Drupal Security Intro

Introduction to Drupal security. These slides are based on a presentation I did at Drupal Camp Dallas 2011.


    1. Intro into Drupal Security @CashWilliams http://CashWilliams.com
    2-7. What is Security
        • Protecting website data
            • Protecting from unauthorized access
            • Protecting from modification
            • Protecting from destruction
        • Maintaining access to the data
    8-13. Attack Vectors
        • Drupal Vulnerabilities
            • XSS
            • Access Bypass
            • CSRF
            • SQL Injection
    14-21. Other Attack Vectors
        • General Vulnerabilities (a.k.a. What we’re not going to cover)
            • Operating System
            • Web Server
            • PHP
            • MySQL
            • Javascript (Theme, WYSIWYG, etc...)
            • Authentication (Facebook, OpenID...)
    22. Keep Up to Date
        • How to stay informed (Drupal)
            • Sign up for emails from the Security Team
            • RSS Feed
            • Twitter
            • Update Status module - with email setting
    23. Security announcements from Drupal.org
    24. RSS Feeds from Drupal.org
        • http://drupal.org/node/406142
        • http://drupal.org/security/rss.xml
        • http://drupal.org/security/contrib/rss.xml
        • http://drupal.org/security/psa/rss.xml
    25. Drupal Security from Twitter
    26-27. Update Status Module
        • Enable the ‘Update status’ module from the modules page /admin/build/modules
        • Adjust the settings at /admin/reports/updates/settings
    28-32. Database Users
        • Use different database users for each site you run
        • Only give needed permissions on the proper database
        • Limit hosts a user can connect from (‘username’@‘localhost’)
        • Don’t use root!
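As an added example (not from the slides or the presenter), a small shell audit that checks the output of MySQL's SHOW GRANTS for one site's account against the four rules above: no root, grants only on that site's database, connections only from localhost, no global privileges or GRANT OPTION. The account names, database names and hosts in the sample listings are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: audit "SHOW GRANTS FOR 'user'@'host'"
# output for one Drupal site's MySQL account against the Database Users rules:
# no root, grants only on that site's database, connections only from
# localhost, no global privileges and no GRANT OPTION.
# Usage: audit_grants <site_db> < grants.txt   (one FINDING line per problem)
audit_grants() {
  site_db=$1
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    acct=${line##* TO }; acct=${acct%% *}        # e.g. 'site1'@'localhost'
    user=${acct%%@*};    host=${acct##*@}
    obj=${line#* ON }; obj=${obj%% TO *}          # e.g. *.* or `site1`.*
    obj=$(printf '%s' "$obj" | tr -d '`')
    case $user in "'root'") echo "FINDING: root account used: $line" ;; esac
    case $host in
      "'localhost'" | "'127.0.0.1'") ;;
      *) echo "FINDING: host not limited to localhost ($host): $line" ;;
    esac
    case $line in *"WITH GRANT OPTION"*) echo "FINDING: GRANT OPTION: $line" ;; esac
    # "GRANT USAGE ON *.*" is MySQL's way of saying "no privileges": not global
    case $line in "GRANT USAGE ON *.*"*) continue ;; esac
    [ "$obj" = "$site_db.*" ] || echo "FINDING: grant outside $site_db ($obj): $line"
  done
}

# Number of findings for a grants listing (on stdout), never a non-zero exit
count_findings() {
  printf '%s\n' "$1" | audit_grants "$2" | grep -c FINDING || true
}

# Constructed sample listings (no real accounts): the first follows the rules
GOOD_GRANTS="GRANT USAGE ON *.* TO 'site1'@'localhost' IDENTIFIED BY PASSWORD '*HASH'
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON \`site1\`.* TO 'site1'@'localhost'"
# ... the second breaks every one of them (root, any host, *.*, another site's DB)
BAD_GRANTS="GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION
GRANT SELECT ON \`othersite\`.* TO 'site1'@'localhost'
GRANT SELECT, INSERT ON \`site1\`.* TO 'site1'@'10.0.0.%'"

echo "good listing: $(count_findings "$GOOD_GRANTS" site1) finding(s)"   # 0
echo "bad listing:  $(count_findings "$BAD_GRANTS" site1) finding(s)"    # 6
```

Feed it a real listing with `mysql -e "SHOW GRANTS FOR 'site1'@'localhost'" -N | audit_grants site1` and treat any FINDING line as a grant to tighten.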
    33-37. HTTPS
        • Use HTTPS if at all possible
            • Session hijacking
            • Packet sniffing on open networks
        • Secure Pages module
        • OR .htaccess rule to redirect all traffic
            # .htaccess: send every plain-HTTP request to the same URL over HTTPS
            # (^80$ so that, for example, port 8080 is not matched by accident)
            RewriteCond %{SERVER_PORT} ^80$
            RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R,L]
            # mod_php only: mark the PHP session cookie Secure so it is never sent over plain HTTP
            php_value session.cookie_secure 1
    38-44. Security Modules
        • securepages & securepages_prevent_hijack
        • password_policy
        • security_review
        • salt (Drupal 6 only)
        • login_security (Drupal 6 only)
        • paranoia
    45. Secure Pages & Secure Pages Prevent Hijack
        • http://drupal.org/project/securepages
        • http://drupal.org/project/securepages_prevent_hijack (Drupal 6 only)
        • Redirects selected pages to use SSL
        • Protects a few common pages by default
        • Drupal 6 needs session hijack prevention
    46. Password Policy
        • http://drupal.org/project/password_policy
        • Allows site builders to define a password complexity level for users
        • Also implements a password expiration feature
    47. Security Review
        • http://drupal.org/project/security_review
        • Checklist for site security integrated into your site
        • Still relies on you to do the manual work
    48. Salt
        • http://drupal.org/project/salt
        • Adds ‘salt’ to passwords stored in the database
        • Helps fight against dictionary attacks on a password dump
        • Not needed for Drupal 7
    49. Paranoia
        • http://drupal.org/project/paranoia
        • Disables granting of the "use PHP for block visibility" permission
        • Disables creation of input formats that use the PHP filter
        • Disables editing the user #1 account
        • Disables disabling itself
    50-51. Login Security
        • http://drupal.org/project/login_security
        • Drupal 6 only (built into Drupal 7 core)
        • Limit the number of invalid login attempts
        • Can lock user accounts based on login failures
    52-53. Input Formats/Filters
        • Default Input filter = EVERYONE has access
        • Better Formats module (Only needed for Drupal 6)
        • Some type of filtered input should be default
    54-55. Input Formats/Filters
        • Use HTML filter
            • Configure allowed tags
            • Dangerous - SCRIPT, IMG, IFRAME, EMBED, OBJECT, INPUT, LINK, STYLE, META, FRAMESET, DIV, BASE, TABLE, TR, TD
            • WYSIWYG editors - Don’t allow all tags
    56. Input Formats/Filters
        • PHP Filter module (comes in core)
        • Don’t use it!
        • Some recommend removing the module from the code base
        • If you do use it, make sure you know who has access
    57. File Uploads
        • Don’t allow unsafe uploads
        • Both core file uploads and fields/cck files
    58-61. Protect Drupal from Outside
        • Use a firewall to deny access
        • Deny access at the web server
            # Apache 2.2 syntax: login and admin paths are denied except from trusted addresses.
            # The pattern is anchored and ends in (/|$) so that /user and /admin without a
            # trailing slash are covered too; the original "/(user|login|admin)/" missed them.
            # Note: LocationMatch does not see the query string, so with clean URLs off
            # (?q=user/login) this rule does not apply.
            <LocationMatch "^/(user|login|admin)(/|$)">
                Order Deny,Allow
                Deny from all
                Allow from 127.0.0.1
                # Example Network 1
                Allow from 165.91.200.0/255.255.252.0
                ...
            </LocationMatch>
    62-65. Other Gotchas
        • settings.php
            • ONLY the web server needs read access to this file
            • Should not be writable
        • Leaving an SQL dump in a web accessible folder
        • Don’t e-mail passwords
            • !password token
    66-67. Security Reviews
        • Custom Security Review
            • https://www.acquia.com/products-services/acquia-professional-services/service-offerings
