Securing Joomla 1.5 with GuardXT

GuardXT is an open source extension for Joomla 1.5 that monitors filesystem changes and performs periodic security checks. Ideally you should install it immediately after setting up a clean Joomla installation.

Update: Development on GuardXT has stopped with version 1.00.04 for Joomla 1.5. I am keeping these notes online for reference purposes, but I have moved on to using Admin Tools, another security extension.

Download GuardXT and install it in the usual way. There is no RSS security feed to subscribe to; one of the few weaknesses of this excellent product.

Go to Components – GuardXT, acknowledge the first time splash screen, and click on Settings. Enter your email address and directories to exclude. I like to exclude /administrator/cache;/ANALOG_REPORTS;/cache;/images;/tmp;. To minimize runtime, GuardXT’s author recommends disabling healthcheck on initialization and not calculating hash values for large files (say, greater than 200 KB). Make any other changes as desired and press “Save”.

Apropos hash values above, executables are the most important files to monitor, and they tend to be smaller than non-executables. This is particularly true if your Joomla users have the bad habit of uploading multi-megabyte photos straight from the camera. Thus it is often reasonable to set a cutoff file size for hash value calculation. 200 KB works well for me; your mileage may vary.

The Security News section displays the most recent announcements from the Joomla security team. Not all of them will apply to your installation, but do review them all and act upon them as appropriate.

The Version Checks section informs you if your versions of Joomla and GuardXT are current. Update them if not. The “Check additional components” item is of limited utility to me; I find it more useful to subscribe to the RSS security feeds of all installed extensions.

In the File Guard section, perform an initial run (which builds a database of all the files on your Joomla installation) and a check run (which confirms that directories and files have appropriate ownership and permissions). Insure that the time and date of performing the initial and check runs correctly appear. The “health check” can be skipped: a vestige from previous versions, this is now performed automatically as required.

You will be warned of many unconfirmed file and folder changes. Don’t worry; on first use this simply means that you have to confirm the results of the initial run . Press “Review now” and confirm them all.

You will likely be warned of files and directories that do not have recommended permissions; review and change them as appropriate. Unless you have reason to do otherwise, apply the recommended settings.

When GuardXT informs you that the file and directory permissions problems have been fixed, run another check run to confirm. If the same issues reappear, this indicates a deeper permissions problem on the server that needs to be addressed before continuing (see “Preparation” in my Installing Joomla notes). Come back here after fixing it.

In the Joomla Server Configuration Check section, GuardXT identifies needed .htaccess files, and will offer to create them for you. Every site’s needs are different, so you should use these newly created files merely as a first draft and modify them as needed. In particular, the advice to password protect the administrator/ directory is in my opinion overkill for many installations. To suppress the warning I create an empty .htaccess file (touch joomla_docroot/administrator/.htaccess); bear in mind this adds no extra security.

In the PHP Checks section, nothing should appear in red. If so, modify your docroot .htaccess or php.ini file as appropriate — more likely the latter if you are using php-cigwrap or similar — according to these instructions.

The initial run built a database of all the files of your Joomla installation. In subsequent check runs, the current state of the Joomla installation is compared against the database. Each new or modified file goes into the list of unconfirmed files. You should periodically review this list and confirm that all flagged items are benign, e.g. due to a newly installed extension. Files with insecure permissions will likewise be flagged; correct them as appropriate. It is thus prudent to manually perform a check run immediately before and immediately after installing a new extension.

Performing manual check runs before and after installing extensions is good, but you should also have GuardXT run a daily automated check with cron.

If GuardXT fails with the error message “Maximum execution time of X seconds exceeded”, this is because GuardXT needs more time than PHP is giving it to do its work. Solutions to this fall into two broad categories: reduce GuardXT’s workload, or configure PHP to allow more time:

  • Begin by reducing GuardXT’s workload. Insure that it is configured as recommended above: that unnecessary directories are excluded, that hash values for large files are not calculated, and the healthcheck on initialization is disabled. Consider excluding additional directories that are less critical from a security standpoint. Consider adjusting the hash value cutoff.
  • If those measures are insufficient, then configure PHP to allow more processing time by increasing the value of max_execution_time the minimum amount needed.

One user encountered and resolved an interaction problem between GuardXT, JoomlaPack, and conservative server settings. If you use JoomlaPack or its successor Akeeba Backup, perform a manual backup after your first use of GuardXT to insure that all is well.

If GuardXT discovers a directory of the form /administrator/mediainstall_* ending in random characters, you are probably seeing the leftover from a failed component installation. You should delete it, given that this directory’s permissions are often 777.

If you migrate a site to a new host, GuardXT’s file guard will consider most or all of the files as changed. Quickly review them all. Don’t bother confirming any wanted files, but do delete any stray files that are specific to the old server. Once you are sure everything that remains is wanted, perform a new initial run — this is GuardXT’s reset button — and repeat the tasks in the “configuration and first use” section above.

GuardXT is available at no cost and depends upon the sale of user manuals to sustain the project. If you find it useful, consider purchasing a manual or making a donation.

GuardXT served my needs well on Joomla 1.5 and worked out of the box with virtually no setup. If you use more recent versions of Joomla or have different needs, you might be interested in the offerings in the Joomla extensions directory in the categories of security tools, site monitoring, and site protection. In particular these open source extensions look promising:

GuardXT support forum


About Warren Post

So far: Customer support guy, jungle guide, IT consultant, beach bum, entrepreneur, teacher, diplomat, over-enthusiastic cyclist. Tomorrow: who knows?
This entry was posted in Uncategorized and tagged , . Bookmark the permalink.

2 Responses to Securing Joomla 1.5 with GuardXT

  1. anonymous says:

    Lovgret writes:GuardXT is no longer maintained / supportet. Any alternatives?

  2. Pingback: Updating Joomla 1.0 and 1.5 | A maze of twisty little passages

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s