SlideShare a Scribd company logo

Tips on Securing Drupal Sites

C
cgmonroe

Drupal Camp Ashville 2018 talk on Securing Drupal sites. This talk is a quick overview with lots of brief how to suggestions.

Technology
1 of 25
Download to read offline
Tips on Securing Drupal Sites Greg Monroe SolarWind MSP Drupal Camp Ashville 2018 The information here is my own and not the views of my employer
Drupal Camp Ashville 2018 Security… the Final Frontier This is a semi-case study based on my experiences Not a Deep Dive Will be trying to walk the line between DevOps and Site Admin / Builders Pick the tips that can help you
Drupal Camp Ashville 2018 Why you should care
Drupal Camp Ashville 2018 Some Common Threat Vectors Server Attacks, e.g. DDoS, SSL attacks, nuisance probes Code Attacks, e.g. DrupalGeddon#, Contrib bugs, non-Drupal code, Server bugs User access attacks, e.g. Brute force, Social Eng., Phishing "Internal" attacks, e.g. Valid users, Shared Resource Attacks
Drupal Camp Ashville 2018 Server Attack Tips Trip wires and Problem id tools Layered Defenses Use a CDN Varnish or Nginx proxy Htaccess rules Drupal Secure HTTP Headers Golden Rule: Keep attackers from using precious Drupal resources.
Drupal Camp Ashville 2018 Trip Wires and Problem ID Uptime Monitoring (Pingdom and the like/ use Post requests) Disclaimer Pingdom is owned by SolarWinds Disk Usage Monitoring (logs, site, and SQL database) CPU Monitoring 404 / 403 Errors Log Analysis Tools ( GoAccess.io ) Grep and Pipes, e.g. grep “14/Jul” access.log | grep -v <office ip> https://www.abuseipdb.com/
Drupal Camp Ashville 2018 Cloudflare Layered Defense In Minutes Low cost / high value Free SSL CDN lite with world wide proxy servers. World class protection against common hacks DDoS built in Page rules Requires control of your domain Another layer of cache to clear
Drupal Camp Ashville 2018 Traditional Alternatives CDN like AWS Cloudfront or Verizon Edgecast Varnish or Nginx caching front end .htaccess rules Deny unwanted crawlers Block DdoS or nuisance URL requests Drupal Configure cache properly Use Fast 404
Drupal Camp Ashville 2018 Some Sample .htaccess rules # Stop some bad web crawlers RewriteCond %{HTTP_USER_AGENT} AhrefsBot [NC,OR] RewriteCond %{HTTP_USER_AGENT} spbot [NC,OR] RewriteCond %{HTTP_USER_AGENT} DigExt [NC,OR] RewriteCond %{HTTP_USER_AGENT} Sogou [NC,OR] RewriteCond %{HTTP_USER_AGENT} MJ12 [NC,OR] RewriteCond %{HTTP_USER_AGENT} majestic12 [NC,OR] RewriteCond %{HTTP_USER_AGENT} 80legs [NC,OR] RewriteCond %{HTTP_USER_AGENT} SISTRIX [NC,OR] RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR] RewriteCond %{HTTP_USER_AGENT} Semrush [NC,OR] RewriteCond %{HTTP_USER_AGENT} Ezooms [NC,OR] RewriteCond %{HTTP_USER_AGENT} CCBot [NC,OR] RewriteCond %{HTTP_USER_AGENT} TalkTalk [NC,OR] RewriteCond %{HTTP_USER_AGENT} Ahrefs [NC] RewriteRule !^robots.txt$ - [F,L] # Stop problem URLs from flooding Drupal Log. RewriteRule ^/?autodiscover/autodiscover.xml$ - [R=404,L,NC] RewriteRule ^/?wp-login.php - [R=404,L,NC] RewriteCond %{REQUEST_METHOD} POST RewriteRule (^|/)events/ - [F,L] # Deny post to site index. RewriteCond %{REQUEST_METHOD} POST RewriteCond %{REQUEST_URI} ^/$ RewriteRule ^ - [F,L]
Drupal Camp Ashville 2018 SSL Tools Test your SSL Strength https://www.ssllabs.com/ssltest/ Free SSL Certificates https://letsencrypt.org/ SSL Server Config https://mozilla.github.io/server-side- tls/ssl-config-generator/?hsts=no
Drupal Camp Ashville 2018 Secure HTTP Headers Do Your Research on These Security Kit Module (seckit) Content-Security-Policy https://wiki.mozilla.org/Security/CSP X-XSS-Protection X-Content-Type-Options X-Frame-Options Strict-Transport-Security Referrer-Policy https://securityheaders.com/
Drupal Camp Ashville 2018 Code Attack Tips Main Points Get Security updates and determine if they are Critical or not. Commit to Updating Critical Releases the same day they are released and non-Critical within a few days. Schedule reviews of the Update Report and related release notes. Update modules regularly. Keep the rest of the ‘stack’ updated
