Secure your site

An introduction to securing a Drupal site.

Published in: Technology


  1. Secure Your Site. Matt Farina, Lead Engineer, HP Cloud
  2. You can get the slides at http://bit.ly/SecureYourSite
  3. • @mattfarina on Twitter • Drupal.org UID 25701 (over 8 years) • Co-author of Drupal 7 Module Development • Lead Engineer at HP Cloud
  4. Did you hear? Adobe was hacked. http://techcrunch.com/2013/10/03/adobe-gets-hacked-product-source-code-and-data-for-2-9m-customers-likely-accessed/
  5. A Picture Of The Internet http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever
  6. 420,000 hacked Linux-based systems http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever
  7. 71% of cyber attacks hit organizations with fewer than 100 people. http://www.forbes.com/sites/cherylsnappconner/2013/09/14/are-you-prepared-71-of-cyber-attacks-hit-small-business/
  8. Port 22 (SSH) can be scanned across the whole Internet in a day. http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html
  9. I’ve watched attacks happen.
  10. I’ve found hacked servers.
  11. For the sake of your users, secure your site.
  12. Harden Your Servers https://help.ubuntu.com/12.04/serverguide/security.html
  13. Keep packages up to date so that security releases get installed. https://help.ubuntu.com/community/AutoWeeklyUpdateHowTo
  14. Lock Down Access (diagram: Web Server, DB Server)
  15. Use A VPN http://openvpn.net/
  16. Removing the X-Powered-By header:
        > curl -I https://drupal.org
        ...
        X-Powered-By: PHP/5.3.27
        ...
      In your php.ini file set expose_php = Off. (curl -I sends a HEAD request and prints the response headers; curl -X HEAD sends HEAD but then waits for a body that never arrives.) http://stackoverflow.com/questions/2661799/removing-x-powered-by
  17. On to Drupal
  18. Use HTTPS/SSL/TLS
  19. You can redirect to HTTPS via .htaccess:
        # Redirect when the request comes in over plain HTTP
        RewriteCond %{HTTPS} off
        RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
  20. Secure Pages Module https://drupal.org/project/securepages
  21. Secure UID 1 https://drupal.org/node/947312
  22. If you’re on Drupal 6, use real password hashing. https://drupal.org/project/password
  23. PHP Password API http://php.net/password
  24. PHP Password API backward compatibility https://github.com/ircmaxell/password_compat
  25. Change admin passwords regularly and make them strong.
  26. Remove the clues that it’s Drupal: • Remove the text files (e.g., CHANGELOG.txt) • Remove install.php • Remove web.config or .htaccess, whichever your web server does not use
  27. Remove the Generator meta tag:
        <meta name="generator" content="Drupal 7 (http://drupal.org)" />
        /**
         * Implements hook_html_head_alter().
         */
        function custom_html_head_alter(&$head_elements) {
          // Core attaches the X-Generator HTTP header to this same element
          // (via #attached drupal_add_http_header), so unsetting it removes
          // both the meta tag and the header.
          if (isset($head_elements['system_meta_generator'])) {
            unset($head_elements['system_meta_generator']);
          }
        }
  28. Remove the X-Generator header:
        > curl -I https://2013.drupalcampmi.org
        ...
        X-Generator: Drupal 7 (http://drupal.org)
        ...
        // Override the header. FALSE removes a previously set header; an empty
        // string would still send "X-Generator: " with no value. Because core
        // re-adds the header when the head elements are rendered, this must run
        // after that point; unsetting system_meta_generator (slide 27) is simpler.
        drupal_add_http_header('X-Generator', FALSE);
        https://api.drupal.org/api/drupal/includes!bootstrap.inc/function/drupal_add_http_header/7
  29. Add the X-Frame-Options header:
        > curl -I https://marketplace.hpcloud.com
        ...
        X-Frame-Options: SAMEORIGIN
        ...
        drupal_add_http_header('X-Frame-Options', 'SAMEORIGIN');
      Check with curl -I that it is actually present; current Drupal 7 releases send SAMEORIGIN by default (the x_frame_options variable), older ones do not. https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
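The header checks from slides 16, 28 and 29, as one script. This is an added example, not code from the deck: a POSIX shell function that reads the raw response headers from `curl -I` on standard input, reports the X-Powered-By and X-Generator headers the deck says to remove (plus a Server header carrying a version number, which the deck does not mention but is the same kind of fingerprint), and reports a missing X-Frame-Options. The script name and the constructed sample response are assumptions.

```shell
#!/bin/sh
# audit_headers.sh - check a site's response headers for stack fingerprints.
# Added example, not from the deck. The script name is an assumption.
#
# Usage:  curl -sI https://www.example.com | sh audit_headers.sh
# (curl -I issues a HEAD request and prints the headers; curl -X HEAD waits
# for a body that never comes.)

# audit_headers: reads raw response headers on stdin, prints one finding
# per line, returns 1 if anything was found and 0 if the headers are clean.
audit_headers() {
  hdrs=$(tr -d '\r')   # strip CRLF so the ^ anchors below match
  rc=0
  # Headers that identify the platform and should be absent: X-Powered-By
  # (slide 16), X-Generator (slide 28) and a Server header that carries a
  # version number (not in the deck, but the same kind of fingerprint).
  for pat in '^x-powered-by:' '^x-generator:' '^server:.*[0-9]'; do
    line=$(printf '%s\n' "$hdrs" | grep -i "$pat" | head -n 1)
    if [ -n "$line" ]; then
      printf 'LEAK %s\n' "$line"
      rc=1
    fi
  done
  # Header that should be present (slide 29).
  if ! printf '%s\n' "$hdrs" | grep -iq '^x-frame-options:'; then
    printf 'MISSING X-Frame-Options\n'
    rc=1
  fi
  return $rc
}

# sample_headers: a constructed response from an unhardened Drupal 7 box,
# so the check can be exercised offline.
sample_headers() {
  printf 'HTTP/1.1 200 OK\r\n'
  printf 'Server: Apache/2.2.22 (Ubuntu)\r\n'
  printf 'X-Powered-By: PHP/5.3.27\r\n'
  printf 'X-Generator: Drupal 7 (http://drupal.org)\r\n'
  printf 'Content-Type: text/html; charset=utf-8\r\n'
  printf '\r\n'
}

# When run as a script: audit stdin if it is piped in, else audit the sample.
case "$0" in
  *audit_headers.sh)
    if [ -t 0 ]; then sample_headers | audit_headers; else audit_headers; fi
    ;;
esac
```

Run it against the sample and it prints three LEAK lines and one MISSING line and exits 1; a hardened host with expose_php off, the generator element removed and X-Frame-Options set exits 0 with no output, which makes it usable as a post-deploy check.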
  30. Secure The Filesystem http://www.lullabot.com/blog/article/keeping-drupals-files-safe
  31. The web server user should not have write permission to the Drupal codebase (only to the files directory).
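What slides 30 and 31 amount to on disk, as an added example that is not from the deck or the Lullabot article: the codebase is owned by a deploy account and is readable but not writable by the web server's group, and only sites/*/files is group-writable. The function names, the deploy user and www-data are assumptions for a Debian/Ubuntu host; the mode layout (directories 750, files 640, uploads 2770/660) follows the permissions drupal.org recommends.

```shell
#!/bin/sh
# drupal_perms.sh - ownership and permission layout for a Drupal docroot.
# Added example, not from the deck. Owner/group names are passed in;
# "deploy" and "www-data" below are assumptions for a Debian/Ubuntu host.
#
# Layout (the drupal.org recommendation):
#   codebase       owner deploy, group www-data, dirs 750, files 640
#   sites/*/files  owner deploy, group www-data, dirs 2770, files 660
# The web server runs as a member of www-data: it can read the code and
# write only into the files directory. The setgid bit (2770) keeps new
# uploads in the www-data group.

# fix_drupal_perms DOCROOT OWNER GROUP
fix_drupal_perms() {
  root=$1 owner=$2 group=$3
  [ -f "$root/index.php" ] || { echo "not a Drupal docroot: $root" >&2; return 1; }
  chown -R "$owner:$group" "$root"
  find "$root" -type d -exec chmod 750 {} +
  find "$root" -type f -exec chmod 640 {} +
  # Only the public files directories are writable by the web server group.
  for files in "$root"/sites/*/files; do
    [ -d "$files" ] || continue
    find "$files" -type d -exec chmod 2770 {} +
    find "$files" -type f -exec chmod 660 {} +
  done
}

# check_drupal_perms DOCROOT
# Prints every path outside sites/*/files that is group- or world-writable,
# i.e. anything the web server user could modify. No output means clean.
check_drupal_perms() {
  root=$1
  find "$root" -path "$root/sites/*/files" -prune -o \
    \( -perm -020 -o -perm -002 \) -print
}

# make_demo_docroot: builds a constructed, minimal Drupal-like tree in a
# temporary directory (with one deliberately world-writable file) and
# prints its path, so the functions above can be tried without a real site.
make_demo_docroot() {
  d=$(mktemp -d)
  mkdir -p "$d/includes" "$d/sites/default/files/css"
  : > "$d/index.php"
  : > "$d/includes/bootstrap.inc"
  : > "$d/sites/default/files/css/site.css"
  chmod 666 "$d/includes/bootstrap.inc"
  printf '%s\n' "$d"
}

# Real use:  fix_drupal_perms /var/www/drupal deploy www-data
#            check_drupal_perms /var/www/drupal
case "$0" in
  *drupal_perms.sh)
    demo=$(make_demo_docroot)
    echo "before:"; check_drupal_perms "$demo"
    fix_drupal_perms "$demo" "$(id -un)" "$(id -gn)"
    echo "after:";  check_drupal_perms "$demo"
    rm -rf "$demo"
    ;;
esac
```

check_drupal_perms is the part worth running from cron: a non-empty listing means something (a deploy, a badly packaged module, or an attacker) has made part of the codebase writable by the web server again.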
  32. Back up to an offsite location. http://www.hpcloud.com/products-services/object-storage
  33. Backup and Migrate Module https://drupal.org/project/backup_migrate
  34. Encrypt backups. https://drupal.org/project/aes
  35. Backup credentials should not be on the production server (diagram: Web Server, DB Server, Backup Server, Storage)
  36. I shouldn’t have to tell you, but...
  37. Keep Drupal up to date. https://drupal.org/project/usage/drupal
  38. Update Manager Module https://drupal.org/documentation/modules/update
  39. Sign up for security announcements.
  40. Encrypt sensitive information.
  41. AES Encryption Module https://drupal.org/project/aes
  42. PHP Secure Communications Library http://phpseclib.sourceforge.net/
  43. Encrypted field modules: • Encrypted Settings Field https://drupal.org/project/encset • Field Encryption https://drupal.org/project/field_encrypt • Encrypted Text https://drupal.org/project/encrypted_text
  44. Or store them in a secure service.
  45. drupal_http_request() does not check SSL certificates.
  46. Guzzle http://guzzlephp.org/
  47. Using Guzzle (Guzzle 3, which verifies server certificates by default):
        // A simple example
        Guzzle\Http\StaticClient::mount();
        $response = Guzzle::get('https://guzzlephp.org');
        // A little more complicated
        $client = new Guzzle\Http\Client('https://guzzlephp.org');
        $request = $client->get('/');
        $response = $request->send();
  48. Inject a CA certificate into drupal_http_request():
        $opts = array(
          'ssl' => array(
            'verify_peer' => TRUE,
            // Hostname check: on PHP 5.3-5.5 use 'CN_match'; on PHP 5.6+ use
            // 'verify_peer_name' => TRUE instead (it is on by default there).
            'CN_match' => 'example.com',
            'allow_self_signed' => FALSE,
            'cafile' => 'path/to/cert.pem',
          ),
        );
        // The PHP function is stream_context_create(), not stream_create_context().
        $context = stream_context_create($opts);
        $options = array(
          'context' => $context,
        );
        // The URL must be https://, otherwise the ssl options are never used.
        $res = drupal_http_request('https://example.com', $options);
  49. Review your logs regularly.
  50. Logstash http://logstash.net/
  51. Loggly http://www.loggly.com/
  52. Automated alerts http://www.loggly.com/docs/alerts-overview/
  53. This is just the beginning...
  54. Questions? Slides are at http://bit.ly/SecureYourSite
