Table of Contents
Preface
Chapter 1: Let's Get Started
Chapter 2: Test and Development
Chapter 3: Tools
Chapter 4: Vulnerabilities
Chapter 5: Anatomy of Attacks
Chapter 6: How the Bad Guys Do It
Chapter 7: php.ini and .htaccess
Chapter 8: Log Files
Chapter 9: SSL for Your Joomla! Site
Chapter 10: Incident Management
Appendix: Security Handbook
Index
- Chapter 1: Let's Get Started
- Introduction
- Common Terminology
- Hosting—Selection and Unique Needs
- What Is a Host?
- Choosing a Host
- Questions to Ask a Prospective Host
- Facilities
- Things to Ask Your Host about Facility Security
- Environmental Questions about the Facility
- Site Monitoring and Protection
- Patching and Security
- Shared Hosting
- Dedicated Hosting
- Architecting for a Successful Site
- What Is the Purpose of Your Site?
- Eleven Steps to Successful Site Architecture
- Downloading Joomla!
- Settings
- .htaccess
- Permissions
- User Management
- Common Trip Ups
- Failure to Check Vulnerability List First
- Register Globals, Again
- Permissions
- Poor Documentation
- Got Backups?
- Setting Up Security Metrics
- Summary
- Chapter 2: Test and Development
- Welcome to the Laboratory!
- Test and Development Environment
- What Does This Have to Do with Security?
- The Evil Hamster Wheel of Upgrades
- Determine the Need for Upgrade
- Developing Your Test Plan
- Essential Parameters for a Successful Test
- Using Your Test and Development Site for Disaster Planning
- Updating Your Disaster Recovery Documentation
- Make DR Testing a Part of Your Upgrade/Rollout Cycle
- Crafting Good Documentation
- Using a Software Development Management System
- Tour of Lighthouse from Artifact Software
- Reporting
- Using the Ravenswood Joomla! Server
- Roll-out
- Summary
- Welcome to the Laboratory!
- Chapter 3: Tools
- Introduction
- Tools, Tools, and More Tools
- HISA
- Installation Check
- Web-Server Environment
- Required Settings for Joomla!
- Recommended Settings
- Joomla Tools Suite with Services
- How's Our Health?
- NMAP—Network Mapping Tool from insecure.org
- Wireshark
- Metasploit—The Penetration Testers Tool Set
- Nessus Vulnerability Scanner
- Why You Need Nessus
- HISA
- Summary
- Chapter 4: Vulnerabilities
- Introduction
- Importance of Patching is Paramount
- What is a Vulnerability?
- Memory Corruption Vulnerabilities
- SQL Injections
- Command Injection Attacks
- Attack Example
- Why do Vulnerabilities Exist?
- What Can be Done to Prevent Vulnerabilities?
- Developers
- Poor Testing and Planning
- Forbidden
- Improper Variable Sanitization and Dangerous Inputs
- Not Testing in a Broad Enough Environment
- Testing for Various Versions of SQL
- Interactions with Other Third-Party Extensions
- End Users
- Social Engineering
- Poor Patching and Updating
- Summary
- Chapter 5: Anatomy of Attacks
- Introduction
- SQL Injections
- Testing for SQL Injections
- A Few Methods to Prevent SQL Injections
- And According to PHP.NET
- Remote File Includes
- The Most Basic Attempt
- What Can We Do to Stop This?
- Preventing RFI Attacks
- Summary
- Chapter 6: How the Bad Guys Do It
- Laws on the Books
- Acquiring Target
- Sizing up the Target
- Vulnerability Tools
- Nessus
- Nikto: An Open-Source Vulnerability Scanner
- Acunetix
- NMAP
- Wireshark
- Ping Sweep
- Firewalk
- Angry IP Scanner
- Digital Graffiti versus Real Attacks
- Finding Targets to Attack
- What Do I Do Then?
- Countermeasures
- But What If My Host Won't Cooperate?
- What If My Website Is Broken into and Defaced?
- What If a Rootkit Has Been Placed on My Server?
- Closing Words
- Summary
- Chapter 7: php.ini and .htaccess
- .htaccess
- Bandwidth Preservation
- Disable the Server Signature
- Prevent Access to .htaccess
- Prevent Access to Any File
- Prevent Access to Multiple File Types
- Prevent Unauthorized Directory Browsing
- Disguise Script Extensions
- Limit Access to the Local Area Network (LAN)
- Secure Directories by IP and/or Domain
- Deny or Allow Domain Access for IP Range
- Stop Hotlinking, Serve Alternate Content
- Block Robots, Site Rippers, Offline Browsers, and Other Evils
- More Stupid Blocking Tricks
- Password-Protect Files, Directories, and More
- Protecting Your Development Site until it's Ready
- Activating SSL via .htaccess
- Automatically CHMOD Various File Types
- Limit File Size to Protect Against Denial-of-Service Attacks
- Deploy Custom Error Pages
- Provide a Universal Error Document
- Prevent Access During Specified Time Periods
- Redirect String Variations to a Specific Address
- Disable magic_quotes_gpc for PHP-Enabled Servers
- php.ini
- But What is the php.ini File?
- How php.ini is Read
- Summary
- .htaccess
- Chapter 8: Log Files
- What are Log Files, Exactly?
- Learning to Read the Log
- What about this?
- Status Codes for HTTP 1.1
- Log File Analysis
- User Agent Strings
- Blocking the IP Range of Countries
- Where Did They Come From?
- Care and Feeding of Your Log Files
- Steps to Care of Your Log Files
- Tools to Review Your Log Files
- BSQ-SiteStats
- JoomlaWatch
- AWStats
- Summary
- Chapter 9: SSL for Your Joomla! Site
- What is SSL/TLS?
- Using SSL to Establish a Secret Session
- Establishing an SSL Session
- Certificates of Authenticity
- Certificate Obtainment
- Using SSL to Establish a Secret Session
- Process Steps for SSL
- Joomla! SSL
- Performance Considerations
- Other Resources
- Summary
- What is SSL/TLS?
- Chapter 10: Incident Management
- Creating an Incident Response Policy
- Developing Procedures Based on Policy to Respond to Incidents
- Handling an Incident
- Communicating with Outside Parties Regarding Incidents
- Selecting a Team Structure
- Summary
- Appendix: Security Handbook
- Security Handbook Reference
- General Information
- Preparing Your Tool Kit
- Backup Tools
- Assistance Checklist
- Daily Operations
- Basic Security Checklist
- Tools
- Nmap
- Telnet
- FTP
- Virus Scanning
- JCheck
- Joomla! Tools Suite
- Tools for Firefox Users
- Netstat
- Wireshark
- Nessus
- Ports
- Logs
- Apache Status Codes
- Common Log Format
- Country Information: Top-Level Domain Codes
- List of Critical Settings
- .htaccess
- php. ini
- References to Learn More about php.ini
- General Apache Information
- List of Ports
- Summary