Drupal Camp Ashville 2018 Code Attack Tips Drupal Core Keep your code updated Subscribe to Drupal Security Alerts Subscribe to the RSS Feed @ https://www.drupal.org/project/webma sters/issues/2965777 Follow Tweets by @drupalsecurity handle all security announcements are posted to an email list. To subscribe to email: log in, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab. Contrib Modules Use the core Update Reports module Read the release note / test before going to production Follow issues of any patches you use Check the status of any Dev releases you use If you use modules not covered by the security team, look closely at what they do.
Drupal Camp Ashville 2018 Code Attack Tips (cont.) Server Software Keep the OS and tools up to date Keep PhP up to date Keep Apache (or Nginx) up to date Keep your SQL software up to date If you control it, keep it updated. If you don’t make sure the people who do also keep it updated.
Drupal Camp Ashville 2018 User Attack Tips Main Points Use Two Factor Authentication Everywhere You Can Protect Your Site Login Capability Implement Good User Management Practices Enforce Strong Password Practices
Drupal Camp Ashville 2018 User Attack Tips TFA Quick Install Install and enable the modules: real_aes, key, encrypt, ga_login & tfa Create a random key in a file outside your web root with: dd if=/dev/urandom bs=32 count=1 | base64 -i - > path/to/my/encrypt.key Visit the Keys module's configuration page and "Add Key" Name your Key Key type: "Encryption" Provider: "File" File location: `path/to/my/encrypt.key` as generated above.
Drupal Camp Ashville 2018 User Attack Tips TFA(cont.) Visit the Encrypt module's configuration page and "Add Encryption Profile" Label your Encryption Profile Encryption method: "Authenticated AES (Real AES)" Encryption Key: Select the Key you created in the previous step. Visit the TFA module's configuration page. Enable TFA Select your desired Validation Plugin(s). Encryption Profile: Select the Encryption Profile you created in the previous step. Adjust other settings as desired. Grant "Set up TFA for account" to "Authenticated user" Consider granting "Require TFA process" for some roles
Drupal Camp Ashville 2018 User Attack Tips TFA(cont.) User Setup Need either Google Authenticator or Authy Login to the site Go to your user profile Select the Security Tab Follow the instructions there
Drupal Camp Ashville 2018 User Attack Tips Protected Logins Server Firewall Host Name IP .htaccess Module Login Login
Drupal Camp Ashville 2018 User Attack Tips Protected Logins Set up an 'edit' host name that with the same IP as your site, e.g. secret.example.com => www.example.com. Allow this host name access to the site (settings.php trusted host patterns) Modify the .htaccess rules to only allow access to /user, /admin, /devel, and node/*/* URLs from the edit host Require login to edit site using require_login and require_login_by_site See http://drupal.org/project/require_login_by_site for details
Drupal Camp Ashville 2018 User Attack Tips Login Management GUARDR Distro (www.drupal.org/project/guardr) Monitor Login Access (login_report) Block account after 5 invalid attempts ( login_security ) Login Screen should have an authorized only notice (modal block) Limit number of concurrent sessions ( session_limit ) Automatically log users out after a period of inactivity (autologout)
Drupal Camp Ashville 2018 User Attack Tips Strong Passwords Define strong Rules and enforce them with the password_policy module (use Dev version) Passwords must be at least 8 characters in length. Passwords must contain characters from three of the following four categories: English uppercase characters (A through Z). English lowercase characters (a through z). Base 10 digits (0 through 9). Non-alphabetic characters (for example, !, $, #, %). Password history: users should not be able to re-use the last five (5) passwords Password age: Passwords must be changed every 90 days.
Drupal Camp Ashville 2018 Internal Attacks Limit Permissions Peer Review Disable users who have not accessed site for 30 days (user_expire) Don’t use shared accounts Protect your data, limit access to any bulk download tools. Monitor logs for unusual activity
Drupal Camp Ashville 2018 Security Plans Overview This is not a set it up and forget it process... security takes vigilance. Basic Rules Define area’s of responsibility Define who is responsible for these Define an audit plan for the area Define response plans for the areas Where needed, defined who audits that the area’s plan is being done
Drupal Camp Ashville 2018 Questions? ?And Thank You Google: Slideshare CGMonroe Security Tips Drupal.org/u/cgmonroe

