
securitycheck.protegetuordenador.com

Securitycheck Pro
user guide

Version 2.8.19

Copyright (c) 2017 Securitycheck Extensions. Securitycheck
Extensions and the Securitycheck Extensions logo are registered
trademarks owned by José A. Luque for their non-exclusive use.
No commercial use whatsoever may be made of these marks
without the express written permission of the mark owner.

Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License,
Version 3 or any later version published by the Free Software
Foundation, with no Invariant Sections, no Front-Cover Texts and no
Back-Cover Texts. A copy of the license is included in the section
entitled GNU Free Documentation License.


DISCLAIMER
No software can ensure full protection against every attack imaginable. The use of this
extension should NEVER replace adequate security measures. Make regular backups and keep
an eye out for abnormal site behaviour even if you use this software. (You can see this entry in our
forum to get info about Joomla's security).

Overview
Securitycheck Pro has four main features: a component, a module and two plugins.
The Securitycheck Web Firewall plugin has been designed as a web firewall to protect your site, while
the Securitycheck Cron plugin allows us to launch tasks on a schedule.
The component shows which extensions (components, modules and plugins) installed on your
system are vulnerable, gives vulnerability details for each vulnerable extension and has a database of all
vulnerabilities discovered/published for each Joomla version. It also reads file permissions to
show which of them are misconfigured and checks filesystem integrity to alert us when any file is
modified. It also looks for suspicious patterns in files and gives us the possibility to check suspicious
files against a free online service with 40 anti-malware engines and millions of hashes of infected
files.
The module shows you useful info about the website's security state without going to the component
main page.

Installation
Before installing this extension, you should be sure you have direct access to your
Joomla website database to disable the plugin if necessary (visit the forum to see
how). The Securitycheck Pro Web Firewall plugin is enabled by default and, in some
cases, you could get a 4xx error when you try to access your site (both backend and
frontend). This IS NOT A BUG. We have found some templates that store cookies in
an unsafe way, so in this case the plugin blocks access to the entire site.

Securitycheck Pro supports PHP 7.

Installing Securitycheck Pro is easy. You only have to go to Extension Manager, select Install
and navigate to your Securitycheck Pro zip file:


Press the Upload & Install button. You'll see a screen with a summary of the installation
process:

If you have Securitycheck installed, Securitycheck Pro will uninstall it to avoid conflicts
between plugins. Logs previously recorded will be erased.
There are other methods to install extensions; you can find them at this url:
https://www.siteground.com/tutorials/joomla/install-joomla-extension.htm

Per our policy regarding End-Of-Life Joomla! release branches, some of these features are
available only in the J3X version.

CPanel
Securitycheck Pro has a powerful control panel to manage all available options. When we
choose Securitycheck Pro from the Components menu, we'll see the following:

Extension status
Here we can see Overall security, Web Firewall Plugin, Cron, Logs, Update Database
plugin status and Spam Protection status*, and whether the extension is up to date (see the Liveupdate
paragraph). In the Log status option we will also see the number of unread logs.
* The Update Database plugin is not included in the extension; it must be purchased separately.
The Spam Protection plugin is a free plugin that can be downloaded.


Main Menu
All the options available to manage the entire extension.

Statistics
There are three tabs: Historic, Detail and Lists.

The first one shows a chart of every event triggered by the Web Firewall since the
extension was installed. Data is grouped into 3 categories: Firewall rules applied, Blocked access
attempts and User/session protection entries.
The second one shows links with the number of events generated by the Web Firewall in
certain periods (today, yesterday, last year...).


The Lists tab shows the number of elements on each List (Blacklist, Whitelist and Dynamic
Blacklist) and the option to manage them using a button:

Easy config
Some Web Firewall filters may require your attention to work properly, because they check for
patterns that may be present in certain attacks but also in legitimate queries. If you have a lot of
sites and no time to configure each one, if your site is commercial and you don't want to worry
about this, or if you have no idea about security, you should apply an 'Easy config' to the Web
Firewall.
All you have to do is click the button.
With 'Easy Config' you set a conservative configuration in the Web Firewall by
disabling the filters that require closer attention to avoid false positives: a little bit less
secure but more functional.
'Default Config' will restore your previous configuration, with all filters enabled and your
own exceptions included.


(Each button is generated automatically depending on the config applied)

Help us

If you use Securitycheck Pro, please post a review on JED. There is a URL to do it on
the main screen of the component. This will help us to improve the product and give
you a better service.
NOTE: We have a forum to answer your questions/problems. Please, use it before
posting your review.
Disclaimer

Check Vulnerabilities
This option checks the installed extensions (components, plugins and modules) and the Joomla
core version, comparing them with its database. We can see if there is any vulnerable extension
through an easy color code, plus useful info about the Update Database plugin:


If there are vulnerable extensions, the extension name is shown as a URL. If you click
on it, you'll see all the known vulnerabilities for this product, ordered by published date:

List of known vulnerabilities


Securitycheck has a complete database for each Joomla version that you can query if you
have any doubt about the security of some component, plugin or module. For each vulnerability we can
see the vulnerable product, description, class, published date, affected versions and the solution
proposed by the manufacturer (if any):


File Manager
With File Manager we can check the file permissions of our Joomla site. In the File Manager
Control Panel window we can see two sections: Manual analysis and Analysis summary:

In the Manual analysis section we have a 'Start' button to launch an analysis of file permissions.
We have a table with the start time, end time and current task of this process.
If we launch this check, we will see a progress bar with the status of the process.
Please, don't navigate to another page until the process has finished or you get an error message.


When this process ends, you'll see a completion message.

When you click on it, the analysis summary table will be updated, showing us the last check
timestamp, the number of analyzed files and the number of files/folders with misconfigured permissions:

If you change the permissions of a file in your filesystem, this change will not be
reflected in the Analysis summary until a new check is launched.

View file permissions


This option shows us file permissions status with the same color code used in Check
Vulnerabilities option:

As you can see, we can filter results by kind (file/folder), permissions (wrong, ok,
exceptions) or any other search term.
If there are more than 3000 files with incorrect permissions, you will see an alert at the top
of the page:


There are three folders (and all files and subfolders under them) marked as exceptions:
/tmp, /logs and /cache.

If we have some files with misconfigured permissions, we can correct the problem by selecting
them and clicking the Repair option.

To change file/folder permissions, Securitycheck Pro can use two methods, established in
Change permissions method (see Global Configuration --> File Manager option).

When the process ends, a log file is created and we get a completion screen:

Clicking the View log button we'll see a screen with the state of every change attempt;
failed attempts are shown in red and successful attempts in green:

Every time we click the Repair button, an entry is recorded in a log file. By default, this file
is deleted every time, but you can change this behaviour in Delete log file (see Global Configuration
--> File Manager option).
* The Repair option works on UNIX-derived operating systems (like Linux, Mac, Solaris), not
on Windows.
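The following Python script is an added example and is not part of this guide or of Securitycheck Pro: it walks a site tree, classifies each file and folder as ok, wrong or exception using the three excepted folders named above, and applies the expected mode to the wrong ones the way a Repair run would, recording each attempt as the log described above does. The expected modes (0644 for files, 0755 for folders) are an assumption of the example, and the tree it checks is constructed in a temporary directory.

```python
import os
import stat
import tempfile
from pathlib import Path

# Folders the guide marks as exceptions (relative to the site root).
EXCEPTION_DIRS = ("tmp", "logs", "cache")
# Assumed expected modes: 0644 for files, 0755 for folders.
EXPECTED_FILE_MODE = 0o644
EXPECTED_DIR_MODE = 0o755


def is_exception(rel: Path) -> bool:
    """True when the path lies under one of the excepted folders."""
    return bool(rel.parts) and rel.parts[0] in EXCEPTION_DIRS


def check_permissions(base: Path) -> list:
    """Classify every file and folder under base as ok, wrong or exception."""
    results = []
    for root, dirs, files in os.walk(base):
        for name in dirs + files:
            path = Path(root) / name
            st = path.lstat()                         # do not follow symlinks
            is_dir = stat.S_ISDIR(st.st_mode)
            mode = stat.S_IMODE(st.st_mode)
            expected = EXPECTED_DIR_MODE if is_dir else EXPECTED_FILE_MODE
            rel = path.relative_to(base)
            if is_exception(rel):
                status = "exception"
            elif mode == expected:
                status = "ok"
            else:
                status = "wrong"
            results.append({"path": str(rel), "kind": "folder" if is_dir else "file",
                            "mode": oct(mode), "expected": oct(expected), "status": status})
    return results


def repair(base: Path, results: list, dry_run: bool = True) -> list:
    """Apply the expected mode to every 'wrong' entry; return (path, outcome) pairs."""
    log = []
    for entry in results:
        if entry["status"] != "wrong":
            continue
        try:
            if not dry_run:
                os.chmod(base / entry["path"], int(entry["expected"], 8))
            log.append((entry["path"], "dry-run" if dry_run else "ok"))
        except OSError as exc:
            log.append((entry["path"], f"failed: {exc}"))
    return log


def demo() -> dict:
    """Build a constructed site tree in a temp dir, check it, repair it and re-check."""
    def count(res, status):
        return sum(1 for r in res if r["status"] == status)

    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for folder, mode in (("components", 0o755), ("tmp", 0o777)):
            (base / folder).mkdir()
            os.chmod(base / folder, mode)
        for name, mode in (("index.php", 0o644), ("configuration.php", 0o666),
                           ("tmp/upload.php", 0o666)):          # 0666 is world-writable
            (base / name).write_text("<?php // constructed sample\n")
            os.chmod(base / name, mode)
        before = check_permissions(base)
        attempts = repair(base, before, dry_run=False)
        after = check_permissions(base)
        return {"wrong_before": count(before, "wrong"),
                "ok_before": count(before, "ok"),
                "exceptions": count(before, "exception"),
                "repaired": [p for p, outcome in attempts if outcome == "ok"],
                "wrong_after": count(after, "wrong")}


if __name__ == "__main__":
    print(demo())
```

The world-writable configuration.php is the only entry reported as wrong; the 0777 tmp folder and the file inside it are reported as exceptions rather than repaired, which is the behaviour described for /tmp, /logs and /cache.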

File Integrity
With File Integrity we can check the integrity of every file in our Joomla site. File Integrity
generates a hash value for each file; when a file is changed, even by a minimal modification,
its hash value changes and we will be alerted: nothing will happen in our filesystem
without us knowing.
In the File Integrity Control Panel window we can see two sections: Manual integrity check
and Integrity check summary:


In the Manual integrity check section we have a 'Start' button to launch a check of file integrity.
We have a table with the start time, end time and current task of this process.
If we launch this check, we will see a progress bar with the status of the process.
Please, don't navigate to another page until the process has finished or you get an error message.

This process can overload your server, affecting QoS, so this check
should be launched in a period of low server activity.
A standard Joomla installation has almost five thousand files, and every one has to be
checked, so this process can take a long time.

When this process ends, you'll see a completion message and the 'Start' button will be
transformed into a 'Refresh' button.

When you click on it, the integrity check summary table will be updated, showing us the last check
timestamp, the number of analyzed files and the number of new/modified files:


When this task takes more time than your session lifetime, you will get the following
message:

This is not a big deal. You should click the refresh button (log in again if your session has
expired), and you will get the actual progress of the task:

You won't be able to launch a new task or access File Integrity Status until the last
task has finished.

View files integrity


This option shows us files integrity status with the same color code used in Check
Vulnerabilities option:


As you can see, we can filter results by integrity (compromised, ok, exceptions) or
any other search term.

If we have files marked as compromised and we know that there is no problem with them
(e.g. when we install an update of an extension), we must use the Mark all as safe option:

There are three folders (and all files and subfolders under them) marked as exceptions:
/tmp, /logs and /cache.

If there are more than 3000 files with incorrect integrity, you will see an alert at the top of the page:

* The first time you launch File Integrity, all files are marked with wrong integrity; this is because
there is no previous information about the files. Mark all of them as safe to create a baseline.
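To show what an integrity check of this kind does under the hood, here is an added Python example (not the extension's code): it takes a SHA-256 snapshot of every file outside the excepted folders, which plays the role of the baseline recorded by 'Mark all as safe', then compares a later snapshot against it and reports new, modified and deleted files. The file tree and the changes are constructed inside a temporary directory, and the hash algorithm is the example's own choice.

```python
import hashlib
import os
import tempfile
from pathlib import Path

EXCEPTION_DIRS = ("tmp", "logs", "cache")   # folders the guide marks as exceptions


def file_hash(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(base: Path) -> dict:
    """Map every non-excepted regular file (relative path) to its hash."""
    snap = {}
    for root, dirs, files in os.walk(base):
        if Path(root) == base:
            # Prune the excepted top-level folders so nothing under them is hashed.
            dirs[:] = [d for d in dirs if d not in EXCEPTION_DIRS]
        for name in files:
            path = Path(root) / name
            if path.is_symlink():
                continue
            snap[str(path.relative_to(base))] = file_hash(path)
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Report new, modified and deleted files relative to the baseline."""
    return {
        "new": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and baseline[p] != current[p]),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed site tree: take a baseline, change files, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for rel, text in (("index.php", "<?php echo 'home';\n"),
                          ("components/com_x/x.php", "<?php // component\n"),
                          ("cache/page.html", "<html>cached</html>\n")):
            path = base / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
        baseline = snapshot(base)            # this is what 'Mark all as safe' records
        # Simulated changes: one edit, one new file, and a cache rewrite that must not show up.
        (base / "index.php").write_text("<?php echo 'home (edited)';\n")
        (base / "images").mkdir()
        (base / "images/new.php").write_text("<?php // file that was not there before\n")
        (base / "cache/page.html").write_text("<html>refreshed</html>\n")
        report = compare(baseline, snapshot(base))
        report["baseline_files"] = len(baseline)
        return report


if __name__ == "__main__":
    print(demo())
```

Because the excepted folders are pruned before hashing, a rewritten cache file never shows up as modified, which is the reason the guide marks /tmp, /logs and /cache as exceptions: their contents change constantly and would otherwise flood the report.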

View Web Firewall Logs


In this section we can see the logs recorded by the plugin. They are sorted by most recent
date and we can specify a search to filter the results. Also, there are predefined sorts by description,
type and status:

When a log is recorded in the system it is marked as Not read with the following icon
in the main screen. Every log should be checked by the webmaster and marked as Read.
To do this, we must select the Mark as read option and it will automatically be marked as Read.
We can also delete old logs and add offensive IPs to the blacklist with the Delete and Add to
blacklist options.
If you want to save your logs, choose the Export logs option and you will get a save dialog
to export your logs in .csv format.

Logs format
Every log recorded has the following format:
Ip: IP address that generated the event.
Geolocation: Country and continent to which the IP address belongs.
Time: Date of the event.
User: The user logged in when the event is captured.
Description: A description of the event. It also includes the method inspected, the
field implicated and a non-editable text box with the string that generated the
lock.
URL: URL from which the event was generated.
Component: The component involved in the query. This field is particularly useful if
the plugin is blocking requests that should not be blocked (see the section Plugin -->
Exceptions of this manual).
Type: A descriptive icon of the attack type (move the mouse over the image to obtain
information).
Read: Log status. Every log should be checked and marked as Read by the
webmaster.

Logs type
Each log carries an icon whose meaning is one of the following:
IP blocked / IP Geoblocked
IP dynamically blocked
LFI (Local File Inclusion)
LFI (Local File Inclusion) in base64 format
Second level protection
SQL Injection
SQL Injection in base64 format
XSS (Cross-Site Scripting)
XSS (Cross-Site Scripting) in base64 format
HTTP header 'user-agent' modification
User session protection (forbid concurrent user logins and failed login attempts)
User session protection (session hijack protection)
Spam protection
Url inspector
Upload scanner

I have no logs, how can I check if Securitycheck Pro is working fine?

A simple test to check that the plugin is working is to use the pattern ' or 1=1-- in a field of our
Joomla website (log-in module, contact form, forum, ...):

We should see the following error message*...

* The previous screen will depend on the template used on your website.

... and there should be a new entry in our logs:

So Securitycheck Pro is working fine!
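As an added illustration, not the Web Firewall's own rule set, the following Python code shows how a filter for the guide's test string can work on the defending side: every request field is matched against a tautology pattern, fields that look like base64 are decoded and checked again (the 'SQL Injection in base64 format' log type), and each hit is turned into a record with the fields listed under 'Logs format'. The requests, IP addresses and component names are constructed samples, and the regular expression is the example's assumption, not the plugin's filter.

```python
import base64
import binascii
import re
from datetime import datetime, timezone

# Assumed detection rule for the guide's test string (' or 1=1--): a quote followed
# by OR and a numeric tautology. The real plugin's filters are not reproduced here.
SQLI_TAUTOLOGY = re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.IGNORECASE)
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def decode_if_base64(value: str):
    """Return the decoded text when value is well-formed base64, otherwise None."""
    if len(value) % 4 or not B64_SHAPE.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", errors="ignore")
    except (binascii.Error, ValueError):
        return None


def inspect_request(request: dict) -> list:
    """Check every field of a request; return log entries in the guide's format."""
    entries = []
    for field, value in request["fields"].items():
        hit, kind = None, None
        if SQLI_TAUTOLOGY.search(value):
            hit, kind = value, "SQL Injection"
        else:
            decoded = decode_if_base64(value)
            if decoded and SQLI_TAUTOLOGY.search(decoded):
                hit, kind = decoded, "SQL Injection in base64 format"
        if hit is None:
            continue
        entries.append({
            "Ip": request["ip"],
            "Time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "User": request.get("user", "-"),            # '-' when nobody is logged in
            "Description": f"{kind}; method {request['method']}; field '{field}'; string {hit!r}",
            "URL": request["url"],
            "Component": request.get("component", "-"),
            "Type": kind,
        })
    return entries


def demo() -> list:
    """Run constructed requests (IPs from the documentation ranges) through the inspector."""
    sample_requests = [
        {"ip": "203.0.113.10", "method": "POST", "url": "/index.php?option=com_users",
         "component": "com_users", "fields": {"username": "' or 1=1--", "password": "x"}},
        {"ip": "203.0.113.11", "method": "GET", "url": "/index.php?option=com_content",
         "component": "com_content",
         "fields": {"q": base64.b64encode(b"' or 1=1--").decode()}},
        {"ip": "198.51.100.5", "method": "POST", "url": "/index.php?option=com_contact",
         "component": "com_contact", "fields": {"name": "O'Brien", "msg": "or not"}},
    ]
    return [entry for req in sample_requests for entry in inspect_request(req)]


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The third request shows why the Component field matters: a legitimate apostrophe in a name does not match the tautology pattern here, but a stricter filter could, and the Component value is what you would use to add an exception for that form rather than disabling the filter site-wide.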

.htaccess protection

IMPORTANT NOTES FOR .HTACCESS NOOBS

As a configuration file, .htaccess is very powerful. Even the slightest syntax error
(like a missing space) can result in severe server malfunction. Thus it is crucial to
make backup copies of everything related to your site (including any original
.htaccess files) before working with your Hypertext Access file(s). It is also important
to check your entire website thoroughly after making changes to your .htaccess file. If
any error or other problems are encountered, employ your backups immediately to
restore original functionality.

.htaccess files are a powerful mechanism to avoid unauthorised access to our site and to add
a basic security mechanism to our site. There are 4 main areas to configure in our .htaccess file:

Self-protection
This area includes options to protect our own .htaccess files and our server.

Prevent access to .ht files

Any attempt to access ^.ht files (e.g. .htaccess and .htaccess.backup) will
result in a 403 error message.


Prevent Unauthorized Directory Browsing

Prevent unauthorized directory browsing by instructing the server to serve a
'xxx Forbidden Authorization Required' message for any request to view a directory. For example,
if your site is missing its default index page, everything within the root of your site will be
accessible to all visitors.

Protect against file injection attacks


Protect against Local and Remote File Inclusion attacks.

Protect against /proc/self/environ attacks

Gives us an additional layer of security against attacks using the
/proc/self/environ methods.

HTTP Headers Protection

This option adds protection based on HTTP headers.

X-Frame Options
The X-Frame-Options HTTP response header can be used to indicate whether
or not a browser should be allowed to render a page in a frame or iframe. This can be used to avoid
clickjacking attacks, by ensuring that your content is not embedded into other sites.
DENY - This setting prevents any page served from being placed in a frame, even if it is on the
same website it originates from. It should be used if you never intend for your pages to be used inside
a frame.
SAMEORIGIN - This setting allows pages to be served in a frame of a page on the same website.
If an external site attempts to load the page in a frame, the request will be denied.

Prevent 'mime' based attacks

This header prevents Internet Explorer from MIME-sniffing a response away
from the declared content-type, as the header instructs the browser not to override the response
content type. With the nosniff option, if the server says the content is text/html, the browser will
render it as text/html.
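To verify that the two headers are actually being sent once these options are applied, here is an added Python check that is not part of the guide or the extension: it parses a raw response head, like the one `curl -I` prints, and reports whether X-Frame-Options carries DENY or SAMEORIGIN and X-Content-Type-Options carries nosniff. Both sample responses are constructed for the example.

```python
VALID_FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}   # the two values the guide documents


def parse_raw_headers(raw: str) -> dict:
    """Parse a raw HTTP response head (as printed by curl -I) into a dict.

    Header names are lower-cased; a repeated header has its values joined with ', '.
    """
    headers = {}
    for line in raw.splitlines()[1:]:        # first line is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def audit_headers(headers: dict) -> list:
    """Return findings; an empty list means both protections are present and valid."""
    findings = []
    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: pages can be framed by other sites (clickjacking)")
    elif xfo.upper() not in VALID_FRAME_OPTIONS:
        # A joined value such as 'SAMEORIGIN, DENY' also lands here: browsers ignore conflicting values.
        findings.append(f"X-Frame-Options value {xfo!r} not supported; use DENY or SAMEORIGIN")
    xcto = headers.get("x-content-type-options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff': MIME sniffing is possible")
    return findings


# Constructed responses: before and after applying the two options.
BEFORE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
          "X-Frame-Options: ALLOWALL\r\n\r\n")
AFTER = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
         "X-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n\r\n")


def demo() -> dict:
    return {"before": audit_headers(parse_raw_headers(BEFORE)),
            "after": audit_headers(parse_raw_headers(AFTER))}


if __name__ == "__main__":
    print(demo())
```

Run it against the output of `curl -I` for a page on your site after clicking 'Protect'; an empty list for that response confirms the directives made it into the served headers, which is a better check than reading the .htaccess file itself.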

Protection against malicious user-agents

Here we can forbid access to malicious bots, identifying them through the user-agent (you
can get more information about user-agents on this page:
http://whatsmyuseragent.com/WhatsAUserAgent.asp).

Use default user-agents banned list

Use Securitycheck Pro's blacklist feature. Securitycheck Pro incorporates a
blacklist with the most common malicious user-agents to save you work. You can edit it by clicking on
the Edit default user-agents button.

Banned user-agents
Do you have problems with a new bot that is not included in our default
blacklist? Use this option to create a new rule to block it.

For example, suppose you have a lot of entries like this in your access log (this file is
usually provided by your web hosting):


xx.xx.xx.xx - - [11/Jan/2013:00:11:41 -0500] "GET /xxxxxt HTTP/1.0" 200 1195 "-" "Mozilla/5.0
(compatible; Ezooms/1.0; ezooms.bot@gmail.com)"

The last part of this entry is the user-agent of this bot. If you want to block its access to your
site, you only have to add ezooms to this option, save your changes and apply them. Remember
you have to enter only one user-agent per line.

This option has been created to make your life easier. If you want to block a user-
agent, you don't have to put the entire string to create a new rule. You only have to put
a string that appears in the user-agent to block it.
This is the reason you only have to put ezooms to block the bot of the example.

This option is a powerful mechanism to keep your .htaccess file updated. But it could
give you a lot of headaches if you set a wrong rule.
For example, if you use Mozilla/5.0 (compatible; Ezooms/1.0; ezooms.bot@gmail.com) instead
of ezooms to block the bot of the example, you will get an Internal Server Error on your
entire site. Please, test every new rule before using it on your site.
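The following Python example is added here and is not part of Securitycheck Pro. It pulls the user-agent out of an access log line in the combined format shown above, confirms that a short rule such as ezooms matches it as a case-insensitive substring, and flags the characters (spaces, parentheses, dots) in the full user-agent string that make it unsafe to paste into a rule as-is. The list of unsafe characters is the example's own assumption about what a regular-expression based rewrite rule would interpret; the log-line regex is likewise the example's.

```python
import re

# Apache combined log format, as in the guide's sample line (the regex is the example's own).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Assumption: characters that a regular-expression based rewrite rule would interpret,
# or that end the argument (whitespace), if pasted into a rule unescaped.
UNSAFE_CHARS = set(' \t()[]{}.*+?^$|\\"')


def user_agent_from_log(line: str) -> str:
    """Extract the user-agent string from a combined-format access log line."""
    m = LOG_LINE.match(line.strip())
    if not m:
        raise ValueError("line is not in combined log format")
    return m.group("agent")


def rule_problems(rule: str) -> list:
    """Return the characters in a candidate rule that make it unsafe as-is (empty = fine)."""
    return sorted({c for c in rule if c in UNSAFE_CHARS})


def rule_matches(rule: str, user_agent: str) -> bool:
    """A 'contains ezooms' rule: case-insensitive substring match."""
    return rule.lower() in user_agent.lower()


# The guide's sample access log entry (IP and path redacted as in the guide).
SAMPLE_LINE = ('xx.xx.xx.xx - - [11/Jan/2013:00:11:41 -0500] "GET /xxxxxt HTTP/1.0" 200 1195 "-" '
               '"Mozilla/5.0 (compatible; Ezooms/1.0; ezooms.bot@gmail.com)"')


def demo() -> dict:
    ua = user_agent_from_log(SAMPLE_LINE)
    short_rule = "ezooms"
    return {
        "user_agent": ua,
        "short_rule_ok": rule_problems(short_rule) == [] and rule_matches(short_rule, ua),
        "full_rule_problems": rule_problems(ua),   # why the full string breaks the site
    }


if __name__ == "__main__":
    print(demo())
```

Running rule_problems over each line you intend to add is a cheap pre-flight check before clicking 'Protect': a non-empty result means the rule needs shortening to a plain substring, exactly as the guide advises with ezooms.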

Own code
Write your own code to be added to the file. As I told you in the previous
paragraph, a single mistake can result in an Internal Server Error.

Fingerprinting Protection
When a hacker wants to attack a website, he usually has to identify what kind of
technology is used. In our case, there are a lot of signals that identify a Joomla CMS. With .htaccess
files we can add a basic protection to avoid these techniques.

The following measures only refer to avoiding fingerprinting using .htaccess files. You
are NOT protected against these techniques by applying only these options. You must
configure a lot of things, even at server level, to mitigate these techniques.

Disable server signature


Disabling the digital signature that would otherwise identify the server.

For example, if you forbid access to the README.txt file and this option is not applied,
you will see information about the server if you try to access that file:


If this option is applied, you will not see that info:

Disallow PHP Easter Eggs

PHP contains a flaw that may lead to an unauthorized information disclosure.
The issue is triggered when a remote attacker makes certain HTTP requests with crafted arguments,
which will disclose the PHP version and other sensitive information, resulting in a loss of
confidentiality.

For example, if this option is not applied and we make a special request to our site,
we will see information about the PHP credits of the version installed on our site:

If this option is applied, this query will result in a 403 error:


Disallow Access to Sensible Files

Disallow direct access to files.
By default, it will forbid access to the htaccess.txt, configuration.php, configuration.php-dist,
joomla.xml, README.txt, web.config.txt, CONTRIBUTING.md, phpunit.xml.dist and
plugin_googlemap2_proxy.php files.

For example, if this option is not enabled, you will be able to access joomla.xml,
which includes information about our Joomla version:

With this option enabled, access to those files will result in a 403 error:

Backend protection
One of the main problems of Joomla is that everybody can reach the backend login page:
you only have to write <your_site/administrator>. This makes it easy to launch brute force and
dictionary attacks. To avoid this, we have developed an option to add a 20-character secret key to
the URL. If you don't provide this key, you will be redirected to the page set in the 'url to be
redirected to' field:

You can create keys of 5, 10, 15 or 20 characters, and you can set this value under Global
configuration --> Tuning. By default, it is set to 20 characters.


You only have to click the 'Generate key' button and a new key will be generated. To
protect your site, click the 'Protect' option and the current key will be applied to your backend
URL:

From then on, to access your site backend you will have to write:
http://192.168.56.30/administrator/?0cbryum6jf0nyl1m5l2pw

If you try to access using the old URL, you will be redirected to a 'not_found' URL:

If you don't remember your secret key, you only have to access your site using an FTP
application and delete your .htaccess file. Then you will be able to access your site
backend using the <your_site/administrator> URL.

If you use another component to hide your backend URL, you must disable or
uninstall it. If you don't, you won't be able to access your backend.


Exceptions
You can configure exceptions to backend protection. This will allow direct access without
adding the secret key. This is valid, for instance, for some CiviCRM files, which need direct access
to work.

Once you have configured your values, you can choose any of the following options:

Delete .htaccess
Use this option to delete your current .htaccess file (this option will not appear if there is
no .htaccess file).

Protect
This option will create a backup of your current .htaccess file (named .htaccess.backup),
delete the current .htaccess file and create a new .htaccess file in your root path using the configured
values.
If all options are set to 'No', a default .htaccess file will be created.

Save & Close


Save your changes and go to Control Panel.

Save
Save your changes. You have to use this option before using 'Protect' if you have made a
change. If you make changes and don't save them, they will not be applied.

If an option has been applied to the current .htaccess file, you will see the following info:

Troubleshooting

Depending on your web server settings, some of these options may be incompatible with
your site. In this case you will get a blank page or an Internal Server Error (500) page
when trying to access any part of your site. If this happens, you have to remove the .htaccess file
from your site's root directory using an FTP application or the File Manager feature of your hosting
control panel. Your old .htaccess file is saved as .htaccess.backup. You can rename that file back to
.htaccess to revert to the last known good state. If you are unsure how this works, please consult
your host before trying to create a new .htaccess file using this tool.

We strongly suggest that you begin by setting all options to 'No' and then enable them one
by one, creating a new .htaccess file after you have enabled each one of them. If you bump into a
blank or error page you will know that the last option you tried is incompatible with your host. In
that case, remove the .htaccess file, set the option to 'No' and continue with the next one.
Unfortunately, there is no other way than trial and error to deduce which options may be
incompatible with your server.

Malware Scanner
The malware scanner feature looks for suspicious patterns in your files, suspicious
filenames and malware files hidden behind false file types. Those patterns can also be used in legitimate
files, so sometimes it is really difficult to identify a threat. This is why we have included a powerful
ally: the Metadefender Cloud service. Metadefender Cloud is a free online file scanning service
powered by OPSWAT's Metascan technology, a multiple-engine malware scanning solution which
helps us to identify threats. So our malware scanner will check for suspicious patterns and
Metadefender Cloud will tell us if there are infected files on our system. Result: the most advanced
malware scanner on the market.
To use the Metadefender Cloud feature we only need an API key. To obtain it, please create an
account or log into the OPSWAT portal and find the Metadefender Cloud section under 'Licenses'.
Expand this section to access your free Metadefender Cloud API key.
The free API keys obtained through the OPSWAT Portal allow 25 file scans and 1000 hash
lookups per hour.

IMPORTANT NOTICE: The malware scanner is not an antivirus solution. We look for
suspicious patterns and words which are included in known malware, but they can also be
used in legitimate files.
For instance, the following eval(base64_decode) pattern is used in a trojan file as a technique to
hide its behaviour:

<?php
eval ( base64_decode ("IglmICggaXNzZXQoICRfQ...") ); ?>

But the same pattern is also used in several extensions; for example, in a popular extension to create
contact forms:

So a file marked as suspicious is not always a malware file. It means that a suspicious pattern
has been detected.

This is why we have included the Metadefender Cloud service: to check suspicious files against
more than 40 anti-malware engines. If after an online scan a file is marked as malware, you can be
sure that the file contains malware.

Malwarescan options enabled

Malwarescan options enabled


In the Malwarescan options enabled section we get a summary of the options we have selected for this
feature:

Deep scan status

This option has been designed to check for suspicious words. Those words
may also be used for legitimate purposes, so by enabling this option you will get a high number of
false positives. You should enable this option with caution. Default value: Disabled.

Submission type
The 'Hashes' option is faster because it looks for the file hash in a complete
database of millions of malware files, while the 'Files' option sends the entire file to be analyzed by
more than 40 commercial anti-malware engines. Default value: Hashes.

Timeline
Look for suspicious patterns only in files modified/created during the last
selected number of days. Default value: 7.
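The Python scanner below is an added example of the three options just described and of the eval(base64_decode) pattern shown in the Malware Scanner introduction; it is not the extension's scanner. It respects the Timeline (only files modified in the last N days), skips the excepted folders, looks for the eval(base64_decode) pattern, optionally adds a 'deep scan' word list with the false-positive trade-off the guide warns about, and computes the SHA-256 that a 'Hashes' submission would look up (no online lookup is performed). The deep-scan word list, the hash algorithm and the sample files are all constructed for the example.

```python
import hashlib
import os
import re
import stat
import tempfile
import time
from pathlib import Path

EXCEPTION_DIRS = ("tmp", "logs", "cache")           # folders the guide excepts
# The pattern from the guide's trojan sample, allowing optional whitespace.
PATTERNS = {"eval(base64_decode)": re.compile(rb"eval\s*\(\s*base64_decode\s*\(")}
# Deep-scan words (constructed list): also used legitimately, hence more false positives.
DEEP_WORDS = {"suspicious word": re.compile(rb"\b(shell_exec|passthru|gzinflate)\b")}


def sha256_of(path: Path) -> str:
    """Hash the file in chunks; this is the value a 'Hashes' submission would look up."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(base: Path, days: int = 7, deep: bool = False) -> list:
    """Report files modified in the last `days` days that contain a watched pattern."""
    cutoff = time.time() - days * 86400
    checks = {**PATTERNS, **DEEP_WORDS} if deep else PATTERNS
    findings = []
    for root, dirs, files in os.walk(base):
        if Path(root) == base:                        # prune excepted top-level folders
            dirs[:] = [d for d in dirs if d not in EXCEPTION_DIRS]
        for name in files:
            path = Path(root) / name
            st = path.lstat()
            if not stat.S_ISREG(st.st_mode) or st.st_mtime < cutoff:
                continue                               # not a regular file, or outside the timeline
            data = path.read_bytes()
            for label, regex in checks.items():
                m = regex.search(data)
                if m:
                    findings.append({"path": str(path.relative_to(base)), "size": st.st_size,
                                     "last_modified": int(st.st_mtime), "malware_type": label,
                                     "code_found": m.group(0).decode("latin-1"),
                                     "sha256": sha256_of(path)})
    return findings


def demo() -> dict:
    """Constructed tree: a recent hit, an old hit, an excepted hit and a deep-scan-only hit."""
    def paths(hits):
        return sorted(h["path"] for h in hits)

    trojan = b'<?php\neval ( base64_decode ("IglmICggaXNzZXQoICRfQ...") ); ?>\n'
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        samples = {"modules/mod_x/helper.php": trojan,
                   "components/com_old/old.php": trojan,
                   "cache/page.php": trojan,
                   "index.php": b"<?php // uses shell_exec for a legitimate cron task\n"}
        for rel, content in samples.items():
            p = base / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
        old = time.time() - 30 * 86400                 # push one file outside a 7-day window
        os.utime(base / "components/com_old/old.php", (old, old))
        return {"default": paths(scan(base)),
                "deep": paths(scan(base, deep=True)),
                "sixty_days": paths(scan(base, days=60))}


if __name__ == "__main__":
    print(demo())
```

The three result sets show the trade-offs directly: the default 7-day scan misses the older copy of the pattern, widening the Timeline finds it at the cost of reading more files, and the deep scan adds index.php purely because of a word that is legitimate there, which is the false-positive rate the guide warns about.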

Below that we can see two sections: Manual Malware scan check and Malware scan
summary:

In the Manual Malware scan check section we have a 'Start' button to launch a check over our
filesystem. We have a table with the start time, end time and current task of this process.
If we launch this check, we will see a progress bar with the status of the process.
Please, don't navigate to another page until the process has finished or you get an error message.

This process can overload your server, affecting QoS, so this check
should be launched in a period of low server activity.

A standard Joomla installation has almost five thousand files, and every one has to be
checked, so this process can take a long time.

When this process ends, you'll see a completion message.

When you click on it, the malware scan summary table will be updated, showing us the last check
timestamp, the number of analyzed files and the suspicious files found:

View suspicious files


If the malware scanner finds suspicious files, you can check them by selecting this option. We
will see detailed info about the threat: path, size, last modified, malware type, alert level, malware
description, malware code found and the online check status:

An alert level of High means you should keep an eye on the file even if the online check
shows no warning. Some encoded files are not detected by anti-malware engines. If you have
doubts, don't hesitate to ask me.
Every time a new malware scan is launched, all online check statuses appear as Not checked,
even if files have been previously submitted to the Metascan service. This is due to the dynamic
behaviour of the service: every anti-malware engine is updated every day, so a threat not detected
today can be detected tomorrow.

We also see two* buttons: Add file(s) as exception and Metadefender Cloud Check (files|
hashes):

* If the limit per hour is reached, the second button will not be available and an alert will be
displayed:

The first one adds the selected files as exceptions, and the second one checks the hashes of the selected
files or sends the selected files to be analyzed by the Metadefender Cloud free service and takes us to the
Manage logs screen.

If we choose the Quarantined option in the dropdown, then we have two options: Restore
files and Delete:

The first one restores the selected files to their original folder, and the second one deletes them.

There are also two buttons, Delete and View file. The first one deletes* all the selected files and the
second one allows us to see the file content; this is useful before deleting it.
* Please, take note that files are marked as suspicious, so there may be false positives. Be fully
sure the file is malicious before deleting it or the entire site can crash.

There are three folders (and all files and subfolders under them) marked as exceptions:
/tmp, /logs and /cache.

Manage logs
Choosing this option we can see all online check logs stored. It shows us info about the
filename created, number of analyzed files, threats found and creation date:

Clicking on the View log button, we will see a complete report of the scan:


You can download or delete files selecting them and choosing the desired button:

Global Configuration
Here we can configure Component, Tuning, File Manager, File Integrity, Malware scan,
Performance and Permissions options:


Component
Download ID
Put here your Download ID (you can find this value in the Download ID
link in your User Menu) to get access to Securitycheck Pro updates.

Tuning

Memory limit
This is the maximum amount of memory in bytes that the extension is
allowed to allocate. If you have a large site and File Manager or File Integrity tasks don't finish,
maybe you should increase this value.
Secret key length
This is the length of the secret key that will be generated when using
'Backend protection' in the .htaccess protection option.

Scan executable files only

With this option enabled, scans will only look at executable files and
exceptions will not be included in the database. This will decrease CPU and memory usage and will
generate lighter scans. Choose this option if you have hosting restrictions.

Remove meta tag


Removes Joomla's meta tag from the page source.

If this option is disabled, we will see the following in the source code of our Joomla
website, which is used in some attacks to identify Joomla websites:

Geolite2 automatic updates


This option allows us to automatically update the GeoLite2 database, used to
geolocate IPs. This task will be done every month.
By default it is set to No, so we will get a popup in the Cpanel every time an update
should be launched. In this popup we can choose to launch the task automatically or go to the
Geoblock option to launch it manually.

Check ACL
If this option is enabled, a basic ACL security check will be performed. The
ACLs of the Public and Guest groups will be checked looking for insecure configurations, showing an alert
every time an administrator logs into the backend:

File Manager

Base path
It's the path from which permissions are checked. If it's not set, the whole
filesystem is checked. Leave 'Use Default' unless you know what you are doing. THIS OPTION
APPLIES TO BOTH FILE MANAGER AND FILE INTEGRITY.

Files/Folder exceptions; comma separated values


Put here the files/folders excluded from file permissions checking.

Recursive folder exceptions

If this option is enabled, all files included in an excluded folder will also be
exceptions. For example, if we set /var/www/cli as an exception, all files in this directory
will appear as exceptions. By default it is set to No for performance reasons.

Include exceptions in database


If this option is enabled, all exceptions will be stored in the database. This is
more secure but heavier. If you have a large site and all your files are under your strict control, you
can disable this option.

Change permissions method


Method used to change file/folder permissions:
chmod (default): tries to change permissions using PHP's chmod function.
ftp: tries to change permissions using the Joomla FTP configuration (Site -->
Global Configuration --> Server --> FTP Settings).

To change file/folder permissions using chmod, Apache (the web server user) has to be the owner of the
files.

Delete log file


Deletes the log file created every time the Repair option is launched. By default it is
set to Yes, so a clean log file is created on each run.

File Integrity

Hash algorithm
Hash algorithm used to calculate each file's hash. By default it is set to
SHA1.

Files/Folder exceptions; comma separated values


Put here the files/folders excluded from file integrity checking. For example, if
you have a folder where users upload files, you can set it as an exception.

Recursive folder exceptions


If this option is enabled, all files included in an excluded folder will also be
exceptions. For example, if we set /var/www/cli as an exception, all files in this directory
will appear as exceptions. By default it is set to No for performance reasons.

Include exceptions in database


If this option is enabled, all exceptions will be stored in the database. This is
more secure but heavier. If you have a large site and all your files are under your strict control, you
can disable this option.

Look for malware


Look for malware patterns in each file whose integrity check fails.

Move to quarantine
If enabled, new/modified suspicious files rated as High will be moved to
the quarantine folder. This is really useful, for example, if our site has been cleaned after an
infection: if there are remaining threats or the server is still infected, new threats will be moved to
quarantine to prevent a new infection.
This option MAY BREAK YOUR SITE; use it WITH CAUTION.

Send email if integrity is wrong


If the File Integrity cron task finds new/modified files, it will send us an email
alerting us about this. It will use the To, From (email) and From (name) parameters set at WAF
Configuration --> Email notifications.

Email's subject
Subject of the email that will be sent if File Integrity is wrong. If empty, it
will use the value set in WAF Configuration --> Email notifications.
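As an added illustration of the File Integrity options above (example Python modelling the behaviour described, not Securitycheck Pro's own PHP code), the following takes a hashed baseline of a constructed site tree, applies file/folder exceptions in recursive or non-recursive mode, and reports new, modified and deleted files. The hash algorithm defaults to SHA1 as the page does; the directory layout, file names and contents are constructed sample data.

```python
import hashlib
import os
import tempfile
from pathlib import PurePosixPath

# Constructed model of the File Integrity options described above; this is
# example code, not Securitycheck Pro's own implementation. Defaults mirror
# the page: SHA1 hashing and non-recursive folder exceptions.
DEFAULT_ALGORITHM = "sha1"


def is_excluded(rel_path, exceptions, recursive=False):
    """True when rel_path is covered by one of the configured exceptions.

    Non-recursive mode excludes only the listed paths themselves; recursive
    mode also excludes everything below an excluded folder.
    """
    parts = PurePosixPath(rel_path).parts
    for exc in exceptions:
        exc_parts = PurePosixPath(exc.strip().strip("/")).parts
        if parts == exc_parts:
            return True
        if recursive and parts[:len(exc_parts)] == exc_parts:
            return True
    return False


def snapshot(base_path, exceptions=(), recursive=False, algorithm=DEFAULT_ALGORITHM):
    """Hash every regular file below base_path: {relative_posix_path: hexdigest}."""
    digests = {}
    for root, _dirs, files in os.walk(base_path):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, base_path).replace(os.sep, "/")
            if is_excluded(rel, exceptions, recursive):
                continue
            h = hashlib.new(algorithm)
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Split the difference between two snapshots into new, modified and deleted files."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "deleted": sorted(set(baseline) - set(current)),
    }


def demo():
    """Build a constructed site tree, take a baseline, tamper with it and diff."""
    with tempfile.TemporaryDirectory() as site:
        os.makedirs(os.path.join(site, "images", "uploads"))
        for rel, data in {
            "index.php": b"<?php echo 'site';",
            "configuration.php": b"<?php class JConfig {}",
            "images/uploads/a.jpg": b"\xff\xd8\xff",
        }.items():
            with open(os.path.join(site, rel), "wb") as fh:
                fh.write(data)

        # The uploads folder is excluded recursively, as the page suggests for
        # folders where users upload files.
        exceptions = ("images/uploads",)
        baseline = snapshot(site, exceptions, recursive=True)

        # Simulated changes: one file edited, one unexpected file added, one
        # legitimate upload into the excluded folder.
        with open(os.path.join(site, "configuration.php"), "ab") as fh:
            fh.write(b"\n// appended later")
        with open(os.path.join(site, "images", "unexpected.php"), "wb") as fh:
            fh.write(b"<?php // not part of the baseline")
        with open(os.path.join(site, "images", "uploads", "b.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff")

        return compare(baseline, snapshot(site, exceptions, recursive=True))


if __name__ == "__main__":
    print(demo())
```

The upload into the excluded folder never appears in the report, while the edited configuration file and the unexpected new file do; with `recursive=False` the same exception would only hide the folder entry itself, which is why the page's default trades some coverage for speed.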

Malware scan

File extensions
Look for malware patterns in files with any of the extensions listed here (comma
separated values).

Use File Integrity exceptions


Use the exceptions set in the File Integrity option.

Deep scan
Look for suspicious words. These words can also be used for legitimate purposes, so
enabling this option will increase the number of false positives.

File exceptions
Files excluded from malware scan.

Opswat Free API key


API key from the Opswat portal, which allows you to send files/hashes to be
analyzed.

Submission type
Method used to send suspicious files to the Metadefender Cloud service.

Timeline

Look for suspicious patterns only in files created/modified during the selected
period.

Logs stored
Keep only the number of online check log files set here.

Performance

Database tables
Select which tables will be shown during the optimization process. Although only
MyISAM tables are repaired and optimized, we can choose to see all database tables or only the MyISAM ones.

Permissions
We can manage the permissions used for all content in the component. We can set two actions:
Manage and Access Administration Interface. The first one allows us to access the component
but not to modify the 'Global Configuration' options. The second one restricts access to the
entire component.

Web Firewall Configuration


Securitycheck Pro Plugin has been designed as a Web Firewall. The plugin is enabled by
default during the installation process and is divided into the following sections:

Lists
In this section we have three lists: a dynamic blacklist, a blacklist and a whitelist. IPs that
reach the configured maximum number of hacking attempts (5 by default) are added automatically to the
dynamic blacklist. They are blocked for the time specified in the IP blocked time (in
seconds) field (600 seconds by default):

In the blacklist we put the IP addresses that are not permitted to access our website. If any IP
in the list tries to access the website, it will get a 403 error. With Include in email notifications
we can set whether we want to receive an email when a blacklisted IP tries to access our site. If this
option is set to 'Yes', we can reach the email limit easily.
In the whitelist we put the IP addresses to which no filter will be applied. The IP addresses in this
list do not generate any log, so use this list carefully.
Both lists use the common IP format (IPv4 and IPv6 addressing notation), like this:
192.168.1.40, 2001:13d0::1.
We can also specify IPv4 ranges using the * sign as a wildcard (192.168.1.*, 192.168.*.*) or
CIDR notation (192.168.100.14/24). IPv6 only allows CIDR notation to specify ranges:
2001:13d0::/29

With the Priority box we can choose the precedence of the previous lists. We can set the
order in which the lists will be applied: Dynamic blacklist, Blacklist, Whitelist and Geoblock.

For example, suppose we have the following scenario:

There's a conflict because IP 192.160.5.70 is included in the IP range 192.160.5.*, so if we
have an attack from the IP in the whitelist, will it be blocked? The Priority box has the answer.
If Blacklist is set in the first field and Whitelist in the second, the IP will be blocked. If
Whitelist is set in the first field and Blacklist in the second, the IP will pass the filters.

If an IP is blocked by the dynamic blacklist or the blacklist, the user gets a 403 error page when
trying to access the website:

We can export/import IPs. We can also use external IP files, but they must have the format IP,IP,IP
(comma separated values). No other text is allowed.
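The list formats and the priority rule above, as an added example in Python (not the plugin's own implementation): it parses the wildcard and CIDR forms the page allows, applies the lists in the configured order so that the 192.160.5.70 / 192.160.5.* conflict resolves as described, and models the dynamic blacklist with the page's defaults (5 attempts, 600 seconds). Geoblock is left out because it needs the GeoLite2 database; the list names, the `filter` result and the constructed addresses are assumptions of this model.

```python
import ipaddress
import time

# Constructed model of the Lists section (example code, not the extension's
# own implementation): wildcard/CIDR parsing, list priority and the dynamic
# blacklist.


def parse_entry(entry):
    """Convert one list entry into an ip_network.

    Accepts single IPv4/IPv6 addresses, IPv4 wildcards such as 192.168.1.* and
    CIDR ranges such as 192.168.100.14/24 or 2001:13d0::/29. Only trailing
    octets may be wildcards (192.168.*.* is fine, 192.*.1.* is rejected).
    """
    entry = entry.strip()
    if "*" in entry:
        octets = entry.split(".")
        if len(octets) != 4:
            raise ValueError(f"bad wildcard entry: {entry}")
        fixed = []
        for octet in octets:
            if octet == "*":
                break
            fixed.append(octet)
        if any(o != "*" for o in octets[len(fixed):]):
            raise ValueError(f"wildcards must be trailing: {entry}")
        prefix = 8 * len(fixed)
        address = ".".join(fixed + ["0"] * (4 - len(fixed)))
        return ipaddress.ip_network(f"{address}/{prefix}")
    # strict=False keeps host bits such as the .14 in 192.168.100.14/24
    return ipaddress.ip_network(entry, strict=False)


def parse_list(text):
    """Parse the comma separated format the page describes (IP,IP,IP)."""
    return [parse_entry(e) for e in text.split(",") if e.strip()]


def matches(ip, networks):
    """True when the address falls inside any parsed entry of a list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


class DynamicBlacklist:
    """IPs reaching max_attempts are blocked for block_seconds (5 / 600 by default)."""

    def __init__(self, max_attempts=5, block_seconds=600):
        self.max_attempts = max_attempts
        self.block_seconds = block_seconds
        self.attempts = {}
        self.blocked_until = {}

    def record_attempt(self, ip, now=None):
        now = time.time() if now is None else now
        self.attempts[ip] = self.attempts.get(ip, 0) + 1
        if self.attempts[ip] >= self.max_attempts:
            self.blocked_until[ip] = now + self.block_seconds
            self.attempts[ip] = 0  # counter restarts once the block expires

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        return self.blocked_until.get(ip, 0) > now


def decide(ip, lists, priority, dynamic=None, now=None):
    """Apply the lists in the configured order; the first list containing the IP decides.

    lists maps 'blacklist'/'whitelist' to parsed networks; 'dynamic' consults the
    DynamicBlacklist. Returns 'block', 'allow' or 'filter' (no list matched, so
    the normal firewall filters run on the request).
    """
    for name in priority:
        if name == "dynamic":
            if dynamic is not None and dynamic.is_blocked(ip, now):
                return "block"
        elif name == "blacklist" and matches(ip, lists.get("blacklist", [])):
            return "block"
        elif name == "whitelist" and matches(ip, lists.get("whitelist", [])):
            return "allow"
    return "filter"
```

Because a whitelisted address skips every filter and produces no log, checking the order in which `decide` consults the lists is the same check the Priority box asks you to make: the first match wins, so a broad blacklist range placed after a narrow whitelist entry never blocks that entry.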

Methods
It tells us which methods will be inspected by the plugin. Every POST, GET
and REQUEST processed by Joomla will be checked.

Mode
In this section we can see the mode used by our plugin. In Strict mode the attacker gets
an error message. In Alert mode the plugin tries to sanitize the request and continue normally.

For example, suppose an attacker writes the following string in a forum post field:
<IMG SRC=javascript:alert('xss');>

In Strict mode, the attacker gets a 400 error page:

In Alert mode, the plugin sanitizes the string and the attacker doesn't get any message:

In the previous case, the sanitized string is equal to a blank string. If the attacker tries an
attack with the string select * from members where username='admin'--', the result in Alert mode
is:

Logs
There are four options: log the attacks, set the maximum number of logs per IP and day,
and the options to exclude logs from geoblocked IPs and from blocked IPs. With the first option
enabled, all attacks will be recorded.

If we disable this feature we will get the following alert in the View logs option:

With the second option we can limit the number of entries of each IP in the database per day.
This is useful to avoid lots of entries from the same IP, for instance if a blocked IP tries
to access our site every hour. If this value is set to 0 (the default), there is no limit.
The other options allow us to exclude IPs from the logs; this way, access attempts from geoblocked
and blocked IPs are not stored in the logs.

Redirection
The plugin redirects to the Joomla default error page if an attack is detected and this feature
is enabled. If it's disabled, the attacker gets the code set in the Blocked IPs message field.

For example, suppose an attacker modifies the URL http://mysiteurl/ to

http://mysiteurl?page=../../../../../../../etc/passwd

With this feature set to Yes and the redirect option set to Joomla default error page, we see something
like this:

If the redirect option is set to My own page, then the URL below will be used to redirect the attacker:

If it's set to No, the plugin drops the connection and the attacker gets the code set in the
Blocked IPs message field:

Second level protection


This section provides an extra level of protection. With this option enabled, the plugin will look for
strings of the most common attacks. If the number of suspicious words present is equal to or greater
than 3, the plugin will block the request. We can modify this limit to adapt it to our requirements.
Examples of the suspicious words included in the check are: "drop", "admin", "select",
$dbprefix, "user", "password", "concat", "login", "load_file", "ascii", "char", "union", "from". Each
of these words separately indicates nothing, but together they may indicate an attack not included in
our filters. We can add or delete words from this list to adapt it to our requirements.

If this option is enabled we may notice an increase in false positives.
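The counting rule described above, as an added Python example (not the plugin's own code). It scores each request parameter for distinct suspicious words from the page's list, with whole-word matching so that 'username' does not count as 'user' and 'character' does not count as 'char'; the DB_PREFIX value 'jos_' stands in for $dbprefix and is assumed, as is evaluating each parameter separately.

```python
import re

# Constructed model of the Second level protection check; example code, not the
# plugin's own implementation. DB_PREFIX stands in for the $dbprefix entry in the
# page's word list and "jos_" is an assumed table prefix.
DB_PREFIX = "jos_"
SUSPICIOUS_WORDS = ["drop", "admin", "select", DB_PREFIX, "user", "password", "concat",
                    "login", "load_file", "ascii", "char", "union", "from"]
DEFAULT_LIMIT = 3  # the page's default threshold


def _pattern(word):
    """Whole-word regex so 'user' does not fire on 'username' or 'char' on 'character'.

    A prefix such as 'jos_' keeps an open right boundary so it still matches
    'jos_users'.
    """
    escaped = re.escape(word.lower())
    before = r"(?<![a-z0-9_])" if word[0].isalnum() else ""
    after = r"(?![a-z0-9_])" if word[-1].isalnum() else ""
    return re.compile(before + escaped + after)


def suspicious_words(value, words=SUSPICIOUS_WORDS):
    """Return the sorted list of distinct suspicious words present in value."""
    lowered = str(value).lower()
    return sorted(w for w in words if _pattern(w).search(lowered))


def second_level_check(request_values, limit=DEFAULT_LIMIT, words=SUSPICIOUS_WORDS):
    """Inspect each request parameter separately (an assumption of this model).

    Returns (blocked, parameter_name, matched_words). The request is blocked
    when any single value contains at least `limit` distinct suspicious words;
    otherwise the parameter with the highest score is reported for logging.
    """
    worst = (False, None, [])
    for name, value in request_values.items():
        found = suspicious_words(value, words)
        if len(found) >= limit:
            return True, name, found
        if len(found) > len(worst[2]):
            worst = (False, name, found)
    return worst
```

The second assertion below shows the false-positive trade-off the page warns about: an ordinary comment mentioning a login and a user profile scores 2, so it passes at the default limit of 3 but would be blocked if the limit were lowered to 2.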

Emails notification
We can be alerted by email when the plugin blocks a request. We can configure the typical
fields of a common email message: subject, body, To and From. We can also include a line with
the rule applied by the plugin, to get more information about the attack type. To avoid inbox
saturation we can configure the maximum number of emails that will be sent per day in the
emails' limit field:

This feature is disabled by default because it depends on our Joomla mail function. Be
sure your email function works fine before activating this feature. If this feature is
active and the mail function does not work correctly, an attacker will get the following
error message:

Exceptions
In this section we can set exceptions for every filter used by the plugin. This allows us
to adapt the plugin to our Joomla installation. Despite having tested the plugin with the
most popular and best rated extensions, we cannot be sure of their absolute compatibility. So if we have
any kind of problem, we can add an exception for the component that generated the problem.

All the components installed in our Joomla website can be seen in the dropdown at the
header of this section.

If you want to exclude a component from a given filter, you only need to write its name in the
corresponding text box. We can write multiple values in each text box, separating them with
commas.

In this section you can also configure the checking of base64-encoded strings. Many attackers use
this format to camouflage attacks. Despite our efforts, we may notice an increase in false
positives if we enable this option, so we have included a section for base64 exceptions.

You can disable a filter entirely by adding a * character as an exception. For
example, if you don't want 'Escape strings' to be applied, you must configure
it as in the following image:

Exclude exceptions if vulnerable

With this option we can avoid security risks when a vulnerable extension is
configured as an exception in a filter. If it's enabled, exceptions for vulnerable components installed
on our website will be ignored.

How can I find out which component is responsible for a blocked request?

Each log generated by our plugin includes the component that was active in the blocked request:

For instance, if we want to add an exception based on the previous screenshot, we should
add com_k2 to the XSS filter.

User session protection


With this option we protect Joomla user sessions. If Forbid concurrent user logins is
enabled, a user cannot start concurrent sessions on the site: when a user tries to log in to the site
from two different locations, both sessions are closed and the user gets a 403 error page. With
Session hijack protection enabled we add an extra feature to protect sessions from hijacking, checking the
IP address and User-Agent of every legitimate session started on the site. In the Groups to apply
protection field we can choose which groups the above features apply to (the Guest group is not listed and,
by default, both features are applied to the Super Users group).
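The two protections above, as an added Python model (not the extension's implementation): it binds each session to a fingerprint of IP address and User-Agent, closes all of a user's sessions on a concurrent login, and applies both only to the configured groups (Super Users by default, as on the page). Session ids, user names, addresses and User-Agent strings below are constructed sample values.

```python
import hashlib

# Constructed model of the User session protection options; example code, not
# Securitycheck Pro's own implementation. The default protected group mirrors
# the page (Super Users).
DEFAULT_GROUPS = frozenset({"Super Users"})


class SessionGuard:
    """Tracks live sessions and enforces the two protections the page describes."""

    def __init__(self, forbid_concurrent=True, hijack_protection=True, groups=DEFAULT_GROUPS):
        self.forbid_concurrent = forbid_concurrent
        self.hijack_protection = hijack_protection
        self.groups = set(groups)
        self.sessions = {}  # session_id -> {"user", "groups", "fp"}

    @staticmethod
    def fingerprint(ip, user_agent):
        """Bind a session to the client's IP address and User-Agent."""
        return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

    def _protected(self, user_groups):
        """Only members of a configured group get the extra checks."""
        return bool(self.groups & set(user_groups))

    def login(self, session_id, user, user_groups, ip, user_agent):
        """Register a login; returns 'ok' or 'concurrent' (all the user's sessions closed)."""
        if self.forbid_concurrent and self._protected(user_groups):
            others = [sid for sid, s in self.sessions.items()
                      if s["user"] == user and sid != session_id]
            if others:
                # The page's behaviour: both sessions are closed and the user sees a 403.
                for sid in others:
                    del self.sessions[sid]
                self.sessions.pop(session_id, None)
                return "concurrent"
        self.sessions[session_id] = {"user": user, "groups": set(user_groups),
                                     "fp": self.fingerprint(ip, user_agent)}
        return "ok"

    def validate(self, session_id, ip, user_agent):
        """Check a request against its session; returns 'ok', 'unknown' or 'hijack'."""
        s = self.sessions.get(session_id)
        if s is None:
            return "unknown"
        if (self.hijack_protection and self._protected(s["groups"])
                and s["fp"] != self.fingerprint(ip, user_agent)):
            del self.sessions[session_id]  # a copied cookie is useless from now on
            return "hijack"
        return "ok"
```

Note that binding to the IP address means legitimate administrators whose address changes mid-session (mobile networks, some proxies) will also be logged out, which is why the page lets you restrict the feature to specific groups.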

Failed logins
This feature allows us to track every failed login attempt to the site and take
actions against it.

Track failed logins


Track failed login attempts.

Logins to monitor
Choose which logins you want to monitor. We can select only
frontend logins, only backend logins, or both.

Write log
Writes a log entry and sends an email to the administrator (if configured in
Email notifications).

Include password in log


Includes the password used in the failed login attempt in the log (it won't be sent by
email).

Actions
Action to take on a failed login attempt.

Admin logins
Email on backend login
If this feature is enabled, an email will be sent when someone logs into
the backend. The email will be sent to the address set in Email notifications.

Frontend login forbidden


Forbid frontend login to members of the Super Users group.

Forbid new super users


Forbid new accounts with administrator privileges. If this option is
enabled, such new accounts will be automatically deleted.

Geoblock
This option allows us to block access to our site based on the geographic location of the
visitor's IP address. We can choose between Continents and Countries:

When an IP address is blocked by this feature, we will see an IP blocked entry in our logs,
but it will also include the 'Geoblock' label:

This product includes GeoLite data created by MaxMind, available from
http://www.maxmind.com.

Upload scanner
This option allows us to scan uploaded files looking for malware patterns, multiple
file extensions (used to bypass filters) and forbidden file extensions.

Upload scanner
Enable this feature.

Check multiple extensions


Look for files with multiple extensions (for instance, malware.php.txt).

Extensions blacklist
Forbid uploaded files with these file types (comma separated values).

Delete files
Delete uploaded files that fail the scan.

Actions
We can do nothing or add the offending IP to the dynamic blacklist.
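The three checks named above, as an added Python example (not the plugin's own code). The extension blacklist and the two content signatures are sample values assumed for the illustration, not the extension's lists; flagging a double extension only when it hides a blacklisted type (so archive.tar.gz passes) is likewise a design choice of this example rather than documented plugin behaviour.

```python
import re

# Constructed model of the Upload scanner checks; example code, not the plugin's
# own implementation. The blacklist and the patterns below are assumed sample
# values, not the extension's lists.
DEFAULT_EXTENSION_BLACKLIST = ("php", "phtml", "php5", "phar", "cgi", "pl", "sh")
SAMPLE_MALWARE_PATTERNS = (
    (re.compile(rb"<\?php"), "PHP opening tag"),
    (re.compile(rb"eval\s*\(\s*base64_decode\s*\("), "eval(base64_decode("),
)


def split_extensions(filename):
    """Lower-cased extension chain of a file name, e.g. 'a.php.txt' -> ['php', 'txt'].

    Any directory part is dropped and a leading dot (.htaccess) is not an extension.
    """
    name = re.split(r"[\\/]", filename)[-1].lower().lstrip(".")
    return [p for p in name.split(".")[1:] if p]


def scan_filename(filename, blacklist=DEFAULT_EXTENSION_BLACKLIST, check_multiple=True):
    """Reasons to reject a file name; an empty list means it passed."""
    reasons = []
    forbidden = {e.lower().strip().lstrip(".") for e in blacklist}
    exts = split_extensions(filename)
    if exts and exts[-1] in forbidden:
        reasons.append(f"forbidden extension .{exts[-1]}")
    if check_multiple and len(exts) > 1:
        # Only chains that hide a forbidden type are flagged, so archive.tar.gz
        # stays legitimate (a design choice of this example).
        hidden = [e for e in exts[:-1] if e in forbidden]
        if hidden:
            reasons.append("multiple extensions hiding ." + ", .".join(hidden))
    return reasons


def scan_content(data, patterns=SAMPLE_MALWARE_PATTERNS):
    """Reasons based on the file body: one entry per matched sample pattern."""
    return [f"malware pattern: {label}" for rx, label in patterns if rx.search(data)]


def scan_upload(filename, data=b"", **kwargs):
    """Combine both checks; an empty result means the upload looks clean."""
    return scan_filename(filename, **kwargs) + scan_content(data)
```

Scanning the body as well as the name is what catches the last case in the assertions: a file called avatar.png whose bytes start like an image but carry PHP code, which a name-only check would accept.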

Spam Protection
This option needs the free Spam Protection plugin, which allows us to check the
username, IP and email against stopforumspam, the best spammers database, during the registration
process. This way we will forbid spammer registrations on our website.

Check if user is a spammer


Check whether users trying to register on our website appear in stopforumspam.

Action
Action to take if the user is marked as a spammer.

Write log
Write a log entry when a user is blocked during the registration process.

Frequency
Number of times an IP, username or email must appear to be considered a spammer.

Url Inspector
This feature allows us to ban IPs that use forbidden words in URLs. This way we have a powerful
mechanism to control all requests to our website, even those that are redirected to a 404 page.
For example, if we receive a URL requesting wp-admin.php, which is typical of WordPress sites, the
URL inspector can be configured to add the IP to the blacklist, because it's clear that it's not a valid request.
This feature doesn't break other SEF extensions installed.
Important: the URL inspector only inspects URLs routed by Joomla, so direct accesses to files
won't be analyzed.

Write log
Writes a log entry every time a forbidden word appears in a URL.
Actions
Action to take: Nothing, add IP to dynamic blacklist or add IP to blacklist.
Send email
Sends an email.
Forbidden words
List of the words that are not allowed. If any of them appears in a URL, the configured
action will be taken.

Cron Configuration
This plugin has been designed to schedule heavy tasks, like file integrity and file
permissions checks. We can launch them when the server is not overloaded, keeping our filesystem
always under control:

Planning
Scheduled task(s): We can choose the task(s) to launch: alternate permissions and
integrity checking, only check permissions, only check integrity, or check both
permissions and integrity.
Launching interval: The time period during which the task(s) will be launched. It remains
disabled if you launch the task(s) every X hours. Launching the task(s) frequently will
cause a server overload. Some hosting providers may apply limits, so if you have
problems set a daily interval.
Periodicity: Launch the task(s) every X hours, every day or every week. Tasks consume
a lot of CPU and memory, so use the 'every X hours' option carefully (for
instance, if your site has been hacked and you need to monitor file changes
for a certain number of days).

We have designed this plugin without modifying any Joomla file, and we don't
impose any operating system requirement either. We only need a visit to our site during
the launching interval to launch the task(s).
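How visit-triggered scheduling of this kind can work, as an added Python model (not the Cron plugin's own code): each request checks whether a run is due for the configured periodicity, honours the launching interval window for daily and weekly schedules (ignored for 'every X hours', as the page states), runs the chosen task(s) once, and uses a running flag where a real implementation would use a lock so that two simultaneous visitors don't both start the job. Task names, window hours and the timestamps are assumed sample values.

```python
from datetime import datetime, timedelta

# Constructed model of the visit-triggered scheduling described above; example
# code, not the Cron plugin's own implementation. Window hours and task names
# are assumed values.


class VisitCron:
    """Runs heavy tasks from ordinary page visits, at most once per period.

    periodicity: 'hours' (every `every_hours`), 'day' or 'week'. For 'day' and
    'week' a task only starts inside the launching interval window
    [start_hour, end_hour); the window is ignored for 'hours', as the page says.
    """

    def __init__(self, tasks, periodicity="day", every_hours=6, window=(2, 4), alternate=False):
        self.tasks = list(tasks)
        self.periodicity = periodicity
        self.every_hours = every_hours
        self.window = window
        self.alternate = alternate      # 'Alternate permissions and integrity checking'
        self.last_run = None
        self.running = False            # stands in for a lock shared between requests
        self.next_index = 0
        self.history = []               # (timestamp, task) pairs, for inspection

    def due(self, now):
        """True when this visit should start a run."""
        if self.periodicity == "hours":
            return self.last_run is None or now - self.last_run >= timedelta(hours=self.every_hours)
        if not (self.window[0] <= now.hour < self.window[1]):
            return False
        if self.last_run is None:
            return True
        if self.periodicity == "day":
            return self.last_run.date() != now.date()
        if self.periodicity == "week":
            return self.last_run.isocalendar()[:2] != now.isocalendar()[:2]
        raise ValueError(f"unknown periodicity {self.periodicity!r}")

    def on_visit(self, now):
        """Called for every request; returns 'skip', 'busy' or the list of tasks run."""
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        if not self.due(now):
            return "skip"
        if self.running:
            return "busy"  # another visitor's request is already running the task
        self.running = True
        try:
            if self.alternate:
                batch = [self.tasks[self.next_index % len(self.tasks)]]
                self.next_index += 1
            else:
                batch = list(self.tasks)
            for task in batch:
                # A real task would hash files or check permissions here.
                self.history.append((now, task))
            self.last_run = now
        finally:
            self.running = False
        return batch
```

Recording `last_run` only after the batch finishes, together with the running flag, is what keeps a burst of visits inside the window from launching the same heavy check several times, which is the overload the page warns about.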

Securitycheck Pro Info Module


Securitycheck Pro Info Module has been designed to show us useful info about
the Securitycheck Pro state, so from the Joomla Control Panel we can see whether we have vulnerable
extensions installed, whether there are unread logs, or whether there is a new Securitycheck Pro
version available:

Joomla 2.5

Joomla 3.x

With this module an Administrator can save a lot of time going straight to the component option
he/she is interested in.
The following icons can appear in the module:

Icon | Meaning | Destination when clicked
(icon) | There aren't vulnerable components installed in the system | Securitycheck Pro Main Page
(icon) | There are vulnerable components installed in the system, but the Joomla version for which they are vulnerable is not specified | Securitycheck Pro Main Page
(icon) | There are vulnerable components installed in the system | Securitycheck Pro Main Page
(icon) | There aren't unread logs | Securitycheck Pro View logs Page
(icon) | There are unread logs | Securitycheck Pro View logs Page
(icon) | Permissions OK | File Manager Control Panel
(icon) | Permissions WRONG | File Manager Control Panel
(icon) | Integrity OK | File Integrity Control Panel
(icon) | Integrity WRONG | File Integr
ity Control Panel
(icon) | No malware patterns found | Malware scanner Control Panel
(icon) | Malware patterns found | Malware scanner Control Panel

System Info
This option gives us info about our Joomla, PHP and MySQL configuration, and also shows
the overall security status of the extension. This gives you an idea of the level of protection
applied by the extension's settings, the ability to know more about each setting and the option to
increase it (available only in the Joomla 3.x version):

Every feature shows the status of all the options covered, with a More info button about
the option and a button to solve it.

Control Center Configuration

With this option we can remotely manage the extension using Securitycheck Pro Control
Center.

To use this feature, we must generate a Secret key to encrypt the communication between the
extensions and set the 'Enabled' field to Yes:

To know more about Securitycheck Pro Control Center, please read its user guide in our
Documentation section.

* This feature requires PHP's openssl extension to work. If this extension is not installed on your
system, this feature will not be enabled. In that case, please ask your hosting provider.

Rules Management
Sometimes we don't need to apply Web Firewall rules to everyone who uses our site, because
we trust the users of a certain group, for instance users belonging to the Administrator or Publisher
groups. Or we have a Buyer group and we don't want the users of this group to be disturbed.
This is why we have created this option. Here you can see the groups to which you want to apply
the rules:

If a user belongs to several groups, the rules will not be applied if at least one of those
groups is set to No.

Although we have this type of 'privileged' users, we can still see a log of the trusted entries on
the system by selecting the option 'View trusted entries':

Tasks

Initialize Data
Sometimes we may need to delete the Securitycheck Pro file permissions database; for example,
if we launched a check over the entire filesystem and then change the base path in Global Configuration.
If we don't initialize the data in this case, we'll still see the permissions of the whole filesystem, although
permission checks will only be made in the new base path.

To clear the database info we only have to click on the 'Clear' button:

Live Update

Securitycheck Pro incorporates the well-known Akeeba Live Update system to easily
manage product updates. Securitycheck Pro is updated frequently to keep up with the latest
vulnerabilities and the new techniques used to exploit Joomla bugs. The component informs us whether we have
the latest Securitycheck Pro version installed or there is a new version. Clicking on the above icon
you will get info about your installed version:

If a new version is available, you'll see the following icon:

Clicking on it you will see the new release info:

To update your version you only have to click on Update to the latest release.

If your server doesn't support Live Update, you will get the following icon:

Clicking on it you will get a short explanation of what's happening:

Securitycheck Pro Live Update uses the cURL PHP extension or URL fopen() wrappers
to check for updates. If neither is available on your system, updates will not be
available and you will get the previous screen, although the component will work fine.

If you see the following alert:

please go to Global Configuration --> Component and fill in the Download ID text area.
You can find this value in the Download ID link of your My account menu (available after
login):

If the Download ID is not valid or your subscription has expired, Securitycheck Pro will fail
when trying to update. You will see the following message:

If this is your case, please check your Download ID and/or your subscriptions to be sure
they are correct.

Export Config
This option will export your current settings of Web Firewall, Cron, .Htaccess protection and
Control Center (except the secret key, which is removed for security reasons) into a file.

Import Config
This option will OVERWRITE your current settings of Web Firewall, Cron, .Htaccess
protection and Control Center (except the secret key, which is removed for security reasons) by
importing a previously exported file.

Performance
This feature has been designed to improve Joomla's performance.

Database optimization
This feature will optimize and repair all MyISAM tables of your MySQL database. With the
flow of inserts and deletes, the performance of MySQL tables can drop. Regularly optimizing and repairing
MySQL tables rebuilds the indexes and limits the disk space used by MySQL on the server.
It's impossible to compute the fragmentation of an InnoDB table, which is why those tables are not included
in the optimization process.

Database administrators recommend a MONTHLY optimization of MyISAM tables.

Purge sessions
This feature will purge (completely empty) the sessions table. Doing so will log everybody
out of the site, including yourself. Use this option only when you observe severe problems when
users are trying to log into the site.

Troubleshooting
There is one important setting on our website to avoid problems with the extension: Memory limit.
This setting is related to the File Manager / File Integrity / Malware scan checks. We store
the data of the check in memory before writing it to files. If this value is not high enough for our
website, there will be no space in memory to store the data, so we will get a 500 error page or the
check will never end*.
A value of 256M should be valid for most websites (sites up to 150k files). If we have a large site,
we must increase this value. This value can be set by the extension itself*, under the Global
Configuration Fine Tuning option.
* On some shared hosting providers or VPS this is not possible due to server directives.

If for some reason you are not allowed to increase this value, you can disable the Cron plugin and
the Web Application Firewall will still work.