Chapter 3 [ 67 ] Recommended Settings The items in this particular screen should be called "required" rather than recommended. The Recommended Settings shown here are important. The wrong setting of Magic Quotes, Safe Mode, and Register Globals was responsible for many problems in Joomla! sites in the past. Setting them incorrectly could allow an attacker to take advantage of the site and exploit it. Interestingly, here the tool lists the Register Globals as Recommended rather than required. Despite your personal stance on writing a secure code, you should always set this to off in your Joomla! site. It's like gravity: "not just a good idea, but a law." The HISA tool is of great value and should be a part of every Joomla! installation. Running this beforehand will help to make sure that you have set up the site properly. An important note: It is advised to remove this tool as soon as you have the needed information. Since it provides a huge amount of information, it could be used to research your site for an attack. The talented folks at justjoomla.com.au have produced a more advanced suite of the tools, consisting of a component, and a module set. An addition to this powerful combination is: Post-Joomla! Installation Server Environment Audit: This provides you a bevy of information about your site post-installation. It keeps your site functional and running at a peak performance, with a good tool box. This material is copyright and is licensed for the sole use by Thomas Rosenblum on 4th December 2008 1010 SW High Ave., , Topeka, , 66604 Tools [ 68 ] In addition to performance, should something go awry with your site, the trouble-shooting and problem resolution power that the component provides to you are beyond comparison. You can obtain diagnostic and conguration information to speed up the process of problem resolution. This information is wider and deeper than that of the HISA tool. This tool has plans (via placeholders) to offer more functionality in the future, such as database optimization tools and more. Even today, it offers a great deal of information and helps by providing you with a good method to improve your security. Additionally, it can also provide you a template for some critical information needed for disaster recovery. Joomla Tools Suite with Services This is the whole enchilada (to use a very American term): It gives us the dashboard, the errors, and a full directory of information, including open ports, services running, etc. This material is copyright and is licensed for the sole use by Thomas Rosenblum on 4th December 2008 1010 SW High Ave., , Topeka, , 66604 Chapter 3 [ 69 ] In the following gure, our server has several services disabled from the host. POP3, HTTPS, SMTP amongst others. This, interestingly enough, shows we're not running MySQL on our box, but rather another machine in the network. Another piece of critical information is regarding the "ports" that are open on our particular system. This is the knowledge you need because an open port is like an unlocked door. Servers are "port-scanned"—the process of looking for open ports—on such a regular basis that it's ignored by the perimeter defences in many cases. However, port-scanning is an important and powerful tool in the pre-attack scenario by hackers. All is good! No unexpected ports. Keeping an eye on this particular metric is a very good idea. This material is copyright and is licensed for the sole use by Thomas Rosenblum on 4th December 2008 1010 SW High Ave., , Topeka, , 66604 Tools [ 70 ] The other submenus provide a great deal of detailed information, such as permission on various les, giving you a visual indicator of Success, Warning, Critical, and so on. This should be reviewed anytime you make a change to your site. Later in this chapter, we'll review a proactive tool, JCheck, which gives you a warning based on any change it nds. Returning to our rst screen, we learn a great deal about our site. How's Our Health? Great! After following some of the advice from the tool, we see that this screenshot shows us having 100% health. That means we have all the required and recommended settings set up properly. The JTSuite indicates that we have done everything right and we can go in our current conguration. We can continue looking at our settings, but the 100% assessment rating should give you condence that you have set up everything correctly. This material is copyright and is licensed for the sole use by Thomas Rosenblum on 4th December 2008 1010 SW High Ave., , Topeka, , 66604 Chapter 3 [ 71 ] However, what if something were to change? Say Register Globals is turned on? Logging into the tool, we can see at a glance that our site is in need of some care. If you were at 100% and all the sudden you dropped to 77% and the cause was register_globals being enabled, then you know that someone or something has tampered with your site. This is the information provided at a dashboard view about PHP: This material is copyright and is licensed for the sole use by Thomas Rosenblum on 4th December 2008 1010 SW High Ave., , Topeka, , 66604 Tools [ 72 ] The dashboard tells me in brief about my PHP environment, including one interesting statistic. You may note the Zend information in this screenshot. If you are running an encrypted component that uses Zend for encryption, you will need to know what the host supports. In our case, we are running a shared-hosting account with GoDaddy.com. We needed the latest level of Zend encryption, which according to the Joomla! forums cannot be done. However, we were able to upgrade it. We can review our Zend information as being reported via the PHP tab on our main dashboard: Click COMPONENTS | JOOMLA TOOLS SUITE | JOOMLA TOOL SUITES WITH SERVICES. Click the PHP tab on the left, scroll down, and note the Zend information. We have a PHP environment, and it's important to know what key settings are in place. This material is copyright and is licensed for the sole use by Thomas Rosenblum on 4th December 2008 1010 SW High Ave., , Topeka, , 66604 Chapter 3 [ 73 ] In this case, we can see that the Register Globals, Magic Quotes, Safe mode, and more are in the preferred state. However, if we were to change something like Register Globals, the screen would change to the following screen: The need for proper permissions on les is absolutely vital, and yet is often overlooked. Sometimes the users cast blame on the application, the host, or the phase of the moon. The Tool Suite gives us a great view of all permissions. Here is a partial view of that screen: In addition, the good folks at justjoomla.com.au have provided us with a wonderful module that can give our end users the condence that the site is