31. Hardening OS
Recap
• Remove FTP
• Disable every service you don't need (or don't even install it)
• Update regularly
• Containers need updates too
• (There is much more on OS hardening)
61. Hardening Webserver
Recap
• Updates, updates, updates
• SSL, SSL, SSL
• Write protect all the things (all possible folders)
• If possible also code cache folders
• Automated deployment helps you with that
• Disable PHP handler in writable folders
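The write-protect and PHP-handler points above, as an added shell example that is not part of the slides: it locks a deployed document root down and then lists PHP files that sit in directories the web server group or others can still write to. The directory layout, the WRITABLE_DIRS list and the example paths are assumptions for this illustration.

```shell
#!/bin/sh
# Added example (not from the slides): lock down a deployed TYPO3 document root.
# Assumptions: the layout shown in the slides (index.php, typo3/, vendor/, typo3conf/,
# typo3temp/), deployment runs as a user other than the web server user, and only the
# directories in WRITABLE_DIRS need to stay writable at runtime. Paths are illustrative.

# Directories the web server may still write to after deployment (constructed list).
WRITABLE_DIRS="typo3temp fileadmin"

# Step 1: remove write permission from the whole document root (code, index.php, vendor),
# then re-open only the runtime directories for owner and group.
write_protect_docroot() {
    docroot="$1"
    chmod -R a-w "$docroot"
    for d in $WRITABLE_DIRS; do
        if [ -d "$docroot/$d" ]; then
            chmod -R ug+w "$docroot/$d"
        fi
    done
}

# Step 2: list PHP files that sit in group- or world-writable directories. Those
# directories must have the PHP handler disabled in the web server configuration, and
# any PHP file found there deserves a look, since deployed code lives in read-only folders.
php_in_writable_dirs() {
    docroot="$1"
    find "$docroot" -type d \( -perm -020 -o -perm -002 \) -print | while read -r d; do
        find "$d" -maxdepth 1 -type f -name '*.php' -print
    done
}

# Usage (illustrative path):
#   write_protect_docroot /var/www/example/htdocs
#   php_in_writable_dirs /var/www/example/htdocs
```

The second function changes nothing; it only shows where the web server must refuse to execute PHP and prints anything that contradicts the "code is read-only" rule. Running both after every deployment turns the recap bullets into a repeatable check.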
87. Security
TYPO3 Subtree split
• Every core extension is available as individual composer package
• typo3/cms-core, typo3/cms-backend, …
• All TYPO3 versions starting from 8.7.9 are available
• MANDATORY since TYPO3 9.0 (you cannot require typo3/cms ^9.0)
• If you have composer based TYPO3 8.7 projects, use it NOW
95. Every additional file in your document root increases the attack surface and is potentially leaking private information
96. What does a possible TYPO3 document root look like?
97.
$ ll
total 208
drwxr-xr-x 11 helmut staff 374 Jun 20 22:10 .
drwxr-xr-x 5 helmut staff 170 Jun 20 14:54 ..
drwxr-xr-x 15 helmut staff 510 Jun 20 22:10 .git
-rw-r--r-- 1 helmut staff 66 Jun 20 22:08 .gitignore
-rw-r--r-- 1 helmut staff 227 Jun 20 22:08 composer.json
-rw-r--r-- 1 helmut staff 94010 Jun 20 22:08 composer.lock
-rw-r--r-- 1 helmut staff 800 Jun 20 22:10 index.php
drwxr-xr-x 5 helmut staff 170 Jun 20 22:10 typo3
drwxrwsr-x 3 helmut staff 102 Jun 20 22:10 typo3conf
drwxrwsr-x 3 helmut staff 102 Jun 20 22:10 typo3temp
drwxr-xr-x 15 helmut staff 510 Jun 20 22:10 vendor
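An added shell example, not from the slides, that checks a document root like the one listed above against an allow-list of public resources and entry points. The allow-list and the example path are assumptions for this illustration.

```shell
#!/bin/sh
# Added example (not from the slides): report everything in a document root that is not a
# public resource or a defined entry point. The allow-list is an assumption for this example,
# modelled on the layout in the slide's listing; adapt it to your own installation.
ALLOWED="index.php typo3 typo3conf typo3temp fileadmin"

# Return 0 when the entry name is on the allow-list.
is_allowed() {
    for a in $ALLOWED; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# Print every top-level entry, dotfiles included, that is not on the allow-list.
# Each hit is either something to move above the document root (.git, composer.json,
# composer.lock, vendor) or a new entry point that needs a deliberate decision.
audit_docroot() {
    docroot="$1"
    for entry in "$docroot"/* "$docroot"/.[!.]*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry")
        is_allowed "$name" || echo "$name"
    done
}

# Usage (illustrative path): audit_docroot /var/www/example/htdocs
```

Run against the listing above it reports .git, .gitignore, composer.json, composer.lock and vendor. None of them has to be reachable through the web server, and composer.lock in particular states the exact package versions installed, which is the kind of private information the previous slide warns about.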
102. Hardening TYPO3
Recap
• Updates, Updates, Updates
• No debug settings
• Log errors and monitor logs
• Disable install tool
• Restrict backend access
• Only install code that you need
• Only expose public resources and defined entry points
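Two of the recap points, no debug settings and a disabled install tool, as an added shell example that is not from the slides. It assumes the classic layout with typo3conf/LocalConfiguration.php, the typo3conf/ENABLE_INSTALL_TOOL marker file that switches the install tool on, and the configuration keys SYS.displayErrors, BE.debug and FE.debug; the instance path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the slides): deploy-time checks for "no debug settings" and
# "disable install tool". Assumptions: classic layout with typo3conf/LocalConfiguration.php,
# the install tool enabled by the presence of typo3conf/ENABLE_INSTALL_TOOL, and debug
# output controlled by SYS.displayErrors, BE.debug and FE.debug.

# Return 0 when the install tool is disabled, i.e. the enable file is absent.
install_tool_disabled() {
    [ ! -e "$1/typo3conf/ENABLE_INSTALL_TOOL" ]
}

# Print the number of debug-related settings switched on in LocalConfiguration.php.
# Matches 'displayErrors' => 1 as well as 'debug' => true / 1 / '1'; the target is 0.
count_debug_settings() {
    conf="$1/typo3conf/LocalConfiguration.php"
    [ -r "$conf" ] || { echo "missing: $conf" >&2; return 1; }
    grep -cE "'(displayErrors|debug)' => (1|true|'1')," "$conf" || true
}

# Usage (illustrative path):
#   install_tool_disabled /var/www/example/htdocs || echo "install tool still enabled"
#   count_debug_settings /var/www/example/htdocs
```

Both checks are cheap enough to run from the deployment pipeline and to repeat from monitoring: a reappearing ENABLE_INSTALL_TOOL file or a non-zero debug count after go-live is worth an alert, not just a note.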