Notes from Western Mass Drupal Camp
January 19, 2013
• Seth Viebrock has worked on Justin Bieber's web site, led a team as CTO at a start-up company, traveled to Tokyo for data center security assessments, worked on world-class e-commerce software, provides Drupal expertise for Estee Lauder and their many international brands, has been building web sites for clients since 1996, and started a few businesses, including Origin Eight.
• Gary Parker is a Systems Administrator for the Office of Information Technology and is the primary administrator for Drupal sites hosted by OIT at the University of Massachusetts Amherst.
• Rob Higgins is a Drupal Developer currently working with Origin Eight and MIT. He has been developing Drupal applications for 5 years and draws his experience from building a custom newspaper publication management system on top of Drupal as well as many smaller scale projects.
• Cheryl Handsaker is a Technical Project Manager and Drupal Developer supporting the work of ALM Enterprises, Origin Eight and Charlemont Web Works. She has cajoled these smart people to serve as panelists.

I work on a site for a small non-profit that runs a yearly conference. Admission to the conference is free but an accurate head-count on registrations is helpful for planning. It is a goal of the organization that the barriers to registration are low.

User registration requires a username and email address be provided. Mollom is enabled and completing a CAPTCHA is required for submission, a controversial decision given ease of use concerns. In addition, the email address provided must be verified before the user can complete the remaining profile fields and be officially registered.

Despite these precautions, we receive 5-6 bot registrations/day. These have reasonable looking user names but are tied to unrelated nonsense emails, typically from the hotmail domain but we have also seen gmail and yahoo domains as well.

How can I eliminate bot registrations without continuing to raise the barrier for registration from real humans?

• Disqus -- http://drupal.org/project/disqus -- If all you need is commenting, use Disqus and disallow user registration altogether. Or, if you need user registration, but the major problem is comment spam, use Disqus.
• Captcha Riddler -- http://drupal.org/project/riddler -- Create your own Captcha riddles. In the case of a Drupal conference event, the question could be "What does that little blue drop stand for at the top of the page? Hint: It starts with a 'd'."
◦ Help text: "If you reeeeally need help figuring out what the blue drop stands for, email help@conferencename.net"
• Spambot -- http://drupal.org/project/spambot -- Spambot protects the user registration form from spammers and spambots by verifying registration attempts against the Stop Forum Spam (www.stopforumspam.com) online database.
• Botcha -- http://drupal.org/project/botcha -- The approach of BOTCHA is to add various elements to forms that need protection from bots. These elements do not present new fields to users, so BOTCHA is completely transparent to humans. Both humans and bots submit those forms and BOTCHA performs heuristic analysis on each submitted form. Bots are usually programs/scripts that are relatively dumb; most of the time they fail BOTCHA tests and human users don't. The more opportunities the bot has to slip and prove it is a bot, the better the defense against spam. So we can combine multiple BOTCHA recipes, as opposed to only one CAPTCHA per form, which gives BOTCHA a huge advantage. To prevent spam most effectively, you must combine and fine-tune several of the available "recipes."
• Countryban and ip2country -- If your target audience is only one or a few countries, try http://drupal.org/project/ip2country for D6 (could be upgraded to D7), or write something around http://drupal.org/project/ip2country to either block or give a special registration form to users from a set of countries.
• Mollom -- http://drupal.org/project/mollom -- Provides a decent captcha, and helps analyze statistical data about the poster and the poster's content. I'd use reCaptcha (see below) for the captcha on user registration, and have Mollom deal with content analysis by already-registered users.
• reCaptcha -- Owned by Google. Very common captcha for user registration. http://drupal.org/project/recaptcha
• Social network auth -- e.g. http://drupal.org/project/fboauth, http://drupal.org/project/gigya -- use social login to help prevent spam.
• Drupal core -- Require users to validate their email address. In the worst case, require admin approval of accounts.
• Community moderation of users -- Use something like http://drupal.org/project/rules_link or http://drupal.org/project/flag to block users after their content has been marked as "spam" by a certain threshold of community users. Put a flag right on the content and let your community participate in the work.
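The transparent, multi-recipe approach the Botcha entry above describes, as an added illustration (this is not Botcha's code, and the recipe names here are made up for the example): three checks that add no visible field, run together so a bot must pass all of them. It assumes a per-site secret, a five-second minimum fill time, and a CSS-hidden `website_url` honeypot field, all constructed for the example.

```python
import hashlib
import hmac
import time

# Assumptions (constructed for this example): a per-site secret and the
# minimum number of seconds a human needs to fill in the form.
SITE_SECRET = b"constructed-site-secret-change-me"
MIN_FILL_SECONDS = 5
HONEYPOT_FIELD = "website_url"  # hidden with CSS; a real visitor never fills it
VISIBLE_FIELDS = {"name", "mail"}


def _sign(timestamp):
    """HMAC over the render time so a bot cannot back-date the form."""
    return hmac.new(SITE_SECRET, str(timestamp).encode(), hashlib.sha256).hexdigest()


def render_form(now=None):
    """Server side: the fields as rendered, including the hidden ones."""
    now = int(time.time() if now is None else now)
    return {
        "name": "",
        "mail": "",
        HONEYPOT_FIELD: "",
        "form_ts": str(now),
        "form_sig": _sign(now),
    }


# Each recipe returns True when the submission looks human.
def recipe_honeypot(submission, now):
    """Humans never see the honeypot field, so it must come back empty."""
    return submission.get(HONEYPOT_FIELD, "") == ""


def recipe_timing(submission, now):
    """Form must have been rendered (with a valid signature) long enough ago."""
    ts, sig = submission.get("form_ts", ""), submission.get("form_sig", "")
    if not ts.isdigit() or not hmac.compare_digest(_sign(int(ts)), sig):
        return False  # timestamp missing or tampered with
    return now - int(ts) >= MIN_FILL_SECONDS


def recipe_no_extra_fields(submission, now):
    """Scripts that post generic field sets usually send names the form lacks."""
    allowed = VISIBLE_FIELDS | {HONEYPOT_FIELD, "form_ts", "form_sig"}
    return set(submission) <= allowed


RECIPES = {
    "honeypot": recipe_honeypot,
    "timing": recipe_timing,
    "no_extra_fields": recipe_no_extra_fields,
}


def evaluate(submission, now=None):
    """Run every recipe; return (accepted, names of the recipes that failed)."""
    now = int(time.time() if now is None else now)
    failed = [name for name, check in RECIPES.items() if not check(submission, now)]
    return (not failed, failed)
```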

I work on a website for a start-up company that uses forms to capture sales lead information. We allow anonymous users to submit inquiries on the site through these forms. The forms typically have 10-15 required fields, a mixture of free form text and select boxes. We use the free version of Mollom on the registration form and 12 general information forms on the site, which is working very well most of the time. However, on a good day we run into trouble.

Free Mollom has a per day limit on the number of successful CAPTCHA completions per day. Occasionally, this limit is exceeded and we have chosen to accept further form submissions rather than rejecting because of the nature of the information collected, resulting in spam being delivered to our sales force.

Are there alternatives to the paid version of Mollom for detecting and preventing form spam that do not make it more difficult for our target customer to complete them?

• Many of the suggestions that Seth outlined for bot registrations are also effective at reducing form spam.
• Use only plain text inputs for forms. Do not allow even filtered HTML. Ensure that PHP form input is completely disabled.
• Consider the business goal. Weigh the cost of lost sales due to increased barriers against the cost of reviewing and removing spam emails. Many companies underestimate the cost of handling spam.
• If Mollom is working effectively for you, purchasing the paid service may be the most cost-effective solution.

The patterns of usage on my educational website shift rather suddenly. In particular, comments are appearing on nodes that I didn't think had comments enabled and there is a lot of traffic to a file download that came over from an early site migration. I have taken a cursory look at the Drupal log but there are so many entries there that only the last few hours of activity are visible.

What steps can I take to determine if my site has been compromised?

• Google your own site as an anonymous user. Often this is enough to replicate the behavior.
• Check the site with Google Safe Browsing, e.g. http://www.google.com/safebrowsing/diagnostic?site=drupal.org
• Check authentication, especially for powerful users. Look for evidence of privilege escalation.
• If you have access, review the system logs. All activity should be logged there.
• Watch network utilization and unexpected spikes in memory or CPU usage.
• Check the file structure for new or modified files.
• Use version control to compare against the files actually deployed.
• Review the source code of any changed files looking for modifications, especially the introduction of iframes and metadata.
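The three file-integrity steps above carried out end to end, as an added example (not the panel's or any module's code): hash a clean checkout and the deployed tree, list new, missing and modified files, and inspect only those for the iframe and meta tags the panel mentions plus two common obfuscation tells. The fixture trees and the placeholder payload are constructed inline.

```python
import hashlib
import os
import re
import tempfile

# Patterns worth a closer look in a file that differs from the clean checkout:
# the iframes and meta tags the panel mentions, plus two common obfuscation tells.
SUSPICIOUS = re.compile(r"<iframe\b|<meta\b|base64_decode\s*\(|\beval\s*\(", re.IGNORECASE)


def tree_hashes(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def compare_trees(clean_root, deployed_root):
    """Files present only on the server, only in the clean tree, or changed."""
    clean, deployed = tree_hashes(clean_root), tree_hashes(deployed_root)
    return {
        "added": sorted(set(deployed) - set(clean)),
        "missing": sorted(set(clean) - set(deployed)),
        "modified": sorted(p for p in clean.keys() & deployed.keys() if clean[p] != deployed[p]),
    }


def suspicious_lines(path):
    """(line number, stripped line) for every line matching SUSPICIOUS."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if SUSPICIOUS.search(line):
                hits.append((lineno, line.strip()))
    return hits


def audit(clean_root, deployed_root):
    """Diff the trees, then inspect only the files that are new or changed."""
    report = compare_trees(clean_root, deployed_root)
    report["findings"] = {}
    for rel in report["added"] + report["modified"]:
        hits = suspicious_lines(os.path.join(deployed_root, rel))
        if hits:
            report["findings"][rel] = hits
    return report


def _write_tree(root, files):
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Constructed fixture: a clean checkout beside a tampered deployment."""
    clean_files = {
        "index.php": "<?php\nrequire_once 'includes/bootstrap.inc';\n",
        "sites/default/settings.php": "<?php\n$databases = array();\n",
    }
    deployed_files = dict(clean_files)
    # Same index.php with an obfuscated line appended (placeholder payload).
    deployed_files["index.php"] += "eval(base64_decode('PLACEHOLDER'));\n"
    # A template file that does not exist in the repository at all.
    deployed_files["themes/custom/page.tpl.php"] = (
        '<div><iframe src="http://example.invalid/" width="0"></iframe></div>\n'
    )
    with tempfile.TemporaryDirectory() as tmp:
        clean_root, deployed_root = os.path.join(tmp, "clean"), os.path.join(tmp, "deployed")
        _write_tree(clean_root, clean_files)
        _write_tree(deployed_root, deployed_files)
        return audit(clean_root, deployed_root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Against a real site, point `audit()` at a fresh checkout of the deployed tag and the web root; anything in `missing`, `added` or `findings` is what to read by hand.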
• Secure Pages module http://drupal.org/project/securepages and Secure Pages Hijack Prevention (D6) http://drupal.org/project/securepages_prevent_hijack. By default, Drupal doesn't force user authentication over SSL, so user names and passwords could be sent in plain text.
• LDAP integration
• http://newrelic.com/
• Use a code repository for all site deployment
• Nagios for Drupal http://drupal.org/project/nagios
• Set password policies: http://drupal.org/project/password_policy
• Cloudflare: http://drupal.org/project/cloudflare -- reverse proxy, firewall and CDN
• Securing your site: http://drupal.org/security/secure-configuration
• Production Checklist: http://drupal.org/project/prod_check
• Be sure to remove modules used in development from production (e.g. devel, backup & migrate, views UI).
• Hacked module: http://drupal.org/project/hacked
• Having site code owned by root is OK. If root is compromised your problems go beyond your website.
• Code review modules
◦ Coder http://drupal.org/project/coder
◦ Secure code review: http://drupal.org/project/secure_code_review
• Vulnerability scanning services (free & paid)
◦ Acquia Insight
◦ Droptor.com
◦ Hackertarget.com/drupal-security-scan/
◦ http://drupalscout.com/
◦ Your staff – ask them to try to hack into your site for a bonus and much internal glory.
• Ben Jeavons from Acquia at NYC Camp 2012: http://archive.org/details/HackIntoDrupalSitesorHowToSecureYourDrupalSite
• http://drupal.org/security-team
• Captcha ideas
◦ MINTeye: identified as not a very strong captcha
◦ Use of Esperanto characters and words for captcha
• Books & Presentations
◦ http://crackingdrupal.com/
• Choosing secure Drupal modules
◦ Look at the issue queue – not too many open issues and no issues with any kind of unaddressed security vulnerability
◦ Lots of downloads – others are using it widely
◦ Scan the module code for undiscovered vulnerabilities
◦ Actively maintained
◦ Get involved – report issues you do uncover and work with developers to resolve these issues.

• Seth, Gary and Rob!!
• Eric Peterson, who volunteered to be empanelled at the last minute and supported the conversation with knowledge and good humor!
• To the participants. Good suggestions, good questions, great conversation.
• To the Drupal community for your work and wisdom and most especially for sharing both.
