Hardening Drupal setup
Published on: DrupalCamp Helsinki 27.9.2011
Published in: Technology
Transcript

    • 1. Hardening Drupal setup, DrupalCamp Helsinki 27.9.2011, Tero Alén
    • 2. Background
      - CTO at Zeeland Group, the 5th biggest marketing company in Finland
      - Focus on Symfony and Drupal
      - Zeeland Group has a team of 10 developers with backgrounds in IT
      - Used Drupal since version 4
    • 3. Agenda
      - Why should I care?
      - Know your enemies
      - Principles of security
      - Hardening your server
      - Hardening your Drupal
    • 4-9. Why should I care?
      - We don't process money, so we are not an interesting target for crackers
      - Some possible uses for random websites:
        - Defacing
        - Spreading malware to your visitors
        - Using your box for spam delivery
    • 10. How do they do it?
      - Common vulnerabilities: XSS, SQL injection, remote file inclusion, etc. See OWASP (Open Web Application Security Project) for more.
      - Include (malware) code in a page via XSS or SQL injection
      - Upload a PHP shell via remote file inclusion or an insecure file upload
      - Upload a spam script via remote file inclusion or an insecure file upload
      - Lots of other ways that are hard to even imagine
    • 11. Basics first
    • 12-15. Keep it simple
      - Run only the services you really need
      - Enable only the modules/extensions you need (in Apache, PHP and Drupal)
      - Every new application in the stack is a new possibility for exploitation
    • 16. Using phpMyAdmin?
      (The slide shows a web server log summary: dozens of automated requests for scripts/setup.php under guessed phpMyAdmin directory names, each seen one to four times.)
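As an added defender-side example (not from the slides), a small Python check that reads Apache combined-format access log lines and flags clients requesting scripts/setup.php under several different directory names, which is the enumeration pattern in the slide's log excerpt; the log lines and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" log line; the request path is captured separately.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
PROBE_SUFFIX = "/scripts/setup.php"

# Constructed sample lines (not from the slides): one client walking through
# several guessed phpMyAdmin directories, one ordinary visitor with a single 404.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Sep/2011:10:00:01 +0300] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Sep/2011:10:00:01 +0300] "GET /pma/scripts/setup.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Sep/2011:10:00:02 +0300] "GET /phpMyAdmin-2.6.4/scripts/setup.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Sep/2011:10:00:02 +0300] "GET /dbadmin/scripts/setup.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.4 - - [27/Sep/2011:10:00:05 +0300] "GET /node/12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.4 - - [27/Sep/2011:10:00:06 +0300] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_setup_php_scanners(log_text, min_distinct_paths=3):
    """Map client IP -> sorted distinct probed paths, for clients that asked for
    scripts/setup.php under at least min_distinct_paths different directories.
    A single 404 is noise; many distinct guesses from one client is the
    enumeration pattern the slide's log excerpt shows."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path.lower().endswith(PROBE_SUFFIX):
            probes[rec["ip"]].add(path)
    return {ip: sorted(p) for ip, p in probes.items()
            if len(p) >= min_distinct_paths}

if __name__ == "__main__":
    for ip, paths in find_setup_php_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} distinct setup.php probes")
```

The threshold is deliberately on distinct paths rather than raw hit count, so a visitor who follows one stale bookmark twice is not flagged while a scanner guessing directory names is.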
    • 17. Use checklists
    • 18. Hardening Apache
    • 19-20. Restrict information leakage
        ServerTokens Prod
        ServerSignature Off
    • 21-22. Load only modules really needed
        #LoadModule ldap_module modules/mod_ldap.so
        #LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
        #LoadModule include_module modules/mod_include.so
        #LoadModule dav_module modules/mod_dav.so
        #LoadModule dav_fs_module modules/mod_dav_fs.so
    • 23-24. Start with restrictive rules
        <Directory />
            Options None
            AllowOverride None
            Order allow,deny
        </Directory>
    • 25. Hardening PHP
    • 26. Use Suhosin(both patch and extension)
    • 27. Disable allow_url_fopen
    • 28-29. Don't expose PHP
        expose_php = Off
    • 30. Enable open_basedir
    • 31. Do NOT display errors in any circumstances on production
    • 32-40. Disable 'dangerous' functions
      - crack_*
      - fpassthru
      - psock-functions
      - posix_*
      - ini-functions
      - shell_exec, exec, passthru, system
      - chown, dl
      - popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close
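As an added example (not from the slides), a Python audit that reads a php.ini and reports which of the settings from slides 27-40 are not applied; the two ini texts are constructed, and the list of functions checked is taken from the slide (its wildcard groups are left out).

```python
# Settings the PHP hardening slides call for, by php.ini directive name. The
# function list follows the "Disable 'dangerous' functions" slide; the slide's
# wildcard groups (crack_*, posix_*, socket and ini functions) are not checked.
REQUIRED_OFF = ("expose_php", "allow_url_fopen", "display_errors")
REQUIRED_DISABLED = (
    "exec", "shell_exec", "system", "passthru", "popen", "pclose", "proc_open",
    "proc_close", "proc_nice", "proc_terminate", "proc_get_status", "dl",
    "chown", "fpassthru",
)
OFF_VALUES = ("", "0", "off", "false", "no", "none")  # php.ini spellings of false

def parse_php_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, [sections] skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def audit_php_ini(text):
    """Return a list of findings; an empty list means the slides' settings are met."""
    s = parse_php_ini(text)
    findings = []
    for key in REQUIRED_OFF:
        value = s.get(key, "On")  # PHP's built-in default for all three is on
        if value.strip().lower() not in OFF_VALUES:
            findings.append(f"{key} should be Off (is {value!r})")
    if not s.get("open_basedir"):
        findings.append("open_basedir is not set")
    disabled = {f.strip().lower() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = [f for f in REQUIRED_DISABLED if f not in disabled]
    if missing:
        findings.append("disable_functions lacks: " + ", ".join(missing))
    return findings

# Constructed inputs (not from the slides): a stock development-style php.ini
# and the same file with the slides' settings applied.
WEAK_INI = "[PHP]\nexpose_php = On\nallow_url_fopen = On\ndisplay_errors = On\ndisable_functions =\n"
HARDENED_INI = """\
[PHP]
expose_php = Off
allow_url_fopen = Off
display_errors = Off
open_basedir = "/var/www/drupal:/tmp"
disable_functions = exec,shell_exec,system,passthru,popen,pclose,proc_open,proc_close,proc_nice,proc_terminate,proc_get_status,dl,chown,fpassthru
"""
```

A missing directive is reported as a finding because PHP falls back to its compiled-in default, which for these three booleans is on.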
    • 41. Hardening Drupal
    • 42. Enable update module!
    • 43-45. Make Drupal's fingerprint less visible by removing files that are not needed
      - *.txt (CHANGELOG.txt will reveal whether you are behind on updates)
      - install.php
    • 46-48. Allow the web server user to write only to sites/[default]/files
      - If you haven't enabled .htaccess (as recommended for Apache hardening), disable the PHP interpreter for that directory in the server configuration:
        SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
        Options None
        Options +FollowSymLinks
    • 49. Some security modules
      - Secure Pages: redirect important pages to the SSL version
      - Security Review: one kind of checklist
      - Login Security or Flood Control: login attempt limiter
      - Password Policy: password constraints
      - Salt (for Drupal 6): salt password hashes
    • 50. Some paranoia is good when selecting modules. Use only well known modules.
    • 51. Some further reading
      - National Security Agency Hardening Guides: http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml
      - OWASP - Open Web Application Security Project: https://www.owasp.org/index.php/Main_Page
      - Drupal Security Advisories: http://drupal.org/security
    • 52. Thank you. Tero Alén, tero.alen@zeeland.fi, twitter.com/teroalen