Like all software, Joomla must be updated when a new version is released; these releases usually consist of important security fixes. CentOS 5 still uses PHP 4, but the security patches have been applied to its PHP 4 packages, so you will also need to keep your CentOS distribution updated.
Joomla file permissions should be 644.
Joomla folder permissions should be 755. The only exceptions are the cache directory and the temporary directories which must be writable.
Delete the installation directory completely as this represents a major security issue. Change the permissions of the configuration.php to 644 as well once you have completed the setup.
Change the administrator name to something other than the default so it is harder to guess, and create a strong password, because users will attempt to guess it on a regular basis. On the Joomla sites I run, one of the most often visited pages is the administrator login, because people are trying to hack it. Create GOOD passwords! Passwords must mix upper and lower case, include symbols and numbers, and be at least 8 characters long.
Create a Restricted Folder for Administrator
One of the most effective ways to protect Joomla is to create a restricted folder in Apache so that only administrators can reach the administrator directory at all.
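As an added example (not from the original article), here is an Apache 2.2 directory block, in the syntax CentOS 5 ships, that puts HTTP Basic authentication and a source-address restriction in front of Joomla's administrator directory. Assumed values: the document root /var/www/html, the password file /etc/httpd/conf/joomla-admin.htpasswd, and the administrator's workstation address 192.0.2.10 (a placeholder).

```apache
# Added example: restrict Joomla's /administrator directory (Apache 2.2 syntax).
# Create the password file once, outside the document root, with:
#   htpasswd -c /etc/httpd/conf/joomla-admin.htpasswd adminuser
<Directory "/var/www/html/administrator">
    # Second login layer in front of Joomla's own administrator login
    AuthType Basic
    AuthName "Joomla Administration"
    AuthUserFile /etc/httpd/conf/joomla-admin.htpasswd
    Require valid-user

    # Only the administrator's address (placeholder 192.0.2.10) may connect;
    # "Satisfy All" requires both the address check and the password to pass
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10
    Satisfy All
</Directory>
```

Keep the htpasswd file outside the document root so it can never be served. If the Squid reverse proxy described later sits in front of Apache, Apache will see the proxy's address instead of the client's, so the Allow line would have to be adjusted or the address check moved to Squid.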
Restrict Scripting Injection Attacks
Edit your /etc/php.ini file to turn off register_globals:
register_globals = off
You can also blunt SQL injection attacks by adding the following to the php.ini file:
allow_url_fopen = OFF
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
The first line disables the URL-aware fopen wrappers that allow URLs to be opened as if they were files. The second disables a number of PHP functions:
* show_source — an alias of highlight_file(), which outputs a syntax-highlighted copy of a file;
* system — allows execution of external programs;
* shell_exec — allows execution of commands via a shell;
* exec — allows execution of commands;
* passthru — similar to exec(), allows execution of commands;
* phpinfo — outputs PHP configuration information that could be useful to an intruder;
* popen — opens a pipe to a process started by a given command;
* proc_open — similar to popen() but provides finer control over command execution.
Disabling these functions may break some extensions, so you need to test your site afterwards; in initial testing it seemed to work OK.
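To confirm that the php.ini changes above were actually made, here is an added POSIX shell audit script (not part of the original article) that reads a php.ini, reports each directive discussed here as OK or FAIL, and exits non-zero if anything is missing. It assumes the path to php.ini is passed as its first argument (for example, sh audit-php-ini.sh /etc/php.ini).

```shell
#!/bin/sh
# Added example: audit a php.ini for the hardening directives discussed above.
# Prints one line per check and returns 0 only if every check passes.

# Effective value of a directive: the last uncommented assignment wins (as in
# PHP itself); a trailing ";" comment, quotes and spaces are stripped.
ini_get() {  # $1 = php.ini path, $2 = directive name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*;.*$//' | tr -d '" '
}

# PHP treats Off, 0, no, false and none as boolean false (case-insensitive).
is_off() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        off|0|no|false|none) return 0 ;;
        *) return 1 ;;
    esac
}

audit_php_ini() {  # $1 = php.ini path
    file=$1; rc=0
    for d in register_globals allow_url_fopen; do
        v=$(ini_get "$file" "$d")
        if [ -z "$v" ]; then
            echo "FAIL $d is not set, so PHP's built-in default applies"; rc=1
        elif is_off "$v"; then
            echo "OK   $d = $v"
        else
            echo "FAIL $d = $v (expected Off)"; rc=1
        fi
    done
    # disable_functions is a comma-separated list; compare case-insensitively.
    disabled=$(ini_get "$file" disable_functions | tr 'A-Z' 'a-z')
    for f in show_source system shell_exec passthru exec phpinfo popen proc_open; do
        case ",$disabled," in
            *,"$f",*) echo "OK   $f is disabled" ;;
            *)        echo "FAIL $f is not in disable_functions"; rc=1 ;;
        esac
    done
    return $rc
}

# Run against the file named on the command line, e.g. /etc/php.ini
if [ "$#" -gt 0 ]; then
    audit_php_ini "$1"
fi
```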
Joomla is a very popular content management system that uses PHP and MySQL. It has a history of security issues, so this series of articles will focus on how to protect Joomla from many of these attacks. The first article covers using a Reverse Proxy Server to stop attempts to inject SQL strings into the database in order to compromise the site.
Joomla 1.5.1 was developed to allow reverse proxy protection. It now has an optional livesite parameter so that all features work properly behind a reverse proxy.
“Squid can be placed in front of an insecure web server to protect it from the outside world: not merely to stop unwanted clients from accessing the machine, but also to stop people from exploiting bugs in the server code” Squid-cache.org
Using a Simple Reverse Proxy
There are many things you can do with Squid to provide additional security for a Joomla install, but this first article covers just the basics, which by themselves do a great deal to protect a web server serving Joomla content. The Squid Reverse Proxy is a separate box placed in front of your Joomla server. It keeps a cache of the static content from your Joomla site and serves that cached content to clients who request it. One advantage is speed, since content is delivered from the cache rather than from your Joomla server. The other real security advantage is that SQL injection attacks will often land on the cached content on the reverse proxy, not on the actual Joomla server. This one factor goes a long way toward stopping many, though not all, attacks on your server. The Reverse Proxy will also minimize the cross-site scripting exploits that are common.
See the separate article on setting up a Reverse Proxy with Squid for the details.
Examples of Security Issues
SANS Consensus Security Vulnerability Alerts
Here are a few that are mentioned in the Vulnerability Alerts:
08.08.28 – Joomla! MCQuiz Component “tid” Parameter SQL Injection
08.08.29 – Joomla! PAXXGallery Component “userid” Parameter SQL Injection
08.08.30 – Joomla! and Mambo “com_quiz” Component “tid” Parameter SQL Injection
08.08.32 – Joomla! and Mambo “com_smslist” Component “listid” Parameter SQL Injection
08.08.33 – Joomla! and Mambo “com_activities” Component “id” Parameter SQL Injection
08.08.34 – Joomla! and Mambo “com_sg” Component “pid” Parameter SQL Injection
08.08.35 – Joomla! and Mambo “faq” Component “catid” Parameter SQL Injection
08.08.39 – Joomla! and Mambo “com_salesrep” Component “rid” Parameter SQL Injection
08.08.40 – Joomla! and Mambo “com_lexikon” Component “id” Parameter SQL Injection
08.08.41 – Joomla! and Mambo “com_filebase” Component “filecatid” Parameter SQL Injection
08.08.42 – Joomla! and Mambo “com_scheduling” Component “id” Parameter SQL Injection
08.08.44 – Joomla! and Mambo “com_galeria” Component “id” Parameter SQL Injection
08.08.45 – Joomla! and Mambo “com_jooget” Component “id” Parameter SQL Injection
08.08.47 – Joomla! and Mambo Quran Component SQL Injection
08.08.49 – Joomla! and Mambo Portfolio Manager Component “categoryId” Parameter SQL Injection
08.08.50 – astatsPRO “com_astatspro” Component “id” Parameter SQL Injection
08.08.51 – Joomla! and Mambo “com_profile” Component “oid” Parameter SQL Injection
08.08.52 – Joomla! and Mambo “com_detail” Component “id” Parameter SQL Injection
08.08.56 – Joomla! and Mambo “com_downloads” Component “cat” Parameter SQL Injection
08.08.59 – Joomla! and Mambo “com_pccookbook” Component “user_id” Parameter SQL Injection
08.08.63 – Joomla! and Mambo “com_team” Component SQL Injection
08.08.64 – Joomla! and Mambo “com_iigcatalog” Component “cat” Parameter SQL Injection
08.08.65 – Joomla! and Mambo “com_formtool” Component “catid” Parameter SQL Injection
08.08.67 – Joomla! and Mambo “com_genealogy” Component “id” Parameter SQL Injection
08.08.68 – iJoomla “com_magazine” Component “pageid” Parameter SQL Injection