
Drupal Security Intro


Introduction to Drupal security. These slides are based on a presentation I did at Drupal Camp Dallas 2011.


Slide 1: Intro to Drupal Security
• @CashWilliams
• http://CashWilliams.com

Slides 2-7: What is Security
• Protecting website data
  • Protecting from unauthorized access
  • Protecting from modification
  • Protecting from destruction
• Maintaining access to the data

Slides 8-13: Attack Vectors
• Drupal vulnerabilities
  • XSS
  • Access bypass
  • CSRF
  • SQL injection

Slides 14-21: Other Attack Vectors
• General vulnerabilities (a.k.a. what we're not going to cover)
  • Operating system
  • Web server
  • PHP
  • MySQL
  • JavaScript (theme, WYSIWYG, etc.)
  • Authentication (Facebook, OpenID, ...)

Slides 22-27: Keep Up to Date
• How to stay informed (Drupal):
  • Sign up for e-mails from the Security Team
  • RSS feeds
  • Twitter
  • Update Status module, with its e-mail notification setting enabled
• Security announcements from drupal.org
• RSS feeds from drupal.org:
  • http://drupal.org/node/406142
  • http://drupal.org/security/rss.xml
  • http://drupal.org/security/contrib/rss.xml
  • http://drupal.org/security/psa/rss.xml
• Drupal security on Twitter
• Update Status module:
  • Enable the 'Update status' module from the modules page, /admin/build/modules (Drupal 6 path; Drupal 7 uses /admin/modules)
  • Adjust the settings at /admin/reports/updates/settings

Slides 28-32: Database Users
• Use a different database user for each site you run
• Only grant the permissions that site needs, and only on its own database
• Limit the hosts a user can connect from ('username'@'localhost')
• Don't use root!

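The database-user rules above (one user per site, only the needed privileges, only on that site's database, bound to one host, never root), written out as an added shell example that is not part of the slides. The function prints the MySQL statements instead of running them, so they can be read before being piped into mysql; the privilege list is the one Drupal's INSTALL.mysql.txt asks for, and the site, database, user and password values below are placeholders.

```shell
#!/bin/sh
# Added example (not from the slides): emit the MySQL statements that create
# one least-privilege database user per Drupal site, bound to a single host.
# Site/database/user names and passwords used here are placeholders.

# drupal_db_user_sql SITE_DB DB_USER PASSWORD [HOST]
# Prints SQL on stdout; pipe it into `mysql -u root -p` to apply it.
drupal_db_user_sql() {
    [ $# -ge 3 ] || { echo "usage: drupal_db_user_sql SITE_DB DB_USER PASSWORD [HOST]" >&2; return 1; }
    db="$1"; user="$2"; pass="$3"; host="${4:-localhost}"

    # Never run a site as the MySQL superuser, and don't hand out a wildcard
    # host: name the machine the web server actually connects from.
    case "$user" in
        root) echo "refusing to use root as a site user" >&2; return 1 ;;
    esac
    case "$host" in
        %) echo "refusing wildcard host '%'; pass the web host's address" >&2; return 1 ;;
    esac

    # Make the password safe inside a single-quoted SQL literal:
    # double every backslash, then double every single quote.
    esc_pass=$(printf '%s' "$pass" | sed "s/\\\\/\\\\\\\\/g; s/'/''/g")

    printf "CREATE DATABASE IF NOT EXISTS \`%s\` CHARACTER SET utf8 COLLATE utf8_general_ci;\n" "$db"
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$user" "$host" "$esc_pass"
    # Exactly the privileges Drupal needs, on exactly this database:
    # no ALL PRIVILEGES, no GRANT OPTION, no FILE/SUPER, nothing on other sites.
    printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON \`%s\`.* TO '%s'@'%s';\n" "$db" "$user" "$host"
    printf "FLUSH PRIVILEGES;\n"
}

# Usage: one user per site, each confined to its own database.
#   drupal_db_user_sql site_a_db site_a 'S3cret-A' | mysql -u root -p
#   drupal_db_user_sql site_b_db site_b 'S3cret-B' | mysql -u root -p
```

If a site's database lives on another machine, pass that web server's address as the fourth argument so the account still cannot be used from anywhere else.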
Slides 33-37: HTTPS
• Use HTTPS if at all possible; it protects against:
  • Session hijacking
  • Packet sniffing on open networks
• Secure Pages module
• OR an .htaccess rule that redirects all traffic to HTTPS:

    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R,L]
    php_value session.cookie_secure 1

  • The rule sends every plain-HTTP request to the same host over HTTPS; the php_value line marks the session cookie Secure so the browser never sends it over plain HTTP. RewriteEngine On is needed unless mod_rewrite is already enabled in that scope (Drupal's stock .htaccess enables it).
  • Caveats: behind a TLS-terminating proxy or load balancer SERVER_PORT is always 80, so this rule redirects in a loop; check the proxy's forwarded-protocol header instead. php_value only works under mod_php; with FastCGI set session.cookie_secure in php.ini or with ini_set() in settings.php.

Slides 38-44: Security Modules
• securepages & securepages_prevent_hijack
• password_policy
• security_review
• salt (Drupal 6 only)
• login_security (Drupal 6 only)
• paranoia

Slide 45: Secure Pages & Secure Pages Prevent Hijack
• http://drupal.org/project/securepages
• http://drupal.org/project/securepages_prevent_hijack (Drupal 6 only)
• Redirects selected pages to use SSL
• Protects a few common pages by default
• Drupal 6 needs session hijack prevention

Slide 46: Password Policy
• http://drupal.org/project/password_policy
• Allows site builders to define a password complexity level for users
• Also implements a password expiration feature

Slide 47: Security Review
• http://drupal.org/project/security_review
• Checklist for site security integrated into your site
• Still relies on you to do the manual work

Slide 48: Salt
• http://drupal.org/project/salt
• Adds a salt to passwords stored in the database
• Helps fight dictionary attacks on a password dump
• Not needed for Drupal 7 (core hashes passwords with a salt)

Slide 49: Paranoia
• http://drupal.org/project/paranoia
• Disables granting of the "use PHP for block visibility" permission
• Disables creation of input formats that use the PHP filter
• Disables editing the user #1 account
• Disables disabling itself

Slides 50-51: Login Security
• http://drupal.org/project/login_security
• Drupal 6 only (built in to Drupal 7 core as login flood control)
• Limit the number of invalid login attempts
• Can lock user accounts based on login failures

Slides 52-57: Input Formats/Filters
• The default input format is available to EVERYONE (every role)
• Better Formats module (only needed for Drupal 6)
• Some type of filtered input should be the default
• Use the HTML filter
  • Configure allowed tags
  • Dangerous: SCRIPT, IMG, IFRAME, EMBED, OBJECT, INPUT, LINK, STYLE, META, FRAMESET, DIV, BASE, TABLE, TR, TD
  • WYSIWYG editors: don't allow all tags
• PHP Filter module (comes in core)
  • Don't use it!
  • Some recommend removing the module from the code base
  • If you do use it, make sure you know who has access
• File uploads
  • Don't allow unsafe uploads
  • Applies both to core file uploads and to CCK/field file uploads

Slides 58-61: Protect Drupal from Outside
• Use a firewall to deny access
• Deny access at the web server, e.g. restrict the login and admin paths to known addresses:

    <LocationMatch "/(user|login|admin)/">
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1
        # Example Network 1
        Allow from 165.91.200.0/255.255.252.0
        ...
    </LocationMatch>

  • Caveats: this is Apache 2.2 syntax (Apache 2.4 uses Require ip ... instead). LocationMatch tests only the URL path, so it covers clean URLs but not the ?q=user/login form when clean URLs are off; the trailing slash in the pattern also leaves a bare /user or /admin unmatched. Test the rule from an outside address after applying it.

Slides 62-65: Other Gotchas
• settings.php
  • ONLY the web server needs read access to this file
  • Should not be writable
• Leaving an SQL dump in a web-accessible folder
• Don't e-mail passwords: the !password token in Drupal 6's user e-mail templates puts the plaintext password in the message, so remove it

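The settings.php and SQL-dump gotchas above, turned into a quick check you can run against a docroot. This is an added shell example and not part of the slides; the suggested fix it prints (owner root, group www-data, mode 440) assumes the web server runs under the www-data group, and the docroot path in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the slides): check a Drupal docroot for a
# settings.php with loose permissions and for database dumps left under
# the web root. The fix text assumes the web server's group is www-data.

# drupal_gotcha_check DOCROOT
# Prints one line per finding; returns 0 when clean, 1 otherwise.
drupal_gotcha_check() {
    docroot="$1"
    findings=0

    for settings in "$docroot"/sites/*/settings.php; do
        [ -f "$settings" ] || continue
        # The first ten characters of `ls -l` are the type and permission
        # bits, e.g. -rw-r--r--; POSIX fixes that layout.
        perm=$(ls -ld "$settings" | cut -c1-10)
        # Any write bit at all: the slide's advice is that the file is never
        # writable once the site is installed.
        case "$perm" in
            *w*)
                echo "WRITABLE: $settings ($perm); fix: chown root:www-data '$settings' && chmod 440 '$settings'"
                findings=$((findings + 1)) ;;
        esac
        # Character 8 is the "other" read bit: with it set, every local
        # account on the box can read the database credentials.
        case "$(printf '%s' "$perm" | cut -c8)" in
            r)
                echo "WORLD-READABLE: $settings ($perm); only the web server needs to read it"
                findings=$((findings + 1)) ;;
        esac
    done

    # A dump under the docroot is a download away for anyone who guesses
    # the filename.
    dumps=$(find "$docroot" -type f \( -name '*.sql' -o -name '*.sql.gz' -o -name '*.sql.bz2' \))
    if [ -n "$dumps" ]; then
        printf '%s\n' "$dumps" | sed 's/^/SQL DUMP UNDER WEB ROOT: /'
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Usage (path is a placeholder):
#   drupal_gotcha_check /var/www/example.com/htdocs
```

Run it as part of a deploy or from cron; a non-zero exit status makes it easy to fail a build or page someone when a dump reappears.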
Slides 66-67: Security Reviews
• Custom Security Review: https://www.acquia.com/products-services/acquia-professional-services/service-offerings
