For a website hosted on an Apache server, there is a powerful mechanism available to help – the Apache htaccess file. Use of an appropriately configured htaccess file on a server with mod_rewrite can provide a robust defence against many HTTP Request attacks. This posting examines the types of rules that can be implemented and their role in protecting your website.

So what is an .htaccess file?

An .htaccess file is a plain text file containing a list of configuration directives (rules). These rules are processed by the Apache webserver. A site can have more than one htaccess file, on more complex sites this allows for distributed configuration instructions, i.e. specific instructions may be applied at individual directory level. The htaccess file will be read on every HTTP Request submitted to the webserver, this is very helpful as changes to this file can therefore take immediate effect.

Will my hosting provider let me use an htaccess file?

If your website is hosted on an Apache server your hosting company should allow the use of htaccess files. These files provide a number of important mechanisms to support websites.

If your host does not allow the use of htaccess files, if you plan to run a Joomla website – change your hosting provider to one that does.

What types of rules can the file contain?

The common security related processing directives (rules) the file may contain include:

• Authorisation or authentication – username/password control at directory level;
• Blocking – use of allow/deny rules to block users by IP address or domain;
• Customised error responses – defining the response to a server side error, e.g. page not found (404);
• Directory listing – rules on what to do if a directory rather than a page is requested (and there is no index.html in the directory);
• URL Rewriting – evaluating and processing the submitted HTTP Request, can be used for a number of purposes including search engine optimisation (SEO), redirection of moved content, and security processing of the Request.

How can I protect my Joomla! website?

The standard Joomla! installation includes an .htaccess file. It is in the root directory of the site and following installation will be named htaccess.txt rather than .htaccess so that it is not automatically activated. Before using the file you need to check whether your host allows the use of htaccess files and has enabled the Apache mod_rewrite module. Instructions on how to perform this check can be found here. If mod_rewrite is enabled on your server then you can use the pre-configured file simply by renaming it from htaccess.txt to .htaccess.

From a site protection perspective what does this file do?

For HTTP Requests that meet the security processing directives, the htaccess file will block the requests and redirect them to your site’s homepage with a 403 (Forbidden) error. The preconfigured directives are designed to block out any script trying to:

• set a mosConfig value through the URL – mosConfig variables are global variables in Joomla! 1.0, they are not used in Joomla! 1.5 core code although a number of extensions that originated under Joomla! 1.0 still use them;
• submit base64_encode data via the URL – this technique is used by hackers to inject or conceal code which they hope to execute on your server;
• includes a tag in URL – used for example to try to inject Javascript into a page
• set a PHP GLOBALS variable via URL – attempts to set or change a Global variable – for a properly configured server, the PHP directive register_globals should be turned off, if it is not turned off, this directive prevents access to GLOBALS variables via the URL;
• modify a _REQUEST variable via URL – attempts to set or change a Request variable, these are variables associated with the HTTP Request. This directive prevents access to REQUEST variables via the URL;

Can this protection be improved on?

Yes, the Joomla! documentation website includes a page on htaccess examples. Under the heading “Other useful settings” there are a number of additional directives which may be used to enhance your site’s security. The Joomla! website does not currently explain these directives, but we have analysed them and posted an article explaining the enhanced htaccess directives.

Conclusion

If you want to significantly improve the security of your website, a properly configured .htaccess file provides a powerful mechanism to prevent many common exploits using HTTP Requests. At a minimum it is worth implementing the pre-configured version available as part of the core Joomla installation. But you should consider using an enhanced htaccess file to increase  the protection to further reduce the risks.

PR: wait… I: wait… L: wait… LD: wait… I: wait… wait… Rank: wait… Traffic: wait… Price: wait… C: wait…

What is the composition of a typical web server?

According to the latest Web Server Survey from netcraft.com, there are 111.7 million Apache servers deployed as active web hosts, representing 54% of the server market. Other providers include Microsoft (IIS) – 26%, Google – 7.4% and nginx – 5.4%. This posting examines the Apache server in its well known LAMP configuration.
LAMP is the acronym used to describe the common open source server architecture which comprises:

• Linux – the server’s operating system
• Apache – the web server component
• MySQL – a relational database
• PHP – the application layer (may also refer to Perl, Python or Ruby).

