Chapter 1: Let's Get Started

Size: px

Start display at page:

Download "Chapter 1: Let's Get Started"

Mercy Flowers
6 years ago
Views:

1 Chapter 1: Let's Get Started Common Terminology Hosting Selection and Unique Needs What Is a Host? Choosing a Host Questions to Ask a Prospective Host Facilities Things to Ask Your Host about Facility Security Environmental Questions about the Facility Site Monitoring and Protection Patching and Security Shared Hosting Dedicated Hosting Architecting for a Successful Site What Is the Purpose of Your Site? Eleven Steps to Successful Site Architecture Downloading Joomla! Settings Permissions User Management Common Trip Ups Failure to Check Vulnerability List First Register Globals, Again Permissions Poor Documentation Got Backups? Setting Up Security Metrics Chapter 2: Test and Development Welcome to the Laboratory! Test and Development Environment What Does This Have to Do with Security? The Evil Hamster Wheel of Upgrades Determine the Need for Upgrade Developing Your Test Plan Essential Parameters for a Successful Test Using Your Test and Development Site for Disaster Planning Updating Your Disaster Recovery Documentation Make DR Testing a Part of Your Upgrade/Rollout Cycle

2 Crafting Good Documentation Using a Software Development Management System Tour of Lighthouse from Artifact Software Reporting Using the Ravenswood Joomla! Server Roll-out Chapter 3: Tools Tools, Tools, and More Tools HISA Installation Check Web-Server Environment Required Settings for Joomla! Recommended Settings Joomla Tools Suite with Services How's Our Health? NMAP Network Mapping Tool from insecure.org Metasploit The Penetration Testers Tool Set Nessus Vulnerability Scanner Why You Need Nessus Chapter 4: Vulnerabilities Importance of Patching is Paramount What is a Vulnerability? Memory Corruption Vulnerabilities SQL Injections Command Injection Attacks Attack Example Why do Vulnerabilities Exist? What Can be Done to Prevent Vulnerabilities? Developers Poor Testing and Planning Forbidden Improper Variable Sanitization and Dangerous Inputs Not Testing in a Broad Enough Environment Testing for Various Versions of SQL Interactions with Other Third-Party Extensions End Users Social Engineering Poor Patching and Updating Chapter 5: Anatomy of Attacks

3 SQL Injections Testing for SQL Injections A Few Methods to Prevent SQL Injections And According to PHP.NET Remote File Includes The Most Basic Attempt What Can We Do to Stop This? Preventing RFI Attacks Chapter 6: How the Bad Guys Do It Laws on the Books Acquiring Target Sizing up the Target Vulnerability Tools Nessus Nikto: An Open-Source Vulnerability Scanner Acunetix NMAP Ping Sweep Firewalk Angry IP Scanner Digital Graffiti versus Real Attacks Finding Targets to Attack What Do I Do Then? Countermeasures But What If My Host Won't Cooperate? What If My Website Is Broken into and Defaced? What If a Rootkit Has Been Placed on My Server? Closing Words Chapter 7: php.ini and.htaccess Bandwidth Preservation Disable the Server Signature Prevent Access to.htaccess Prevent Access to Any File Prevent Access to Multiple File Types Prevent Unauthorized Directory Browsing Disguise Script Extensions Limit Access to the Local Area Network (LAN) Secure Directories by IP and/or Domain

4 Deny or Allow Domain Access for IP Range Stop Hotlinking, Serve Alternate Content Block Robots, Site Rippers, Offline Browsers, and Other Evils More Stupid Blocking Tricks Password-Protect Files, Directories, and More Protecting Your Development Site until it's Ready Activating SSL via.htaccess Automatically CHMOD Various File Types Limit File Size to Protect Against Denial-of-Service Attacks Deploy Custom Error Pages Provide a Universal Error Document Prevent Access During Specified Time Periods Redirect String Variations to a Specific Address Disable magic_quotes_gpc for PHP-Enabled Servers php.ini But What is the php.ini File? How php.ini is Read Chapter 8: Log Files What are Log Files, Exactly? Learning to Read the Log What about this? Status Codes for HTTP 1.1 Log File Analysis User Agent Strings Blocking the IP Range of Countries Where Did They Come From? Care and Feeding of Your Log Files Steps to Care of Your Log Files Tools to Review Your Log Files BSQ-SiteStats JoomlaWatch AWStats Chapter 9: SSL for Your Joomla! Site What is SSL/TLS? Using SSL to Establish a Secret Session Establishing an SSL Session Certificates of Authenticity Certificate Obtainment Process Steps for SSL Joomla! SSL

5 Performance Considerations Other Resources Chapter 10: Incident Management Creating an Incident Response Policy Developing Procedures Based on Policy to Respond to Incidents Handling an Incident Communicating with Outside Parties Regarding Incidents Selecting a Team Structure Appendix: Security Handbook Security Handbook Reference General Information Preparing Your Tool Kit Backup Tools Assistance Checklist Daily Operations Basic Security Checklist Tools Nmap Telnet FTP Virus Scanning Jcheck Joomla! Tools Suite Tools for Firefox Users Netstat Nessus Ports Logs Apache Status Codes Common Log Format Country Information: Top-Level Domain Codes List of Critical Settings php. ini References to Learn More about php.ini General Apache Information List of Ports

epldt Web Builder Security March 2017

epldt Web Builder Security March 2017 TABLE OF CONTENTS Overview... 4 Application Security... 5 Security Elements... 5 User & Role Management... 5 User / Reseller Hierarchy Management... 5 User Authentication