
Question Security

3 years 2 months ago - 3 years 2 months ago #147 by Laurie
Security was created by Laurie
G'day there!

I'm building a file transfer site for a client. There are requirements for the files to stay on an Australian server and completely within our hosting server.

There's also a requirement for the files to be virus free.

Files will come from a couple of sub-contractors and find their way to the organization's computers and server.

There are several file security extensions out there including Admin Tools Professional.

My understanding of virus threats is limited, so I'm worried that the protection offered by these Joomla extensions relates to malware that may damage a website but not to viruses that may get into a computer or the organization's server.

Here's a typical extension blurb:
jHackGuard is designed by SiteGround to protect Joomla websites from hacking attacks. Just add it to your Joomla and it will be safe against SQL Injections, Remote URL/File Inclusions, Remote Code Executions and XSS Based Attacks!

Does this cover the range of viruses that may be hidden in files and that could infect a computer or server?

Thanks,
Laurie.
Last edit: 3 years 2 months ago by Laurie.


3 years 2 months ago - 3 years 2 months ago #148 by sozzled
Replied by sozzled on topic Security
I'll be the first to admit that I don't have any experience with running anti-virus software on file servers in cases where I have no direct control over what I allow to be uploaded. Sure, there are ways to protect websites from potential security holes (for example, in forum software such as Kunena, that have built-in counter measures to safeguard against XSS exploits or SQL injections) and from Javascript or problems with embedded content (via the <SCRIPT> <APPLET> or <EMBED> tags). These are all fairly-well safeguarded within Joomla, typically by disabling the use of these tags when people create articles, for example.

On the other hand, allowing people to upload file content (which may, or may not, be used as website content), usually by some FTP mechanism, creates a whole new series of possible headaches.

When you say that there's a "requirement for the files to be virus-free", I accept that as somewhat of a truism. That's something of an ideal but how does one ensure this will be the case? As we all know, no AV software is 100% guaranteed.

Most of us, in our day-to-day world, protect ourselves from the threat of computer viruses when we access material on our personal computers. For these purposes, we use personal computer AV software. In effect, our PC AV software is like the "first-pass" test of whether data we access may be a threat. In the business world (particularly in areas where data security is an operational imperative), business websites usually install firewalls to protect their data assets.

So, if you're asking me to guide you through the maze of data security in an area where data can be input from a variety of sources (even if the "couple of contractors" have satisfied your client that they have the relevant security clearance and agreed to operate under a tight security protocol), my advice would be to ensure that the data transfer should be conducted over a VPN, with encryption, key-logging enabled, regular backups and with firewall protection.

Are there "relatively" cheap products on the market that will do this? Hmm, that's an interesting question. Are there Joomla extensions that can provide the kind of access control and threat containment that you're looking for? I honestly haven't looked.

I also haven't really examined what "standard" AV measures may be incorporated with the file server. When you say that the file transfers will "find their way to the organisation's computers and servers", are these file servers (and, I'm guessing, web server) in-house or external to the organisation? If the servers are external, does the host have built-in AV software as well as secure data transfer tools? You may also want to look at CDNs, too.

Viral threats can be injected in a variety of ways, such as the few that you've mentioned. Viruses can be embedded via MS Word, MS Excel (using VisualBasic) and, even within some images. Viruses can be simple malware (junk software masquerading as something quite innocent) to more damaging self-modifying code that worms its way throughout the files on a computer. The effects can range from corrupting data with misinformation to denial of service.

How much does a good firewall cost? Most decent "military-grade" (i.e. vetted by Defence Signals Directorate that advises all Australian government agencies) equipment can set you back a few tens of thousands of dollars. I don't think I'm the best person to advise you on this matter because a) I haven't had the personal need to provide access to a sub-contractor to upload material on data storage that's under my direct control and b) my experience in dealing with security (firewalls, etc.) has been in an environment that has a large budget (hundreds of thousands of dollars) tied up in the investment of equipment and personnel whose job it was to protect the organisation's data assets.

I think the first, and most important, security counter measure to adopt (when we're dealing with a small enterprise organisation) is to remain vigilant. If you, in your day-to-day activity, remain vigilant about what files you handle yourself that's a good start; if you can inculcate that same behaviour into those you may have to trust in handling similar material when they transfer files to your server, that's also a step in the right direction. But, if you're asking me if there's some fool-proof detection mechanism that resides on the data server that adds an extra layer of security after the initial "filtering" process has occurred, I'm sorry but I'm a bit out of my depth on that one insofar as I have made assumptions about your request for information.

Last edit: 3 years 2 months ago by sozzled.


3 years 2 months ago #149 by Laurie
Replied by Laurie on topic Security
Thanks for the lengthy reply, Michael.

The organization runs an internal server with 500 computers connected. I understand the same computers are connected to the www.

The file transfer site will be on the organization's shared hosting. At present the proof of concept version is on my hosting. Not my good hosting, a development hosting account.

There are two graphic design sub-contractors and a handful of the organization's employees who will transfer files each way. It would also be handy for me to transfer an Akeeba Backup file, one direction or the other, if need be.

I understand that most files are for print, though some PDF and DOCX files are used on the organization's website. There would also be JPG and PNG files for print and web.


3 years 2 months ago - 3 years 2 months ago #150 by sozzled
Replied by sozzled on topic Security
I still reckon that the site should invest in a firewall (if it hasn't already done so), including the establishment of a DMZ, to safeguard against unauthorised intrusion from outside. The communication channel, that allows incoming traffic to deposit files on the server, should also be conducted using some kind of VPN.

Surely, one would expect that an organisation that allows internet access for a network comprising 500 personal computers would have invested in technologies to guard against external hacking attempts such as DoS, brute-force, or email-infected viruses. In the case of email-borne virus attacks, the general approach is to install enterprise AV software that checks email contents against known virus signatures. I mean, in this case, we're talking about more than "freeware" AV software that many people use in their homes and install on their PCs (e.g. AVG, Avast, etc.) and we're talking fairly big dollar amounts, too. I suspect, however, that's outside your brief.

As far as the security of PDF, DOCX, JPG and PNG files is concerned, DOCX files probably pose the largest risk (because they allow VBS). It is for this reason that websites eschew DOCX files on their servers: they present a risk to the community of users who access files on the internet. Put another way, PDF is a [generally] safer means to distribute web-based documents than DOCX. If the site operators don't have the time to "convert" MS Word-developed documents, or if they don't have the ability, "luxury" of time or inclination to manufacture HTML or use a CMS for articles managed by the server-side script parser (such as PHP, Cold Fusion, ASP or JSP), then PDF is probably the next-best thing in my opinion.

I would even go so far as to embed images into PDF documents. PDF has its uses if you're distributing a document that you scanned (as an image) or a technical manual that people might want to print themselves. Sometimes the decision to use (and distribute) PDF or DOCX is subjective; sometimes it's because it's "quicker" to do it. Look around the internet: depending on what you might be looking for (as a member of the public) when you visit a site, would you prefer to see the information as a [HTML] web-page or as something you had to download (and require the appropriate software to be installed on your computer), by clicking a link? Depends, of course, on the audience, I guess.

As I mentioned before, I really don't have any specific advice to give you about server-side AV software or, more especially, any Joomla extensions that readily meet your goals.

Last edit: 3 years 2 months ago by sozzled.


3 years 2 months ago #151 by Laurie
Replied by Laurie on topic Security
Thanks Michael, for the useful info.

I'll pass all this onto my IT man.

As I understand it, the server is secured in the way you have described. I understand the requirement is to ensure files entering the server, via the website on the www, are clean.

I've found an extension on the JED called Centrora Security: extensions.joomla.org/extensions/extensi...ty/centrora-security. I wonder if you have time to check it out. You'll likely understand the blurb better than I.

I've had an online chat with the developer (an employee I reckon) and it sounds like it will do the job as well as any. I doubt that any AV software can be entirely virus proof and 100% reliable.

Seems to me the solution is to restrict the file types uploaded, put stringent requirements on the sub-contractors and add the Centrora extension to the site. Maybe an SSL certificate. The client doesn't wish to go to a VPS, but that may be worth reconsidering.

Our host (shared hosting) offers some extra protection on a VPS. I'll read through that again.

Today I'll create a clone of the proof of concept site and install Centrora. I should be able to learn more.

Regards,
Laurie.
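The thread settles on two server-side measures: restrict the file types that may be uploaded (PDF, DOCX, JPG, PNG) and treat DOCX as the riskiest of them because it can carry macros. The following is an added example of what that gate can look like in code; it is not part of the thread, not Joomla's or Centrora's code, and the policy it encodes (the allowlist, the magic-number table, the PDF token list) is an assumption for illustration. It checks that the declared extension is on the allowlist, that the file's leading bytes match that type (so a renamed executable is rejected), that a DOCX package contains no VBA project, and that a PDF carries no obvious active-content tokens. The sample files it runs against are constructed in memory.

```python
import io
import zipfile
from typing import Tuple

# Assumed upload policy: the four types the thread names, each mapped to the leading
# bytes ("magic numbers") a genuine file of that type starts with.
ALLOWED = {
    "pdf": (b"%PDF-",),
    "docx": (b"PK\x03\x04",),          # OOXML is a ZIP container
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Tokens that only appear in PDFs carrying active content; a scanned page or a
# print-ready brochure has none of them. Coarse triage heuristic, see note below.
PDF_ACTIVE_TOKENS = (b"/JavaScript", b"/Launch", b"/EmbeddedFile")


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an uploaded file may be stored. Returns (accepted, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        return False, f"extension '{ext}' not in allowlist"
    # The extension is user-controlled; the bytes are the real evidence of type.
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match declared type"
    if ext == "docx":
        return _check_docx(data)
    if ext == "pdf":
        return _check_pdf(data)
    return True, "ok"


def _check_docx(data: bytes) -> Tuple[bool, str]:
    """Reject any OOXML package that embeds a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False, "docx is not a valid OOXML package"
    if "[Content_Types].xml" not in names:
        return False, "docx is missing its content-types part"
    # Macros live in vbaProject.bin regardless of whether the file is named .docx or .docm.
    if any(name.lower().endswith("vbaproject.bin") for name in names):
        return False, "document contains a VBA macro project"
    return True, "ok"


def _check_pdf(data: bytes) -> Tuple[bool, str]:
    """Flag PDFs whose plain-text objects mention active content."""
    for token in PDF_ACTIVE_TOKENS:
        if token in data:
            return False, f"pdf contains active-content token {token.decode()}"
    return True, "ok"


def build_docx(with_macro: bool) -> bytes:
    """Construct a minimal DOCX-shaped package in memory (sample input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample uploads.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_RENAMED_EXE = b"MZ\x90\x00" + b"\x00" * 16          # PE header, named as a PDF below
SAMPLE_JS_PDF = b"%PDF-1.4\n1 0 obj << /S /JavaScript /JS (app.alert(1)) >>\nendobj\n"
SAMPLE_CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >>\nendobj\n"

if __name__ == "__main__":
    for name, blob in [
        ("logo.png", SAMPLE_PNG),
        ("brief.docx", build_docx(with_macro=False)),
        ("brief.docx", build_docx(with_macro=True)),
        ("report.pdf", SAMPLE_RENAMED_EXE),
        ("form.pdf", SAMPLE_JS_PDF),
        ("manual.pdf", SAMPLE_CLEAN_PDF),
        ("installer.exe", SAMPLE_RENAMED_EXE),
    ]:
        print(name, check_upload(name, blob))
```

Two caveats a practitioner would want. First, the PDF token scan only sees objects stored as plain text; PDF object streams can be compressed, so a clean result is not proof of a clean file, which is why this gate complements rather than replaces the AV scanning the thread discusses. Second, the magic-number check defeats simple renaming but not a genuine file of an allowed type that is malicious in its content, so the DOCX and PDF checks above are where the real risk reduction comes from.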