The diagram below illustrates the principal components in the architecture of a typical LAMP web server.

LAMP web server architecture

What are the functions of the principal components?

Linux

The Linux operating system provides the platform for secure and reliable operation of the web server. Access to the file system is governed by file permissions and enforced by the operating system. The operating system also provides interfaces to the networks and enforces process and user security.

Apache

When a user requests a page or content from the web server, Apache receives the HTTP Request and interprets the contents. For example, Apache will determine whether a file extension has been supplies as part of the Request. If so it will determine whether the requested resource is a static items, e.g.  a simple web page stored as an HTML file, or whether the requested item relates to an application, e.g. a PHP file. Depending on the complexity of the requested item, Apache may be required to locate and respond with a number of resources, e.g. the basic HTML file, CSS files, Javascript, images and other media like MP3 audio files of SWF video files. Apache determines where to locate the content based on the path specified in the HTTP Request and the file paths identified in the HTML content.

PHP

Increasingly users expect to be provided wuth dynamic content, which may be influenced by time, current events, the user’s location or personalisation.  With these more complex websites, static HTML pages are largely replaced by applications. One of the most popular scripting languages is PHP and there are a wide range of applications available including content management systems (CMS) like Joomla!, forums, bulletin boards, shopping carts, etc.

For a dynamic site, the Apache web server is configured to recognise when a script needs to be run, this may be through a combination of file extensions and default settings. For example, if a website’s home page is requested and the server has PHP installed, Apache will seek an index.php file in the root directory if there is no index.html file in the website root directory. It is this mechanism which is used to initialise applications like Joomla! The PHP scripts will be used to store and retrieve information and to render the HTML page layouts for transmission back to the user’s browser by the Apache web server.

MySQL

Typically a PHP website will also use a MySQL database to store content and configuration information. It is possibel to build sites where the contents are storeed in flat text files, but the use of relational databses like MySQL gives greater flexibility. The interaction between the Apache webserver and the MySQL database is handled by PHP.

Other Components

There may be a number of other components and applications hosted on the server. These may include compiled applications for delivery of specialist media or graphic content, or for rendering images and animations. A common application on Linux servers is email and this may be provided with a web mail interface via Apache and/or direct connections using POP ans SMTP protocols.

So what is the Internet?

The Internet is the global system of interconnected computer networks. These networks use the standard Internet Protocol Suite (known as TCP/IP) to allow information to be transferred between computers and networks. The diagram below illustrates the Internet in its simplest form, a networked computer connected to a host (server) using HTTP, with a domain name server (DNS) translating the web address entered by the user into an IP address.
The user communicates with the server using a browser (e.g. Firefox, Internet Explorer, Safari, etc) . Using this Internet connection the user can access a vast array of information  resources and services, particularly the inter-linked hypertext  documents which are commonly referred to as the World Wide Web (WWW), but also services such as electronic mail and streamed multi-media (films, television and audio). There is an interesting video illustrating internet connectivity here.

What do we mean by HTTP?

HTTP is the stateless request-response based communications protocol which is employed by the browser on your computer to request and receive information from a web-server. By stateless, we mean that the protocol does not maintain any contextual information about the browsers communicating with it. Hence browsers maintain session information and may use cookies to provide memory about the current status of the interaction between a user and the host system. The Internet currently uses version 1.1 of the HTTP, and more details of this can be found in RFC2616 as defined by w3.org.

So how does a user connect to a website?

In the above diagram, if the user wishes to obtain a page from the WWW, the page address may be entered into the browser address field, or a hyperlink clicked.The browser initiates the communication by sending an HTTP Request and the Website (Server) will respond with an HTTP Response. Every time the browser needs to send a request, it first establishes a TCP reliable connection with the website, then transfer the request via this connection. Similarly, when the website needs to return an HTTP Response to browser. Either of the two parties – the browser or the website can prematurely stop a data  transfer by simply terminating the TCP connection.

