2018 - CertiFUNcation - Helmut Hummel: Hardening TYPO3

  1. Hardening TYPO3, Helmut Hummel <typo3@helhum.io>
  2. @helhum
  3. What is Hardening?
  4. “Hardening is the process of securing a system by reducing its surface of vulnerability” https://en.wikipedia.org/wiki/Hardening_(computing)
  7. Security
  8. Reduce Attack Surface
  9. Layers of a TYPO3 application: OS, Webserver, PHP, DBMS, TYPO3, Extensions
  10. Each layer can be attacked: OS, Webserver, PHP, DBMS, TYPO3, Extensions
  11. An application is only as secure as its weakest link
  12. Every layer needs attention
  13. Here is what will be covered today
  14. Covered: OS ✅, Webserver ✅, TYPO3 ✅; not covered: DBMS ❌, PHP ❌, Extensions ❌
  22. OS
  23. Other services running on your OS
  24. FTP
  25. It's 2018
  26. Disable FTP access!
  27. Only jweiland knows how many TYPO3 sites have been hacked using a sniffed FTP password
  28. Disable every service that is not strictly required
  29. Keep your OS up to date
  30. …including your Docker containers
  31. Hardening OS Recap
      • Remove FTP
      • Disable every service you don't need (or don't even install it)
      • Update regularly
      • Containers need updates too
      • (There is much more on OS hardening)
  32. Webserver
  33. Update regularly
  34. Remember?
  35. It's 2018
  36. Enable SSL
  37. It's easy
  38. It's free
  39. It's secure
  40. But what about the TYPO3 rsaauth extension?
  41. Isn't that secure enough?
  42. Imagine a house
  43. Imagine a yard around that house
  44. Now imagine a door protecting access to the yard
  46. That's the protection you get from rsaauth
  47. tl;dr
  48. Enable SSL, disable rsaauth
  49. Enforce SSL (HSTS)
  50. Write protect every folder
  51. Hardening Webserver: folders that require write access
      • fileadmin
      • uploads
      • typo3temp
  52. But the Extension Manager does not work any more if typo3conf is read only
  53. 🤷
  54. Hardening ❤ Automation
  55. Disable PHP execution in folders with write access
  56. Apache directives for those folders:
          RemoveHandler .php
          RemoveType .php
          php_flag engine off
  57. The only remaining place to add exploit code is typo3temp/var/Cache/Code
  58. Warm up code caches during deployment
  59. (Still a bit challenging for Fluid caches)
  60. Write protect cache folders, too
  61. Hardening Webserver Recap
      • Updates, updates, updates
      • SSL, SSL, SSL
      • Write protect all possible folders
      • If possible also code cache folders
      • Automated deployment helps you with that
      • Disable PHP handler in writable folders
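A deployment-time audit for the two webserver rules above (write access only for fileadmin, uploads and typo3temp, and PHP switched off inside those folders), added here as an example and not part of the talk. It assumes Apache with .htaccess support and the `php_flag engine off` directive from slide 56, and it inspects permission bits rather than the identity of the user running it.

```shell
#!/bin/sh
# Added example: audit a TYPO3 document root against two rules from the talk.
#  1. Only fileadmin, uploads and typo3temp may carry a group or world write
#     bit; every other directory must be read-only for the webserver.
#  2. Each of those writable folders needs an .htaccess that turns PHP off,
#     using the directive shown on the slides (php_flag engine off).
# Assumption: Apache with .htaccess support; permission bits are inspected
# directly, so the check gives the same answer no matter who runs it.

ALLOWED_WRITABLE="fileadmin uploads typo3temp"

# Print every directory below $1 (relative to it) that is group- or
# world-writable and does not live inside one of the allowed folders.
# Prints nothing when the document root is clean.
unexpected_writable_dirs() {
    root=$1
    find "$root" -type d \( -perm -020 -o -perm -002 \) | while read -r d; do
        rel=${d#"$root"/}
        if [ "$rel" = "$root" ]; then rel=.; fi   # the root itself
        top=${rel%%/*}
        case " $ALLOWED_WRITABLE " in
            *" $top "*) ;;      # inside fileadmin/, uploads/ or typo3temp/
            *) echo "$rel" ;;
        esac
    done
}

# Print each allowed writable folder present under $1 whose .htaccess does
# not contain "php_flag engine off" (a missing file counts as unprotected).
writable_dirs_without_php_off() {
    root=$1
    for top in $ALLOWED_WRITABLE; do
        dir=$root/$top
        [ -d "$dir" ] || continue
        grep -qs 'php_flag engine off' "$dir/.htaccess" || echo "$top"
    done
}

# Stand-alone use: ./audit-webroot.sh /var/www/site/public
if [ -n "$1" ]; then
    echo "Writable outside fileadmin/uploads/typo3temp:"
    unexpected_writable_dirs "$1"
    echo "Writable folders without PHP disabled:"
    writable_dirs_without_php_off "$1"
fi
```

Run it from the deployment pipeline and fail the deploy when either function prints anything.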
  62. TYPO3
  63. Update regularly
  64. Tell TYPO3 you are serious about SSL
  65. $GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] = true;
  66. $GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieSecure'] = 1;
  67. Disable debug settings
  68. Settings for production:
          $GLOBALS['TYPO3_CONF_VARS']['BE']['debug'] = false;
          $GLOBALS['TYPO3_CONF_VARS']['FE']['debug'] = false;
          $GLOBALS['TYPO3_CONF_VARS']['SYS']['devIPmask'] = '';
          $GLOBALS['TYPO3_CONF_VARS']['SYS']['displayErrors'] = 0;
          $GLOBALS['TYPO3_CONF_VARS']['SYS']['enableDeprecationLog'] = '';
          $GLOBALS['TYPO3_CONF_VARS']['SYS']['sqlDebug'] = 0;
  69. Log errors and warnings
  70. Monitor logs!
  71. Disable install tool
  72. $GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'] = '';
  73. Or delete install.php on deploy
  74. Use TYPO3 Console for emergency maintenance
  75. Restrict backend access to the internal domain
  76. Only ship code that is required
  77. Why avoid installing code you don't need?
  78. Every security flaw is a bug in code
  79. All code has bugs
  80. All code potentially has security flaws
  81. 100% secure code is NO code
  82. TYPO3 comes as one package with a lot of code
  83. All system extensions are present, albeit deactivated
  84. … and you never need all of them
  85. But there is a solution
  86. TYPO3 Subtree Split
  87. TYPO3 Subtree Split
      • Every core extension is available as an individual Composer package
      • typo3/cms-core, typo3/cms-backend, …
      • All TYPO3 versions starting from 8.7.9 are available
      • MANDATORY since TYPO3 9.0 (you cannot require typo3/cms ^9.0)
      • If you have Composer-based TYPO3 8.7 projects, use it NOW
  88. But I don't use Composer
  89. 🤷
  90. Hardening ❤ Automation
  91. Automation ❤ Composer
  92. But there is more …
  93. Attack Surface
  94. Information Disclosure
  95. Every additional file in your document root increases the attack surface and potentially leaks private information
  96. What does a typical TYPO3 document root look like?
  97. $ ll
      total 208
      drwxr-xr-x 11 helmut staff   374 Jun 20 22:10 .
      drwxr-xr-x  5 helmut staff   170 Jun 20 14:54 ..
      drwxr-xr-x 15 helmut staff   510 Jun 20 22:10 .git
      -rw-r--r--  1 helmut staff    66 Jun 20 22:08 .gitignore
      -rw-r--r--  1 helmut staff   227 Jun 20 22:08 composer.json
      -rw-r--r--  1 helmut staff 94010 Jun 20 22:08 composer.lock
      -rw-r--r--  1 helmut staff   800 Jun 20 22:10 index.php
      drwxr-xr-x  5 helmut staff   170 Jun 20 22:10 typo3
      drwxrwsr-x  3 helmut staff   102 Jun 20 22:10 typo3conf
      drwxrwsr-x  3 helmut staff   102 Jun 20 22:10 typo3temp
      drwxr-xr-x 15 helmut staff   510 Jun 20 22:10 vendor
  98. How to fix that?
  99. Step 1 (composer.json):
          "extra": {
              "typo3/cms": {
                  "web-dir": "public"
              }
          }
  100. Step 2 (composer.json):
          "extra": {
              "typo3/cms": {
                  "root-dir": "private",
                  "web-dir": "public"
              }
          }
  101. Step 3: composer require helhum/typo3-secure-web
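An added check for the document-root problem shown in the listing above (example code, not from the talk): it reports the project files from that listing that are directly reachable through the webserver, and reads the `web-dir` value from composer.json so a deployment can refuse to go live while the project root still doubles as the document root. It assumes plain POSIX tools and the one-line `"web-dir": "public"` form used on the slides.

```shell
#!/bin/sh
# Added example: catch the "everything in the document root" layout from the
# directory listing on the slides. Two checks:
#  1. sensitive_entries_in: which project files/folders from that listing
#     (.git, composer.json, composer.lock, vendor, typo3conf, ...) sit
#     directly inside the document root and are therefore web-reachable
#  2. composer_web_dir: what "extra" > "typo3/cms" > "web-dir" is set to in
#     composer.json, so deployment can insist on a separate public/ folder
# Assumption: the JSON is read with sed, which is enough for the one-line
# "web-dir": "public" form shown on the slides.

# Entries from the slide's listing that must never sit in the document root.
NEVER_PUBLIC=".git .gitignore composer.json composer.lock vendor typo3conf"

# Print each NEVER_PUBLIC entry that exists directly under document root $1.
sensitive_entries_in() {
    for e in $NEVER_PUBLIC; do
        [ -e "$1/$e" ] && echo "$e"
    done
    return 0
}

# Print the web-dir value from composer.json $1; prints nothing if unset,
# which means the project root doubles as document root (the insecure default).
composer_web_dir() {
    sed -n 's/.*"web-dir"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Return 0 when the layout is safe: web-dir configured and document root clean.
layout_is_hardened() {
    project=$1
    webdir=$(composer_web_dir "$project/composer.json")
    [ -n "$webdir" ] || return 1
    [ -z "$(sensitive_entries_in "$project/$webdir")" ]
}

# Stand-alone use: ./check-layout.sh /var/www/site   (the Composer project root)
if [ -n "$1" ]; then
    if layout_is_hardened "$1"; then
        echo "ok: document root is separate and clean"
    else
        echo "document root exposes project files or web-dir is not set"
    fi
fi
```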
  102. Hardening TYPO3 Recap
       • Updates, Updates, Updates
       • No debug settings
       • Log errors and monitor logs
       • Disable install tool
       • Restrict backend access
       • Only install code that you need
       • Only expose public resources and defined entry points
  103. Thanks!
  104. https://speakerdeck.com/helhum/hardening-typo3
  105. References
       • https://docs.typo3.org/typo3cms/SecurityGuide/
       • Images: http://emmayajewel.com/, https://pixabay.com/en/child-protection-umbrella-rain-2956973/, http://formidableengineeringconsultants.com/