Hardening Drupal setup

DrupalCamp Helsinki 27.9.2011

    1. Hardening Drupal setup. DrupalCamp Helsinki 27.9.2011. Tero Alén
    2. Background
       • CTO at Zeeland Group, the 5th biggest marketing company in Finland
       • Focus on Symfony and Drupal
       • Zeeland Group has a team of 10 developers with IT backgrounds
       • Used Drupal since version 4
    3. Agenda
       • Why should I care?
       • Know your enemies
       • Principles of security
       • Hardening your server
       • Hardening your Drupal
    4-9. Why should I care?
       "We don't process money, so we are not an interesting target for crackers."
       Some possible uses for random websites:
       • Defacing
       • Spreading malware to your visitors
       • Using your box for spam delivery
    10. How do they do it?
       • Common vulnerabilities: XSS, SQL injection, remote file inclusion, etc. See more from OWASP (Open Web Application Security Project)
       • Include (malware) code in a page via XSS or SQL injection
       • Upload a PHP shell via remote file inclusion or an insecure file upload
       • Upload a spam script via remote file inclusion or an insecure file upload
       • Lots of other ways that are hard even to imagine
    11. Basics first
    12-15. Keep it simple
       • Run only the services you really need
       • Enable only the modules/extensions you need (in Apache, PHP and Drupal)
       • Every new application in the stack is a new possibility for exploitation
    16. Using phpMyAdmin? Log excerpt: requests for phpMyAdmin's scripts/setup.php under guessed install paths, with the hit count per path. This is an automated scanner walking through every common location and version directory, whether or not phpMyAdmin is installed.
       /PMA2005/scripts/setup.php: 2 Time(s)
       /admin/phpmyadmin/scripts/setup.php: 1 Time(s)
       /admin/pma/scripts/setup.php: 2 Time(s)
       /admin/scripts/setup.php: 2 Time(s)
       /admm/scripts/setup.php: 2 Time(s)
       /admn/scripts/setup.php: 2 Time(s)
       /databaseadmin/scripts/setup.php: 1 Time(s)
       /db/scripts/setup.php: 2 Time(s)
       /dbadmin/scripts/setup.php: 2 Time(s)
       /myadmin/scripts/setup.php: 2 Time(s)
       /mysql-admin/scripts/setup.php: 2 Time(s)
       /mysql/scripts/setup.php: 2 Time(s)
       /mysqladmin/scripts/setup.php: 4 Time(s)
       /mysqlmanager/scripts/setup.php: 2 Time(s)
       /p/m/a/scripts/setup.php: 2 Time(s)
       /php-my-admin/scripts/setup.php: 4 Time(s)
       /php-myadmin/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.2.3/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.2.6/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.5.1/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.5.4/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.5.5-pl1/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.5.5-rc1/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.5.5-rc2/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.5.5/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.5.6-rc1/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.5.6-rc2/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.5.6/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.5.7-pl1/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.5.7/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.6.0-alpha/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.6.0-alpha2/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.6.0-beta1/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.6.0-beta2/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.6.0-pl2/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.6.0-pl3/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.6.0-rc1/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.6.0-rc2/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.6.0-rc3/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.6.1-pl1/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.6.1-pl2/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.6.1-pl3/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.6.1-rc1/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.6.1/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.6.2-beta1/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.6.2-pl1/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.6.2-rc1/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.6.2/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.6.3-pl1/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.6.3-rc1/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.6.3/scripts/setup.php: 3 Time(s)
       /phpMyAdmin-2.6.4-pl1/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.6.4-pl2/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.6.4-pl3/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.6.4-pl4/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.6.4-rc1/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.6.4/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.7.0-beta1/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.7.0-pl1/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.7.0-pl2/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.7.0-rc1/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.7.0/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.8.0-beta1/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.8.0-rc1/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.8.0-rc2/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.8.0.1/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.8.0.2/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.8.0.3/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.8.0.4/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.8.0/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.8.1-rc1/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2.8.1/scripts/setup.php: 1 Time(s)
       /phpMyAdmin-2.8.2/scripts/setup.php: 2 Time(s)
       /phpMyAdmin-2/scripts/setup.php: 2 Time(s)
       /phpMyAdmin/scripts/setup.php: 3 Time(s)
       /phpadmin/scripts/setup.php: 2 Time(s)
       /phpmanager/scripts/setup.php: 2 Time(s)
       /phpmy-admin/scripts/setup.php: 2 Time(s)
       /phpmyadmin/scripts/setup.php: 2 Time(s)
       /phpmyadmin1/scripts/setup.php: 2 Time(s)
       /phpmyadmin2/scripts/setup.php: 2 Time(s)
       /pma/scripts/setup.php: 1 Time(s)
       /pma2005/scripts/setup.php: 2 Time(s)
       /scripts/setup.php: 2 Time(s)
       /sqlmanager/scripts/setup.php: 2 Time(s)
       /sqlweb/scripts/setup.php: 2 Time(s)
       /typo3/phpmyadmin/scripts/setup.php: 1 Time(s)
       /web/scripts/setup.php: 1 Time(s)
       /webadmin/scripts/setup.php: 2 Time(s)
       /webdb/scripts/setup.php: 1 Time(s)
       /websql/scripts/setup.php: 4 Time(s)
       /xampp/phpmyadmin/scripts/setup.php: 2 Time(s)
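The same kind of probing can be pulled out of an Apache access log with a few lines of shell. This is an added example, not code from the presentation: the log lines are constructed for it (RFC 5737 test addresses), `setup_probes` counts hits per probed path like the excerpt above, and `probing_ips` lists source addresses that tried several distinct setup.php paths, which is what separates a scanner from a single stray request.

```shell
#!/bin/sh
# Added example (not from the presentation). Detects phpMyAdmin setup.php
# probing in Apache combined-format access logs read from stdin.

# Constructed sample log (RFC 5737 addresses); 203.0.113.5 behaves like a scanner.
SAMPLE_LOG='203.0.113.5 - - [27/Sep/2011:10:01:02 +0300] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 289 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Sep/2011:10:01:02 +0300] "GET /pma/scripts/setup.php HTTP/1.1" 404 289 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Sep/2011:10:01:03 +0300] "GET /phpMyAdmin-2.6.3/scripts/setup.php HTTP/1.1" 404 289 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Sep/2011:10:01:03 +0300] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 289 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Sep/2011:10:01:04 +0300] "GET /mysqladmin/scripts/setup.php?retry=1 HTTP/1.1" 404 289 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Sep/2011:10:05:10 +0300] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 289 "-" "Mozilla/5.0"
192.0.2.9 - - [27/Sep/2011:10:06:00 +0300] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [27/Sep/2011:10:06:05 +0300] "GET /user/login HTTP/1.1" 200 3210 "http://example.org/" "Mozilla/5.0"'

# setup_probes: hit count per probed */scripts/setup.php path, most-hit first.
# The query string is stripped so variants of one path are counted together.
setup_probes() {
    awk '{ p = $7; sub(/\?.*/, "", p) }
         p ~ /\/scripts\/setup\.php$/ { n[p]++ }
         END { for (p in n) print n[p], p }' | LC_ALL=C sort -k1,1nr -k2
}

# probing_ips [MIN]: source addresses that requested at least MIN (default 3)
# distinct setup.php paths, printed as "ip distinct_paths".
probing_ips() {
    awk -v min="${1:-3}" '
        { p = $7; sub(/\?.*/, "", p) }
        p ~ /\/scripts\/setup\.php$/ { seen[$1, p] = 1 }
        END {
            for (k in seen) { split(k, a, SUBSEP); paths[a[1]]++ }
            for (ip in paths) if (paths[ip] >= min) print ip, paths[ip]
        }' | LC_ALL=C sort
}

# Stand-alone run over the constructed sample; on a real host use e.g.
#   setup_probes < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | setup_probes
printf '%s\n' "$SAMPLE_LOG" | probing_ips 3
```

With the sample, `setup_probes` reports two hits each for /mysqladmin/ and /phpmyadmin/ and one each for the other two paths, and `probing_ips 3` names only 203.0.113.5 (four distinct paths); the address that asked for a single path once is not flagged.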
    17. Use checklists
    18. Hardening Apache
    19-20. Restrict information leakage
       ServerTokens Prod
       ServerSignature Off
    21-22. Load only the modules really needed
       #LoadModule ldap_module modules/mod_ldap.so
       #LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
       #LoadModule include_module modules/mod_include.so
       #LoadModule dav_module modules/mod_dav.so
       #LoadModule dav_fs_module modules/mod_dav_fs.so
    23-24. Start with restrictive rules: deny everything from the filesystem root and open up only what the site needs (Apache 2.2 syntax; on 2.4 the equivalent of the Order line is Require all denied)
       <Directory />
           Options None
           AllowOverride None
           Order allow,deny
       </Directory>
    25. Hardening PHP
    26. Use Suhosin (both the patch and the extension)
    27. Disable url_fopen (allow_url_fopen = Off; set allow_url_include = Off as well, since that is the setting governing include/require of remote URLs)
    28-29. Don't expose PHP: expose_php = Off
    30. Enable open_basedir
    31. Do NOT display errors on production under any circumstances (display_errors = Off; keep log_errors = On so they still reach the log)
    32-40. Disable 'dangerous' functions
       • crack_*
       • fpassthru
       • psock-functions
       • ini-functions
       • shell_exec, exec, passthru, system
       • chown, dl
       • popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close
       • posix_*
       Note that disable_functions in php.ini takes an explicit comma-separated list and no wildcards, so the crack_* and posix_* families have to be spelled out function by function.
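The Apache settings from slides 18-24 and the PHP settings from slides 25-40 are easy to check mechanically. This is an added example, not code from the presentation: two small auditors that read a php.ini and an httpd.conf and print one FAIL line per weak setting. The before/after config files are constructed for the demo; allow_url_include and log_errors are my additions to the slide's list, and only two posix_ functions stand in for the whole family that disable_functions would need spelled out.

```shell
#!/bin/sh
# Added example (not from the presentation): audit php.ini and httpd.conf
# against slides 18-40. allow_url_include and log_errors are my additions;
# because disable_functions accepts no wildcards the crack_*/posix_* families
# must be listed one by one (two posix_ entries shown as a stand-in).

# ini_get FILE KEY: value of the last uncommented "KEY = value" line, quotes stripped.
ini_get() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v); val = v
        }
        END { print val }' "$1"
}

# directive_get FILE NAME: argument of the last uncommented Apache directive NAME.
directive_get() {
    awk -v name="$2" '!/^[ \t]*#/ && tolower($1) == tolower(name) { v = $2 } END { print v }' "$1"
}

REQUIRED_DISABLED="exec passthru shell_exec system popen pclose proc_open proc_close \
proc_nice proc_terminate proc_get_status dl chown fpassthru posix_getpwuid posix_kill"

# audit_php_ini FILE: one FAIL line per weak setting; returns the number of failures.
audit_php_ini() {
    fails=0
    for pair in expose_php:Off allow_url_fopen:Off allow_url_include:Off display_errors:Off log_errors:On; do
        key=${pair%%:*}; want=${pair#*:}; got=$(ini_get "$1" "$key")
        [ "$got" = "$want" ] || { echo "FAIL $key = ${got:-<unset>} (want $want)"; fails=$((fails + 1)); }
    done
    [ -n "$(ini_get "$1" open_basedir)" ] || { echo "FAIL open_basedir is unset"; fails=$((fails + 1)); }
    disabled=",$(ini_get "$1" disable_functions | tr -d ' '),"
    for fn in $REQUIRED_DISABLED; do
        case "$disabled" in
            *",$fn,"*) ;;
            *) echo "FAIL disable_functions lacks $fn"; fails=$((fails + 1)) ;;
        esac
    done
    return $fails
}

# audit_httpd_conf FILE: ServerTokens/ServerSignature (slide 20) and the modules slide 22 turns off.
audit_httpd_conf() {
    fails=0
    [ "$(directive_get "$1" ServerTokens)" = "Prod" ] || { echo "FAIL ServerTokens must be Prod"; fails=$((fails + 1)); }
    [ "$(directive_get "$1" ServerSignature)" = "Off" ] || { echo "FAIL ServerSignature must be Off"; fails=$((fails + 1)); }
    for mod in ldap_module authnz_ldap_module include_module dav_module dav_fs_module; do
        if awk -v m="$mod" '!/^[ \t]*#/ && $1 == "LoadModule" && $2 == m { f = 1 } END { exit !f }' "$1"; then
            echo "FAIL unneeded module loaded: $mod"; fails=$((fails + 1))
        fi
    done
    return $fails
}

# write_samples DIR: constructed before/after config files for the demo.
write_samples() {
    printf 'expose_php = On\nallow_url_fopen = On\ndisplay_errors = On\nlog_errors = Off\ndisable_functions =\n' > "$1/weak-php.ini"
    printf '; constructed: slides 25-40 applied\nexpose_php = Off\nallow_url_fopen = Off\nallow_url_include = Off\n' > "$1/hardened-php.ini"
    printf 'display_errors = Off\nlog_errors = On\nopen_basedir = "/var/www/drupal:/tmp"\n' >> "$1/hardened-php.ini"
    printf 'disable_functions = %s\n' "$(echo $REQUIRED_DISABLED | tr ' ' ',')" >> "$1/hardened-php.ini"
    printf 'ServerTokens Full\nServerSignature On\nLoadModule dav_module modules/mod_dav.so\n#LoadModule ldap_module modules/mod_ldap.so\n' > "$1/weak-httpd.conf"
    printf 'ServerTokens Prod\nServerSignature Off\n#LoadModule dav_module modules/mod_dav.so\n' > "$1/hardened-httpd.conf"
}

# Stand-alone demo over the constructed samples; point the auditors at
# /etc/php5/apache2/php.ini and /etc/apache2/apache2.conf (or your distro's paths) for real.
S=$(mktemp -d)
write_samples "$S"
for f in weak-php.ini hardened-php.ini; do audit_php_ini "$S/$f" || echo "$? problem(s) in $f"; done
for f in weak-httpd.conf hardened-httpd.conf; do audit_httpd_conf "$S/$f" || echo "$? problem(s) in $f"; done
rm -rf "$S"
```

The weak php.ini produces 22 findings (five wrong flags, no open_basedir, and all sixteen functions still enabled), the weak httpd.conf three; the hardened versions produce none. The return value doubles as a count, which makes the auditors usable from a deployment check that refuses to go live on a nonzero status.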
    41. Hardening Drupal
    42. Enable the Update module!
    43-45. Make Drupal's fingerprint less visible by removing files that are not needed
       • *.txt (CHANGELOG.txt tells an attacker exactly which version you run, and therefore which security updates you are missing)
       • install.php
    46-48. Allow the web server user to write only to sites/[default]/files
       If you have disabled .htaccess processing (AllowOverride None, as recommended above for Apache), Drupal's own sites/default/files/.htaccess no longer takes effect, so disable the PHP interpreter for that directory in the main Apache configuration instead, using the same directives:
       SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
       Options None
       Options +FollowSymLinks
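The file-level steps of slides 43-48 as one script. This is an added example, not code from the presentation: `harden_docroot` removes the fingerprint files and leaves only sites/default/files group-writable, and `files_directory_conf` emits the <Directory> block that carries slide 48's directives into the main Apache config. The miniature Drupal tree is constructed for the demo; the docroot path and the web server group (www-data) are assumptions for your host, and robots.txt is kept because a blanket *.txt removal would otherwise delete it too, which the slides do not mention.

```shell
#!/bin/sh
# Added example (not from the presentation): apply slides 43-48 to a Drupal
# docroot. DOCROOT and WEB_GROUP are assumptions; robots.txt is kept because
# removing every *.txt file would also remove it.

# make_sample_docroot DIR: constructed miniature Drupal 7 tree for the demo.
make_sample_docroot() {
    mkdir -p "$1/modules/system" "$1/sites/default/files" "$1/includes"
    for f in CHANGELOG.txt INSTALL.txt LICENSE.txt UPGRADE.txt robots.txt install.php index.php \
             modules/system/system.module sites/default/settings.php sites/default/files/logo.png; do
        printf 'sample\n' > "$1/$f"
    done
}

# harden_docroot DOCROOT WEB_GROUP
harden_docroot() {
    root=$1; group=$2
    # Slides 43-45: drop the fingerprint files (CHANGELOG.txt gives the exact version).
    find "$root" -maxdepth 1 -type f -name '*.txt' ! -name robots.txt -exec rm -f {} +
    rm -f "$root/install.php"
    # Slide 46: the web server group gets read-only access everywhere ...
    chgrp -R "$group" "$root" 2>/dev/null || true   # needs privileges; harmless if it fails
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # ... except sites/default/files, which Drupal must write to.
    find "$root/sites/default/files" -type d -exec chmod 775 {} +
    find "$root/sites/default/files" -type f -exec chmod 664 {} +
}

# files_directory_conf DOCROOT: <Directory> block for the main Apache config
# carrying slide 48's directives, so uploaded PHP is never executed even when
# AllowOverride None (slide 24) has switched Drupal's own .htaccess off.
files_directory_conf() {
    cat <<EOF
<Directory "$1/sites/default/files">
    SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
    Options None
    Options +FollowSymLinks
</Directory>
EOF
}

# Stand-alone demo on a constructed tree; for real use something like
#   harden_docroot /var/www/drupal www-data
D=$(mktemp -d)
make_sample_docroot "$D"
harden_docroot "$D" "$(id -gn)"
ls -l "$D"                       # *.txt (except robots.txt) and install.php are gone
ls -ld "$D/sites/default/files"  # group-writable; everything else is read-only
files_directory_conf /var/www/drupal
rm -rf "$D"
```

Run it after every core update as well: a Drupal upgrade puts CHANGELOG.txt and install.php back, and the Update module from slide 42 tells you when that is about to happen.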
    49. Some security modules
       • Secure Pages: redirects important pages to their SSL version
       • Security Review: one kind of checklist
       • Login Security or Flood Control: login attempt limiters
       • Password Policy: password constraints
       • Salt (for Drupal 6): salts password hashes
    50. Some paranoia is good when selecting modules. Use only well-known modules.
    51. Some further reading
       • National Security Agency Hardening Guides: http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml
       • OWASP - Open Web Application Security Project: https://www.owasp.org/index.php/Main_Page
       • Drupal Security Advisories: http://drupal.org/security
    52. Thank you. Tero Alén, tero.alen@zeeland.fi, twitter.com/teroalen