2007年7月18日 星期三

打算開始翻譯FAQ

官網FAQ打算從Security & Performance開始,其下子分類有

 

先從start Here開始:

 

Joomla! Administrator's Security Checklist

1. Read Me First!

  1. There's no free lunch!
    Although installing Joomla! is easy, maintaining a secure Web site on the open Internet is not. Good web security is a moving target and requires continuous effort. Complex issues can't be resolved with cookie-cutter solutions. To secure your site, you must either gain experience (some of which will be bitter) or get experienced help from others. The Security forums are filled with "Help! I've been hacked" posts by people who did NOT follow standard security practices. The following checklist will point you in the right direction.

    優先閱讀!

    1.沒有免費的午餐!

    雖然安裝joomla!是容易的,但在開放性的網際網路中維護一個安全的網站就不是那麼簡單了。一個優秀的網站安全定義不斷在更新,所以需要持續不斷的努力。為確保您的網站安全,你必需增加經驗,或者是尋求有經驗者的協助。

    在安全論壇中充斥著那些不依標準安全準則管理網站,而發出"救命啊!我被入侵了"的文章。以下的檢查表將讓你檢視你的方向是否正確。


    2. Getting Started

    1. Determine if you are ready.
      Are you're willing and able to administer a dynamic, database-driven, interactive, user-authenicated web-based system? Do you have the time and resources to respond to the many existing and constantly emerging security issues on the open Internet? Here is a tragic/comic list of the most common administrator security errors. Don't learn these the hard way!
      Top 10 Stupidest Joomla! Administrator Tricks.
    2. Determine if Joomla! meets your needs.
      Developers of very large projects may want to check this forum discussion. If you're wondering about Joomla! vs. Drupal, check this forum discussion.
    3. Stay informed of security issues.
      Subscribe to Joomla Security Related Announcements. Select the "Notify" button
    4. Check the FAQs.
      The most helpful posts in the Joomla! Security Forum (as well as other sources) are converted into Security FAQs on the official Joomla! Help site.
    5. Learn from the pros.
      Hunt down the many nuggets of wisdom in the Joomla! forums. For example, read this great post by CirTap.
    3. Choose a Qualified Hosting Provider
    1. Probably no decision is more critical to your site's security than the choice of hosts. Due to the wide variety of hosting options, it's not possible to provide a complete check list for every situation.
    2. If you are on a tight budget, you can get by on a shared hosting plan, but you must understand the risks, and know how to choose a qualified provider. [Related Discussion] [FAQ].
    3. Check this unbiased list of recommended hosts.
    4. For a real eye-opener, read this report on about 11,000 sites that allowed Google to index the results of phpinfo(). Don't make this mistake on your site too!
    4. Development
    1. Use an Integrated Development Environment (IDE). [FAQ]
    2. Test all upgrades on a local development server first. [FAQ]
    3. Be sure you can roll back to an earlier version of your site using a modern version control system, such as CVS or Subversion.
    4. Check out the Joomla! community's list of popular Developer Software and Tools.
    5. Installing, Upgrading, and Configuring Joomla! Core and Apache Server
    1. Always upgrade to the latest stable Joomla! version.
    2. Download Joomla! from official sites, such as the Joomla! Forge, and check the MD5 hash. See this post for an example of what can happen if you download Joomla! from an unsafe site.
    3. Delete left over files. The installation process will require you to deleted the installation directory and all its contents. Do this! If you upload files to your site as compressed archives (xxxx.zip for example), don't forget to remove the compressed file when finished with it. In general, do not leave any files, compressed or otherwise, on a public server unless they are required for the functioning of your site.
    4. Increase the security of the all-critical configuration.php file by moving it outside of public_html. [FAQ]
    5. Change the user name of the default admin user. This simple step greatly increases the security of this critical account. [FAQ]
    6. Block typical exploit attempts with .htaccess files. [FAQ]
    7. Password protect sensitive directories, such as administrator, with .htaccess files. [FAQ]
    8. Restrict access to sensitive directories by IP Address, using .htaccess. [FAQ]
    9. Depending on your host, you may be able to increase security by switching to PHP5. [FAQ]
    10. Follow the "Least Privilege" principle for running PHP using tools such as PHPsuExec, php_suexec or suPHP.
    11. Configure Apache mod_security and mod_rewrite filters to block PHP attacks.
      Google Search Example: http://www.google.com/search?q=apache%20mod_security
      Google Search Example: http://www.google.com/search?q=apache%20mod_rewrite
    12. Be sure MySQL accounts are set with limited access. The initial install of MySQL is insecure; careful configuration is required.
      MySQL Documentation
    13. Currently, both PHP4 and PHP5 are maintained. Before PHP4 becomes obsolite, upgrade your code to PHP5. By the way, you don't worry about Joomla! Core. It's already PHP 5 compatible. PHP News
    14. Avoid the use of PHP safe_mode. [FAQ]
      Turn Joomla! Register Globals Emulation OFF by editing the file, globals.php. (Found in the root directory of your Joomla! site.) Although Joomla! emulation is safer than PHP register_globals, it's best not to allow register_globals at all. Beginning with PHP 6, this will not even be an option. Note that poorly-written extensions may fail with register_globals OFF. Best advise: Don't use such extensions! Here's the correct setting for your globals.php file:

      define( 'RG_EMULATION', 0 );

      Related Forum Discussion

    15. Ensure that all configurable paths to world writable directories (document repositories, image galleries, caches) are outside web_root. Check third party extensions, such as DOCMan and Gallery2, for editable settings. Note that there is currently no easy way to move the standard Joomla image directory.
    16. Once your site is configured and stable, write-protect directories and files by changing directory permissions to 755, and file permissions to 644. There is a feature in Site --> Global Configuration --> Server to set all folder and file permissions at once. Test third party extensions afterwards. Note: You'll need to reset write permissions to install more extensions.
      Post: Shell script for setting file and directory permissions
    17. Remove all design templates not needed by your site. Do not put security logic in template files.
      Post: Suggest Ability to turn off/on template change
    18. If you use a VPS or dedicated server, run TripWire or SAMHAIN (GNU/GPL) . They perform exhaustive file checking and reporting functionality, and can be installed in a stealthy manner to help protect themselves in the event of a serious infiltration.
    19. Hire a professional Joomla! security consultant to review your configurations.
    6. Installing, Upgrading, and Configuring Joomla! Extensions (Components, Modules, Bots, and Plugins)
    • 6.1: BEFORE installing new extensions backup your site and your site's database.
    • 6.2: BEFORE installing third party extensions, check: Official List of Vulnerable 3rd Party/Non Joomla! Extensions
    • 6.3: Only download extensions from trusted sites. The official definition of a "trusted site" is one that YOU trust.
    • 6.4: User beware! Third party extensions come in all flavors of quality and age. Although Joomla! coding standards exist, extensions listed on the official Joomla! site are not reviewed for compliance. Test all extensions on a development site before installing on a production site. [FAQ (Part 1)] [FAQ (Part 2)]
    • 6.5: Most security vulnerabilities are caused by third party extensions. In fact there's an entire forum dedicated to this subject. Subscribe to it using the Notify button.
    • 6.6: Remove unused extensions, and double check that all related folders and files were removed by the uninstall scripts. Note that many third party extensions leave files on your server, and many leave the related database tables untouched. This is either a feature or a bug, depending on your point of view.
    • 6.7: Remove or fix any Joomla! extension that require register_globals ON.
      How to fix an extension that requires register_globals ON

    7. Configuring php.ini
    • 7.1: Understand how PHP configurations are controlled by reading the well-documented default php.ini file included with every PHP install.
      Latest default php.ini file
    • 7.2: Understand how to work with the php.ini file.
    • 7.3: Study the Official List of php.ini Directives at www.php.net
    • 7.4: On shared servers you can't edit the main php.ini file, but you may be able to add a custom file. If so, you'll need to copy that file to every sub-directory that requires the custom php.ini settings. Luckily a free set of scripts do the hard work for you:
      B&T's Tips and Scripts
    • 7.5: Read the following post, by Beat, Q&T Workgroup Member, for a list of php.ini methods sorted in order of preference:
      Secure it with php.ini
    • 7.6: Set register_globals OFF. This directive determines whether or not to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables. This is an important setting to turn OFF. If you can't gain access to php.ini, see the switch to PHP5 using .htaccess techique above.
      ZEND Chapter 29. Using Register Globals
    • 7.7: Use disable_functions to disable dangerous PHP functions that are not needed by your site.
    • 7.8: Disable allow_url_fopen. This option enables the URL-aware fopen wrappers that enable accessing URL object like files. Default wrappers are provided for the access of remote files using the ftp or http protocol, some extensions like zlib may register additional wrappers. Note: This can only be set in php.ini due to security reasons.
    • 7.9: Adjust the magic_quotes_gpc directive as needed for your site. The recommended setting for Joomla! 1.0.x is ON to protect against poorly-written extensions. Joomla! 1.5 ignores this setting and works fine either way.
      PHP Manual, Chapter 31. Magic Quotes.
    • 7.10: open_basedir (should be enabled and correctly configured)
      Limit the files that can be opened by PHP to the specified directory-tree. This directive is NOT affected by whether Safe Mode is ON or OFF. The restriction specified with open_basedir is a prefix, not a directory name. This means that "open_basedir = /dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. To restrict access to only the specified directory, end with a slash.
      PHP Security and Safe Mode Configuration Directives
    • 7.11: Example php.ini directives for the above suggestions:

      Quote

      register_globals = 0
      disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
      allow_url_fopen = 0
      magic_quotes_gpc = 1
      safe_mode = 1
      open_basedir = /dir/to/include/change/me


    8. Joomla! Hardening for Maximum Security
    • 8.1: Don't use a shared server. Some experts differ here. The point is, no matter how your server is configured, make sure you and the vendors you trust are the only organizations with access. [FAQ]
    • 8.2: Use an SSL server for confidential transactions. Read this enlightening discussion on the need for SSL any time security is important. (Note that Joomla! version 1.0.11 does not allow you to assign an SSL server to individual sub-directories. Can someone tell me if 1.0.12 changes this?) [FAQ]
    • 8.3: For an additional layer of password protection, use .htaccess files in critical directories. [FAQ]

    9. Ongoing Site Administration
    • 9.1: Use Well-Formed Passwords: Change passwords regularly and keep them unique. Use a random combination of letters, numbers, or symbols and avoid using single names or words found in a dictionary. Never use the names of your relatives, pets, etc. Wizzie has supplied a script that automatically changes passwords. This is a great tool for administrators or multiple sites. Automatic Admin PW Generator
    • 9.2: Follow a Password Leveling Scheme
      Most users may not need more than three levels of passwords and webmasters no more than five. Each level must be completely unrelated to the others in terms of which usernames and passwords are used. [FAQ]
    • 9.3: Maintain a Strong Site Backup Process: Never rely on others' backups. Take responsibility for your backup procedures. Many ISPs state in their contract that you can not rely solely on their backups.
    • 9.4: Perform Automated Intrusion Detection: Use an Intrusion Prevention/Detection Systems to block/alert on malicious HTTP requests.
      Google Search Example: http://www.google.com/search?q=Intrusion+Prevention
    • 9.5: Perform Manual Intrusion Detection: Regularly check raw logs for suspicious activity. Don't rely on summaries and graphs. There is a good discussion of creative ways to automatically check log files in this topic.
    • 9.10: Stay Current with Security Patches and Upgrades Apply vendor-released security patches ASAP.
    • 9.11: Proactively Seek Web Vulnerabilities: Perform frequent web scanning.
      Google Search Example: http://www.google.com/search?q=%22web+scanning%22
    • 9.12: Proactively Seek SQL Injections Vulnerabilities: Use tools such as Paros Proxy for conducting automated SQL Injection tests against your PHP applications.
      Google Search Example: http://www.google.com/search?q=%22SQL+Injection%22
      Wikipedia: http://en.wikipedia.org/wiki/SQL_injection
    • 9.13: Use Shell Scripts to Automate Security Tasks: If you're comfortable with shell scripts (and you should be), you may want to try the following scripts supplied for free to the community by Wizzie
      Joomla! Version Checking
      Joomla! Component/Module Version Checking
      Exploit Checking
    • 9.14: Learn all you can about security software: Sadly, there's no one tool that you can install to protect your site. If there were, it would be so heavily targeted that it would probably become a liability. Related topic.
    • 9.15: If you're a developer, prepare for the approaching release of Joomla! 1.5, the most significant upgrade in Joomla!'s history.
      - Monitor 1.5 development status.
      - Start playing with the beta version.
      - Learn about Model, View, Control (MVC).
      - Develop a conversion plan for extensions you've written.
      - Develop a conversion plan for your existing sites.

    10. Site Recovery
    • 10.1: Know how to hack free when your site's been compromised. [FAQ]
    • 10.2: Know how to find exploit attempts using the *NIX shell. [FAQ]

    11. Your Turn...
    • 11.1: Please post critical security issues with the Joomla! core here.
    • 11.2: Please post any correction/additions to this document here.