Securing your Joomla Site


1. Motivation

Nowadays it is not enough to just install software like Joomla on your server. Why? If your site has been running for a while and you start to look at your log files, you will most probably find traces of attempts to break into your system. The attackers are creative people, and every day they find new ways to get around the current defence mechanisms. I do not understand the exact motivation of hackers, but they seem to enjoy attacking systems on the internet.

The first two take-aways are:

  • close all ports you do not need using a firewall. I like to use iptables wrapped with shorewall.
  • enable logging for the services that you decide to keep reachable from the internet.

2. SSH Service

The SSH service is the front door to your system. In the default configuration you log in to the system with an SSH client using a user name and password. If you keep this configuration, you will most likely see brute-force / dictionary attacks against the SSH service in the log file

  /var/log/auth.log

Using tools like fail2ban [1] may help a bit: they simply block the attackers' source IP addresses in the firewall for a while. Some attackers will then stop attacking your server, but others just rotate the IP addresses they use, and then fail2ban is of little use.

In many cases it is much more secure to disable password authentication completely and use public-key authentication instead. To do this you have to edit

  /etc/ssh/sshd_config

and set the following two parameters to no:

ChallengeResponseAuthentication no
PasswordAuthentication no

Before you close the session or restart the SSH server you have to edit or create the file

  <USER_HOME>/.ssh/authorized_keys

In this file you have to enter all public keys that should be able to log in to the system as the corresponding user. Please read the FAQ / man pages for further details.

Caution

If you are not sure, try this procedure on a local system first. If you make a mistake, you may not be able to log in to your system again!
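Before restarting sshd it pays to check that the edited configuration really does what the section above describes. The following Python script is an added example (not part of the original article) that audits an sshd_config text the way sshd reads it: keywords are case-insensitive, the first value given for a keyword wins, and anything after a Match line is conditional. It also validates authorized_keys lines by checking that the base64 key data really starts with the declared key type. The configuration and key material are constructed samples; the key blob is dummy framing, not a usable key.

```python
import base64
import re
import struct

# Constructed sample sshd_config (not a real server's file). It shows the classic
# mistake: "no" is only set *after* an earlier "yes" for the same keyword.
SAMPLE_SSHD_CONFIG = """\
# Authentication:
#PasswordAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
"""

HARDENED_SSHD_CONFIG = """\
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
"""

# Newer OpenSSH releases call the same option KbdInteractiveAuthentication.
_ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}


def parse_sshd_config(text):
    """Return {keyword: value} for the global part of an sshd_config.

    Rules from sshd_config(5): keywords are case-insensitive, '#' starts a comment,
    the FIRST value given for a keyword is the one sshd uses, and everything after a
    Match line applies only to matching connections, so it is left out here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(_ALIASES.get(key, key), value)  # first occurrence wins
    return settings


def audit_password_logins(text):
    """Return a list of findings; an empty list means only key-based logins remain."""
    s = parse_sshd_config(text)
    findings = []
    # OpenSSH defaults apply when a keyword is absent.
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no' (first value wins; look for an earlier 'yes')")
    if s.get("challengeresponseauthentication", "yes").lower() != "no":
        findings.append("ChallengeResponseAuthentication is not 'no'")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled; you would lock yourself out")
    return findings


def parse_authorized_keys(text):
    """Return [(key_type, comment)] per key line; raise ValueError on a malformed line."""
    keys = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # An optional options field (e.g. command="...",no-pty) may precede the key type.
        idx = next((i for i, t in enumerate(tokens)
                    if t.startswith(("ssh-", "ecdsa-sha2-", "sk-"))), None)
        if idx is None or idx + 1 >= len(tokens):
            raise ValueError(f"line {lineno}: no key type / key data found")
        key_type, blob, comment = tokens[idx], tokens[idx + 1], " ".join(tokens[idx + 2:])
        try:
            data = base64.b64decode(blob, validate=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: key data is not valid base64") from exc
        # SSH wire format: the blob starts with a length-prefixed copy of the key type.
        if len(data) < 4 or data[4:4 + struct.unpack(">I", data[:4])[0]] != key_type.encode():
            raise ValueError(f"line {lineno}: declared type {key_type} does not match key data")
        keys.append((key_type, comment))
    return keys


def _fake_ed25519_blob():
    # Constructed blob with correct framing but a dummy 32-byte key (not a real key).
    return base64.b64encode(struct.pack(">I", 11) + b"ssh-ed25519"
                            + struct.pack(">I", 32) + b"\x01" * 32).decode()


SAMPLE_AUTHORIZED_KEYS = (
    f"ssh-ed25519 {_fake_ed25519_blob()} donald@laptop\n"
    f'command="/usr/bin/rsync-only",no-pty ssh-ed25519 {_fake_ed25519_blob()} backup-job\n'
)

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_password_logins(cfg) or "OK: password logins disabled")
    print(parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS))
```

On the server itself, `sshd -T` prints the effective configuration after all parsing, which is the authoritative check; the script above is useful for reviewing a file before it is deployed, and deliberately ignores Match blocks rather than evaluating them.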

3. Apache and Joomla

Now we take a look at the Joomla installation itself. Most attacks target the administrator area of Joomla, where you can change content and manage the complete site from the Joomla point of view. The standard login is again user name and password authentication, so here the same attacks as described in the last section can be expected; the only difference is the protocol (HTTP instead of SSH).

Typically you can detect such attacks by monitoring the Apache log files. During an attack you will see many POST requests to the administrator area with non-200 HTTP response codes. Some tools move the login path to another URL that contains a code. This method is known as security through obscurity; just google this and you will see the drawbacks of such a method.
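As an added example (not code from the original article), here is the detection just described as a small Python script: it parses Apache combined-format access log lines, keeps the POST requests to the administrator area whose status is not 200, and reports client IPs that produced at least a threshold number of them inside a sliding time window, the same idea fail2ban applies to SSH. The log lines are constructed samples using documentation IP ranges; the 303 status and the `/administrator/` prefix are assumptions about a typical Joomla setup, so adjust them to what your own log shows.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log lines (documentation IP ranges, not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [12/Mar/2012:22:10:01 +0100] "GET /administrator/ HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2012:22:10:03 +0100] "POST /administrator/index.php HTTP/1.1" 303 312 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2012:22:10:05 +0100] "POST /administrator/index.php HTTP/1.1" 303 312 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2012:22:10:08 +0100] "POST /administrator/index.php HTTP/1.1" 303 312 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2012:22:10:11 +0100] "POST /administrator/index.php HTTP/1.1" 303 312 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2012:22:10:14 +0100] "POST /administrator/index.php HTTP/1.1" 303 312 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2012:22:11:00 +0100] "POST /administrator/index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2012:22:12:30 +0100] "POST /administrator/index.php HTTP/1.1" 303 312 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2012:23:40:00 +0100] "POST /administrator/index.php HTTP/1.1" 303 312 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2012:23:40:02 +0100] "POST /index.php HTTP/1.1" 303 312 "-" "Mozilla/5.0"
this line is garbage and must not crash the parser
"""

# Combined Log Format: client, ident, user, [time], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def failed_admin_posts(lines, admin_prefix="/administrator/"):
    """Timestamps of admin-area POSTs that did not return 200, grouped by client IP."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the scan
        ip, ts, method, path, status = rec
        if method == "POST" and path.startswith(admin_prefix) and status != 200:
            per_ip[ip].append(ts)
    return per_ip


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: failures} for IPs with >= threshold failed admin POSTs in any window."""
    hits = {}
    for ip, stamps in failed_admin_posts(lines).items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):
            # advance the window end while it stays within window_seconds of stamps[i]
            while j < len(stamps) and (stamps[j] - stamps[i]).total_seconds() <= window_seconds:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            hits[ip] = best
    return hits


if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_ACCESS_LOG.splitlines()).items():
        print(f"{ip}: {n} failed admin logins within 60 s")
```

Run it against a real file with `find_bruteforce(open("/var/log/apache2/access.log"))`; a single successful login (status 200) is never counted, and two failures an hour apart, as for 192.0.2.9 in the sample, stay below the threshold.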

One way to make the administrator area more secure is to configure an SSL-secured virtual host in Apache that can be used as an alternative way to access the Joomla site (frontend and backend). In the Apache configuration of the plain-HTTP site you can add the following directory setting

  <Directory /<pathtoyourJoomlaSite>/administrator/>
      AllowOverride None
      Order deny,allow
      deny from all
      allow from 127.0.0.1 localhost
      DirectoryIndex index.php
      IndexIgnore *
      Options All -Indexes FollowSymLinks MultiViews
  </Directory>

so that no access is possible except from localhost (which can be reached through an SSH tunnel in urgent cases).

For the https/SSL virtual host you add the following (either in a .htaccess file in the administrator/ directory or in the SSL vhost configuration file).

## Client Verification
SSLVerifyClient require
SSLVerifyDepth 3

# error handling
RewriteEngine        on
RewriteCond     %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
RewriteRule     .? - [F]
ErrorDocument 403 "You need a client side certificate to access this site"

SSLOptions           +FakeBasicAuth
SSLRequireSSL
AuthName             "Admin Only Area"
AuthType             Basic
AuthUserFile         /<somesecureplace>/.htpasswd
require              valid-user

The file .htpasswd contains an entry for every client that should be able to log in to the administrator area. Each row has to contain the subject DN (the /CN=... form) of the client's certificate, followed by the fixed string xxj31ZMTZzkVA, separated by a colon (:).

Here is an example:

/CN=Donald Duck/emailAddress=donald@disney.com:xxj31ZMTZzkVA

To access the administrator area of Joomla you now have to authenticate to the server with a client SSL certificate (available for free from cacert.org, for example). The client certificate has to be installed in your browser's certificate store.
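The .htpasswd entries are easy to get subtly wrong, so here is an added Python example (not from the original article) that builds them and checks an existing file. Two facts from the mod_ssl documentation drive it: with SSLOptions +FakeBasicAuth the certificate's subject DN becomes the Basic-auth user name and the fixed string xxj31ZMTZzkVA (the DES crypt of the word "password") is always presented as the password; and Apache 2.4 formats that DN in RFC 2253 style (attributes reversed, comma separated) unless SSLOptions +LegacyDNStringFormat is set, whereas the /CN=... form used in the text is the legacy format. The subject and the sample file are constructed; the RFC 2253 rendering is simplified and assumes values without characters that need escaping.

```python
# Constructed certificate subject, in the order the attributes appear in the
# certificate (the Donald Duck example from the text).
SAMPLE_SUBJECT = [("CN", "Donald Duck"), ("emailAddress", "donald@disney.com")]

# mod_ssl's FakeBasicAuth always presents this fixed password: it is the DES
# crypt() of the word "password" (see the SSLOptions documentation of mod_ssl).
FAKE_BASIC_AUTH_PASSWORD = "xxj31ZMTZzkVA"


def legacy_dn(subject):
    """Apache's legacy one-line DN form, e.g. /CN=Donald Duck/emailAddress=..."""
    return "".join(f"/{attr}={value}" for attr, value in subject)


def rfc2253_dn(subject):
    """Apache 2.4's default DN form: attributes reversed and comma separated.
    Simplified: assumes values without characters that RFC 2253 requires to escape."""
    return ",".join(f"{attr}={value}" for attr, value in reversed(subject))


def htpasswd_entry(dn):
    """One .htpasswd line for FakeBasicAuth; the DN is the user name."""
    if ":" in dn:
        raise ValueError("DN contains ':', which Apache treats as the user/password separator")
    return f"{dn}:{FAKE_BASIC_AUTH_PASSWORD}"


def check_htpasswd(text):
    """Return a list of problems found in a FakeBasicAuth .htpasswd file (empty if fine)."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw != raw.strip():
            problems.append(f"line {lineno}: surrounding whitespace becomes part of the DN or password")
        user, sep, pw = raw.strip().partition(":")  # Apache splits at the first ':'
        if not sep:
            problems.append(f"line {lineno}: no ':' separator")
            continue
        if not user.startswith("/"):
            problems.append(f"line {lineno}: DN is not in the legacy /CN=... form "
                            "(Apache 2.4 uses RFC 2253 form unless SSLOptions +LegacyDNStringFormat is set)")
        if pw != FAKE_BASIC_AUTH_PASSWORD:
            problems.append(f"line {lineno}: password field is not the FakeBasicAuth fixed string")
    return problems


# Constructed sample file: one correct entry, one in RFC 2253 form, one with a wrong password.
SAMPLE_HTPASSWD = """\
# constructed example file
/CN=Donald Duck/emailAddress=donald@disney.com:xxj31ZMTZzkVA
emailAddress=daisy@disney.com,CN=Daisy Duck:xxj31ZMTZzkVA
/CN=Scrooge McDuck/emailAddress=scrooge@disney.com:password
"""

if __name__ == "__main__":
    print(htpasswd_entry(legacy_dn(SAMPLE_SUBJECT)))
    print("RFC 2253 form would be:", rfc2253_dn(SAMPLE_SUBJECT))
    for problem in check_htpasswd(SAMPLE_HTPASSWD):
        print(problem)
```

The exact user name Apache will look up is whatever `SSL_CLIENT_S_DN` contains for your server version; logging that variable once in a custom LogFormat, or running `openssl x509 -noout -subject -in client.crt`, tells you which of the two forms to put in the file.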

This way brute-force attacks are much harder, and brute-force attackers will most likely move on to other, less secured web sites.


4. References

[1] fail2ban http://www.fail2ban.org/wiki/index.php/Main_Page