Recommended

Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Practical django secuirty
Practical django secuirtyPractical django secuirty
Practical django secuirtyAndy Dai
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Securitylevigross
 
Rails and Content Security Policies
Rails and Content Security PoliciesRails and Content Security Policies
Rails and Content Security PoliciesMatias Korhonen
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User SecurityDre Armeda
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web AppsFrank Kim
 
Slides
SlidesSlides
Slidesvti
 
Java Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJava Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJosef Cacek
 

Recommended

Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Practical django secuirty
Practical django secuirtyPractical django secuirty
Practical django secuirtyAndy Dai
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Securitylevigross
 
Rails and Content Security Policies
Rails and Content Security PoliciesRails and Content Security Policies
Rails and Content Security PoliciesMatias Korhonen
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User SecurityDre Armeda
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web AppsFrank Kim
 
Slides
SlidesSlides
Slidesvti
 
Java Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJava Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJosef Cacek
 
WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011Dre Armeda
 
A Drush Primer - DrupalCamp Chattanooga 2013
A Drush Primer - DrupalCamp Chattanooga 2013A Drush Primer - DrupalCamp Chattanooga 2013
A Drush Primer - DrupalCamp Chattanooga 2013Chris Hales
 
Drupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupDrupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupChris Hales
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009Brad Williams
 
Java Security Manager Reloaded - Devoxx 2014
Java Security Manager Reloaded - Devoxx 2014Java Security Manager Reloaded - Devoxx 2014
Java Security Manager Reloaded - Devoxx 2014Josef Cacek
 
Nagios Conference 2013 - Sheeri Cabral - Alerting With MySQL and Nagios
Nagios Conference 2013 - Sheeri Cabral - Alerting With MySQL and NagiosNagios Conference 2013 - Sheeri Cabral - Alerting With MySQL and Nagios
Nagios Conference 2013 - Sheeri Cabral - Alerting With MySQL and NagiosNagios
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationKen Belva
 
Defeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security PolicyDefeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security PolicyFrancois Marier
 
«Ruby integration testing tools»
«Ruby integration testing tools»«Ruby integration testing tools»
«Ruby integration testing tools»Olga Lavrentieva
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013Thor Kristiansen
 
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre ArmedaWordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre ArmedaDre Armeda
 
WordPress Need For Speed
WordPress Need For SpeedWordPress Need For Speed
WordPress Need For Speedpdeschen
 
XSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkearyXSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkearyEoin Keary
 
W3C Content Security Policy
W3C Content Security PolicyW3C Content Security Policy
W3C Content Security PolicyMarkus Wichmann
 
Progressive Downloads and Rendering
Progressive Downloads and RenderingProgressive Downloads and Rendering
Progressive Downloads and RenderingStoyan Stefanov
 
Content Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeContent Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeScott Helme
 
Stampede con 2014 cassandra in the real world
Stampede con 2014 cassandra in the real worldStampede con 2014 cassandra in the real world
Stampede con 2014 cassandra in the real worldzznate
 
All in one_seo_pack
All in one_seo_packAll in one_seo_pack
All in one_seo_packHuman Relationships
 
Reversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advancedReversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advancedAbdulrahman Bassam
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure ProgrammingBalavignesh Kasinathan
 
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)cgmonroe
 
Drupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaDrupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaGábor Hojtsy
 

More Related Content

What's hot

WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011Dre Armeda
 
A Drush Primer - DrupalCamp Chattanooga 2013
A Drush Primer - DrupalCamp Chattanooga 2013A Drush Primer - DrupalCamp Chattanooga 2013
A Drush Primer - DrupalCamp Chattanooga 2013Chris Hales
 
Drupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupDrupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupChris Hales
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009Brad Williams
 
Java Security Manager Reloaded - Devoxx 2014
Java Security Manager Reloaded - Devoxx 2014Java Security Manager Reloaded - Devoxx 2014
Java Security Manager Reloaded - Devoxx 2014Josef Cacek
 
