion detection

Regularly check raw logs for suspicious activity. Don't rely on summaries and graphs.
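Three checks a raw-log review typically starts with, as an added example (not code from the Joomla! documentation): repeated POSTs to the back-end login page, query strings carrying SQL injection markers, and 404 bursts from a single client. It assumes Apache combined log format; the thresholds and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the Joomla! documentation: three raw-log checks in
# the spirit of "don't rely on summaries and graphs". Assumes Apache combined
# log format; the thresholds and the sample lines below are constructed.

# admin_post_bursts <log> <max>: clients with more than <max> POSTs to the
# Joomla! back-end login page (repeated login attempts), as "<ip> <count>".
admin_post_bursts() {
    awk -v max="$2" '
        $6 == "\"POST" && $7 ~ /^\/administrator\/index\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] > max) print ip, n[ip] }' "$1" | LC_ALL=C sort
}

# sqli_probes <log>: requests whose query string carries common SQL injection
# markers (a quote, UNION ... SELECT, or a comment sequence) after decoding the
# usual URL escapes, as "<ip> <request-path>". Heuristic: review hits by hand.
sqli_probes() {
    awk -v q="'" '{
        url = tolower($7)
        gsub(/%27/, q, url); gsub(/%20|\+/, " ", url); gsub(/%2d/, "-", url)
        if (index(url, "?") && (index(url, q) || url ~ /union +select/ || url ~ /--|\/\*/))
            print $1, $7
    }' "$1"
}

# not_found_bursts <log> <max>: clients with more than <max> 404 responses,
# the signature of a path scanner probing for known components.
not_found_bursts() {
    awk -v max="$2" '$9 == 404 { n[$1]++ }
        END { for (ip in n) if (n[ip] > max) print ip, n[ip] }' "$1" | LC_ALL=C sort
}

# Constructed sample log (RFC 5737 documentation addresses) for a dry run.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [15/Oct/2012:20:01:00 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Oct/2012:20:01:03 +0000] "GET /index.php?option=com_content&id=5%27%20union%20select%201,2-- HTTP/1.1" 500 310 "-" "probe/1.0"
198.51.100.7 - - [15/Oct/2012:20:01:04 +0000] "GET /components/com_foo/ HTTP/1.1" 404 210 "-" "probe/1.0"
198.51.100.7 - - [15/Oct/2012:20:01:05 +0000] "GET /components/com_bar/ HTTP/1.1" 404 210 "-" "probe/1.0"
198.51.100.7 - - [15/Oct/2012:20:01:06 +0000] "GET /components/com_baz/ HTTP/1.1" 404 210 "-" "probe/1.0"
203.0.113.5 - - [15/Oct/2012:20:02:00 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Oct/2012:20:02:01 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Oct/2012:20:02:02 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
EOF
```

Against a real log, call for example `admin_post_bursts /var/log/apache2/access.log 20`; tune the thresholds to the site's normal traffic before trusting the output.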

Stay current with security patches and upgrades

Apply vendor-released security patches as soon as possible.

Proactively seek site vulnerabilities

Scan your site frequently for vulnerabilities.

Proactively seek SQL injection vulnerabilities

Use tools such as Paros Proxy for conducting automated SQL Injection tests against your PHP applications.

Use shell scripts to automate security tasks

Search the forums for these popular scripts:
  • Joomla! Version Checking
  • Joomla! Component/Module Version Checking
  • Exploit Checking

Learn about security software

There is not a single tool that can protect your site. If there were, it would be so heavily targeted that it would probably become a liability.

Don't reinvent every wheel

Every now and then, hire a professional Joomla! security consultant to review your configurations. Do you remember the adage "Anyone who acts as their own lawyer has a fool for a client"? The same goes for Web development. Don't expect to catch all of your own security mistakes.