The document discusses hardening a TYPO3 website to improve security. It recommends hardening each layer of a TYPO3 application including the operating system, web server, database, PHP, and extensions. Specific techniques mentioned include regularly updating software, enabling SSL, restricting backend access, separating code from public files, removing unneeded extensions, and automating deployment processes. The goal of hardening is to reduce the number of potential vulnerabilities by minimizing exposed services and code.

1. Hardening
TYPO3
Helmut Hummel <typo3@helhum.io>
Inspiring people to
shareHardening TYPO3

2. 2
@helhum

3. What is Hardening?
3

4. 4
“Hardening is the process of securing a system
by reducing its surface of vulnerability”
https://en.wikipedia.org/wiki/Hardening_(computing)

5. 5
“Hardening is the process of securing a system
by reducing its surface of vulnerability”
https://en.wikipedia.org/wiki/Hardening_(computing)

6. 6
“Hardening is the process of securing a system
by reducing its surface of vulnerability”
https://en.wikipedia.org/wiki/Hardening_(computing)

7. 7
Security

8. 8
Reduce Attack Surface

9. Layers of a TYPO3 application
OS
TYPO3
DBMS
Webserver
PHP
9
Extensions

10. Each layer can be attacked
OS
TYPO3
DBMS
Webserver
PHP
10
Extensions

11. An application is only as secure as its weakest link
11

12. Every layer needs attention
12

13. Here is what will be covered today
13

14. OS
TYPO3
DBMS
Webserver
PHP
14
Extensions
✅❌

15. OS
TYPO3
DBMS
Webserver
PHP
15
Extensions
✅❌

16. OS
TYPO3
DBMS
Webserver
PHP
16
Extensions
✅❌

17. OS
TYPO3
Webserver
PHP
17
Extensions
DBMS
✅❌

18. OS
TYPO3
Webserver
18
Extensions
DBMS
PHP
✅❌

19. OS
Webserver
19
Extensions
DBMS
PHP
TYPO3
✅❌

20. OS
TYPO3
DBMS
Webserver
PHP
20
Extensions
✅❌

21. OS
TYPO3
Webserver
21
✅

22. OS
22

23. Other services running on your OS
23

24. FTP
24

25. It's 2018
25

26. Disable FTP access!
26

27. Only jweiland knows
how many TYPO3 sites have been hacked
using a sniffed FTP password
27

28. Disable every service, not strictly required
28

29. Keep your OS up to date
29

30. …including your Docker containers
30

31. Hardening OS
Recap
• Remove FTP
• Disable every service you don't need (or don't even install it)
• Update regularly
• Containers need updates too
• (There is much more on OS hardening)
31

32. 32
Webserver

33. Update regularly
33

34. Remember?
34

35. It's 2018
35

36. Enable SSL
36

37. It's easy
37

38. It's free
38

39. It's secure
39

40. But what about TYPO3 rsaauth extension?
40

41. Isn't that secure enough?
41

42. Imagine a house
42

43. Imagine a yard around that house
43

44. Now imagine a door protecting access to the yard
44

45. 45

46. That's the protection you get from rsaauth
46

47. tl;dr
47

48. Enable SSL, disable rsaauth
48

49. Enforce SSL (HSTS)
49

50. Write protect every folder
50

51. Hardening Webserver
Folders that require write access
• fileadmin
• uploads
• typo3temp
51

52. But Extension Manager does not work any more
if typo3conf is read only
52

53. 🤷
53

54. Hardening ❤ Automation
54

55. Disable PHP execution in folders with write access
55

56. RemoveHandler .php
RemoveType .php
php_flag engine off
56

57. The only remaining place to add exploit code is
typo3temp/var/Cache/Code
57

58. Warm up code caches during deployment
58

59. (Still a bit challenging for Fluid caches)
59

60. Write protect cache folders, too
60

61. • Updates, update, updates
• SSL, SSL, SSL
• Write protect all the things all possible folders
• If possible also code cache folders
• Automated deployment helps you with that
• Disable PHP handler in writable folders
Hardening Webserver
Recap
61