Nagios Conference 2013 - Sheeri Cabral - Alerting With MySQL and Nagios
Nagios Conference 2013 - Sheeri Cabral - Alerting With MySQL and NagiosNagios Conference 2013 - Sheeri Cabral - Alerting With MySQL and Nagios
Nagios Conference 2013 - Sheeri Cabral - Alerting With MySQL and NagiosNagios
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationKen Belva
 
Defeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security PolicyDefeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security PolicyFrancois Marier
 
«Ruby integration testing tools»
«Ruby integration testing tools»«Ruby integration testing tools»
«Ruby integration testing tools»Olga Lavrentieva
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013Thor Kristiansen
 
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre ArmedaWordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre ArmedaDre Armeda
 
WordPress Need For Speed
WordPress Need For SpeedWordPress Need For Speed
WordPress Need For Speedpdeschen
 
XSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkearyXSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkearyEoin Keary
 
W3C Content Security Policy
W3C Content Security PolicyW3C Content Security Policy
W3C Content Security PolicyMarkus Wichmann
 
Progressive Downloads and Rendering
Progressive Downloads and RenderingProgressive Downloads and Rendering
Progressive Downloads and RenderingStoyan Stefanov
 
Content Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeContent Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeScott Helme
 
Stampede con 2014 cassandra in the real world
Stampede con 2014 cassandra in the real worldStampede con 2014 cassandra in the real world
Stampede con 2014 cassandra in the real worldzznate
 
Reversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advancedReversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advancedAbdulrahman Bassam
 

What's hot (20)

WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011
 
A Drush Primer - DrupalCamp Chattanooga 2013
A Drush Primer - DrupalCamp Chattanooga 2013A Drush Primer - DrupalCamp Chattanooga 2013
A Drush Primer - DrupalCamp Chattanooga 2013
 
Drupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupDrupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January Meetup
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009
 
Java Security Manager Reloaded - Devoxx 2014
Java Security Manager Reloaded - Devoxx 2014Java Security Manager Reloaded - Devoxx 2014
Java Security Manager Reloaded - Devoxx 2014
 
Nagios Conference 2013 - Sheeri Cabral - Alerting With MySQL and Nagios
Nagios Conference 2013 - Sheeri Cabral - Alerting With MySQL and NagiosNagios Conference 2013 - Sheeri Cabral - Alerting With MySQL and Nagios
Nagios Conference 2013 - Sheeri Cabral - Alerting With MySQL and Nagios
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit Creation
 
Defeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security PolicyDefeating Cross-Site Scripting with Content Security Policy
Defeating Cross-Site Scripting with Content Security Policy
 
«Ruby integration testing tools»
«Ruby integration testing tools»«Ruby integration testing tools»
«Ruby integration testing tools»
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013
 
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre ArmedaWordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
 
WordPress Need For Speed
WordPress Need For SpeedWordPress Need For Speed
WordPress Need For Speed
 
XSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkearyXSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkeary
 
W3C Content Security Policy
W3C Content Security PolicyW3C Content Security Policy
W3C Content Security Policy
 
Progressive Downloads and Rendering
Progressive Downloads and RenderingProgressive Downloads and Rendering
Progressive Downloads and Rendering
 
Content Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army KnifeContent Security Policy - The application security Swiss Army Knife
Content Security Policy - The application security Swiss Army Knife
 
Stampede con 2014 cassandra in the real world
Stampede con 2014 cassandra in the real worldStampede con 2014 cassandra in the real world
Stampede con 2014 cassandra in the real world
 
All in one_seo_pack
All in one_seo_packAll in one_seo_pack
All in one_seo_pack
 
Reversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advancedReversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advanced
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 

Similar to Tips on Securing Drupal Sites

Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)cgmonroe
 
Drupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaDrupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaGábor Hojtsy
 
Instrumenting plugins for Performance Schema
Instrumenting plugins for Performance SchemaInstrumenting plugins for Performance Schema
Instrumenting plugins for Performance SchemaMark Leith
 
Doing Drupal security right
Doing Drupal security rightDoing Drupal security right
Doing Drupal security rightGábor Hojtsy
 
TDC 2015 - POA - Trilha PHP - Shit Happens
TDC 2015 - POA - Trilha PHP - Shit HappensTDC 2015 - POA - Trilha PHP - Shit Happens
TDC 2015 - POA - Trilha PHP - Shit HappensJackson F. de A. Mafra
 
Drupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentDrupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentSteven Van den Hout
 
Coder Presentation Szeged
Coder Presentation SzegedCoder Presentation Szeged
Coder Presentation SzegedDoug Green
 
