Let's Get Started
Today, personal computer systems and servers are being compromised at an
alarming rate. Servers such as yours that are hacked into are often used to sell "time"
by organized criminals around the world. They are selling time on desktops and
servers by the minute, hour, purpose, speed available, and other attributes. The
reason for their sale is to send out SPAM (unsolicited bulk email), to use as denial of
service attack points, or for any other unintended purpose.
Introduction
Joomla!, a very popular Content Management System (CMS), is as you may know
an easy-to-deploy-and-use content management system. This ease of use has lent
itself to rapid growth of both the CMS and extensions for it. You can install it on
almost any host, running Linux or Windows. This highly versatile software has
found itself in such lofty places as large corporate web portals, and humble places
such as the simple blog.
All of these share a common thread. They exist on the Web, which is one of the
most lawless places on the planet. Every day the "bad-guys" are out pacing the
good guys—and for a good reason. An ordinary user, who wants a powerful and
yet an easy-to-set-up website might choose Joomla!. He or she is not a specialist in
security, either good security or bad security. He or she is merely a target to be taken
down. While Joomla! itself is inherently safe, misconfigurations of the CMS,
vulnerable components, poorly configured hosts, and weak passwords can
all contribute to the downfall of your site.
This material is copyright and is licensed for the sole use by Thomas Rosenblum on 4th December 2008
1010 SW High Ave., , Topeka, , 66604
You will need to ensure that your copy of Joomla! is original and not compromised.
Once you install it, you will need to check a few key settings. And lastly, we'll
establish the permission settings of various files and folders. The intent of this
chapter is to get you prepared to have a good, solid setup before you go live. So let's
take a detailed look at the following:
Hosting—Selection and Unique Needs
In the "dot-bomb" days, everyone had an idea for the next Million Dollar deal. The
Internet enabled the clicks and bricks strategy of taking traditional businesses to the
Web, or even an 'Internet'-only business. Some, like eBay and Amazon, survived the
"dot-bomb" days, as did others. But many failed to survive.
One interesting type of business that rose up to support the growth was hosting
companies. In those days, I met with several hosting companies in my career and
they were running very well, in fact, most of them are still running quite well. Yet
the advent of cheap hardware, the demand for growth in the Internet landscape, and
the abundance of high-speed software have caused a glut of cheap hosting. Many of
these hosts are not the best choices for you, due to the inadequate security models
they have set up.
In this section, we'll discuss a little about what a host is, and how to select one that
will fit the needs of your Joomla! site and your business.
What Is a Host?
For the completely uninitiated, a "web host" or host is a company that houses your
website on its servers. They typically provide DNS, email, tech support, registration
of your domain name, firewalls and security, and much more.
Choosing a Host
If you've spent any time at all searching for a host, you will no doubt have found
You will need to determine right away the type of hosting you need, shared or
dedicated. The questions to help you determine which one you need are beyond the
scope of this book, but we will discuss the differences between the two.
Questions to Ask a Prospective Host
You may be a two-person shop in your field, but that makes you a leader. As a
leader, you cannot sit still; you must be planning for the future. You must be on the
lookout for threats to your business, and for opportunities to grow. Your host has
to be flexible enough to accommodate your needs in this area. Face it, if you select a host
simply because it is the lowest-cost provider, you are being "penny wise and
pound foolish", which is to say that the penny you save through your efforts is
costing you a dollar! Remember, selecting a provider on cost alone is a terrible
mistake, one that will cost you dearly. Take some time and review your competition
in your field. Where are they hosted? Why are they hosted there? What are the costs
and the associated setup fees to set up there, and so on? I am not advocating that you
follow them into the abyss of hosting. However, they may know something you do
not. Hosting is not your business, unless you are a hosting company. Your business
is whatever it is; yet hosting is an integral part of your business web strategy and
should be considered as such. It's not an after-thought, any more than "gee, I don't
care if I live in a terrible, crime-ridden neighborhood when I don't have to; it's cheap".
Take the time to review what your web strategy is. Evaluate your strategy in terms of
your questions.
Facilities
What physical security measures do the hosts have in place? I have visited countless
data centers in my career; yet, the ones that stand out in my memory are those
that had very strong security. This does not mean just a card swipe on
the server room door. No, this is a strong perimeter set at the front door, and strong
authentication at the check-in desk that you are supposed to be there. Once there,
can you open the rack or cage of anyone's servers? If you can, this is a bad sign.
Are the windows shatter-proof?
Environmental Questions about the Facility
Is your fire protection system in place?
Are you near a flood zone?
What emergency power are you provided with?
How long can the system run on that emergency power? (hours/days)
Is the data center on a "raised floor"?
Is there water detection under this raised floor?
How much cooling is provided in the data center?
Is there redundant cooling?
Do you have a humidity-controlled environment?
Do you have a site disaster plan? If so how often is it tested?
Site Monitoring and Protection
What is your plan to protect the "digital perimeter" of the data center?
This should include firewalls, intrusion detection systems (IDS), virus scanning, and so on.
patching of the O/S and the web server (in our example, Linux and Apache.) For
instance, when a critical vulnerability is discovered in the Linux kernel, you should
be able to know if it affects your shared or dedicated hosts. You should know when
it will be patched by the host (shared, virtual, or private), and if they maintain the
O/S for you on your dedicated equipment, when it will be handled. Time matters
when a vulnerability becomes public. Knowing the patch methodology (identification,
documentation, build of the patch, testing, and deployment) is just part and parcel
of your security experience. Remember, you are ultimately responsible for the
uptime and security of your site. Turning a blind eye to the host won't make you
secure. They may have the task and responsibility of patching, for instance, but at
the end of the day, your customers will not care whose fault it is, if you are breached.
They will want you to explain it.
Shared Hosting
In essence, shared hosting is renting space on a server. This, by far, is the most
economical route to get your website published, and the author would venture to
guess the most common route. This means they "carve out" a small portion of the
server's bandwidth, CPU, memory, and disk and assign it to you. You may see
something like the following screenshot when you FTP in:
As you can see, there are several shared server folders displayed, namely, the
public_html and www folders. These may vary based on your host, but the point
is "above" these folders are areas that their administrators can see, but we cannot.
Next in the directory there would be another set of folders that host another website.
We don't have the appropriate permissions to see them or interact with them. The
memory, disk, CPU, network bandwidth, and other portions of the server are shared
with everyone on this physical server. This shared model is economical because the
cost to run it is spread across many websites. The hosting company is responsible
panel looks like. However, many hosts do use the cPanel hosting applet. Dedicated
hosting often uses the same panel and features, but exceptions abound.
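On a shared host the only part of that directory tree you control is your own public_html (or www) and what sits beneath it, so the practical pre-launch check is the one this chapter promises: the permission settings of your files and folders. The following POSIX shell script is an added example, not code from the book or from the Joomla! project. It builds a small constructed tree standing in for a Joomla! web root, reports every directory that is not 755 and every file that is not 644 (the usual Joomla! recommendation), flags anything world-writable, and can apply the recommended modes. The sample paths and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and normalise permissions under a Joomla! web root on
# a shared host. Directories are expected to be 755 and files 644; anything
# world-writable is reported separately because another tenant or a
# compromised process on the same box could alter it.

# Print one "ls -ld" line per directory that is not 755 and per file that
# is not 644 beneath the given root.
audit_perms() {
    find "$1" -type d ! -perm 755 -exec ls -ld {} \;
    find "$1" -type f ! -perm 644 -exec ls -ld {} \;
}

# Print one line per world-writable entry (the "other" write bit is set).
list_world_writable() {
    find "$1" -perm -002 -exec ls -ld {} \;
}

# Convenience counters so the results can be checked in a script.
count_bad_perms() {
    audit_perms "$1" | wc -l | tr -d ' '
}

count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Apply the recommended modes: 755 for directories, 644 for files.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Build a constructed sample tree (not a real site) in a temp directory and
# print its path. Two entries are deliberately wrong: a 777 tmp directory
# and a 666 configuration.php.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/images" "$root/public_html/tmp"
    : > "$root/public_html/index.php"
    : > "$root/public_html/configuration.php"
    : > "$root/public_html/images/logo.png"
    chmod 755 "$root/public_html" "$root/public_html/images"
    chmod 777 "$root/public_html/tmp"
    chmod 644 "$root/public_html/index.php" "$root/public_html/images/logo.png"
    chmod 666 "$root/public_html/configuration.php"
    printf '%s\n' "$root"
}

# Usage: sh audit_perms.sh /path/to/public_html
# With an argument, audit that directory; with none, do nothing.
if [ $# -gt 0 ]; then
    echo "Entries not matching 755 (dirs) / 644 (files):"
    audit_perms "$1"
    echo "World-writable entries:"
    list_world_writable "$1"
fi
```

Run the audit before going live and again after any extension install, since installers frequently loosen modes on their own directories. Run `fix_perms` only against your own web root: on a shared host you cannot (and should not try to) change anything above it.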
Dedicated Hosting
Often a dedicated host is what you will choose if you want the full power of the
server. You might want this if you are expecting a ton of traffic to the site, in which case
you would not want to "share" the resources of the box.
In this case, you will have to either administer the system or pay the host to
administer the box for you. You probably will have to do the patching of the
operating system, in addition to the other components. You may not have to keep the
hardware running, as you are renting an entire box.
Other forms of dedicated hosting are when you purchase the hardware yourself and
place it into a co-location facility. Known as a co-lo, these businesses provide you
"pipe, power, and ping". In other words, they will give you a secure place to house
your machine, provide the power, provision the IP address, and provide security.
Both these options are very costly, with the last one being the most time and money
consuming on your part.
How do you choose what to do? If you are starting out for the first time, a convenient
and economical choice is to go with the shared hosting, month-to-month. This way, if
you discover problems with the hosting, you can always move and not incur a great
deal of expense.
Again, the author does not make any recommendations for hosting; however, a
couple of great places to start your search are:
http://www.webhostingtalk.com/
http://whreviews.com/searchstrategy.htm
These two sites can provide you with a great deal of knowledge about different
hosts, their costs, the level of support you can expect and so forth.