2018 - CertiFUNcation - Helmut Hummel: Hardening TYPO3
•
4 likes•477 views
Hardening TYPO3
Recommended
More Related Content
What's hot
What's hot (20)
Similar to 2018 - CertiFUNcation - Helmut Hummel: Hardening TYPO3
Similar to 2018 - CertiFUNcation - Helmut Hummel: Hardening TYPO3 (20)
More from TYPO3 CertiFUNcation
More from TYPO3 CertiFUNcation (20)
Recently uploaded
Recently uploaded (20)
2018 - CertiFUNcation - Helmut Hummel: Hardening TYPO3
- 1. Hardening TYPO3 Helmut Hummel <typo3@helhum.io> Inspiring people to shareHardening TYPO3
- 2. 2 @helhum
- 4. 4 “Hardening is the process of securing a system by reducing its surface of vulnerability” https://en.wikipedia.org/wiki/Hardening_(computing)
- 5. 5 “Hardening is the process of securing a system by reducing its surface of vulnerability” https://en.wikipedia.org/wiki/Hardening_(computing)
- 6. 6 “Hardening is the process of securing a system by reducing its surface of vulnerability” https://en.wikipedia.org/wiki/Hardening_(computing)
- 7. 7 Security
- 9. Layers of a TYPO3 application OS TYPO3 DBMS Webserver PHP 9 Extensions
- 10. Each layer can be attacked OS TYPO3 DBMS Webserver PHP 10 Extensions
- 11. An application is only as secure as its weakest link 11
- 12. Every layer needs attention 12
- 13. Here is what will be covered today 13
- 22. OS 22
- 23. Other services running on your OS 23
- 24. FTP 24
- 25. It's 2018 25
- 27. Only jweiland knows how many TYPO3 sites have been hacked using a sniffed FTP password 27
- 28. Disable every service, not strictly required 28
- 29. Keep your OS up to date 29
- 30. …including your Docker containers 30
- 31. Hardening OS Recap • Remove FTP • Disable every service you don't need (or don't even install it) • Update regularly • Containers need updates too • (There is much more on OS hardening) 31
- 32. 32 Webserver
- 34. Remember? 34
- 35. It's 2018 35
- 36. Enable SSL 36
- 37. It's easy 37
- 38. It's free 38
- 39. It's secure 39
- 40. But what about TYPO3 rsaauth extension? 40
- 41. Isn't that secure enough? 41
- 43. Imagine a yard around that house 43
- 44. Now imagine a door protecting access to the yard 44
- 45. 45
- 46. That's the protection you get from rsaauth 46
- 47. tl;dr 47
- 48. Enable SSL, disable rsaauth 48
- 50. Write protect every folder 50
- 51. Hardening Webserver Folders that require write access • fileadmin • uploads • typo3temp 51
- 52. But Extension Manager does not work any more if typo3conf is read only 52
- 53. 🤷 53
- 55. Disable PHP execution in folders with write access 55
- 56. RemoveHandler .php RemoveType .php php_flag engine off 56
- 57. The only remaining place to add exploit code is typo3temp/var/Cache/Code 57
- 58. Warm up code caches during deployment 58
- 59. (Still a bit challenging for Fluid caches) 59
- 60. Write protect cache folders, too 60
- 61. • Updates, update, updates • SSL, SSL, SSL • Write protect all the things all possible folders • If possible also code cache folders • Automated deployment helps you with that • Disable PHP handler in writable folders Hardening Webserver Recap 61
- 62. 62 TYPO3
- 64. Tell TYPO3 you are serious about SSL 64
- 68. $GLOBALS['TYPO3_CONF_VARS']['BE']['debug'] = false; $GLOBALS['TYPO3_CONF_VARS']['FE']['debug'] = false; $GLOBALS['TYPO3_CONF_VARS']['SYS']['devIPmask'] = ''; $GLOBALS['TYPO3_CONF_VARS']['SYS']['displayErrors'] = 0; $GLOBALS['TYPO3_CONF_VARS']['SYS']['enableDeprecationLog'] = ''; $GLOBALS['TYPO3_CONF_VARS']['SYS']['sqlDebug'] = 0; 68
- 69. Log errors and warnings 69
- 70. Monitor logs! 70
- 73. Or delete install.php on deploy 73
- 74. Use TYPO3 Console for emergency maintenance 74
- 75. Restrict backend access to internal domain 75
- 76. Only ship code that is required 76
- 77. Why to avoid installing code you don't need? 77
- 78. Every security flaw is a bug in code 78
- 79. Every code has bugs 79
- 80. Every code potentially has security flaws 80
- 81. 100% secure code is NO code 81
- 82. TYPO3 comes as one package with a lot of code 82
- 83. All system extensions are present, albeit deactivated 83
- 84. … and you never need all of them 84
- 85. But there is a solution 85
- 87. Security TYPO3 Subtree split • Every core extension is available as individual composer package • typo3/cms-core, typo3/cms-backend, … • All TYPO3 versions starting from 8.7.9 are available • MANDATORY since TYPO3 9.0 (you cannot require typo3/cms ^9.0) • If you have composer based TYPO3 8.7 projects, use it NOW 87
- 88. But I don't use Composer 88
- 89. 🤷 89
- 92. But there is more … 92
- 95. Every additional file in your document root increases the attack surface and is potentially leaking private information 95
- 96. How does a possible TYPO3 document root look like? 96
- 97. 97 $ ll total 208 drwxr-xr-x 11 helmut staff 374 Jun 20 22:10 . drwxr-xr-x 5 helmut staff 170 Jun 20 14:54 .. drwxr-xr-x 15 helmut staff 510 Jun 20 22:10 .git -rw-r--r-- 1 helmut staff 66 Jun 20 22:08 .gitignore -rw-r--r-- 1 helmut staff 227 Jun 20 22:08 composer.json -rw-r--r-- 1 helmut staff 94010 Jun 20 22:08 composer.lock -rw-r--r-- 1 helmut staff 800 Jun 20 22:10 index.php drwxr-xr-x 5 helmut staff 170 Jun 20 22:10 typo3 drwxrwsr-x 3 helmut staff 102 Jun 20 22:10 typo3conf drwxrwsr-x 3 helmut staff 102 Jun 20 22:10 typo3temp drwxr-xr-x 15 helmut staff 510 Jun 20 22:10 vendor
- 98. How to fix that? 98
- 99. Security Step 1 99 "extra": { "typo3/cms": { "web-dir": "public" } }
- 100. Security Step 2 100 "extra": { "typo3/cms": { "root-dir": "private", "web-dir": "public" } }
- 101. Security Step 3 101 composer require helhum/typo3-secure-web
- 102. Hardening TYPO3 Recap • Updates, Updates, Updates • No debug settings • Log errors and monitor logs • Disable install tool • Restrict backend access • Only install code that you need • Only expose public resources and defined entry points 102
- 103. Thanks! 103
- 105. Hardening TYPO3 References • https://docs.typo3.org/typo3cms/SecurityGuide/ • Images • http://emmayajewel.com/ • https://pixabay.com/en/child-protection-umbrella-rain-2956973/ • http://formidableengineeringconsultants.com/ 105