Honeynet Project Workshop 2014 - Thug: a low-interaction honeyclient
Honeynet Project Workshop 2014 - Thug: a low-interaction honeyclientHoneynet Project Workshop 2014 - Thug: a low-interaction honeyclient
Honeynet Project Workshop 2014 - Thug: a low-interaction honeyclientAngelo Dell'Aera
 
Doing Drupal security right from Drupalcon London
Doing Drupal security right from Drupalcon LondonDoing Drupal security right from Drupalcon London
Doing Drupal security right from Drupalcon LondonGábor Hojtsy
 
TangoWithDjango - ch8
TangoWithDjango - ch8TangoWithDjango - ch8
TangoWithDjango - ch8Asika Kuo
 
How to? Drupal developer toolkit. Dennis Povshedny.
How to? Drupal developer toolkit. Dennis Povshedny.How to? Drupal developer toolkit. Dennis Povshedny.
How to? Drupal developer toolkit. Dennis Povshedny.DrupalCampDN
 
Developing Drizzle Replication Plugins
Developing Drizzle Replication PluginsDeveloping Drizzle Replication Plugins
Developing Drizzle Replication PluginsPadraig O'Sullivan
 
Spstc2011 managed metadata real world
Spstc2011 managed metadata real worldSpstc2011 managed metadata real world
Spstc2011 managed metadata real worldAtul Chhoda
 
Spstc2011 managed metadata real world
Spstc2011 managed metadata real worldSpstc2011 managed metadata real world
Spstc2011 managed metadata real worldAtul Chhoda
 

Similar to Tips on Securing Drupal Sites (20)

Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
 
Drupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaDrupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp Bratislava
 
Instrumenting plugins for Performance Schema
Instrumenting plugins for Performance SchemaInstrumenting plugins for Performance Schema
Instrumenting plugins for Performance Schema
 
dJango
dJangodJango
dJango
 
Doing Drupal security right
Doing Drupal security rightDoing Drupal security right
Doing Drupal security right
 
TDC 2015 - POA - Trilha PHP - Shit Happens
TDC 2015 - POA - Trilha PHP - Shit HappensTDC 2015 - POA - Trilha PHP - Shit Happens
TDC 2015 - POA - Trilha PHP - Shit Happens
 
Drupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentDrupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal Development
 
Coder Presentation Szeged
Coder Presentation SzegedCoder Presentation Szeged
Coder Presentation Szeged
 
Honeynet Project Workshop 2014 - Thug: a low-interaction honeyclient
Honeynet Project Workshop 2014 - Thug: a low-interaction honeyclientHoneynet Project Workshop 2014 - Thug: a low-interaction honeyclient
Honeynet Project Workshop 2014 - Thug: a low-interaction honeyclient
 
Doing Drupal security right from Drupalcon London
Doing Drupal security right from Drupalcon LondonDoing Drupal security right from Drupalcon London
Doing Drupal security right from Drupalcon London
 
TangoWithDjango - ch8
TangoWithDjango - ch8TangoWithDjango - ch8
TangoWithDjango - ch8
 
More about PHP
More about PHPMore about PHP
More about PHP
 
How to? Drupal developer toolkit. Dennis Povshedny.
How to? Drupal developer toolkit. Dennis Povshedny.How to? Drupal developer toolkit. Dennis Povshedny.
How to? Drupal developer toolkit. Dennis Povshedny.
 
Developing Drizzle Replication Plugins
Developing Drizzle Replication PluginsDeveloping Drizzle Replication Plugins
Developing Drizzle Replication Plugins
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security Hardening
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security Hardening
 
Secure wordpress
Secure wordpressSecure wordpress
Secure wordpress
 
Spstc2011 managed metadata real world
Spstc2011 managed metadata real worldSpstc2011 managed metadata real world
Spstc2011 managed metadata real world
 
Spstc2011 managed metadata real world
Spstc2011 managed metadata real worldSpstc2011 managed metadata real world
Spstc2011 managed metadata real world
 
Drupal development
Drupal development Drupal development
Drupal development
 

More from cgmonroe

Structured SEO Data Overview and How To
Structured SEO Data Overview and How ToStructured SEO Data Overview and How To
Structured SEO Data Overview and How Tocgmonroe
 
Structured SEO Data: An overview and how to for Drupal
Structured SEO Data: An overview and how to for DrupalStructured SEO Data: An overview and how to for Drupal
Structured SEO Data: An overview and how to for Drupalcgmonroe
 