What are the HTTP Requests and HTTP Responses?

An HTTP Request has three main components, they are:

• HTTP Request Method, URI, and Protocol Version
• HTTP Request Headers
• HTTP Request Body

An HTTP Response also has three main components, which are:

• Protocol/Version, Status Code, and its Description
• HTTP Response Headers
• HTTP Response Body

We will look at a simple HTTP Request and Response interaction in a future post.

An HTTP Request has been sent, what happens next?

In our next post we will look at the composition of a typical web-server used to host a Joomla! website, and examine the components used to receive, interpret and respond to the Request.

Starting tomorrow we will be publishing a series of articles with the aim of explaining the issues associated with operating a Joomla! website and the rationale for the published advice.

Creating Passwords for a User Account

To create a strong, and therefore more secure password there are a number of simple steps your can follow:

1. Avoid personal information.
   You should never use personal information as a part of your password. This is particularly improtant if your profile on Facebook or other social networking sites contains such personal information. It is easy to guess names and other similar details, particularly if your social networking profile, provides some useful hints as where to start.
2. Avoid real words.
   There are a wide range of ‘dictionary’ based tools available to help attackers guess your password. Brute force attacks using a dictionary ae easy to manage given the computing power available today in the average desktop computer. You should not assume that the use of words from foreign languages is any more secure
3. Try to mix different character types. Passwords are normally case-sensitive, so at a minimum use a mixture of upper and lower case letters. However you can make your password much more secure by mixing different types of characters, i.e. a combination of upper-case and lower-case letters, numbers and even special characters such as ‘&’ or ‘%’.
4. Using a pass-phrase. An alternative to trying to remember a password created using various character types, which is also not a word from the dictionary, is to use a pass-phrase. The pass-phrase is developed by thinking up a sentence, or a line from a song or poem that you like. You can then create the password using the first letter from each word.

Creating Passwords for an Administrator Account

For administrator accounts you should endeavour to use strong passwords, containing a random mix of characters (letters numbers and punctuation). If your website is hosted on an account with cPanel, there are tools on the control panel which can be used to generate strong random passwords. Alternatively you can search for one of the free tools on the Internet or use the strong password generator here. You will need to keep a secure record of such passwords – but try not to store them in an easily compromised location or to make it obvious which account(s) they belong to.

Keeping your Password Secure

Once you have created your secure password you need to protect it. So for a start avoid caching it on publicly accessible or shared computers. Secondly be careful about entering it over insecure public networks. There is an excellent guest post by Herman Peeren on Brian Teeman’s blog about protecting your Joomla! password when accessing the site via a public wi-fi network.

We know about it, it is due to old version of Joomla it is not our component problem, we plane to set up latest Joomla CMS, ok, we have fixed this problem, what you think about our component?

So what would you think about using a component from a business which knows its website has been hacked, fails to respond quickly to the hack, and then assumes that simply installing the latest version of Joomla! is the answer to the problem? Compare the above response to the thorough investigation documented here by another business site. The impressive and professional response by the second company comprised:

The security of our customers websites matters to us. Had the hacked site responded in a similar way to the professional response described above, we might have continued to evaluate their component. Instead their code remains untested, the downloaded zip file has been deleted from our system and we are evaluating alternative solutions to the customer’s requirements.

What is the Permissions Issue?

Inexperienced Joomla users will sometimes install the product and set permissions to 777 (r/w/x) for everyone. This is a serious mistake! Unfortunately improperly configured servers, and the design of some extensions are often the culprits. By giving everyone the ability to read, write and execute files on the server, the user is exposing their account to the threat of serious hacking and abuse.

The Security Checklist referred to above advises that if your host that makes you setup your site this way – change host, and avoid extensions that will only run with the permissions set to 777. The advice is to always set folders to 755 and Files to 644.

How do I check and set the Permissions?

You can either do it through your website’s control panel (e.g. cPanel), assuming that you have access to it. Or you can use a tool to check and set the permissions. There is a free tool which can be downloaded from here which can be used to check and set the permissions for a Joomla! website.