set up for optimal security. The Joomla! assurance module displays a logo that changes according to the health of your site. Let's say your health is around ninety percent. You will see this displayed on the front of your site: This material is copyright and is licensed for the sole use by Thomas Rosenblum on 4th December 2008 1010 SW High Ave., , Topeka, , 66604 Tools [ 74 ] However, if your health is below ninety percent, you get a different visual clue as shown in the following screenshot: The importance of security of sites and personal information is increasing almost hourly, as the attacks are more organized and directed. Just reading about a large retailer's incident, in which its site was penetrated, resulting in the loss of several million credit card numbers, is bad enough. Sites are being scrutinized at the highest levels. It is important to give yourself and your end users the assurance that you are doing everything you can to have a secure site. This tool is HIGHLY recommended to help you in that effort. You can obtain the full suite of tools from www.justjoomla.com.au. It provides an impressive array of services for your Joomla! site. One of the most interesting ones is a managed service. They will take care of your site, allowing you to focus on delivery of content, goods, and services. Take some time to review their offerings, which are good. Mr. Adam von Dongen, of http://www.joomla-addons.org, is the author of the GNU/GPL tool Joomla! Diagnostics. This tool provides a post copy/installation test of your Joomla! site, giving a detailed report on les that are missing, corrupted, or that have errors and omissions. Running this against a site, we discover that there is a potential problem with the installation. We see a WARNING showing that the le is corrupted or altered. In the rst example, we see globals.php has been corrupted or altered. The tool is comparing a hash against that of the original. In this case, the original le had this line in it: define( 'RG_EMULATION', 1 ); This material is copyright and is licensed for the sole use by Thomas Rosenblum on 4th December 2008 1010 SW High Ave., , Topeka, , 66604 Chapter 3 [ 75 ] We know this is wrong, so change it to: define( 'RG_EMULATION', 0 ); This would result in the tool kicking out the warning, but in this case it's OK. In the most current versions, this modication is no longer required, as there is a setting in the Global Conguration of Joomla! The one that should catch our attention is the Security warning in the last line in the previous gure. It says File does not contain a _VALID_MOS. Read more. Clicking the Read more takes us to Joomla-addons.org, explaining that the le in question is missing the ever-so-critical code to prevent terrible things. Every included le in Joomla should contain the following line of code: defined ( '_VALID_MOS' ) or die( 'Restricted access' ); Having this list handy enables us to address extensions that put us at risk. Recently, I moved a site from test/dev to production. It demonstrated an odd error: When editing the content from the front, the content would lock and stay locked. Even after clicking the CHECK IN button, it would not release the code. It turns out that during the transfer, a couple of les did not make it across. Though seemingly small, it had a huge effect. Once again, Joomla! Diagnostics comes to the rescue. Running this tool against the transferred site will yield the missing les, enabling the developer to quickly replace them. In this case, the innocuous htaccess.txt le is missing. Again, we know this is OK, because the security step of renaming it to .htaccess was done during development. However, if it were a real threat, we would know it by reviewing this. Adam von Dongen, of http://www.joomla-addons.org, has done a terric job with this GNU/GPL tool, in addition to hosting offerings, Bandhosting.nl is a must-bookmark site. This material is copyright and is licensed for the sole use by Thomas Rosenblum on 4th December 2008 1010 SW High Ave., , Topeka, , 66604 Tools [ 76 ] The third tool we should make a part of our security arsenal is JCheck from http://www.ravenswoodit.co.uk. It is a must-have commercial extension for the security of your site. The extension comes with excellent technical support, is easy to install, and costs as much as a designer cup of coffee. Ask yourself what is the security of your site worth? The following information gleaned from the previously mentioned site speaks volumes about JCheck: For those who remember last year's "summer of hacking" when a lot of Joomla! and Mambo websites were attacked, JCheck will bring a peace of mind because if the worst happens, you will be alerted right away, hopefully even before your customers notice anything. JCheck is a multiplatform security tool, which allows automated le integrity checking or host-based intrusion detection on Joomla!, Mambo, or any other system that supports PHP. It creates an encoded database, which is used to verify the integrity of les on your website. Any change to the les will be agged for attention by the administrator. This enables easy detection of hacking attempts, and allows prompt action to prevent further damage. JCheck can be congured in many ways to eliminate false positives, and minimize the effort required by the site owners. Alerts can be sent by email or logged to a log le to be monitored by other tools. JCheck can be congured to run at periods specied by the administrator. It can be used as a stand-alone application running through cron for the most effective protection, security, and exibility. It can also be installed and used as a Joomla! or Mambo module, where the module acts as a bridge to the JCheck application. JCheck provides a proactive system to alert us to changes. When it is rst run and installed, it examines in detail the les on your site. Webmasters can exclude the portions of the site that may be subject to frequent changes, to avoid "false-positives". This material is copyright and is licensed for the sole use by Thomas Rosenblum on 4th December 2008 1010 SW High Ave., , Topeka, , 66604 . set this to off in your Joomla! site. It's like gravity: "not just a good idea, but a law." The HISA tool is of great value and should be a part of every Joomla! installation. Running. Adam von Dongen, of http://www .joomla- addons.org, is the author of the GNU/GPL tool Joomla! Diagnostics. This tool provides a post copy/installation test of your Joomla! site, giving a detailed. talented folks at justjoomla.com.au have produced a more advanced suite of the tools, consisting of a component, and a module set. An addition to this powerful combination is: Post -Joomla! Installation