Becoming "Facet"-nated with Search API
Becoming "Facet"-nated with Search APIBecoming "Facet"-nated with Search API
Becoming "Facet"-nated with Search APIcgmonroe
 
Intro to drupal module internals asheville
Intro to drupal module internals ashevilleIntro to drupal module internals asheville
Intro to drupal module internals ashevillecgmonroe
 
Using Content Delivery Networks with Drupal
Using Content Delivery Networks with DrupalUsing Content Delivery Networks with Drupal
Using Content Delivery Networks with Drupalcgmonroe
 
Solr facets and custom indices
Solr facets and custom indicesSolr facets and custom indices
Solr facets and custom indicescgmonroe
 
HTML Purifier, WYSIWYG, and TinyMCE
HTML Purifier, WYSIWYG, and TinyMCEHTML Purifier, WYSIWYG, and TinyMCE
HTML Purifier, WYSIWYG, and TinyMCEcgmonroe
 
Using the Features API
Using the Features APIUsing the Features API
Using the Features APIcgmonroe
 
The Drupal Strongarm Module - Tips and Tricks.
The Drupal Strongarm Module - Tips and Tricks.The Drupal Strongarm Module - Tips and Tricks.
The Drupal Strongarm Module - Tips and Tricks.cgmonroe
 
Intro to CSS Selectors in Drupal
Intro to CSS Selectors in DrupalIntro to CSS Selectors in Drupal
Intro to CSS Selectors in Drupalcgmonroe
 
Drupal Workflow Concepts
Drupal Workflow ConceptsDrupal Workflow Concepts
Drupal Workflow Conceptscgmonroe
 
TriDUG WebFM Presentation
TriDUG WebFM PresentationTriDUG WebFM Presentation
TriDUG WebFM Presentationcgmonroe
 

More from cgmonroe (12)

Structured SEO Data Overview and How To
Structured SEO Data Overview and How ToStructured SEO Data Overview and How To
Structured SEO Data Overview and How To
 
Structured SEO Data: An overview and how to for Drupal
Structured SEO Data: An overview and how to for DrupalStructured SEO Data: An overview and how to for Drupal
Structured SEO Data: An overview and how to for Drupal
 
Becoming "Facet"-nated with Search API
Becoming "Facet"-nated with Search APIBecoming "Facet"-nated with Search API
Becoming "Facet"-nated with Search API
 
Intro to drupal module internals asheville
Intro to drupal module internals ashevilleIntro to drupal module internals asheville
Intro to drupal module internals asheville
 
Using Content Delivery Networks with Drupal
Using Content Delivery Networks with DrupalUsing Content Delivery Networks with Drupal
Using Content Delivery Networks with Drupal
 
Solr facets and custom indices
Solr facets and custom indicesSolr facets and custom indices
Solr facets and custom indices
 
HTML Purifier, WYSIWYG, and TinyMCE
HTML Purifier, WYSIWYG, and TinyMCEHTML Purifier, WYSIWYG, and TinyMCE
HTML Purifier, WYSIWYG, and TinyMCE
 
Using the Features API
Using the Features APIUsing the Features API
Using the Features API
 
The Drupal Strongarm Module - Tips and Tricks.
The Drupal Strongarm Module - Tips and Tricks.The Drupal Strongarm Module - Tips and Tricks.
The Drupal Strongarm Module - Tips and Tricks.
 
Intro to CSS Selectors in Drupal
Intro to CSS Selectors in DrupalIntro to CSS Selectors in Drupal
Intro to CSS Selectors in Drupal
 
Drupal Workflow Concepts
Drupal Workflow ConceptsDrupal Workflow Concepts
Drupal Workflow Concepts
 
TriDUG WebFM Presentation
TriDUG WebFM PresentationTriDUG WebFM Presentation
TriDUG WebFM Presentation
 

Recently uploaded

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 

Recently uploaded (20)

