1. Secure Your Site
Matt Farina
Lead Engineer
HP Cloud

2. You can get the slides at...
http://bit.ly/SecureYourSite

3. • @mattfarina on twitter
• Drupal.org UID 25701 (Over 8 Years)
• Co-Author of Drupal 7 Module Development
• Lead Engineer at HP Cloud

4. Did you hear, Adobe was hacked
http://techcrunch.com/2013/10/03/adobe-gets-hacked-product-source-code-and-data-for-2-9m-customers-likely-accessed/

5. A Picture Of The Internet
http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever

6. 420,000 Hacked Linux Based Systems
http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever

7. 71% attacked sites of orgs with less than 100 People
http://www.forbes.com/sites/cherylsnappconner/2013/09/14/are-you-prepared-71-of-cyber-attacks-hit-small-business/

8. Scan port 22 (ssh) for the Internet in a day
http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html

9. I’ve Watched Attacks Happen

10. I’ve Found Hacked Servers

11. For the sake of your
users, secure your site.

12. Harden Your Servers
https://help.ubuntu.com/12.04/serverguide/security.html

13. Keep packages up to date for security releases
https://help.ubuntu.com/community/AutoWeeklyUpdateHowTo

14. Lock Down Access
Web Server
DB Server

15. Use A VPN
http://openvpn.net/

16. Removing X-Powered-By Header
> curl -i -X HEAD https://drupal.org
...
X-Powered-By: PHP/5.3.27
...
; In your php.ini file set
expose_php = off
http://stackoverflow.com/questions/2661799/removing-x-powered-by

17. On to Drupal

18. Use HTTPS/SSL/TLS

20. You can redirect to https via .htaccess
# Redirect when the request comes to http
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

21. Secure Pages Module
https://drupal.org/project/securepages

22. Secure UID 1
https://drupal.org/node/947312

23. If you’re on Drupal 6 use real password hashing
https://drupal.org/project/password

24. PHP Password API
http://php.net/password

25. PHP Password API Backward Compatability
https://github.com/ircmaxell/password_compat

26. Change Admin
passwords regularly and
make them strong.

27. Remove the clues it’s Drupal
• Remove the text files (e.g., CHANGELOG.txt)
• Remove install.php
• web.config or .htaccess if not in use

28. Remove Generator Meta Tag
<meta name="generator" content="Drupal 7 (http://drupal.org)" />
/**
* Implements hook_html_head_alter().
*/
function custom_html_head_alter(&$head_elements) {
if (isset($head_elements['system_meta_generator'])) {
unset($head_elements['system_meta_generator']);
}
}

29. Remove X-Generator Header
> curl -i -X HEAD https://2013.drupalcampmi.org
...
X-Generator: Drupal 7 (http://drupal.org)
...
// Override the header.
drupal_add_http_header(‘X-Generator’, ‘’)
https://api.drupal.org/api/drupal/includes!bootstrap.inc/function/drupal_add_http_header/7

30. Add X-Frame-Options Header
> curl -i -X HEAD https://marketplace.hpcloud.com
...
X-Frame-Options: SAMEORIGIN
...
drupal_add_http_header('X-Frame-Options', 'SAMEORIGIN');
https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

31. Secure The Filesystem
http://www.lullabot.com/blog/article/keeping-drupals-files-safe

32. Web server user
should not have write
permission to Drupal

33. Backup to offsite location
http://www.hpcloud.com/products-services/object-storage

34. Backup and Migrate Module
https://drupal.org/project/backup_migrate

35. Encrypt Backups
https://drupal.org/project/aes

36. Backup Creds Not On Production Server
Web Server
DB Server
Backup Server
Storage

37. I shouldn’t have to tell
you but...

38. Keep Drupal Up To Date
https://drupal.org/project/usage/drupal

39. Update Manager Module
https://drupal.org/documentation/modules/update

40. Sign-up For Security Announcements

41. Encrypt Sensitive
Information

42. AES Encryption Module
https://drupal.org/project/aes

43. PHP Secure Communications Library
http://phpseclib.sourceforge.net/

44. Encrypted Field Modules
• Encrypted Settings Field
https://drupal.org/project/encset
• Field Encryption
https://drupal.org/project/field_encrypt
• Encrypted Text
https://drupal.org/project/encrypted_text

45. Or, Store Them In A Secure Service

46. drupal_http_request()
does not check SSL
certificates.

47. Guzzle
http://guzzlephp.org/

48. Using Guzzle
// A simple example
GuzzleHttpStaticClient::mount();
$response = Guzzle::get('http://guzzlephp.org');
// A little more complicated
$client = new GuzzleHttpClient('http://guzzlephp.org');
$request = $client->get('/');
$response = $request->send();

49. Inject Cert To drupal_http_request()
$opts = array(
‘ssl’ => array(
‘verify_host’ => TRUE,
‘verify_peer’ => TRUE,
‘allow_self_signed’ => FALSE,
‘cafile’ => ‘path/to/cert.pem’,
),
);
$context = stream_create_context($opts);
$ops = array(
‘context’ => $context,
);
$res = drupal_http_request(‘http://example.com’, $ops);

50. Review Your Logs
Regularly

51. Logstash
http://logstash.net/

52. Loggly
http://www.loggly.com/

53. Automated Alerts
http://www.loggly.com/docs/alerts-overview/

54. This is just the
beginning...

55. Questions?
Slides are at...
http://bit.ly/SecureYourSite