Joomla Lockdown Script for Apache

One of the main problems with Joomla is that if you use an old version or a bad component, you open your server up to being hacked. I’ve had to fix this problem time and time again. It’s not fun, it’s an epic waste of time and it makes me want to kill the hacker almost as much as the client usually wants to kill me.

Administering multiple servers is part of my day-to-day life and I needed a script to lock down all Joomla installs reliably without messing with non-Joomla sites. Furthermore, I needed a script that would iterate through my entire /home directory and recursively set all the permissions for all of my Joomla sites. At work, we had a security expert come in and brief us about some aspects of our current practices that needed to be improved. Based on his feedback I took the liberty of writing my Joomla lockdown script for Apache.

If you are a server admin and want to lock down bulk Joomla sites in one go, this script might save you some typing. I haven’t tested the script since I made some changes but I’m sure you can do that. DO NOT CUT AND PASTE THIS SCRIPT AND RUN IT BLINDLY! I offer no warranty and if you screw your server up because you ran this without understanding what it does, please don’t come crying to me unless you’re willing to pay by the hour – I’m busy enough already :P


#!/bin/bash
# Joomla lockdown script for Apache: reset ownership and permissions on every
# Joomla install found under $dir, then make the upload directories writable
# with the sticky bit set and block PHP execution inside them.

# Set the home directory (one hosting account per subdirectory)
dir=/home

# Make an upload directory world-writable with the sticky bit (1777), drop in a
# .htaccess that stops Apache from executing PHP files in it, and hand the
# .htaccess to root so the web server user cannot modify or delete it.
protect_upload_dir() {
    local target="$1"

    chmod 1777 "$target"

    echo "Creating .htaccess file..."
    # Block only *.php; a bare "Deny from all" would stop Apache serving the
    # images themselves
    cat > "$target/.htaccess" <<'EOF'
<FilesMatch "\.php$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
EOF
    # Change the owner of the .htaccess file so that, together with the sticky
    # bit on the directory, it can't be modified or removed by Apache
    chown root:root "$target/.htaccess"
    chmod 644 "$target/.htaccess"
    echo "File created."
}

# Iterate through the home directory (globbing instead of parsing ls output)
for path in "$dir"/*; do
    [ -d "$path" ] || continue
    i=$(basename "$path")
    site="$dir/$i/public_html"

    # Only touch accounts where public_html/components exists, i.e. Joomla sites
    if [ -d "$site/components" ]; then

        # Rewrite all ownership to the user account
        chown -R "$i:$i" "$site"

        echo "--- Setting Generic Permissions ---"
        # Indiscriminately rewrite all permissions: 755 for directories, 644 for files
        find "$site" -type d -exec chmod 755 {} \;
        find "$site" -type f -exec chmod 644 {} \;
        echo "--- Generic Permissions Completed ---"

        echo "--- Setting Images Permissions ---"
        # Subdirectories get plain 777 first; the images directory itself is set
        # to 1777 afterwards so the sticky bit is not overwritten by this find
        find "$site/images" -mindepth 1 -type d -exec chmod 777 {} \;
        protect_upload_dir "$site/images"
        echo "--- Image Permissions Completed ---"

        # Check for DocMan; if it exists give its documents folder write permissions
        if [ -d "$site/dmdocuments" ]; then
            echo "--- Setting DocMan Permissions ---"
            protect_upload_dir "$site/dmdocuments"
            echo "--- DocMan Permissions Completed ---"
        fi

        # Check for Mosets Tree; if it exists give its images folder write permissions
        if [ -d "$site/components/com_mtree/img" ]; then
            echo "--- Setting Mosets Tree Permissions ---"
            find "$site/components/com_mtree/img" -mindepth 1 -type d -exec chmod 777 {} \;
            protect_upload_dir "$site/components/com_mtree/img"
            echo "--- Mosets Tree Permissions Completed ---"
        fi
    fi
done

Posted in Uncategorized

Customer Uno

Today was an exciting day, I launched my first hosting customer. I’ve spent a lot of time over the last 12 months working on my server configurations. Ironically, very little has changed from the original script Hone Watson gave me. I’ve updated all the tools to the latest versions, made the original script much more modular and made post-installation configuration scripts as well.

About 90% of the process is completely automated now. I’ve built firewalls, I’ve created numerous crons, I’ve even written automated lockdown scripts for Joomla that detect numerous components and configure ownership and permissions in a best-practice manner.

Here’s to the future, may it bring many more clients.

Posted in Web Hosting

Switching on Artio Plugin causes 500 – Unable to load renderer class error in Joomla

I’ve been developing a new hosting environment that uses Nginx and I came across an issue with Artio JoomSEF. Whenever I switched on the plugin the site would die and display:

500 – Unable to load renderer class

This ended up being a problem with Artio itself. Version 3.5.3 of Artio JoomSEF doesn’t work properly. Upgrading Artio solved this issue. Hopefully this will save other people from spending a lot of time trying to find issues in their code or configs.

Posted in Artio JoomSEF, Joomla

Running with MySQL 5.5

I’ve got the latest version of MySQL installed and running. I’ve spent quite a few hours setting up and configuring my servers. I’ve custom written my firewall scripts and finely tuned them (to the best of my ability) for my setup. They seem to be working well so far so only time will tell.

I plan to bring the frontend servers online this weekend to install, configure and test. I’ll be doing lots of load tests and DDoS’ing my own boxes to see if they can sustain heavy amounts of traffic from around the globe. Will be interesting to see.

I only have one major hurdle on the hardware side of things and that will be enabling the app to scale and fire up additional hardware as needed to service requests. I’ll talk more about this on the weekend.

Posted in Uncategorized

Building infrastructure for isRaiding

I’ve started work building isRaiding finally. I’ve implemented a small farm of VPSes (Virtual Private Servers) to prove the technology I’m working with and to make sure that things will scale outward correctly.

I’m still testing database performance for MySQL and PostgreSQL. I’ve always used MySQL but with Oracle owning MySQL I’m less inclined to use it as Oracle tries to monetize it in every way possible.

I’ve decided to run with DooPHP as my underlying framework for PHP. I’m going to be replacing some of it but for the most part it’ll be DooPHP under the hood. Nginx (pronounced Engine X) will be the web server driving the site. I’m also using PHP 5.3.x to take advantage of PHP-FPM built into it.

Memcached and APC also feature in the application stack for caching purposes.

I’d love to use MongoDB but it just isn’t a reality when using a VPS with low memory.

The migration of all my sites to my new hosting should run smoothly. Time to make some money! :)

Posted in Uncategorized

Upcoming Outages

Hi Everyone, there is going to be some downtime coming up for my sites. I’m upgrading my hosting platform getting ready for isRaiding. I need to rebuild my database servers and my web servers so my blog might be a bit patchy for the next bit.

I’m working on a security project at the moment at Salsa and will be applying a lot of what I’ve learnt to my new hosting configuration. There were lots of security aspects I’d never even considered in previous incarnations of this hosting platform. My focus had been almost entirely on speed and not so much on locking down the underlying platforms as much as possible.

If anyone has any experience with SELinux and even more so if they have it successfully running in a Linode or Rackspace Cloud environment I’d love to hear from you. I spent 2 days trying to get it working and unfortunately walked away from it as I ran out of time for that part of my research.

Posted in Uncategorized

New Year, New Plans!

2011 is upon us already and this year is shaping up to be an awesome year! I hope everyone has made their New Year’s resolutions and is actively working towards them. I’ve made 3 major ones and so far 2 of them are day-to-day things; I won’t know if I’ve hit my 3rd goal until the end of the year.

IsRaiding is top of my agenda now. I’ve spent a lot of time over the last 18 months thinking about how to build it, testing hardware configurations, playing with various frameworks, etc. This year is the year! I’m going to be writing the app in a completely custom framework that is loosely based off DooPHP and developed by Hone Watson.

I find it amusing that the Curse Client was basically the idea I was working on but I was obviously too slow to market so I canned the project. Lee Banks and myself spent quite a few hours working on a prototype only to shelve the idea once I learnt about the Curse Client.

They won’t be so lucky this time!

Posted in Uncategorized

Protecting 777 directories with .htaccess

Just like my file permissions, there is one .htaccess file I can’t live without. It’s super simple and will save you from major headaches!

<FilesMatch "\.php$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

That’s it! It prevents PHP files from being run inside 777 directories and all their subdirectories. I don’t particularly like Apache, as anyone that knows me knows, however I have to work with it daily so I need to know how to do things like this. You could modify that code block to also block Perl files, Python files or anything else you don’t want executed inside a 777 world-writable directory.

***IMPORTANT***
I recently discovered that this works well, except if the attacker removes the .htaccess file. The solution is to give the folder 1777 permissions and then give the .htaccess file an owner that isn’t the web server. With the sticky bit set, only a file’s owner (or the folder’s owner, or root) can delete or rename it inside that folder, so the web server can no longer remove or modify the .htaccess file.

Posted in Uncategorized

Linux Commands – File and Folder Permissions

I regularly find myself dealing with websites that have been hacked and they almost always have weak permissions. Here are the 2 commands I can’t live without:

find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;

How to remove .php files recursively from the directory you are currently in.
WARNING: If you run this in your document root you will delete your entire site. Make sure you know where you are: use pwd first to check that your path is correct!

find . -name '*.php' -type f -exec rm -f {} \;
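
The audit script below is an added example, not part of the original posts or the lockdown script above. It checks a document root for the conditions the lockdown script, the 777 .htaccess post and the permission commands aim at: every world-writable directory should be covered by a .htaccess (in it or in an ancestor inside the docroot) that denies *.php, the directory holding that .htaccess should carry the sticky bit rather than plain 777, the file should be owned by someone other than the web server user, and no PHP files should be sitting directly inside the writable directory. It assumes a Linux or BSD box (find with -maxdepth, ls/awk for the owner) and paths without whitespace; it accepts both the Apache 2.2 "Deny from all" shown above and the Apache 2.4 equivalent "Require all denied". The finding labels (NO_STICKY_BIT and so on) are my own invention.

```shell
#!/bin/sh
# Audit a Joomla document root for world-writable directories and check each one
# for the protections described above:
#   1. a .htaccess (in the directory or an ancestor inside the docroot) that denies *.php,
#   2. the sticky bit (1777, not plain 777) on the directory holding that .htaccess,
#   3. a .htaccess owner other than the web server user,
#   4. no PHP files sitting directly inside the writable directory.
# Assumes GNU or BSD find (-maxdepth) and paths without whitespace.
# Usage: audit_docroot /home/example/public_html apache

# True if $1 is a .htaccess that blocks PHP: a <FilesMatch ...php...> block plus a
# deny directive (Apache 2.2 "Deny from all" or Apache 2.4 "Require all denied").
htaccess_blocks_php() {
    [ -f "$1" ] || return 1
    grep -qiE '<FilesMatch[^>]*php' "$1" && grep -qiE 'deny from all|require all denied' "$1"
}

# Print the directory, at or above $1 but not above the docroot $2, whose .htaccess
# blocks PHP. Returns 1 (prints nothing) if no such directory exists.
find_protecting_dir() {
    d="$1"; root="$2"
    while :; do
        if htaccess_blocks_php "$d/.htaccess"; then echo "$d"; return 0; fi
        if [ "$d" = "$root" ] || [ "$d" = / ]; then return 1; fi
        d=$(dirname "$d")
    done
}

# Owner name of a path, read from ls so an unknown user name never makes find fail.
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# Check one world-writable directory $1 under docroot $2 against web server user $3.
# Prints one finding per line and returns the number of findings (0 = protected).
check_writable_dir() {
    d="$1"; root="$2"; webuser="$3"; n=0
    # A PHP file dropped straight into a world-writable directory is worth a look
    # even when execution is blocked, so report it first.
    for f in $(find "$d" -maxdepth 1 -type f -name '*.php'); do
        echo "PHP_FILE_IN_WRITABLE_DIR $f"; n=$((n + 1))
    done
    if p=$(find_protecting_dir "$d" "$root"); then
        # Without the sticky bit the web server user can delete the .htaccess
        # (the failure mode noted in the IMPORTANT paragraph above).
        if [ -z "$(find "$p" -maxdepth 0 -perm -1000)" ]; then
            echo "NO_STICKY_BIT $p"; n=$((n + 1))
        fi
        if [ "$(owner_of "$p/.htaccess")" = "$webuser" ]; then
            echo "HTACCESS_OWNED_BY_WEBUSER $p/.htaccess"; n=$((n + 1))
        fi
    else
        echo "NO_PHP_BLOCK $d"; n=$((n + 1))
    fi
    return $n
}

# Audit every world-writable directory under docroot $1 for web server user $2.
# Prints the findings and a "TOTAL <count>" line; succeeds only when the count is 0.
audit_docroot() {
    root="$1"; webuser="$2"; total=0
    for d in $(find "$root" -type d -perm -0002); do
        check_writable_dir "$d" "$root" "$webuser" || total=$((total + $?))
    done
    echo "TOTAL $total"
    [ "$total" -eq 0 ]
}
```

Run it as audit_docroot /home/<account>/public_html apache, substituting the user Apache runs as on your box. Nested writable directories that rely on the same ancestor .htaccess each report that file once, which is deliberate: every one of them loses its protection if that single file can be removed.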

Posted in Uncategorized

Deciding on a framework…

I’ve been ummm’ing and ahhh’ing about what framework to use for my IsRaiding site. I’ve decided to go with DooPHP. I’m having some trouble with the view rendering, ->render doesnt seem to want to work for me however ->renderc works fine.

I just realised that all my original templates that I purchased were all Wrath of the Lich King colours so I’m busy in Photoshop changing the colour schemes for Cataclysm. I’m also trying to decide on a set of fonts for my site. I’m thinking Serif headings with a sans body. Decisions, decisions…

Posted in Uncategorized