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 

Tips on Securing Drupal Sites

  • 1. Tips on Securing Drupal Sites Greg Monroe SolarWind MSP Drupal Camp Ashville 2018 The information here is my own and not the views of my employer
  • 2. Drupal Camp Ashville 2018 Security… the Final Frontier This is a semi-case study based on my experiences Not a Deep Dive Will be trying to walk the line between DevOps and Site Admin / Builders Pick the tips that can help you
  • 3. Drupal Camp Ashville 2018 Why you should care
  • 4. Drupal Camp Ashville 2018 Some Common Threat Vectors Server Attacks, e.g. DDoS, SSL attacks, nuisance probes Code Attacks, e.g. DrupalGeddon#, Contrib bugs, non-Drupal code, Server bugs User access attacks, e.g. Brute force, Social Eng., Phishing "Internal" attacks, e.g. Valid users, Shared Resource Attacks
  • 5. Drupal Camp Ashville 2018 Server Attack Tips Trip wires and Problem id tools Layered Defenses Use a CDN Varnish or Nginx proxy Htaccess rules Drupal Secure HTTP Headers Golden Rule: Keep attackers from using precious Drupal resources.
  • 6. Drupal Camp Ashville 2018 Trip Wires and Problem ID Uptime Monitoring (Pingdom and the like/ use Post requests) Disclaimer Pingdom is owned by SolarWinds Disk Usage Monitoring (logs, site, and SQL database) CPU Monitoring 404 / 403 Errors Log Analysis Tools ( GoAccess.io ) Grep and Pipes, e.g. grep “14/Jul” access.log | grep -v <office ip> https://www.abuseipdb.com/
  • 7. Drupal Camp Ashville 2018 Cloudflare Layered Defense In Minutes Low cost / high value Free SSL CDN lite with world wide proxy servers. World class protection against common hacks DDoS built in Page rules Requires control of your domain Another layer of cache to clear
  • 8. Drupal Camp Ashville 2018 Traditional Alternatives CDN like AWS Cloudfront or Verizon Edgecast Varnish or Nginx caching front end .htaccess rules Deny unwanted crawlers Block DdoS or nuisance URL requests Drupal Configure cache properly Use Fast 404
  • 9. Drupal Camp Ashville 2018 Some Sample .htaccess rules # Stop some bad web crawlers RewriteCond %{HTTP_USER_AGENT} AhrefsBot [NC,OR] RewriteCond %{HTTP_USER_AGENT} spbot [NC,OR] RewriteCond %{HTTP_USER_AGENT} DigExt [NC,OR] RewriteCond %{HTTP_USER_AGENT} Sogou [NC,OR] RewriteCond %{HTTP_USER_AGENT} MJ12 [NC,OR] RewriteCond %{HTTP_USER_AGENT} majestic12 [NC,OR] RewriteCond %{HTTP_USER_AGENT} 80legs [NC,OR] RewriteCond %{HTTP_USER_AGENT} SISTRIX [NC,OR] RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR] RewriteCond %{HTTP_USER_AGENT} Semrush [NC,OR] RewriteCond %{HTTP_USER_AGENT} Ezooms [NC,OR] RewriteCond %{HTTP_USER_AGENT} CCBot [NC,OR] RewriteCond %{HTTP_USER_AGENT} TalkTalk [NC,OR] RewriteCond %{HTTP_USER_AGENT} Ahrefs [NC] RewriteRule !^robots.txt$ - [F,L] # Stop problem URLs from flooding Drupal Log. RewriteRule ^/?autodiscover/autodiscover.xml$ - [R=404,L,NC] RewriteRule ^/?wp-login.php - [R=404,L,NC] RewriteCond %{REQUEST_METHOD} POST RewriteRule (^|/)events/ - [F,L] # Deny post to site index. RewriteCond %{REQUEST_METHOD} POST RewriteCond %{REQUEST_URI} ^/$ RewriteRule ^ - [F,L]
  • 10. Drupal Camp Ashville 2018 SSL Tools Test your SSL Strength https://www.ssllabs.com/ssltest/ Free SSL Certificates https://letsencrypt.org/ SSL Server Config https://mozilla.github.io/server-side- tls/ssl-config-generator/?hsts=no
  • 11. Drupal Camp Ashville 2018 Secure HTTP Headers Do Your Research on These Security Kit Module (seckit) Content-Security-Policy https://wiki.mozilla.org/Security/CSP X-XSS-Protection X-Content-Type-Options X-Frame-Options Strict-Transport-Security Referrer-Policy https://securityheaders.com/
  • 12. Drupal Camp Ashville 2018 Code Attack Tips Main Points Get Security updates and determine if they are Critical or not. Commit to Updating Critical Releases the same day they are released and non-Critical within a few days. Schedule reviews of the Update Report and related release notes. Update modules regularly. Keep the rest of the ‘stack’ updated
  • 13. Drupal Camp Ashville 2018 Code Attack Tips Drupal Core Keep your code updated Subscribe to Drupal Security Alerts Subscribe to the RSS Feed @ https://www.drupal.org/project/webma sters/issues/2965777 Follow Tweets by @drupalsecurity handle all security announcements are posted to an email list. To subscribe to email: log in, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab. Contrib Modules Use the core Update Reports module Read the release note / test before going to production Follow issues of any patches you use Check the status of any Dev releases you use If you use modules not covered by the security team, look closely at what they do.
