Secure your site
An introduction to securing a Drupal site.

Presentation Transcript

  • Secure Your Site. Matt Farina, Lead Engineer, HP Cloud
  • You can get the slides at... http://bit.ly/SecureYourSite
  • About the speaker:
      - @mattfarina on Twitter
      - Drupal.org UID 25701 (over 8 years)
      - Co-author of Drupal 7 Module Development
      - Lead Engineer at HP Cloud
  • Did you hear? Adobe was hacked. http://techcrunch.com/2013/10/03/adobe-gets-hacked-product-source-code-and-data-for-2-9m-customers-likely-accessed/
  • A Picture Of The Internet http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever
  • 420,000 Hacked Linux Based Systems http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever
  • 71% of attacked sites belong to orgs with fewer than 100 people http://www.forbes.com/sites/cherylsnappconner/2013/09/14/are-you-prepared-71-of-cyber-attacks-hit-small-business/
  • Port 22 (SSH) can be scanned across the whole Internet in a day http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html
  • I’ve Watched Attacks Happen
  • I’ve Found Hacked Servers
  • For the sake of your users, secure your site.
  • Harden Your Servers https://help.ubuntu.com/12.04/serverguide/security.html
  • Keep packages up to date for security releases https://help.ubuntu.com/community/AutoWeeklyUpdateHowTo
  • Lock Down Access (diagram: Web Server, DB Server)
  • Use A VPN http://openvpn.net/
  • Removing X-Powered-By Header
      > curl -I https://drupal.org
      ...
      X-Powered-By: PHP/5.3.27
      ...
      In your php.ini file set: expose_php = off
      http://stackoverflow.com/questions/2661799/removing-x-powered-by
  • On to Drupal
  • Use HTTPS/SSL/TLS
  • You can redirect to https via .htaccess
      # Redirect when the request comes in over plain http
      RewriteCond %{HTTPS} off
      RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
  • Secure Pages Module https://drupal.org/project/securepages
  • Secure UID 1 https://drupal.org/node/947312
  • If you’re on Drupal 6 use real password hashing https://drupal.org/project/password
  • PHP Password API http://php.net/password
  • PHP Password API Backward Compatibility https://github.com/ircmaxell/password_compat
  • Change Admin passwords regularly and make them strong.
  • Remove the clues it’s Drupal
      - Remove the text files (e.g., CHANGELOG.txt)
      - Remove install.php
      - Remove web.config or .htaccess if not in use
  • Remove Generator Meta Tag
      <meta name="generator" content="Drupal 7 (http://drupal.org)" />

      /**
       * Implements hook_html_head_alter().
       *
       * Drops the generator tag that Drupal core adds to every page.
       */
      function custom_html_head_alter(&$head_elements) {
        if (isset($head_elements['system_meta_generator'])) {
          unset($head_elements['system_meta_generator']);
        }
      }
  • Remove X-Generator Header
      > curl -I https://2013.drupalcampmi.org
      ...
      X-Generator: Drupal 7 (http://drupal.org)
      ...
      // Override the header with an empty value (e.g., from hook_init()).
      drupal_add_http_header('X-Generator', '');
      https://api.drupal.org/api/drupal/includes!bootstrap.inc/function/drupal_add_http_header/7
  • Add X-Frame-Options Header
      > curl -I https://marketplace.hpcloud.com
      ...
      X-Frame-Options: SAMEORIGIN
      ...
      // Only allow the site to be framed by pages from the same origin.
      drupal_add_http_header('X-Frame-Options', 'SAMEORIGIN');
      https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
  • Secure The Filesystem http://www.lullabot.com/blog/article/keeping-drupals-files-safe
  • Web server user should not have write permission to Drupal
  • Backup to offsite location http://www.hpcloud.com/products-services/object-storage
  • Backup and Migrate Module https://drupal.org/project/backup_migrate
  • Encrypt Backups https://drupal.org/project/aes
  • Backup Creds Not On Production Server (diagram: Web Server, DB Server, Backup Server, Storage)
  • I shouldn’t have to tell you but...
  • Keep Drupal Up To Date https://drupal.org/project/usage/drupal
  • Update Manager Module https://drupal.org/documentation/modules/update
  • Sign-up For Security Announcements
  • Encrypt Sensitive Information
  • AES Encryption Module https://drupal.org/project/aes
  • PHP Secure Communications Library http://phpseclib.sourceforge.net/
  • Encrypted Field Modules
      - Encrypted Settings Field https://drupal.org/project/encset
      - Field Encryption https://drupal.org/project/field_encrypt
      - Encrypted Text https://drupal.org/project/encrypted_text
  • Or, Store Them In A Secure Service
  • drupal_http_request() does not check SSL certificates.
  • Guzzle http://guzzlephp.org/
  • Using Guzzle
      // A simple example: mount the static "Guzzle" facade.
      Guzzle\Http\StaticClient::mount();
      $response = Guzzle::get('http://guzzlephp.org');

      // A little more complicated: an explicit client with a base URL.
      $client = new Guzzle\Http\Client('http://guzzlephp.org');
      $request = $client->get('/');
      $response = $request->send();
  • Inject Cert To drupal_http_request()
      $opts = array(
        'ssl' => array(
          'verify_peer' => TRUE,
          // PHP 5.6+ option; older PHP used 'CN_match' for hostname checks.
          'verify_peer_name' => TRUE,
          'allow_self_signed' => FALSE,
          'cafile' => 'path/to/cert.pem',
        ),
      );
      $context = stream_context_create($opts);
      $ops = array(
        'context' => $context,
      );
      // The URL must be https for the SSL context options to apply.
      $res = drupal_http_request('https://example.com', $ops);
  • Review Your Logs Regularly
  • Logstash http://logstash.net/
  • Loggly http://www.loggly.com/
  • Automated Alerts http://www.loggly.com/docs/alerts-overview/
  • This is just the beginning...
  • Questions? Slides are at... http://bit.ly/SecureYourSite
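As an added check, not part of the deck, the following Python script audits a captured HTTP response for the fingerprint and clickjacking items covered on the X-Powered-By, generator meta tag, X-Generator and X-Frame-Options slides above; the two sample responses are constructed, not real captures.

```python
import re
from typing import Dict, List, Tuple

def parse_response(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP response into a lower-cased header map and the body (repeats joined with ', ')."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers: Dict[str, str] = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers, body

def audit_response(raw: str) -> List[str]:
    """Return one finding per hardening gap the talk recommends closing."""
    headers, body = parse_response(raw)
    findings: List[str] = []
    if "x-powered-by" in headers:  # cleared by expose_php = off in php.ini
        findings.append("X-Powered-By leaks PHP version: " + headers["x-powered-by"])
    if headers.get("x-generator"):  # cleared by drupal_add_http_header('X-Generator', '')
        findings.append("X-Generator fingerprints Drupal: " + headers["x-generator"])
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if re.search(r'<meta\s+name="generator"', body, re.IGNORECASE):  # hook_html_head_alter() target
        findings.append("generator meta tag present in HTML head")
    return findings

# Constructed sample responses (not real captures), modelled on the curl output in the deck.
LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Powered-By: PHP/5.3.27\r\n"
    "X-Generator: Drupal 7 (http://drupal.org)\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="Drupal 7 (http://drupal.org)" />'
    "</head><body></body></html>"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html><head></head><body></body></html>"
)

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, audit_response(raw) or ["no findings"])
```

Feed it the output of `curl -i` against your own site to confirm the php.ini, hook and header changes actually took effect.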