The screen-shot below is from a live website run by a commercial organisation selling Joomla! extensions and PHP scripts. The site has been anonymised and the site owner informed about the problem.

Example of a hacked Joomla! website

In this example the hacker has tried to add some page content to the site, by pasting some malicious HTML into the website. The hacker has not understood  how Joomla! works, so in this example the website is displaying the raw HTML rather than the payload that was intended for the hacked website.

The fact that the website has been hacked is a serious issue for the site owners:

• What if the hacker has left behind malicious scripts (e.g. back-doors or Trojans)?
• Could any of the commercial products on the site have been tampered with?
• Has the website’s database been compromised and if so are the site’s customers now going to receive a stream of SPAM emails?
• What damage has the attack done to the reputation and operation of the business?
• How long will it take to clean up and restore the site to a safe, unhacked state?

Finally a significant issue which needs to be addressed as a priority – how was the Joomla! website’s security breached and what steps can be taken to prevent it happening again?

In our posts to date we have examined some simple steps you can take to improve the security of your website. In future posts we will examine further steps you can take, both to improve security and to enable fast restoration of a website if it has been compromised.

All Joomla! sites have their administrator interface at http://my-site-url/administrator/index.php. Because this known, predefined URL exists on your website, the administrator interface is a potential target for attacks. Although you can not change the URL there are some steps you can take to protect it.

Joomla! has a wide range of extensions listed in the Joomla! Extensions Directory. A useful free extension which allows you to limit access to your administrator interface is “Ban IP Address/Range for 1.5″, a plugin written by Sam Moffatt. Providing you access your administrator interface only from a fixed IP address (or a range of fixed IP addresses), this plugin allows you to limit access to the interface to a defined set of IP addresses. If you access your site’s administrator interface from a dynamic IP address (i.e. your ISP randomly assigns an IP address for each session) or you do not want to limit the IP addresses from which you can update your website, you would need to consider alternative extensions.

A second method you can use, is to apply a password to the administrator directory of your website. If you log into to the hosting control panel (e.g. cPanel) for your website, there should be an option our utility which allows you to password protect individual directories. You can use this to set username(s) and password(s) for access to the /administrator directory of your Joomla! installation.

In addition to these methods it is worth ensuring that with the exception of your website’s root directory, all other browser accessible directories contain a ‘blank’ index.html file. The contents of this file can be as simple as: ‘<html><body bgcolor=”#FFFFFF”></body></html>’. The core Joomla! software should have these files in place already, and extension builders should include them in their install files. However we have produced a simple free tool which can be used to check and where necessary add an index.html file to any directory where it is missing. You can find more information here on the tool, which also set file and directory permissions.

Changing the default Joomla! database prefix

The default Joomla installation sets a database prefix of “jos_” for all the tables created by Joomla. If you examine Joomla related exploits on millw0rm or many of the other security sites you will see that many of the exploits rely on your Joomla database tables being called jos_XXXXXX. By simply setting your own prefix you are protected from these exploits.
So how do you set your own table prefix? Well at Step 4 of the Joomla 1.5 installation you are actually offered the option, unfortunately it is hidden in an advanced options section of the page. For more information on setting the prefix and how to change it on a live Joomla site see the article here. The article describes how to change your Joomla database prefix during installation, how to make it manually post-installation and how to make it using a simple PHP script which is available for download.

Changing your Joomla! administrator ID

Every Joomla! website is created by with a default Super Administrator user, which has the username “admin” and user ID “62″. This is a weakness which can be exploited during SQL injection attacks. Unfortunately during installation of Joomla there is no option to allow you to set an alternative ID or username. To overcome this you could create and then remove new Super Administrator accounts until you have reached a random ID of your choice. This is quite a tedious process if you don’t simply want to end up with the ID as 63 or 64. An article here describes how to make the change either manually using your database manager (e.g. phpMyAdmin) or using a simple PHP script which is available for download.

Completed both these steps?

If so you are making progress toward a more secure Joomla site. In our next post we will address some further steps you can take to secure your website.