
Chapter 1: Let's Get Started - Koenig Solutions · 2015-04-28 · Chapter 1: Let's Get Started Chapter 2: Test and Development ... · SQL Injections · Command Injection Attacks



Chapter 1: Let's Get Started

Chapter 2: Test and Development

· Introduction

· Common Terminology

· Hosting—Selection and Unique Needs

· What Is a Host?

· Choosing a Host

· Questions to Ask a Prospective Host

· Facilities

· Things to Ask Your Host about Facility Security

· Environmental Questions about the Facility

· Site Monitoring and Protection

· Patching and Security

· Shared Hosting

· Dedicated Hosting

· Architecting for a Successful Site

· What Is the Purpose of Your Site?

· Eleven Steps to Successful Site Architecture

· Downloading Joomla!

· Settings

· .htaccess

· Permissions

· User Management

· Common Trip Ups

· Failure to Check Vulnerability List First

· Register Globals, Again

· Permissions

· Poor Documentation

· Got Backups?

· Setting Up Security Metrics

· Welcome to the Laboratory!

· Test and Development Environment

· What Does This Have to Do with Security?

· The Evil Hamster Wheel of Upgrades

· Determine the Need for Upgrade

· Developing Your Test Plan

· Essential Parameters for a Successful Test

· Using Your Test and Development Site for Disaster Planning

· Updating Your Disaster Recovery Documentation

· Make DR Testing a Part of Your Upgrade/Rollout Cycle


· Crafting Good Documentation

· Using a Software Development Management System

· Tour of Lighthouse from Artifact Software

· Reporting

· Using the Ravenswood Joomla! Server

· Roll-out

Chapter 3: Tools

Chapter 4: Vulnerabilities

· Introduction

· Tools, Tools, and More Tools

· HISA

· Installation Check

· Web-Server Environment

· Required Settings for Joomla!

· Recommended Settings

· Joomla Tools Suite with Services

· How's Our Health?

· NMAP—Network Mapping Tool from insecure.org

· Wireshark

· Metasploit—The Penetration Testers Tool Set

· Nessus Vulnerability Scanner

· Why You Need Nessus

· Introduction

· Importance of Patching is Paramount

· What is a Vulnerability?

· Memory Corruption Vulnerabilities

· SQL Injections

· Command Injection Attacks

· Attack Example

· Why do Vulnerabilities Exist?

· What Can be Done to Prevent Vulnerabilities?

· Developers

· Poor Testing and Planning

· Forbidden

· Improper Variable Sanitization and Dangerous Inputs

· Not Testing in a Broad Enough Environment

· Testing for Various Versions of SQL

· Interactions with Other Third-Party Extensions

· End Users

· Social Engineering

· Poor Patching and Updating

Chapter 5: Anatomy of Attacks

· Introduction


· SQL Injections

· Disguise Script Extensions

· Limit Access to the Local Area Network (LAN)

· Secure Directories by IP and/or Domain

· Testing for SQL Injections

· A Few Methods to Prevent SQL Injections

· And According to PHP.NET

· Remote File Includes

· The Most Basic Attempt

· What Can We Do to Stop This?

· Preventing RFI Attacks

· Laws on the Books

· Acquiring Target

· Sizing up the Target

· Vulnerability Tools

· Nessus

· Nikto: An Open-Source Vulnerability Scanner

· Acunetix

· NMAP

· Wireshark

· Ping Sweep

· Firewalk

· Angry IP Scanner

· Digital Graffiti versus Real Attacks

· Finding Targets to Attack

· What Do I Do Then?

· Countermeasures

· But What If My Host Won't Cooperate?

· What If My Website Is Broken into and Defaced?

· What If a Rootkit Has Been Placed on My Server?

· Closing Words

· .htaccess

· Bandwidth Preservation

· Disable the Server Signature

· Prevent Access to .htaccess

· Prevent Access to Any File

· Prevent Access to Multiple File Types

· Prevent Unauthorized Directory Browsing

Chapter 6: How the Bad Guys Do It

Chapter 7: php.ini and .htaccess


· Deny or Allow Domain Access for IP Range

· Certificates of Authenticity

· Certificate Obtainment

· Process Steps for SSL

· Joomla! SSL

· Stop Hotlinking, Serve Alternate Content

· Block Robots, Site Rippers, Offline Browsers, and Other Evils

· More Stupid Blocking Tricks

· Password-Protect Files, Directories, and More

· Protecting Your Development Site until it's Ready

· Activating SSL via .htaccess

· Automatically CHMOD Various File Types

· Limit File Size to Protect Against Denial-of-Service Attacks

· Deploy Custom Error Pages

· Provide a Universal Error Document

· Prevent Access During Specified Time Periods

· Redirect String Variations to a Specific Address

· Disable magic_quotes_gpc for PHP-Enabled Servers

· php.ini

· But What is the php.ini File?

· How php.ini is Read

· What are Log Files, Exactly?

· Learning to Read the Log

· What about this?

· Status Codes for HTTP 1.1

· Log File Analysis

· User Agent Strings

· Blocking the IP Range of Countries

· Where Did They Come From?

· Care and Feeding of Your Log Files

· Steps to Care of Your Log Files

· Tools to Review Your Log Files

· BSQ-SiteStats

· JoomlaWatch

· AWStats

· What is SSL/TLS?

· Using SSL to Establish a Secret Session

· Establishing an SSL Session

Chapter 8: Log Files

Chapter 9: SSL for Your Joomla! Site


· Performance Considerations

· Other Resources

Chapter 10: Incident Management

Appendix: Security Handbook

· Creating an Incident Response Policy

· Developing Procedures Based on Policy to Respond to Incidents

· Handling an Incident

· Communicating with Outside Parties Regarding Incidents

· Selecting a Team Structure

· Security Handbook Reference

· General Information

· Preparing Your Tool Kit

· Backup Tools

· Assistance Checklist

· Daily Operations

· Basic Security Checklist

· Tools

· Nmap

· Telnet

· FTP

· Virus Scanning

· Jcheck

· Joomla! Tools Suite

· Tools for Firefox Users

· Netstat

· Wireshark

· Nessus

· Ports

· Logs

· Apache Status Codes

· Common Log Format

· Country Information: Top-Level Domain Codes

· List of Critical Settings

· .htaccess

· php.ini

· References to Learn More about php.ini

· General Apache Information

· List of Ports