  • 14. Drupal Camp Ashville 2018 Code Attack Tips (cont.) Server Software Keep the OS and tools up to date Keep PhP up to date Keep Apache (or Nginx) up to date Keep your SQL software up to date If you control it, keep it updated. If you don’t make sure the people who do also keep it updated.
  • 15. Drupal Camp Ashville 2018 User Attack Tips Main Points Use Two Factor Authentication Everywhere You Can Protect Your Site Login Capability Implement Good User Management Practices Enforce Strong Password Practices
  • 16. Drupal Camp Ashville 2018 User Attack Tips TFA Quick Install Install and enable the modules: real_aes, key, encrypt, ga_login & tfa Create a random key in a file outside your web root with: dd if=/dev/urandom bs=32 count=1 | base64 -i - > path/to/my/encrypt.key Visit the Keys module's configuration page and "Add Key" Name your Key Key type: "Encryption" Provider: "File" File location: `path/to/my/encrypt.key` as generated above.
  • 17. Drupal Camp Ashville 2018 User Attack Tips TFA(cont.) Visit the Encrypt module's configuration page and "Add Encryption Profile" Label your Encryption Profile Encryption method: "Authenticated AES (Real AES)" Encryption Key: Select the Key you created in the previous step. Visit the TFA module's configuration page. Enable TFA Select your desired Validation Plugin(s). Encryption Profile: Select the Encryption Profile you created in the previous step. Adjust other settings as desired. Grant "Set up TFA for account" to "Authenticated user" Consider granting "Require TFA process" for some roles
  • 18. Drupal Camp Ashville 2018 User Attack Tips TFA(cont.) User Setup Need either Google Authenticator or Authy Login to the site Go to your user profile Select the Security Tab Follow the instructions there
  • 19. Drupal Camp Ashville 2018 User Attack Tips Protected Logins Server Firewall Host Name IP .htaccess Module Login Login
  • 20. Drupal Camp Ashville 2018 User Attack Tips Protected Logins Set up an 'edit' host name that with the same IP as your site, e.g. secret.example.com => www.example.com. Allow this host name access to the site (settings.php trusted host patterns) Modify the .htaccess rules to only allow access to /user, /admin, /devel, and node/*/* URLs from the edit host Require login to edit site using require_login and require_login_by_site See http://drupal.org/project/require_login_by_site for details
  • 21. Drupal Camp Ashville 2018 User Attack Tips Login Management GUARDR Distro (www.drupal.org/project/guardr) Monitor Login Access (login_report) Block account after 5 invalid attempts ( login_security ) Login Screen should have an authorized only notice (modal block) Limit number of concurrent sessions ( session_limit ) Automatically log users out after a period of inactivity (autologout)
  • 22. Drupal Camp Ashville 2018 User Attack Tips Strong Passwords Define strong Rules and enforce them with the password_policy module (use Dev version) Passwords must be at least 8 characters in length. Passwords must contain characters from three of the following four categories: English uppercase characters (A through Z). English lowercase characters (a through z). Base 10 digits (0 through 9). Non-alphabetic characters (for example, !, $, #, %). Password history: users should not be able to re-use the last five (5) passwords Password age: Passwords must be changed every 90 days.
  • 23. Drupal Camp Ashville 2018 Internal Attacks Limit Permissions Peer Review Disable users who have not accessed site for 30 days (user_expire) Don’t use shared accounts Protect your data, limit access to any bulk download tools. Monitor logs for unusual activity
  • 24. Drupal Camp Ashville 2018 Security Plans Overview This is not a set it up and forget it process... security takes vigilance. Basic Rules Define area’s of responsibility Define who is responsible for these Define an audit plan for the area Define response plans for the areas Where needed, defined who audits that the area’s plan is being done
  • 25. Drupal Camp Ashville 2018 Questions? ?And Thank You Google: Slideshare CGMonroe Security Tips Drupal.org/u/cgmonroe