Tuesday, March 9, 2010

Joomla Web Security 2008

Publisher: Packt Publishing
Number of Pages: 264
Publication Date: 2008-10-15
ISBN-10 / ASIN: 1847194885
ISBN-13 / EAN: 9781847194886


Table of Contents
Preface 1
Chapter 1: Let's Get Started 7
Introduction 7
Common Terminology 8
Hosting—Selection and Unique Needs 9
What Is a Host? 9
Choosing a Host 9
Questions to Ask a Prospective Host 10
Facilities 10
Things to Ask Your Host about Facility Security 11
Environmental Questions about the Facility 12
Site Monitoring and Protection 12
Patching and Security 13
Shared Hosting 13
Dedicated Hosting 15
Architecting for a Successful Site 17
What Is the Purpose of Your Site? 17
Eleven Steps to Successful Site Architecture 18
Downloading Joomla! 20
Settings 21
.htaccess 24
Permissions 26
User Management 27
Common Trip Ups 27
Failure to Check Vulnerability List First 27
Register Globals, Again 28
Permissions 28
Poor Documentation 29
Got Backups? 29
Setting Up Security Metrics 30
Summary 39
Chapter 2: Test and Development 41
Welcome to the Laboratory! 42
Test and Development Environment 42
What Does This Have to Do with Security? 43
The Evil Hamster Wheel of Upgrades 44
Determine the Need for Upgrade 45
Developing Your Test Plan 47
Essential Parameters for a Successful Test 47
Using Your Test and Development Site for Disaster Planning 49
Updating Your Disaster Recovery Documentation 49
Make DR Testing a Part of Your Upgrade/Rollout Cycle 50
Crafting Good Documentation 50
Using a Software Development Management System 54
Tour of Lighthouse from Artifact Software 54
Reporting 56
Using the Ravenswood Joomla! Server 58
Roll-out 59
Summary 60
Chapter 3: Tools 61
Introduction 61
Tools, Tools, and More Tools 62
HISA 62
Installation Check 63
Web-Server Environment 64
Required Settings for Joomla! 66
Recommended Settings 67
Joomla Tools Suite with Services 68
How's Our Health? 70
NMAP—Network Mapping Tool from insecure.org 78
Wireshark 81
Metasploit—The Penetration Testers Tool Set 83
Nessus Vulnerability Scanner 86
Why You Need Nessus 86
Summary 88
Chapter 4: Vulnerabilities 89
Introduction 89
Importance of Patching is Paramount 91
What is a Vulnerability? 92
Memory Corruption Vulnerabilities 93
SQL Injections 95
Command Injection Attacks 97
Attack Example 97
Why do Vulnerabilities Exist? 98
What Can be Done to Prevent Vulnerabilities? 99
Developers 99
Poor Testing and Planning 99
Forbidden 101
Improper Variable Sanitization and Dangerous Inputs 102
Not Testing in a Broad Enough Environment 102
Testing for Various Versions of SQL 103
Interactions with Other Third-Party Extensions 103
End Users 103
Social Engineering 103
Poor Patching and Updating 105
Summary 105
Chapter 5: Anatomy of Attacks 107
Introduction 108
SQL Injections 108
Testing for SQL Injections 112
A Few Methods to Prevent SQL Injections 113
And According to PHP.NET 114
Remote File Includes 114
The Most Basic Attempt 116
What Can We Do to Stop This? 117
Preventing RFI Attacks 121
Summary 122
Chapter 6: How the Bad Guys Do It 123
Laws on the Books 123
Acquiring Target 125
Sizing up the Target 126
Vulnerability Tools 129
Nessus 129
Nikto: An Open-Source Vulnerability Scanner 130
Acunetix 130
NMAP 131
Wireshark 132
Ping Sweep 132
Firewalk 132
Angry IP Scanner 133
Digital Graffiti versus Real Attacks 135
Finding Targets to Attack 143
What Do I Do Then? 144
Countermeasures 144
But What If My Host Won't Cooperate? 145
What If My Website Is Broken into and Defaced? 145
What If a Rootkit Has Been Placed on My Server? 146
Closing Words 147
Summary 148
Chapter 7: php.ini and .htaccess 149
.htaccess 149
Bandwidth Preservation 151
Disable the Server Signature 151
Prevent Access to .htaccess 151
Prevent Access to Any File 151
Prevent Access to Multiple File Types 152
Prevent Unauthorized Directory Browsing 152
Disguise Script Extensions 153
Limit Access to the Local Area Network (LAN) 153
Secure Directories by IP and/or Domain 153
Deny or Allow Domain Access for IP Range 154
Stop Hotlinking, Serve Alternate Content 154
Block Robots, Site Rippers, Offline Browsers, and Other Evils 155
More Stupid Blocking Tricks 156
Password-Protect Files, Directories, and More 157
Protecting Your Development Site until it's Ready 159
Activating SSL via .htaccess 160
Automatically CHMOD Various File Types 160
Limit File Size to Protect Against Denial-of-Service Attacks 161
Deploy Custom Error Pages 161
Provide a Universal Error Document 162
Prevent Access During Specified Time Periods 162
Redirect String Variations to a Specific Address 162
Disable magic_quotes_gpc for PHP-Enabled Servers 163
php.ini 164
But What is the php.ini File? 164
How php.ini is Read 164
Summary 166
Chapter 8: Log Files 167
What are Log Files, Exactly? 168
Learning to Read the Log 170
What about this? 171
Status Codes for HTTP 1.1 173
Log File Analysis 175
User Agent Strings 176
Blocking the IP Range of Countries 178
Where Did They Come From? 178
Care and Feeding of Your Log Files 179
Steps to Care of Your Log Files 180
Tools to Review Your Log Files 181
BSQ-SiteStats 182
JoomlaWatch 182
AWStats 183
Summary 184
Chapter 9: SSL for Your Joomla! Site 185
What is SSL/TLS? 186
Using SSL to Establish a Secret Session 187
Establishing an SSL Session 187
Certificates of Authenticity 189
Certificate Obtainment 189
Process Steps for SSL 190
Joomla! SSL 191
Performance Considerations 192
Other Resources 193
Summary 194
Chapter 10: Incident Management 195
Creating an Incident Response Policy 196
Developing Procedures Based on Policy to Respond to Incidents 200
Handling an Incident 201
Communicating with Outside Parties Regarding Incidents 202
Selecting a Team Structure 206
Summary 206
Appendix: Security Handbook 209
Security Handbook Reference 209
General Information 210
Preparing Your Tool Kit 210
Backup Tools 211
Assistance Checklist 212
Daily Operations 213
Basic Security Checklist 213
Tools 214
Nmap 215
Telnet 216
FTP 216
Virus Scanning 217
JCheck 217
Joomla! Tools Suite 217
Tools for Firefox Users 217
Netstat 217
Wireshark 218
Nessus 218
Ports 218
Logs 220
Apache Status Codes 221
Common Log Format 223
Country Information: Top-Level Domain Codes 223
List of Critical Settings 232
.htaccess 232
php.ini 235
References to Learn More about php.ini 236
General Apache Information 236
List of Ports 237
Summary 241
Index 243


Download links are here :


For English readers :


http://ubookmark.blogspot.com/2010/02/do-you-know-joomla-also-joomla-learning.html


For Arabic readers :

http://ubookmark.blogspot.com/2010/02/blog-post_24.html