62. 62
TYPO3

63. Update regularly
63

64. Tell TYPO3 you are serious about SSL
64

65. $GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] = true;
65

66. $GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieSecure'] = 1;
66

67. Disable debug settings
67

68. $GLOBALS['TYPO3_CONF_VARS']['BE']['debug'] = false;
$GLOBALS['TYPO3_CONF_VARS']['FE']['debug'] = false;
$GLOBALS['TYPO3_CONF_VARS']['SYS']['devIPmask'] = '';
$GLOBALS['TYPO3_CONF_VARS']['SYS']['displayErrors'] = 0;
$GLOBALS['TYPO3_CONF_VARS']['SYS']['enableDeprecationLog'] = '';
$GLOBALS['TYPO3_CONF_VARS']['SYS']['sqlDebug'] = 0;
68

69. Log errors and warnings
69

70. Monitor logs!
70

71. Disable install tool
71

72. $GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'] = '';
72

73. Or delete install.php on deploy
73

74. Use TYPO3 Console for emergency maintenance
74

75. Restrict backend access to internal domain
75

76. Only ship code that is required
76

77. Why to avoid installing code you don't need?
77

78. Every security flaw is a bug in code
78

79. Every code has bugs
79

80. Every code potentially has security flaws
80

81. 100% secure code is NO code
81

82. TYPO3 comes as one package with a lot of code
82

83. All system extensions are present, albeit deactivated
83

84. … and you never need all of them
84

85. But there is a solution
85

86. TYPO3 Subtree Split
86

87. Security
TYPO3 Subtree split
• Every core extension is available as individual composer package
• typo3/cms-core, typo3/cms-backend, …
• All TYPO3 versions starting from 8.7.9 are available
• MANDATORY since TYPO3 9.0 (you cannot require typo3/cms ^9.0)
• If you have composer based TYPO3 8.7 projects, use it NOW
87

88. But I don't use Composer
88

89. 🤷
89

90. Hardening ❤ Automation
90

91. Automation ❤ Composer
91

92. But there is more …
92

93. Attack Surface
93

94. Information Disclosure
94

95. Every additional file in your document root increases
the attack surface and is potentially leaking private
information
95

96. How does a possible TYPO3 document root look like?
96

97. 97
$ ll
total 208
drwxr-xr-x 11 helmut staff 374 Jun 20 22:10 .
drwxr-xr-x 5 helmut staff 170 Jun 20 14:54 ..
drwxr-xr-x 15 helmut staff 510 Jun 20 22:10 .git
-rw-r--r-- 1 helmut staff 66 Jun 20 22:08 .gitignore
-rw-r--r-- 1 helmut staff 227 Jun 20 22:08 composer.json
-rw-r--r-- 1 helmut staff 94010 Jun 20 22:08 composer.lock
-rw-r--r-- 1 helmut staff 800 Jun 20 22:10 index.php
drwxr-xr-x 5 helmut staff 170 Jun 20 22:10 typo3
drwxrwsr-x 3 helmut staff 102 Jun 20 22:10 typo3conf
drwxrwsr-x 3 helmut staff 102 Jun 20 22:10 typo3temp
drwxr-xr-x 15 helmut staff 510 Jun 20 22:10 vendor

98. How to fix that?
98

99. Security
Step 1
99
"extra": {
"typo3/cms": {
"web-dir": "public"
}
}

100. Security
Step 2
100
"extra": {
"typo3/cms": {
"root-dir": "private",
"web-dir": "public"
}
}

101. Security
Step 3
101
composer require helhum/typo3-secure-web

102. Hardening TYPO3
Recap
• Updates, Updates, Updates
• No debug settings
• Log errors and monitor logs
• Disable install tool
• Restrict backend access
• Only install code that you need
• Only expose public resources and defined entry points
102

103. Thanks!
103

104. https://speakerdeck.com/helhum/hardening-typo3
104

105. Hardening TYPO3
References
• https://docs.typo3.org/typo3cms/SecurityGuide/
• Images
• http://emmayajewel.com/
• https://pixabay.com/en/child-protection-umbrella-rain-2956973/
• http://formidableengineeringconsultants.com/
105