Securitycheck Pro
user guide
Version 2.8.19
securitycheck.protegetuordenador.com
DISCLAIMER
No software can ensure full protection against every attack imaginable. Using this
extension should NEVER replace adequate security measures. Make regular backups and keep
an eye out for abnormal site behaviour even if you use this software. (See this entry in our
forum for information about Joomla security.)
Overview
Securitycheck Pro has four main features: a component, a module and two plugins.
The Securitycheck Web Firewall plugin has been designed as a web firewall to protect your site, while
the Securitycheck Cron plugin allows us to launch tasks on a schedule.
The component shows which extensions (components, modules and plugins) installed on your
system are vulnerable, gives vulnerability details for each vulnerable extension and has a database of all
vulnerabilities discovered/published for each Joomla version. It also reads system file permissions to
show which of them are misconfigured, and checks filesystem integrity to alert us when any file is
modified. It also looks for suspicious patterns in files and gives us the possibility to check suspicious
files against a free online service with 40 anti-malware engines and millions of hashes of infected
files.
The module shows you useful info about the website's security state without going to the component
main page.
Installation
Before installing this extension, you should be sure you have direct access to your
Joomla website database so that you can disable the plugin if necessary (visit the forum to see
how). The Securitycheck Pro Web Firewall plugin is enabled by default and, in some
cases, you could get a 4xx error when you try to access your site (both backend and
frontend). This IS NOT A BUG. We have found some templates that store cookies in
an unsafe way, so in this case the plugin blocks access to the entire site.
Installing Securitycheck Pro is easy. You only have to go to Extension Manager, select Install
and navigate to your Securitycheck Pro zipped file:
Push the Upload & Install button. You'll see a screen with a summary of the installation
process:
If you have Securitycheck installed, Securitycheck Pro will uninstall it to avoid conflicts
between plugins. Logs previously recorded will be erased.
There are other methods to install extensions; you can find them at this url:
https://www.siteground.com/tutorials/joomla/install-joomla-extension.htm
Per our policy regarding End-of-Life Joomla! release branches, some of these features are
available only in the J3X version.
CPanel
Securitycheck Pro has a powerful control panel to manage all available options. When we
choose Securitycheck Pro from the Components menu, we'll see the following:
Extension status
Here we can see the Overall security, Web Firewall Plugin, Cron, Logs, Update Database
plugin status and Spam Protection status*, and whether the extension is up to date (see the Liveupdate
paragraph). In the Log status option we will also see the number of unread logs.
* The Update Database plugin is not included in the extension; it must be purchased separately.
The Spam Protection plugin is a free plugin that can be downloaded.
Main Menu
All the options available to manage the entire extension.
Statistics
There are three tabs: Historic, Detail and Lists.
The first one shows a graph of every event triggered by the Web Firewall since the
extension was installed. Data is grouped in 3 categories: Firewall rules applied, Blocked access
attempts and User/session protection entries.
The second one shows links with the number of events generated by the Web Firewall in
certain periods (today, yesterday, last year...).
The Lists tab shows the number of elements in each list (Blacklist, Whitelist and Dynamic
Blacklist) and a button to manage them:
Easy config
Some Web Firewall filters may require your attention to work properly, because they check for
patterns that may be present in certain attacks but also in legitimate queries. If you have a lot of
sites and no time to configure each one, if your site is commercial and you don't want to worry
about this, or if you have no idea about security, you should apply an 'Easy config' to the Web
Firewall.
All you have to do is click the button.
With 'Easy Config' you will set a conservative configuration in the Web Firewall by
disabling the filters which may require closer attention to avoid false positives: a little bit less
secure but more functional.
'Default Config' will restore your previous configuration, with all filters enabled and your
own exceptions included.
Help us
If you use Securitycheck Pro, please post a review in JED. There is a url to do it on
the main screen of the component. This will help us to improve the product and give
you a better service.
NOTE: We have a forum to answer your questions/problems. Please use it before
posting your review.
Check Vulnerabilities
This option checks the installed extensions (components, plugins and modules) and the Joomla
core version, comparing them with its database. We can see if there is any vulnerable extension
through an easy colour code, and useful info about the Update Database plugin:
If there are vulnerable extensions, you will see a link in the extension name. If you click
on it, you'll see all the known vulnerabilities for this product, ordered by publication date:
File Manager
With File Manager we can check the file permissions of our Joomla site. In the File Manager
Control Panel window we can see two sections: Manual analysis and Analysis summary:
In the Manual analysis section we have a 'Start' button to launch an analysis of file permissions.
We have a table with the start time, end time and current task of this process.
If we launch this check, we will get a progress bar with info about the process status.
Please don't navigate to another page until the process has finished or you get an error message.
When you click on it, the analysis summary table will be updated, showing us the last check
timestamp, the number of analysed files and the number of files/folders with misconfigured permissions:
If you change the permissions of a file in your filesystem, this change will not be
reflected in the Analysis summary until a new check is launched.
As you can see, we can filter results by kind (file/folder), permissions (wrong, ok,
exceptions) or any other search term.
If there are more than 3000 files with incorrect permissions, you will see an alert at the top
of the page:
There are three folders (and all files and subfolders under them) marked as exceptions:
/tmp, /logs and /cache.
If we have some files with misconfigured permissions, we can correct the problem by selecting
them and clicking the Repair option.
To change file/folder permissions, Securitycheck Pro can use two methods, set in the
Change permissions method option (see Global Configuration --> File Manager).
When the process ends, a log file is created and we get a completion screen:
Clicking the View log button we'll see a screen with the state of every change attempt;
failed attempts will be shown in red, and successful attempts in green:
Every time we click the Repair button, an entry is recorded in a log file. By default, this file
is deleted every time, but you can change this behaviour in Delete log file (see Global Configuration
--> File Manager option).
* The Repair option works on UNIX-derived operating systems (like Linux, Mac, Solaris), not
on Windows.
File Integrity
With File Integrity we can check the integrity of every file in our Joomla site. File Integrity
generates a hash value for each file; when a file is changed, even with a minimal modification,
its hash value changes and we will be alerted: nothing will happen in our filesystem
without our knowledge.
In the File Integrity Control Panel window we can see two sections: Manual integrity check
and Integrity check summary:
In the Manual integrity check section we have a 'Start' button to launch a check of file integrity.
We have a table with the start time, end time and current task of this process.
If we launch this check, we will get a progress bar with info about the process status.
Please don't navigate to another page until the process has finished or you get an error message.
This process can overload your server, affecting QoS, so this check
should be launched in a period of low server activity.
A standard Joomla installation has almost five thousand files, and every one has to be
checked, so this process can take a long time.
When this process ends, you'll see a completion message and the 'Start' button will be
transformed into a 'Refresh' button.
When you click on it, the integrity check summary table will be updated, showing us the last check
timestamp, the number of analysed files and the number of new/modified files:
When this task takes more time than your session lifetime, you will get the following
message:
This is not a big deal. You should click the refresh button (log in again if your session has
expired), and you will get the actual progress of the task:
You won't be able to launch a new task or access the File Integrity Status until the last
task has finished.
As you can see, we can filter results by integrity (compromised, ok, exceptions) or
any other search term.
If we have files marked as compromised and we know that there is no problem with them
(e.g. when we install an update of an extension), we must use the Mark all as safe option:
There are three folders (and all files and subfolders under them) marked as exceptions:
/tmp, /logs and /cache.
If there are more than 3000 files with incorrect integrity, you will see an alert at the top of the page:
* The first time you launch File Integrity, all files are marked with wrong integrity; this is
because there is no previous info about the files. Mark all of them as safe to create a baseline.
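The hash baseline described above, as an added Python example (not the extension's own code): it snapshots a tree with SHA1 as the default algorithm, skips the tmp/logs/cache exception folders, shows why the first run flags every file, treats 'Mark all as safe' as saving the baseline, and then reports modified and new files. The tiny site it scans is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

# The page's default exception folders: their contents are never checked.
EXCEPTIONS = ("tmp", "logs", "cache")


def file_hash(path, algorithm="sha1"):
    """Hash one file in chunks; SHA1 is the page's default hash algorithm."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(base_path, algorithm="sha1"):
    """Map each file's path (relative to base_path) to its hash, skipping exception folders."""
    hashes = {}
    for root, dirs, files in os.walk(base_path):
        rel_root = os.path.relpath(root, base_path)
        if rel_root == ".":
            # Prune the top-level exception folders so os.walk never enters them.
            dirs[:] = [d for d in dirs if d not in EXCEPTIONS]
        for name in files:
            rel = os.path.normpath(os.path.join(rel_root, name))
            hashes[rel] = file_hash(os.path.join(root, name), algorithm)
    return hashes


def compare(baseline, current):
    """Classify every current file against the baseline: ok, modified (hash changed) or new.
    Files present in the baseline but gone now are reported as missing."""
    report = {"ok": [], "modified": [], "new": [], "missing": []}
    for rel in sorted(current):
        if rel not in baseline:
            report["new"].append(rel)
        elif baseline[rel] != current[rel]:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["missing"] = sorted(set(baseline) - set(current))
    return report


def write(site, *parts, content, mode="w"):
    """Helper for the constructed sample site below."""
    path = os.path.join(site, *parts)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(content)


def demo():
    """Build a tiny constructed site, run the first check, create a baseline, then rerun."""
    with tempfile.TemporaryDirectory() as site:
        write(site, "configuration.php", content="<?php $dbname = 'joomla';\n")
        write(site, "administrator", "index.php", content="<?php echo 'admin';\n")
        # First check: no previous info exists, so every file shows up as new (wrong integrity).
        first = compare({}, snapshot(site))
        # 'Mark all as safe' == store the current hashes as the baseline.
        baseline = snapshot(site)
        # Minimal modification, a dropped file, and a file inside an exception folder.
        write(site, "configuration.php", content="\n", mode="a")
        write(site, "administrator", "dropped.php", content="<?php echo 'new';\n")
        write(site, "cache", "page.php", content="<?php echo 'ignored';\n")
        second = compare(baseline, snapshot(site))
    return first, second


if __name__ == "__main__":
    first, second = demo()
    print("first run, new files:", first["new"])
    print("second run, modified:", second["modified"], "new:", second["new"])
```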
When a log is recorded in the system, it is marked as Not read with the following icon
in the main screen. Every log should be checked by the webmaster and marked as Read.
To do this, we must select the Mark as read option and it will automatically be marked as Read.
We can also delete old logs and add offending IPs to the blacklist with the Delete and Add to
blacklist options.
If you want to save your logs, choose the Export logs option and you will get a save dialog
to export your logs in .csv format.
Logs format
Every log recorded has the following format:
Ip: IP address that generated the event.
Geolocation: Country and continent to which the IP address belongs.
Time: Date of the event.
User: The user logged in when the event was captured.
Description: A description of the event. It also includes the method inspected, the
field implicated and a read-only text box with the string that generated the
block.
URL: URL from which the event was generated.
Component: The component involved in the query. This field is particularly useful if
the plugin is blocking requests that should not be blocked (see the section Plugin -->
Exceptions of this manual).
Type: A descriptive icon of the attack type (move the mouse over the image to obtain
information).
Readed: Log status. Every log should be checked and marked as Read by the
webmaster.
Logs type
Icon Meaning
IP blocked / IP Geoblocked
IP dynamically blocked
SQL Injection
Spam protection
Url inspector
Upload scanner
A simple test to check that the plugin is working is to use the pattern ' or 1=1-- in a field of our
Joomla website (log-in module, contact form, forum,...):
* The previous screen will depend on the template used on your website.
.htaccess protection
.htaccess files are a powerful mechanism to avoid unauthorised access to our site and to add
a basic security mechanism to it. There are 4 main areas to configure in our .htaccess file:
Self-protection
This area includes options to protect our own .htaccess files and our server.
X-Frame Options
The X-Frame-Options HTTP response header can be used to indicate whether
or not a browser should be allowed to render a page in a frame or iframe. This can be used to avoid
clickjacking attacks, by ensuring that your content is not embedded into other sites.
DENY - This setting prevents any pages served from being placed in a frame, even if it is on the
same website it originates from. It should be used if you never intend your pages to be used inside
a frame.
SAMEORIGIN - This setting allows pages to be served in a frame of a page on the same website.
If an external site attempts to load the page in a frame, the request will be denied.
Banned user-agents
Do you have problems with a new bot that is not included in our default
blacklist? Use this option to create a new rule to block it.
For example, suppose you have a lot of entries like this in your access log (this file is
usually provided by your web hosting):
xx.xx.xx.xx - - [11/Jan/2013:00:11:41 -0500] "GET /xxxxxt HTTP/1.0" 200 1195 "-" "Mozilla/5.0
(compatible; Ezooms/1.0; ezooms.bot@gmail.com)"
The last part of this entry is the user-agent of this bot. If you want to block its access to your
site, you only have to add ezooms to this option, save your changes and apply them. Remember
you have to enter only one user-agent per line.
This option has been created to make your life easier. If you want to block a user-agent,
you don't have to put the entire string to create a new rule. You only have to put
a string that appears in the user-agent to block it.
This is the reason you only have to put ezooms to block the bot of the example.
This option is a powerful mechanism to keep your .htaccess file updated. But it could
give you a lot of headaches if you set a wrong rule.
For example, if you use Mozilla/5.0 (compatible; Ezooms/1.0; ezooms.bot@gmail.com) instead
of ezooms to block the bot of the example, you will get an Internal Server Error on your
entire site. Please test every new rule before using it on your site.
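As an added illustration (not the plugin's own code or its .htaccess output), the following Python script shows why a substring is enough and why the full user-agent string breaks the rule: it extracts the user-agent from the log line above, escapes a fragment so that it becomes one literal regex argument, and pre-tests the pattern. The RewriteCond/RewriteRule shape it emits, and the explanation that unescaped whitespace is what triggers the error, are assumptions about how such a rule is typically written, not a description of the extension's internals.

```python
import re

# Constructed access-log line copied from the manual's example (IP masked as on the page).
ACCESS_LOG_LINE = ('xx.xx.xx.xx - - [11/Jan/2013:00:11:41 -0500] "GET /xxxxxt HTTP/1.0" 200 1195 '
                   '"-" "Mozilla/5.0 (compatible; Ezooms/1.0; ezooms.bot@gmail.com)"')

# Characters with a special meaning in the regular expressions mod_rewrite evaluates.
_REGEX_SPECIAL = set(r"\.^$|?*+()[]{}")


def user_agent_from_log(line):
    """The user-agent is the last quoted field of a combined-format access log line."""
    return line.rsplit('"', 2)[1]


def escape_fragment(fragment):
    """Make a user-agent fragment a single literal regex argument: whitespace and regex
    metacharacters get a backslash. Unescaped whitespace splits a RewriteCond into extra
    arguments (assumed to be what turns the manual's full-string example into an Internal
    Server Error), and unescaped '.' or '(' would change what the pattern matches."""
    out = []
    for ch in fragment:
        if ch.isspace() or ch in _REGEX_SPECIAL:
            out.append("\\")
        out.append(ch)
    return "".join(out)


def has_unescaped_whitespace(pattern):
    """True if the pattern would be split into several directive arguments."""
    return re.search(r"(?<!\\)\s", pattern) is not None


def build_rules(fragments):
    """Assumed rule shape (not the plugin's own output): one case-insensitive RewriteCond per
    fragment, ORed together, then a RewriteRule returning 403. Blank lines are skipped, since
    the option expects one user-agent fragment per line."""
    fragments = [f.strip() for f in fragments if f.strip()]
    if not fragments:
        return ""
    lines = ["RewriteEngine On"]
    for i, fragment in enumerate(fragments):
        flags = "[NC,OR]" if i < len(fragments) - 1 else "[NC]"
        lines.append(f"RewriteCond %{{HTTP_USER_AGENT}} {escape_fragment(fragment)} {flags}")
    lines.append("RewriteRule .* - [F,L]")
    return "\n".join(lines)


def fragment_blocks(fragment, user_agent):
    """Pre-test a rule: Python's regex engine stands in for Apache's, [NC] becomes re.I."""
    return re.search(escape_fragment(fragment), user_agent, re.I) is not None


if __name__ == "__main__":
    ua = user_agent_from_log(ACCESS_LOG_LINE)
    print(build_rules(["ezooms"]))
    print("blocks sample bot:", fragment_blocks("ezooms", ua))
    print("raw full string is unsafe as a rule:", has_unescaped_whitespace(ua))
```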
Own code
Write your own code to be added to the file. As I told you in the previous
paragraph, a single mistake can result in an Internal Server Error.
Fingerprinting Protection
When a hacker wants to attack a website, he usually has to identify what kind of
technology is used. In our case, there are a lot of signals that identify a Joomla CMS. With .htaccess
files we can add a basic protection against these techniques.
The following measures only refer to avoiding fingerprinting using .htaccess files. You
are NOT protected against these techniques by applying only these options. You must
configure a lot of things, even at server level, to mitigate these techniques.
For example, if you forbid access to the README.txt file and this option is not applied,
you will see information about the server if you try to access that file:
which will disclose the PHP version and other sensitive information, resulting in a loss of
confidentiality.
For example, if this option is not applied and we make a special request to our site,
we will see information about the PHP credits of the version installed on our site:
For example, if this option is not enabled, you will be able to access joomla.xml,
which includes information about our Joomla version:
With this option enabled, access to those files will result in a 403 error:
Backend protection
One of the main problems of Joomla is that everybody can reach the backend login page:
you only have to write <your_site/administrator> . This makes it easy to launch brute force and
dictionary attacks. To avoid this, we have developed an option to add a 20 character secret key to
the url. If you don't provide this key, you will be redirected to the page set in the 'url to be
redirected to' field:
You can create keys of 5, 10, 15 or 20 characters, and you can set this value under Global
configuration --> Tuning. By default, it is set to 20 characters.
You only have to click the 'Generate key' button and a new key will be generated. To
protect your site, click the 'Protect' option and the current key will be applied to your backend
url:
From then on, to access your site backend you will have to write:
http://192.168.56.30/administrator/?0cbryum6jf0nyl1m5l2pw
If you try to access using the old url, you will be redirected to a 'not_found' url:
If you don't remember your secret key, you only have to access your site using an ftp
application and delete your .htaccess file. Then you will be able to access your site
backend using the <your_site/administrator> url.
If you use another component to hide your backend url, you must disable or
uninstall it. If you don't, you won't be able to access your backend.
Exceptions
You can configure exceptions to backend protection. This will allow direct access without
adding the secret key. This is valid, for instance, for some CiviCRM files, which need direct access
to work.
Once you have configured your values, you can choose any of the following options:
Delete .htaccess
Use this option to delete your current .htaccess file (this option will not appear if there is
no .htaccess file).
Protect
This option will create a backup of your current .htaccess file (named .htaccess.backup),
delete the current .htaccess file and create a new .htaccess file in your root path using the configured
values.
If all options are set to 'No', a default .htaccess file will be created.
Save
Saves your changes. You have to use this option before using 'Protect' if you have made a
change. If you make changes and don't save them, they will not be applied.
If an option has been applied to the current .htaccess file, you will see the following info:
Troubleshooting
Depending on your web server settings, some of these options may be incompatible with
your site. In this case you will get a blank page or an Internal Server Error 500 error page
when trying to access any part of your site. If this happens, you have to remove the .htaccess file
from your site's root directory using an FTP application or the File Manager feature of your hosting
control panel. Your old .htaccess file is saved as .htaccess.backup. You can rename that file back to
.htaccess to revert to the last known good state. If you are unsure how this works, please consult
your host before trying to create a new .htaccess file using this tool.
We strongly suggest that you begin by setting all options to 'No' and then enable them one
by one, creating a new .htaccess file after you have enabled each one of them. If you bump into a
blank or error page you will know that the last option you tried is incompatible with your host. In
that case, remove the .htaccess file, set the option to 'No' and continue with the next one.
Unfortunately, there is no other way than trial and error to deduce which options may be
incompatible with your server.
Malware Scanner
The malware scanner feature looks for suspicious patterns in your files, suspicious
filenames and malware files hidden behind false filetypes. Those patterns can also be used in legitimate
files, so sometimes it is really difficult to identify a threat. This is why we have included a powerful
ally: the Metadefender Cloud service. Metadefender Cloud is a free online file scanning service
powered by OPSWAT's Metascan technology, a multiple engine malware scanning solution which
helps us to identify threats. So our malware scanner will check for suspicious patterns and
Metadefender Cloud will tell us if there are infected files on our system. Result: the most advanced
malware scanner on the market.
To use the Metadefender Cloud feature we only need an API key. To obtain it, please create an
account or log into the OPSWAT portal and find the Metadefender Cloud section under 'Licenses'.
Expand this section to access your free Metadefender Cloud API key.
The free API keys obtained through the OPSWAT Portal allow 25 file scans and 1000 hash
lookups per hour.
IMPORTANT NOTICE: The malware scanner is not an antivirus solution. We look for
suspicious patterns and words which are included in known malware, but they can also be
used in legitimate files.
For instance, the following eval(base64_decode) pattern is used in a trojan file as a technique to
hide its behaviour:
<?php
eval ( base64_decode ("IglmICggaXNzZXQoICRfQ...") ); ?>
But the same pattern is also used in several extensions; for example, a popular extension to create
contact forms:
So a file marked as suspicious is not always a malware file. It means that a suspicious
pattern has been detected.
This is why we have included the Metadefender Cloud service: to check suspicious files against
more than 40 anti-malware engines. If after an online scan a file is marked as malware, you can be
sure that the file contains malware.
In the Malwarescan options enabled box we get a summary of the options we have selected for this
feature:
Submission type
The 'Hashes' option is faster because it looks for the file hash in a complete
database of millions of malware files, while the 'Files' option sends the entire file to be analysed by
more than 40 commercial anti-malware engines. The default value is: Hashes.
Timeline
Look for suspicious patterns only in files modified/created during the last
selected number of days. The default value is: 7.
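An added Python example of the scanner logic described in this section (not the product's own code): it searches files with a listed extension and a modification time inside the Timeline window for the eval(base64_decode(...)) construct, records each hit's SHA-256 for a hash-based lookup, and reproduces the false positive the notice above warns about. The pattern table, alert levels, extension list and sample files are constructed assumptions.

```python
import base64
import hashlib
import os
import re
import tempfile
import time

# Constructed pattern table (not the product's own list). 'High' holds the
# eval(base64_decode()) construct discussed above; 'Medium' holds a couple of
# suspicious words that a 'Deep scan' would add, at the cost of more false positives.
PATTERNS = {
    "High": [re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)],
    "Medium": [re.compile(rb"\bshell_exec\s*\(", re.I), re.compile(rb"\bpassthru\s*\(", re.I)],
}
SCAN_EXTENSIONS = ("php", "phtml", "js")      # the 'File extensions' option, comma separated
EXCEPTIONS = ("tmp", "logs", "cache")         # folders never scanned


def file_sha256(path):
    """Digest used for the 'Hashes' submission type: only the hash leaves the server."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(path, deep=False):
    """Return the highest alert level whose patterns match the file, or None."""
    with open(path, "rb") as fh:
        data = fh.read()
    for level in ["High"] + (["Medium"] if deep else []):
        if any(p.search(data) for p in PATTERNS[level]):
            return level
    return None


def scan_site(base_path, timeline_days=7, deep=False, now=None):
    """Scan files with a listed extension created/modified within the Timeline window."""
    now = time.time() if now is None else now
    cutoff = now - timeline_days * 86400
    findings = []
    for root, dirs, files in os.walk(base_path):
        if os.path.relpath(root, base_path) == ".":
            dirs[:] = [d for d in dirs if d not in EXCEPTIONS]
        for name in files:
            if name.rsplit(".", 1)[-1].lower() not in SCAN_EXTENSIONS:
                continue
            full = os.path.join(root, name)
            if os.path.getmtime(full) < cutoff:
                continue                      # older than the Timeline: not inspected
            level = scan_file(full, deep)
            if level is not None:
                findings.append({"file": os.path.relpath(full, base_path), "level": level,
                                 "sha256": file_sha256(full), "online_check": "Not checked"})
    return findings


def demo():
    """Constructed site: a trojan-style file, a legitimate extension using the same construct
    (a false positive), an old file outside the Timeline, a .txt file with no listed extension
    and a file inside an exception folder. Returns the relative paths flagged."""
    payload = base64.b64encode(b"echo 'constructed sample, not real malware';").decode()
    trojan = f'<?php eval ( base64_decode ("{payload}") ); ?>'
    legit = f'<?php /* contact form helper */ eval(base64_decode("{payload}")); ?>'
    files = {
        "templates/site/extra.php": trojan,
        "components/com_form/helper.php": legit,
        "old.php": trojan,
        "notes.txt": trojan,
        "cache/cached.php": trojan,
    }
    with tempfile.TemporaryDirectory() as site:
        for rel, body in files.items():
            path = os.path.join(site, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        thirty_days_ago = time.time() - 30 * 86400
        os.utime(os.path.join(site, "old.php"), (thirty_days_ago, thirty_days_ago))
        return sorted(f["file"] for f in scan_site(site, timeline_days=7))


if __name__ == "__main__":
    print(demo())
```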
Below that we can see two sections: Manual Malware scan check and Malware scan
summary:
In the Manual Malware scan check section we have a 'Start' button to launch a check over our
filesystem. We have a table with the start time, end time and current task of this process.
If we launch this check, we will get a progress bar with info about the process status.
Please don't navigate to another page until the process has finished or you get an error message.
This process can overload your server, affecting QoS, so this check
should be launched in a period of low server activity.
A standard Joomla installation has almost five thousand files, and every one has to be
checked, so this process can take a long time.
When you click on it, the malware scan summary table will be updated, showing us the last check
timestamp, the number of analysed files and the suspicious files found:
An alert level of High means you should keep an eye on the file even if the online check
shows no warning. Some encoded files are not detected by anti-malware engines. If you have
doubts, don't hesitate to ask me.
Every time a new malware scan is launched, all online check statuses appear as Not checked,
even if files have been previously submitted to the Metascan service. This is due to the dynamic
behaviour of the service: every anti-malware engine is updated every day, so a threat not detected
today can be detected tomorrow.
We also see two* buttons: Add file(s) as exception and Metadefender Cloud Check (files|
hashes):
* If the limit per hour is reached, the second button will not be available and an alert will be
displayed:
The first one adds selected files as exceptions, and the second one checks the hashes of selected
files or sends selected files to be analysed by the Metadefender Cloud free service and takes us to the
Manage logs screen.
If we choose the Quarantined option in the dropdown, then we have two options: Restore
files and Delete:
The first one restores selected files to their original folder, and the second one deletes them.
There are also two buttons to Delete and View file. The first one deletes* all selected files and the
second one allows us to see the file content; this is useful before deleting it.
* Please take note that files are marked as suspicious, so there may be false positives. Be fully
sure the file is malicious before deleting it, or the entire site can crash.
There are three folders (and all files and subfolders under them) marked as exceptions:
/tmp, /logs and /cache.
Manage logs
Choosing this option we can see all the online check logs stored. It shows us info about the
filename created, number of analysed files, threats found and creation date:
Clicking on the View log button, we will see a complete report of the scan:
You can download or delete files by selecting them and choosing the desired button:
Global Configuration
Here we can configure the Component, Tuning, File Manager, File Integrity, Malware scan,
Performance and Permissions options:
Component
Download ID
Put your Download ID here (you can find this value in your Download ID
link from your User Menu) to get access to Securitycheck Pro updates.
Tuning
Memory limit
This is the maximum amount of memory in bytes that the extension is
allowed to allocate. If you have a large site and File Manager or File Integrity tasks don't end,
maybe you should increase this value.
Secret key length
This is the length of the secret key that will be generated when using
'Backend protection' in the .htaccess protection option.
If this option is disabled, we will see the following in the source code of our Joomla
website, which is used in some attacks to identify Joomla websites.
Check ACL
If this option is enabled, a basic security ACL check will be performed. Public
and Guest groups' ACLs will be checked looking for insecure configurations, showing an alert
every time an administrator logs into the backend:
File Manager
Base path
This is the path from which permissions are checked. If it's not set, the whole
filesystem is checked. Leave 'Use Default' unless you know what you are doing. THIS OPTION
APPLIES TO BOTH FILE MANAGER AND FILE INTEGRITY.
If this option is enabled, all files included in a folder exception will also be
exceptions. For example, if we set /var/www/cli as an exception, all files included in this directory
will appear as exceptions. By default it is set to No because of performance.
To change file/folder permissions using chmod, Apache has to be the owner of the
filesystem.
File Integrity
Hash algorithm
Hash algorithm used to calculate the file's hash. By default it is set to
SHA1.
Move to quarantine
If enabled, new/modified suspicious files rated as High will be moved to
the quarantine folder. This is really useful, for example, if our site has been cleaned after an
infection. If there are remaining threats or the server is infected, then new threats will be moved to
quarantine to prevent a new infection.
This option MAY BREAK YOUR SITE; use it WITH CAUTION.
Email's subject
Subject of the email which will be sent if File Integrity is wrong. If empty, it
will use the value set in WAF Configuration --> Email notifications.
Malware scan
File extensions
Look for malware patterns in files with any of the extensions placed here. Comma
separated values.
Deep scan
Look for suspicious words. These words can also be used for legitimate purposes, so
enabling this option will increase the number of false positives.
File exceptions
Files excluded from the malware scan.
Submission type
Method used to send suspicious files to the Metadefender Cloud service.
Timeline
Look for suspicious patterns only in files created/modified during the selected
period.
Logs stored
Store only the number of online check log files set here.
Performance
Database tables
Select which tables will be shown during the optimisation process. Although only
MyISAM tables are repaired and optimised, we can see all database tables or only MyISAM tables.
Permissions
We can manage permissions used for all content in the component. We can set two actions:
Manage and Access Administration Interface. The first option allows us to access the component,
but we cannot modify 'Global Configuration' options. The second one restricts access to the
entire component.
Lists
In this section we have three lists: a dynamic blacklist, a blacklist and a whitelist. IPs that reach
the maximum number of hacking attempts set (5 by default) are added automatically to the
dynamic blacklist. They are blocked for the time specified in the IP blocked time (in
seconds) field (600 seconds by default):
In the blacklist we put the IP addresses that are not permitted to access our web site. If any IP
in the list tries to access the website, it will get a 403 error. With Include in email notifications,
we can set whether we want to receive an email when a blacklisted IP tries to access our site. If this
option is set to 'Yes', we can reach the email limit easily.
In the whitelist we put the IP addresses to which no filter will be applied. The IP addresses in this
list do not generate any log, so use this list carefully.
Both lists use the common IP format (IPv4 and IPv6 addressing notation), like this:
192.168.1.40, 2001:13d0::1.
We can also specify IPv4 ranges using the * sign as a wildcard: 192.168.1.*, 192.168.*.*, or
CIDR notation: 192.168.100.14/24 . IPv6 only allows CIDR notation to specify ranges:
2001:13d0::/29
With the Priority box we can choose the precedence of the previous lists. We can set the
order in which the lists will be applied: Dynamic blacklist, Blacklist, Whitelist and Geoblock.
If an IP is blocked by the dynamic blacklist or blacklist, the user gets a 403 error page when
trying to access the website:
We can export/import IPs. We can also use external IP files, but they must have the format: IP,IP,IP (that
is, comma separated values). No other text is allowed.
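As an added example (not the extension's code), the following Python matches IPs against lists written in the formats described in this section, models the dynamic blacklist with the 5-attempt and 600-second defaults, and applies the lists in a configurable Priority order. Geoblock is left out, and the list contents are constructed.

```python
import ipaddress
import time

# Constructed sample lists in the formats the manual accepts: plain IPv4/IPv6,
# '*' wildcards for IPv4 ranges, and CIDR for both families.
BLACKLIST = ["203.0.113.7", "198.51.100.*", "192.0.2.0/24", "2001:db8::/32"]
WHITELIST = ["192.168.1.40", "2001:13d0::1"]

MAX_ATTEMPTS = 5       # page default: attempts before an IP is dynamically blocked
BLOCK_SECONDS = 600    # page default: 'IP blocked time (in seconds)'


def _wildcard_match(pattern, ip):
    """IPv4 wildcard such as 192.168.*.*: each '*' octet matches anything."""
    p_parts, ip_parts = pattern.split("."), ip.split(".")
    if len(p_parts) != 4 or len(ip_parts) != 4:
        return False
    return all(p == "*" or p == o for p, o in zip(p_parts, ip_parts))


def ip_matches(entry, ip):
    """True if `ip` matches one list entry (exact address, IPv4 wildcard or CIDR)."""
    addr = ipaddress.ip_address(ip)
    if "/" in entry:
        # strict=False accepts host-style entries like 192.168.100.14/24 from the manual.
        return addr in ipaddress.ip_network(entry, strict=False)
    if "*" in entry:
        return addr.version == 4 and _wildcard_match(entry, ip)
    return addr == ipaddress.ip_address(entry)


def in_list(entries, ip):
    return any(ip_matches(entry, ip) for entry in entries)


class DynamicBlacklist:
    """Counts hacking attempts per IP; on the MAX_ATTEMPTS-th one the IP is blocked
    for BLOCK_SECONDS, after which the block expires and the count restarts."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, block_seconds=BLOCK_SECONDS):
        self.max_attempts = max_attempts
        self.block_seconds = block_seconds
        self.attempts = {}        # ip -> attempts seen since the last block
        self.blocked_until = {}   # ip -> unix time when the block ends

    def record_attempt(self, ip, now=None):
        now = time.time() if now is None else now
        self.attempts[ip] = self.attempts.get(ip, 0) + 1
        if self.attempts[ip] >= self.max_attempts:
            self.blocked_until[ip] = now + self.block_seconds
            self.attempts[ip] = 0

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]   # block time elapsed
            return False
        return True


def decide(ip, dynamic, priority=("dynamic", "blacklist", "whitelist"), now=None):
    """Apply the lists in the configured Priority order; the first list that matches wins.
    'block' -> 403 page, 'allow' -> whitelisted (no filters, no log), 'inspect' -> normal
    firewall filtering. Geoblock is a fourth list in the manual but is not modelled here."""
    for name in priority:
        if name == "dynamic" and dynamic.is_blocked(ip, now):
            return "block"
        if name == "blacklist" and in_list(BLACKLIST, ip):
            return "block"
        if name == "whitelist" and in_list(WHITELIST, ip):
            return "allow"
    return "inspect"


if __name__ == "__main__":
    dyn = DynamicBlacklist()
    for _ in range(MAX_ATTEMPTS):
        dyn.record_attempt("10.0.0.9", now=1000)
    for ip in ["203.0.113.7", "198.51.100.23", "2001:db8:1::5", "192.168.1.40", "10.0.0.9"]:
        print(ip, decide(ip, dyn, now=1000))
```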
Methods
This tells us which methods will be inspected by the plugin. We will check every POST, GET
and REQUEST processed by Joomla.
Mode
In this section we can see the mode used by our plugin. In Strict mode the attacker gets
an error message. In Alert mode the plugin tries to sanitize the request and continue normally.
For example, suppose an attacker writes the following string in a forum post field:
<IMG SRC=javascript:alert('xss');>
In Alert mode, the plugin sanitizes the string and the attacker doesn't get any message:
In the previous case, the sanitized string is equal to a blank string. If the attacker tries an
attack with the select * from members where username='admin'--' string, the result in Alert mode
is:
Logs
There are four options: log the attacks, set the maximum number of logs per IP and day,
and the options to exclude logs from geoblocked IPs and from blocked IPs. With the first option
enabled, all the attacks will be recorded.
The second option sets the maximum number of entries per offending IP and day.
If we disable this feature we will get the following alert in the View logs option:
With the second option we can limit the number of entries stored for each IP per day.
This is useful to avoid lots of entries from the same IP, for instance a blocked IP that tries
to access our site every hour. If this value is set to 0 (default), there is no limit.
The other options allow us to exclude IPs from the logs; this way, access attempts from geoblocked
and blocked IPs are not stored.
Redirection
If this feature is enabled and an attack is detected, the plugin redirects to the Joomla default
error page. If it is disabled, the attacker gets the code in the Blocked IPs message field.
With this feature set to Yes and the redirect option set to Joomla default error page, we see something
like this:
If the redirect option is set to My own page, the URL below will be used to redirect the attacker:
If it is set to No, the plugin drops the connection and the attacker gets the code of the
Blocked IPs message:
Email notifications
We can be alerted by email when the plugin blocks a request. We can configure the typical
fields of an email message: subject, body, to and from. We can also include a line with
the rule the plugin applied, to obtain more information about the attack type. To avoid inbox
saturation we can configure the maximum number of emails that will be sent per day in the
emails' limit field:
This feature is disabled by default because it depends on Joomla's mail function. Be
sure your email function works correctly before activating this feature. If this feature is
active and the mail function does not work correctly, an attacker will get the following
error message:
Exceptions
In this section we can establish exceptions for every filter used by the plugin. This allows us
to adapt the plugin to our Joomla installation. Although we have tested the plugin with the
most popular and best rated extensions, we cannot be sure of their absolute compatibility. So if we have
any kind of problem, we can add an exception for the component which has generated it.
All the components installed in our Joomla website can be viewed in the dropdown at the
header of this section.
If we want to exclude a component from a given filter, we only need to write its name in the
corresponding text box. We can write multiple values in each text box, separating them with
commas.
In this section we can also configure the checking of base64-encoded strings. Many attackers use
this encoding to camouflage their attacks. Despite our efforts, we may notice an increase in false
positives if we enable this option, so we have included a section for base64 exceptions.
You can disable each filter entirely by adding a * character as exception. For
example, if you don't want 'Escape strings' to be applied, configure it as in the
following image:
With this option we can avoid security risks if a vulnerable extension is
configured as an exception in a filter. If it's enabled, exceptions for vulnerable components installed
in our website will be ignored.
How can I find out which component is responsible for blocking a request?
Each log generated by our plugin includes the component active in the blocked request:
For instance, to add an exception based on the previous screenshot, we should
add com_k2 to the XSS filter.
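The exception semantics of this section (comma-separated component names per filter, the * wildcard, and the option that ignores exceptions for vulnerable components), as an added Python illustration rather than the plugin's own code. The filter names, the component names other than com_k2 and the set of vulnerable components are constructed.

```python
# Constructed configuration: one exception text box per filter, as typed in the
# Exceptions section (comma-separated component names, or '*' for the whole filter).
EXCEPTIONS = {
    "xss": "com_k2, com_shop",
    "escape_strings": "*",
}

# Constructed: components the Securitycheck Pro database reports as vulnerable.
VULNERABLE = {"com_shop"}

def parse_exceptions(text):
    """Split an exception text box into a set of component names ('*' included)."""
    return {part.strip() for part in text.split(",") if part.strip()}

def filter_applies(filter_name, component, exceptions=EXCEPTIONS,
                   vulnerable=VULNERABLE, ignore_vulnerable_exceptions=True):
    """Whether filter_name is applied to a request handled by component.

    A '*' exception disables the filter for every component (assumed to hold even for
    vulnerable ones, since it is the documented way to switch a filter off). With
    ignore_vulnerable_exceptions on, a per-component exception is ignored when that
    component is known to be vulnerable, so the filter keeps protecting it.
    """
    excepted = parse_exceptions(exceptions.get(filter_name, ""))
    if "*" in excepted:
        return False
    if component not in excepted:
        return True
    return ignore_vulnerable_exceptions and component in vulnerable
```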
Failed logins
This feature allows us to track every failed login attempt to the site and take
action against it.
Logins to monitor
Choose which logins you want to monitor. We can select only
frontend logins, only backend logins, or both.
Write log
Writes a log entry and sends an email to the administrator (if configured in
Email notifications).
Admin logins
Email on backend login
If this feature is enabled, an email will be sent when someone logs into
the backend. The email goes to the address set in Email notifications.
Geoblock
This option allows us to block access to our site based on the geographic location of the
visitor's IP address. We can choose between Continents and Countries:
When an IP address is blocked by this feature, we will see an IP blocked entry in our logs,
which will also include the 'Geoblock' label:
Upload scanner
This option allows us to scan uploaded files looking for malware patterns, multiple
file extensions (used to bypass filters) and forbidden file extensions.
Upload scanner
Enables this feature.
Extensions blacklist
Forbids uploaded files with these file types (use comma separated values).
Delete files
Deletes the uploaded files.
Actions
We can do nothing or add the offensive IP to the dynamic blacklist.
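The extension checks of the upload scanner (comma-separated blacklist, detection of multiple extensions, and the Delete files / Actions settings), as an added Python illustration that is not the plugin's own code. The blacklist content is constructed, malware-pattern scanning is not modelled, and the allowance for compound extensions such as .tar.gz is an assumed refinement the guide does not mention.

```python
import os

# Constructed: the Extensions blacklist text box, comma-separated as the guide requires.
BLACKLIST_TEXT = "php, phtml, .php5, phar"

# Assumed refinement (not in the guide): compound extensions that legitimately carry two
# segments and should not count as a filter-bypass attempt.
KNOWN_COMPOUND = {("tar", "gz"), ("tar", "bz2"), ("tar", "xz")}

def parse_blacklist(text):
    """Normalise the text box: lower-case, no leading dot, no blank entries."""
    return {t.strip().lower().lstrip(".") for t in text.split(",") if t.strip()}

def scan_filename(filename, blacklist):
    """Findings for an uploaded file's name (malware-pattern scanning is not modelled).

    Every segment after the first dot is treated as an extension, so shell.php.jpg is
    reported both for carrying multiple extensions and for the forbidden 'php' segment.
    """
    name = os.path.basename(filename).lower()
    exts = [p for p in name.split(".")[1:] if p]
    findings = []
    if len(exts) > 1 and tuple(exts) not in KNOWN_COMPOUND:
        findings.append("multiple extensions")
    forbidden = sorted(set(exts) & blacklist)
    if forbidden:
        findings.append("forbidden extension: " + ", ".join(forbidden))
    return findings

def decide(filename, blacklist, delete_files=True, action="dynamic_blacklist"):
    """Apply the Delete files and Actions settings to a scan result."""
    findings = scan_filename(filename, blacklist)
    return {
        "accepted": not findings,
        "findings": findings,
        "delete": bool(findings) and delete_files,
        "blacklist_ip": bool(findings) and action == "dynamic_blacklist",
    }
```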
Spam Protection
This option needs the free plugin Spam Protection, which allows us to check the
username, IP and email against stopforumspam, a spammer database, during the registration
process. This way we forbid spammers from registering on our website.
Action
Action to take if the user is marked as a spammer.
Write log
Writes a log when a user is blocked during the registration process.
Frequency
Number of times (frequency) needed to consider an IP, username or email a spammer.
Url Inspector
This feature allows us to ban IPs that use forbidden words in URLs. This way we have a powerful
mechanism to control all queries to our website, even those that are redirected to a 404 page.
For example, if we receive a URL accessing wp-admin.php, which is typical of WordPress sites, the
URL inspector can be configured to add the IP to the blacklist, because it's clear that it's not a valid query.
This feature doesn't break other SEF extensions installed.
Important: the URL inspector only inspects URLs routed by Joomla, so direct accesses to files
won't be analyzed.
Write log
Writes a log every time a forbidden word appears in a URL.
Actions
Action to take: Nothing, add IP to dynamic blacklist or add IP to blacklist.
Send email
Sends an email.
Forbidden words
List of the words that are not allowed. If any of them appears in a URL, the configured
action is taken.
Cron Configuration
This plugin has been designed to schedule the launch of heavy tasks, like file integrity and file
permissions checks. We can launch them when the server is not overloaded, keeping our system files
always under control:
Planning
Scheduled task(s): We can choose the task(s) to launch: alternate permissions and
integrity checking, only check permissions, only check integrity, or check both
permissions and integrity.
Launching interval: The time period during which the task(s) will be launched. It remains
disabled if you launch the task(s) every X hours. Launching these task(s) frequently will
cause a server overload. Some hosting providers may apply limits, so if you have
problems set a daily interval.
Periodicity: Launch the task(s) every X hours, every day or every week. Tasks consume
a lot of CPU and memory, so use the option every X hours carefully (for
instance, if your site has been hacked and you need to monitor file changes
during a certain period of days).
We have designed this plugin without modifying any Joomla file and we also don't
establish any operating system requirement. We only need a visit to our site during
the launching interval to launch the task(s).
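The visit-driven scheduling described in the Planning section (task selection with alternation, periodicity in hours, days or weeks, and a launching interval that is not checked for the hourly periodicity), as an added Python model that is not the plugin's own code. Modelling the launching interval as a daily window of hours, the state fields and the visit times in demo() are assumptions.

```python
from datetime import datetime, timedelta

# Scheduled task(s) options from the Planning section.
TASKS = {
    "alternate": ["permissions", "integrity"],  # one of the two per run, alternating
    "permissions": ["permissions"],
    "integrity": ["integrity"],
    "both": ["permissions", "integrity"],
}

def period(cfg):
    """Periodicity: every X hours, every day or every week."""
    if cfg["periodicity"] == "hours":
        return timedelta(hours=cfg["every_hours"])
    return {"day": timedelta(days=1), "week": timedelta(weeks=1)}[cfg["periodicity"]]

def in_interval(now, start_hour, end_hour):
    """Launching interval modelled as a daily window of hours (assumed; may wrap midnight)."""
    if start_hour <= end_hour:
        return start_hour <= now.hour < end_hour
    return now.hour >= start_hour or now.hour < end_hour

def on_visit(now, state, cfg):
    """Called on every page visit; returns the task(s) to launch now, or None.

    state keeps last_run and a run counter so 'alternate' switches task each time.
    The interval is not checked for the 'hours' periodicity, as the guide states.
    """
    if state["last_run"] is not None and now - state["last_run"] < period(cfg):
        return None
    if cfg["periodicity"] != "hours" and not in_interval(now, *cfg["interval"]):
        return None
    tasks = TASKS[cfg["task"]]
    if cfg["task"] == "alternate":
        tasks = [tasks[state["runs"] % 2]]
    state["last_run"], state["runs"] = now, state["runs"] + 1
    return tasks

def demo():
    """Daily alternate checks inside a 02:00-05:00 window; constructed visit times."""
    cfg = {"task": "alternate", "periodicity": "day", "interval": (2, 5)}
    state = {"last_run": None, "runs": 0}
    t0 = datetime(2024, 1, 1, 3, 0)
    visits = [t0, t0 + timedelta(hours=1), t0 + timedelta(days=1),
              t0 + timedelta(days=2, hours=5)]
    return [on_visit(t, state, cfg) for t in visits]
```

The fourth visit in demo() is due but falls outside the window, so nothing runs until a visitor arrives inside the interval; a site with no traffic in that window never launches the task, which is the trade-off of not touching the operating system's cron.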
Joomla 2.5
Joomla 3.x
With this module an Administrator can save a lot of time going directly to the component option
he/she is interested in.
The following icons can appear in the module (Joomla 3.x), each taking us to the related page:
- There aren't vulnerable components installed in the system
- There are vulnerable components installed in the system
- There aren't unread logs (Securitycheck Pro View logs Page)
- There are unread logs (Securitycheck Pro View logs Page)
- Permissions OK (File Manager Control Panel)
- Permissions WRONG (File Manager Control Panel)
- Integrity OK (File Integrity Control Panel)
- Integrity WRONG (File Integrity Control Panel)
System Info
This option gives us info about our Joomla, PHP and MySQL configuration, and also shows
the overall status of security and of the extension. This gives you an idea of the level of protection
applied by the extension's settings, the ability to know more about each setting, and the option to
increase it (available only in the Joomla 3.x version):
Every feature shows the status of all the options covered, with a More info button about
the option and a button to solve it.
With this option we can remotely manage the extension using Securitycheck Pro Control
Center.
To use this feature, we must generate a Secret key to cipher the communication between the
extensions and set the 'Enabled' field to Yes:
To know more about Securitycheck Pro Control Center, please read its user guide in our
Documentation section.
* This feature requires PHP's openssl library to work. If this library is not installed in your
system, this feature will not be enabled. In that case, please ask your hosting provider.
Rules Management
Sometimes we don't need to apply the Web firewall rules to everyone that uses our site, because
we trust the users of certain groups, for instance users that belong to the Administrator or Publisher
groups. Or we have a Buyer group and we want the users of this group not to be disturbed.
This is why we have created this option. Here you can see the groups to which you want to apply
the rules:
If a user belongs to several groups, the rules will not be applied if at least one of those
groups is marked No.
Despite having this type of 'privileged' users, we can see a log of the trusted entries in
the system by selecting the option 'View trusted entries':
Tasks
Initialize Data
Sometimes we may need to delete the Securitycheck Pro file permissions database; for example,
if we launch a check over the entire filesystem and then change the base path in Global Configuration.
If we don't initialize the data in this case, we'll still see all the system file permissions although
permissions checking is only made in the new base path.
Live Update
Securitycheck Pro incorporates the well-known Akeeba Live Update system to easily
manage product updates. Securitycheck Pro is updated frequently to keep up to date with the latest
vulnerabilities and the new techniques used to exploit Joomla bugs. The component informs us whether we
have the latest Securitycheck Pro version installed or a new version is available: Clicking on the above icon
you will get info about your installed version:
To update your version you only have to click on Update to the latest release.
If your server doesn't support Live Update, you will get the following icon:
Securitycheck Pro Live Update uses the cURL PHP extension or URL fopen() wrappers
to check for updates. If neither is installed on your system, updates will not be
available and you will get the previous screen, although the component will work fine.
please go to Global Configuration --> Component and fill in the Download ID text area.
You can find this value in your Download ID link in your My account menu (available after
login):
If the Download ID is not valid or your subscription has expired, Securitycheck Pro will fail
when it tries to update. You will see the following message:
If this is your case, please check your Download ID and/or your subscriptions to be sure
they are correct.
Export Config
This option exports your current settings of Web Firewall, Cron, .Htaccess protection and
Control Center (except the secret key, which is deleted for security reasons) into a file.
Import Config
This option OVERWRITES your current settings of Web Firewall, Cron, .Htaccess
protection and Control Center (except the secret key, which is deleted for security reasons) by
importing a previously exported file.
Performance
This feature has been designed to improve Joomla's performance.
Database optimization
This feature optimizes and repairs all MyISAM tables of your MySQL database. With the
flow of inserts and deletes, the performance of MySQL tables can drop. Regularly optimizing and repairing
MySQL tables rebuilds the indexes and limits the disk space used by MySQL on the server.
It's impossible to compute the fragmentation of an InnoDB table, which is why those tables are not included
in the optimization process.
Purge sessions
This feature purges (completely empties) the sessions table. Doing so will log everybody
out of the site, including yourself. Use this option only when you observe severe problems when
users are trying to log into the site.
Troubleshooting
There is one important setting in our website to avoid problems with the extension: Memory limit.
This setting is related to the File Manager, File Integrity and Malware scan checks. We store
the data of the check in memory before inserting them in files. If this value is not high enough for our
website, there will be no space in memory to store the data, so we will get a 500 error page or the
check will never end*.
A value of 256M should be valid for most websites (sites with up to 150k files). If we have a larger site,
we must increase this value. This value can be set by the extension itself*, under the Global
Configuration Fine Tuning option.
* In some shared hosting providers or VPS this is not possible due to server directives.
If for some reason you are not allowed to increase this value, you can disable the Cron plugin and
the Web Application Firewall will still work.