Secure Your Site

Transcript

1. Secure Your Site Matt Farina Engineer at HP Cloud

2. http://bit.ly/SecureYourSite You can get the slides at...

3. • @mattfarina on twitter • Drupal.org UID 25701 (Over 8

   Years) • Co-Author of Drupal 7 Module Development • A Lead Engineer at HP Cloud

4. http://techcrunch.com/2013/10/03/adobe-gets-hacked-product-source-code-and-data-for-2-9m-customers-likely-accessed/ Did you hear, Adobe was hacked

5. http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever A Picture Of The Internet

6. http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever 420,000 Hacked Linux Based Systems

7. http://www.forbes.com/sites/cherylsnappconner/2013/09/14/are-you-prepared-71-of-cyber-attacks-hit-small-business/ 71% attacked sites of orgs with less than 100

   People

8. http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html Scan port 22 (ssh) for the Internet in a

   day

9. I’ve Watched Attacks Happen

10. I’ve Found Hacked Servers

11. For the sake of your users, secure your site.

12. https://help.ubuntu.com/12.04/serverguide/security.html Harden Your Servers

13. https://help.ubuntu.com/community/AutoWeeklyUpdateHowTo Keep packages up to date for security releases

14. Lock Down Access Web Server DB Server

15. http://openvpn.net/ Use A VPN

16. http://stackoverflow.com/questions/2661799/removing-x-powered-by Removing X-Powered-By Header ; In your php.ini file set!

    expose_php = off > curl -i -X HEAD https://drupal.org! ...! X-Powered-By: PHP/5.3.27! ...

17. On to Drupal

18. Use HTTPS/SSL/TLS

19. None

20. You can redirect to https via .htaccess # Redirect when

    the request comes to http! RewriteCond %{HTTPS} off! RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

21. https://drupal.org/project/securepages Secure Pages Module

22. https://drupal.org/node/947312 Secure UID 1

23. https://drupal.org/project/password If you’re on Drupal 6 use real password hashing

24. http://php.net/password PHP Password API

25. https://github.com/ircmaxell/password_compat PHP Password API Backward Compatability

26. Change Admin passwords regularly and make them strong.

27. Remove the clues it’s Drupal • Remove the text files

    (e.g., CHANGELOG.txt) • Remove install.php • web.config or .htaccess if not in use

28. Remove Generator Meta Tag /**! * Implements hook_html_head_alter().! */! function

    custom_html_head_alter(&$head_elements) {! if (isset($head_elements['system_meta_generator'])) {! unset($head_elements['system_meta_generator']);! }! } <meta name="generator" content="Drupal 7 (http://drupal.org)" />

29. Remove X-Generator Header // Override the header.! drupal_add_http_header(‘X-Generator’, ‘’) >

    curl -i -X HEAD https://2013.drupalcampmi.org! ...! X-Generator: Drupal 7 (http://drupal.org)! ... https://api.drupal.org/api/drupal/includes!bootstrap.inc/function/drupal_add_http_header/7

30. Add X-Frame-Options Header drupal_add_http_header('X-Frame-Options', 'SAMEORIGIN'); > curl -i -X HEAD

    https://marketplace.hpcloud.com! ...! X-Frame-Options: SAMEORIGIN! ... https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

31. http://www.lullabot.com/blog/article/keeping-drupals-files-safe Secure The Filesystem

32. Web server user should not have write permission to Drupal

33. http://www.hpcloud.com/products-services/object-storage Backup to offsite location

34. https://drupal.org/project/backup_migrate Backup and Migrate Module

35. https://drupal.org/project/aes Encrypt Backups

36. Backup Creds Not On Production Server Web Server DB Server

    Backup Server Storage

37. I shouldn’t have to tell you but...

38. https://drupal.org/project/usage/drupal Keep Drupal Up To Date

39. https://drupal.org/documentation/modules/update Update Manager Module

40. Sign-up For Security Announcements

41. Encrypt Sensitive Information

42. https://drupal.org/project/aes AES Encryption Module

43. http://phpseclib.sourceforge.net/ PHP Secure Communications Library

44. Encrypted Field Modules • Encrypted Settings Field
 https://drupal.org/project/encset • Field

    Encryption
 https://drupal.org/project/field_encrypt • Encrypted Text
 https://drupal.org/project/encrypted_text


45. Or, Store Them In A Secure Service

46. drupal_http_request() does not check SSL certificates.

47. http://guzzlephp.org/ Guzzle

48. Using Guzzle // A little more complicated! $client = new

    \Guzzle\Http\Client('http://guzzlephp.org');! $request = $client->get('/');! $response = $request->send(); // A simple example! Guzzle\Http\StaticClient::mount();! $response = Guzzle::get('http://guzzlephp.org');

49. Inject Cert To drupal_http_request() $opts = array(! ‘ssl’ => array(!

    ‘CN_match’ => ‘example.com’,! ‘verify_peer’ => TRUE,! ‘allow_self_signed’ => FALSE,! ‘cafile’ => ‘path/to/cert.pem’,! ),! );! $context = stream_context_create($opts);! $ops = array(! ‘context’ => $context,! );! $res = drupal_http_request(‘http://example.com’, $ops);

50. Review Your Logs Regularly

51. http://logstash.net/ Logstash

52. http://www.loggly.com/ Loggly

53. http://www.loggly.com/docs/alerts-overview/ Automated Alerts

54. This is just the beginning...

55. Questions? Slides are at... http://bit.ly/SecureYourSite