
Secure your site

An introduction to securing a Drupal site.



  1. Secure Your Site. Matt Farina, Lead Engineer, HP Cloud.
  2. You can get the slides at http://bit.ly/SecureYourSite
  3. • @mattfarina on twitter
      • Drupal.org UID 25701 (over 8 years)
      • Co-author of Drupal 7 Module Development
      • Lead Engineer at HP Cloud
  4. Did you hear? Adobe was hacked. http://techcrunch.com/2013/10/03/adobe-gets-hacked-product-source-code-and-data-for-2-9m-customers-likely-accessed/
  5. A Picture Of The Internet. http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever
  6. 420,000 hacked Linux-based systems. http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever
  7. 71% of attacked sites belong to organizations with fewer than 100 people. http://www.forbes.com/sites/cherylsnappconner/2013/09/14/are-you-prepared-71-of-cyber-attacks-hit-small-business/
  8. Port 22 (ssh) can be scanned for the whole Internet in a day. http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html
  9. I’ve Watched Attacks Happen
  10. I’ve Found Hacked Servers
  11. For the sake of your users, secure your site.
  12. Harden Your Servers. https://help.ubuntu.com/12.04/serverguide/security.html
  13. Keep packages up to date for security releases. https://help.ubuntu.com/community/AutoWeeklyUpdateHowTo
  14. Lock Down Access (diagram: Web Server, DB Server)
  15. Use A VPN. http://openvpn.net/
  16. Removing the X-Powered-By Header
      ```text
      > curl -I https://drupal.org
      ...
      X-Powered-By: PHP/5.3.27
      ...
      ```
      In your php.ini file set:
      ```ini
      expose_php = off
      ```
      http://stackoverflow.com/questions/2661799/removing-x-powered-by
  17. On to Drupal
  18. Use HTTPS/SSL/TLS
  19. You can redirect to https via .htaccess (inside the existing mod_rewrite block, after `RewriteEngine on`):
      ```apache
      # Redirect when the request comes in over plain http
      RewriteCond %{HTTPS} off
      RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
      ```
  20. Secure Pages Module. https://drupal.org/project/securepages
  21. Secure UID 1. https://drupal.org/node/947312
  22. If you’re on Drupal 6, use real password hashing. https://drupal.org/project/password
  23. PHP Password API. http://php.net/password
  24. PHP Password API backward compatibility. https://github.com/ircmaxell/password_compat
  25. Change admin passwords regularly and make them strong.
  26. Remove the clues that it’s Drupal
      • Remove the text files (e.g., CHANGELOG.txt)
      • Remove install.php
      • Remove web.config or .htaccess if not in use
  27. Remove the Generator Meta Tag
      ```html
      <meta name="generator" content="Drupal 7 (http://drupal.org)" />
      ```
      ```php
      /**
       * Implements hook_html_head_alter().
       */
      function custom_html_head_alter(&$head_elements) {
        // Drop the generator meta element that core adds by default.
        if (isset($head_elements['system_meta_generator'])) {
          unset($head_elements['system_meta_generator']);
        }
      }
      ```
  28. Remove the X-Generator Header
      ```text
      > curl -I https://2013.drupalcampmi.org
      ...
      X-Generator: Drupal 7 (http://drupal.org)
      ...
      ```
      ```php
      // Override the header. FALSE unsets it; an empty string would still
      // send the header with an empty value.
      drupal_add_http_header('X-Generator', FALSE);
      ```
      https://api.drupal.org/api/drupal/includes!bootstrap.inc/function/drupal_add_http_header/7
  29. Add the X-Frame-Options Header
      ```text
      > curl -I https://marketplace.hpcloud.com
      ...
      X-Frame-Options: SAMEORIGIN
      ...
      ```
      ```php
      drupal_add_http_header('X-Frame-Options', 'SAMEORIGIN');
      ```
      https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
  30. Secure The Filesystem. http://www.lullabot.com/blog/article/keeping-drupals-files-safe
  31. The web server user should not have write permission to the Drupal code.
  32. Back up to an offsite location. http://www.hpcloud.com/products-services/object-storage
  33. Backup and Migrate Module. https://drupal.org/project/backup_migrate
  34. Encrypt Backups. https://drupal.org/project/aes
  35. Backup credentials do not belong on the production server (diagram: Web Server, DB Server, Backup Server, Storage)
  36. I shouldn’t have to tell you but...
  37. Keep Drupal Up To Date. https://drupal.org/project/usage/drupal
  38. Update Manager Module. https://drupal.org/documentation/modules/update
  39. Sign up for security announcements.
  40. Encrypt Sensitive Information
  41. AES Encryption Module. https://drupal.org/project/aes
  42. PHP Secure Communications Library. http://phpseclib.sourceforge.net/
  43. Encrypted Field Modules
      • Encrypted Settings Field https://drupal.org/project/encset
      • Field Encryption https://drupal.org/project/field_encrypt
      • Encrypted Text https://drupal.org/project/encrypted_text
  44. Or, store them in a secure service.
  45. drupal_http_request() does not check SSL certificates.
  46. Guzzle. http://guzzlephp.org/
  47. Using Guzzle (the Guzzle 3 API)
      ```php
      // A simple example
      Guzzle\Http\StaticClient::mount();
      $response = Guzzle::get('http://guzzlephp.org');

      // A little more complicated
      $client = new Guzzle\Http\Client('http://guzzlephp.org');
      $request = $client->get('/');
      $response = $request->send();
      ```
  48. Inject a CA certificate into drupal_http_request()
      ```php
      $opts = array(
        'ssl' => array(
          'verify_peer' => TRUE,
          // Hostname check (PHP 5.6+). 'verify_host' is not a PHP stream
          // context option; older PHP used 'CN_match' for this.
          'verify_peer_name' => TRUE,
          'allow_self_signed' => FALSE,
          'cafile' => 'path/to/cert.pem',
        ),
      );
      $context = stream_context_create($opts);
      $ops = array(
        'context' => $context,
      );
      // The context only matters for an https:// URL.
      $res = drupal_http_request('https://example.com', $ops);
      ```
  49. Review Your Logs Regularly
  50. Logstash. http://logstash.net/
  51. Loggly. http://www.loggly.com/
  52. Automated Alerts. http://www.loggly.com/docs/alerts-overview/
  53. This is just the beginning...
  54. Questions? Slides are at http://bit.ly/SecureYourSite
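Slides 16 and 26 to 29 list the fingerprinting clues a Drupal site leaks through headers and the generator meta tag. The following is an added example, not code from the slides or from Drupal: a small audit function you can point at a captured response to confirm those clues are actually gone. The function names and the sample response are my own constructions; the sample is modelled on the curl output shown in the deck.

```php
<?php
// Added example (not from the slides): audit one HTTP response for the
// fingerprinting clues covered on slides 16 and 26-29. Runs without Drupal.

/**
 * Parse a raw response head into an array keyed by lowercase header name.
 */
function parse_response_headers($raw) {
  $headers = array();
  foreach (preg_split("/\r?\n/", trim($raw)) as $line) {
    if (strpos($line, ':') === FALSE) {
      continue; // status line or blank line
    }
    list($name, $value) = explode(':', $line, 2);
    $headers[strtolower(trim($name))] = trim($value);
  }
  return $headers;
}

/**
 * Return a list of findings for the headers and HTML body of one response.
 */
function audit_fingerprint($raw_headers, $html) {
  $h = parse_response_headers($raw_headers);
  $findings = array();

  // Technology disclosure headers (slides 16 and 28).
  foreach (array('x-powered-by', 'x-generator') as $name) {
    if (isset($h[$name]) && $h[$name] !== '') {
      $findings[] = "header $name discloses: " . $h[$name];
    }
  }

  // Clickjacking protection (slide 29).
  if (!isset($h['x-frame-options'])) {
    $findings[] = 'X-Frame-Options header is missing';
  }
  elseif (!in_array(strtoupper($h['x-frame-options']), array('DENY', 'SAMEORIGIN'), TRUE)) {
    $findings[] = 'X-Frame-Options has an unexpected value: ' . $h['x-frame-options'];
  }

  // Generator meta tag (slide 27).
  if (preg_match('/<meta\s+name=["\']generator["\']\s+content=["\']([^"\']*)["\']/i', $html, $m)) {
    $findings[] = 'generator meta tag discloses: ' . $m[1];
  }

  return $findings;
}

// Constructed sample response, modelled on the curl output in the slides.
$sample_headers = "HTTP/1.1 200 OK\r\n"
  . "X-Powered-By: PHP/5.3.27\r\n"
  . "X-Generator: Drupal 7 (http://drupal.org)\r\n"
  . "Content-Type: text/html; charset=utf-8\r\n";
$sample_html = '<html><head><meta name="generator" content="Drupal 7 (http://drupal.org)" /></head><body></body></html>';

// Expected: four findings (two headers, missing X-Frame-Options, meta tag).
foreach (audit_fingerprint($sample_headers, $sample_html) as $finding) {
  echo "- $finding\n";
}
```

Feed it the output of `curl -I` plus the fetched HTML; an empty result means the three slides' changes took effect. Because a Drupal 7 page can be served from the page cache, check both a cached and an uncached (logged-in) response.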
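Slides 45 and 48 show that drupal_http_request() does no certificate checking unless you hand it a verifying stream context. As an added example (not code from the slides or from Drupal core), here is a wrapper that builds that context once, refuses to send anything over plain http, and treats a failed handshake as an error rather than silently continuing. It assumes a bootstrapped Drupal 7 site; the function names and the CA bundle path are my own placeholders.

```php
<?php
// Added example (not from the slides): always-verifying wrapper around
// Drupal 7's drupal_http_request(). Assumes Drupal 7 is bootstrapped.

/**
 * Build a stream context that verifies the peer certificate and hostname.
 *
 * @param string $cafile
 *   Path to the PEM bundle used to validate the remote certificate.
 */
function secure_ssl_context($cafile) {
  if (!is_readable($cafile)) {
    throw new InvalidArgumentException("CA bundle not readable: $cafile");
  }
  return stream_context_create(array(
    'ssl' => array(
      'verify_peer'       => TRUE,
      'verify_peer_name'  => TRUE,   // hostname check, PHP 5.6+
      'allow_self_signed' => FALSE,
      'cafile'            => $cafile,
      'verify_depth'      => 5,
    ),
  ));
}

/**
 * Fetch $url with drupal_http_request(), enforcing HTTPS and verification.
 *
 * @return object
 *   The drupal_http_request() result object on success.
 */
function fetch_verified($url, $cafile, array $options = array()) {
  $parts = parse_url($url);
  if (empty($parts['scheme']) || strtolower($parts['scheme']) !== 'https') {
    // Credentials or tokens must never go out over plain http.
    throw new InvalidArgumentException("Refusing non-HTTPS URL: $url");
  }
  $options['context'] = secure_ssl_context($cafile);
  $result = drupal_http_request($url, $options);

  // Drupal reports socket and TLS failures with a negative code and an
  // error string; a rejected certificate ends up here.
  if (!empty($result->error) || $result->code < 0) {
    watchdog('secure_http', 'Request to %url failed: %error',
      array('%url' => $url, '%error' => $result->error), WATCHDOG_ERROR);
    throw new RuntimeException("Request to $url failed: " . $result->error);
  }
  return $result;
}

// Usage (placeholder URL and CA path):
// $res = fetch_verified('https://api.example.com/v1/status', '/etc/ssl/certs/ca-certificates.crt');
```

Point `cafile` at the system bundle or at the single CA that issued the remote service's certificate; the narrower the bundle, the less a compromised public CA can do to this connection.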
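Slides 49 to 52 say to review logs and automate alerts but do not show what to look for. As an added example (not from the slides), here is an offline review of Apache access log lines that flags two things this deck gives you reason to watch: bursts of POSTs to the Drupal login form from one address, and requests for the fingerprint files slide 26 tells you to delete, where a 200 status means the file is still there. The function names, the threshold and the log lines are my own constructions.

```php
<?php
// Added example (not from the slides): offline access-log review for
// login bursts and fingerprint-file probes. Runs without Drupal.

const LOGIN_POST_THRESHOLD = 5;

/**
 * Parse one Apache combined-format access log line.
 *
 * Returns ip, time, method, path and status, or NULL if the line does not match.
 */
function parse_access_line($line) {
  $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/';
  if (!preg_match($re, $line, $m)) {
    return NULL;
  }
  return array(
    'ip'     => $m[1],
    'time'   => $m[2],
    'method' => $m[3],
    'path'   => strtok($m[4], '?'),  // drop the query string
    'status' => (int) $m[5],
  );
}

/**
 * Review log lines and return findings grouped by type.
 */
function review_access_log(array $lines) {
  $fingerprint_files = array('/CHANGELOG.txt', '/INSTALL.txt', '/MAINTAINERS.txt', '/install.php');
  $login_posts = array();
  $findings = array('login_bursts' => array(), 'fingerprint_probes' => array());

  foreach ($lines as $line) {
    $r = parse_access_line($line);
    if ($r === NULL) {
      continue;
    }
    if ($r['method'] === 'POST' && $r['path'] === '/user/login') {
      $login_posts[$r['ip']] = isset($login_posts[$r['ip']]) ? $login_posts[$r['ip']] + 1 : 1;
    }
    if (in_array($r['path'], $fingerprint_files, TRUE)) {
      // A 200 here means the file is still present and readable.
      $findings['fingerprint_probes'][] = $r['ip'] . ' ' . $r['path'] . ' -> ' . $r['status'];
    }
  }
  foreach ($login_posts as $ip => $count) {
    if ($count >= LOGIN_POST_THRESHOLD) {
      $findings['login_bursts'][] = "$ip posted to /user/login $count times";
    }
  }
  return $findings;
}

// Constructed sample lines using RFC 5737 documentation addresses.
$sample = array(
  '203.0.113.5 - - [14/Oct/2013:10:00:01 -0400] "GET /CHANGELOG.txt HTTP/1.1" 200 9182 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [14/Oct/2013:10:00:02 -0400] "GET /install.php HTTP/1.1" 403 211 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [14/Oct/2013:10:00:05 -0400] "POST /user/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [14/Oct/2013:10:00:06 -0400] "POST /user/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [14/Oct/2013:10:00:07 -0400] "POST /user/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [14/Oct/2013:10:00:08 -0400] "POST /user/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [14/Oct/2013:10:00:09 -0400] "POST /user/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [14/Oct/2013:10:01:00 -0400] "POST /user/login?destination=node HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [14/Oct/2013:10:01:01 -0400] "GET /node HTTP/1.1" 200 14033 "-" "Mozilla/5.0"',
);

// Expected: one login burst for 203.0.113.5 and two fingerprint probes,
// the CHANGELOG.txt hit with status 200 being the one that needs fixing.
foreach (review_access_log($sample) as $type => $items) {
  echo "$type:\n";
  foreach ($items as $item) {
    echo "  - $item\n";
  }
}
```

The same two rules translate directly into Logstash filters or a Loggly saved search with an alert attached, which is the automated version slide 52 points at; the threshold is deliberately low so that it fires before Drupal's own per-IP flood limit would.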
