Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure Your Site
Search
Matt Farina
October 12, 2013
Technology
0
2.3k
Secure Your Site
An introduction to securing Drupal sites.
Matt Farina
October 12, 2013
Tweet
Share
More Decks by Matt Farina
See All by Matt Farina
Faster Mobile Sites
mattfarina
1
2.3k
Front End Performance Improvements
mattfarina
5
2.1k
Building Faster Websites
mattfarina
3
210
Faster Front End Performance
mattfarina
3
300
Other Decks in Technology
See All in Technology
Cypress or Playwright?
rainerhahnekamp
0
170
Grafana x PagerDuty Better Together
jacopen
1
250
Além do else! Categorizando Pokemóns com Pattern Matching no JavaScript
wmsbill
0
700
R3のコードから見る実践LINQ実装最適化・コンカレントプログラミング実例
neuecc
3
2.1k
AWS学習者向けにAzureの解説スライドを作成した話
handy
3
190
JAWS-UG Bedrock Claude Night
yamahiro
3
690
LayerXにおけるLLMプロダクト開発の今までとこれから
layerx
PRO
3
600
Gradle Build Scanを使ってビルドのことを知ろう potatotips #87
tomorrowkey
2
150
AWSに詳しくない人でも始められるコスト最適化ガイド
yuhta28
2
280
【SORACOM UG 東海】あらゆるモノがつながる社会へ、IoT と SORACOM
soracom
PRO
1
140
今年のRubyKaigiはProfiler Year🤘
osyoyu
0
330
リテール金融(キャッシュレス・ネット銀行・ネット証券)の競争環境と経済圏
8maki
0
1.5k
Featured
See All Featured
Art, The Web, and Tiny UX
lynnandtonic
290
19k
Navigating Team Friction
lara
179
13k
Embracing the Ebb and Flow
colly
80
4.2k
The Mythical Team-Month
searls
216
42k
Designing on Purpose - Digital PM Summit 2013
jponch
111
6.5k
WebSockets: Embracing the real-time Web
robhawkes
59
7k
Building Effective Engineering Teams - LeadDev
addyosmani
32
1.9k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
19
6.9k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
Thoughts on Productivity
jonyablonski
59
3.9k
Being A Developer After 40
akosma
66
580k
Designing for humans not robots
tammielis
248
25k
Transcript
Secure Your Site Matt Farina Engineer at HP Cloud
http://bit.ly/SecureYourSite You can get the slides at...
• @mattfarina on twitter • Drupal.org UID 25701 (Over 8
Years) • Co-Author of Drupal 7 Module Development • A Lead Engineer at HP Cloud
http://techcrunch.com/2013/10/03/adobe-gets-hacked-product-source-code-and-data-for-2-9m-customers-likely-accessed/ Did you hear, Adobe was hacked
http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever A Picture Of The Internet
http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever 420,000 Hacked Linux Based Systems
http://www.forbes.com/sites/cherylsnappconner/2013/09/14/are-you-prepared-71-of-cyber-attacks-hit-small-business/ 71% attacked sites of orgs with less than 100
People
http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html Scan port 22 (ssh) for the Internet in a
day
I’ve Watched Attacks Happen
I’ve Found Hacked Servers
For the sake of your users, secure your site.
https://help.ubuntu.com/12.04/serverguide/security.html Harden Your Servers
https://help.ubuntu.com/community/AutoWeeklyUpdateHowTo Keep packages up to date for security releases
Lock Down Access Web Server DB Server
http://openvpn.net/ Use A VPN
http://stackoverflow.com/questions/2661799/removing-x-powered-by Removing X-Powered-By Header ; In your php.ini file set!
expose_php = off > curl -i -X HEAD https://drupal.org! ...! X-Powered-By: PHP/5.3.27! ...
On to Drupal
Use HTTPS/SSL/TLS
None
You can redirect to https via .htaccess # Redirect when
the request comes to http! RewriteCond %{HTTPS} off! RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
https://drupal.org/project/securepages Secure Pages Module
https://drupal.org/node/947312 Secure UID 1
https://drupal.org/project/password If you’re on Drupal 6 use real password hashing
http://php.net/password PHP Password API
https://github.com/ircmaxell/password_compat PHP Password API Backward Compatability
Change Admin passwords regularly and make them strong.
Remove the clues it’s Drupal • Remove the text files
(e.g., CHANGELOG.txt) • Remove install.php • web.config or .htaccess if not in use
Remove Generator Meta Tag /**! * Implements hook_html_head_alter().! */! function
custom_html_head_alter(&$head_elements) {! if (isset($head_elements['system_meta_generator'])) {! unset($head_elements['system_meta_generator']);! }! } <meta name="generator" content="Drupal 7 (http://drupal.org)" />
Remove X-Generator Header // Override the header.! drupal_add_http_header(‘X-Generator’, ‘’) >
curl -i -X HEAD https://2013.drupalcampmi.org! ...! X-Generator: Drupal 7 (http://drupal.org)! ... https://api.drupal.org/api/drupal/includes!bootstrap.inc/function/drupal_add_http_header/7
Add X-Frame-Options Header drupal_add_http_header('X-Frame-Options', 'SAMEORIGIN'); > curl -i -X HEAD
https://marketplace.hpcloud.com! ...! X-Frame-Options: SAMEORIGIN! ... https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
http://www.lullabot.com/blog/article/keeping-drupals-files-safe Secure The Filesystem
Web server user should not have write permission to Drupal
http://www.hpcloud.com/products-services/object-storage Backup to offsite location
https://drupal.org/project/backup_migrate Backup and Migrate Module
https://drupal.org/project/aes Encrypt Backups
Backup Creds Not On Production Server Web Server DB Server
Backup Server Storage
I shouldn’t have to tell you but...
https://drupal.org/project/usage/drupal Keep Drupal Up To Date
https://drupal.org/documentation/modules/update Update Manager Module
Sign-up For Security Announcements
Encrypt Sensitive Information
https://drupal.org/project/aes AES Encryption Module
http://phpseclib.sourceforge.net/ PHP Secure Communications Library
Encrypted Field Modules • Encrypted Settings Field https://drupal.org/project/encset • Field
Encryption https://drupal.org/project/field_encrypt • Encrypted Text https://drupal.org/project/encrypted_text
Or, Store Them In A Secure Service
drupal_http_request() does not check SSL certificates.
http://guzzlephp.org/ Guzzle
Using Guzzle // A little more complicated! $client = new
\Guzzle\Http\Client('http://guzzlephp.org');! $request = $client->get('/');! $response = $request->send(); // A simple example! Guzzle\Http\StaticClient::mount();! $response = Guzzle::get('http://guzzlephp.org');
Inject Cert To drupal_http_request() $opts = array(! ‘ssl’ => array(!
‘CN_match’ => ‘example.com’,! ‘verify_peer’ => TRUE,! ‘allow_self_signed’ => FALSE,! ‘cafile’ => ‘path/to/cert.pem’,! ),! );! $context = stream_context_create($opts);! $ops = array(! ‘context’ => $context,! );! $res = drupal_http_request(‘http://example.com’, $ops);
Review Your Logs Regularly
http://logstash.net/ Logstash
http://www.loggly.com/ Loggly
http://www.loggly.com/docs/alerts-overview/ Automated Alerts
This is just the beginning...
Questions? Slides are at... http://bit.ly/SecureYourSite