Hardening TYPO3

Some tips to increase the security of your TYPO3 installation by reducing its attack surface, which you probably were not yet aware of.

Helmut Hummel

July 13, 2018
Transcript

  1. Hardening TYPO3
    Helmut Hummel
    Inspiring people to share

  2. @helhum

  3. What is Hardening?

  4. “Hardening is the process of securing a system by reducing its surface of vulnerability”
    https://en.wikipedia.org/wiki/Hardening_(computing)

  7. Security

  8. Reduce Attack Surface

  9. Layers of a TYPO3 application
    OS
    TYPO3
    DBMS
    Webserver
    PHP
    Extensions

  10. Each layer can be attacked
    OS
    TYPO3
    DBMS
    Webserver
    PHP
    Extensions

  11. An application is only as secure as its weakest link

  12. Every layer needs attention

  13. Here is what will be covered today

  14. OS
    TYPO3
    DBMS
    Webserver
    PHP
    Extensions

  21. OS
    TYPO3
    Webserver

  22. OS

  23. Other services running on your OS

  24. FTP

  25. It's 2018

  26. Disable FTP access!

  27. Only jweiland knows how many TYPO3 sites have been hacked using a sniffed FTP password

  28. Disable every service that is not strictly required

  29. Keep your OS up to date

  30. …including your Docker containers

  31. Hardening OS: Recap
    • Remove FTP
    • Disable every service you don't need (or don't even install it)
    • Update regularly
    • Containers need updates too
    • (There is much more on OS hardening)

  32. Webserver

  33. Update regularly

  34. Remember?

  35. It's 2018

  36. Enable SSL

  37. It's easy

  38. It's free

  39. It's secure

  40. But what about the TYPO3 rsaauth extension?

  41. Isn't that secure enough?

  42. Imagine a house

  43. Imagine a yard around that house

  44. Now imagine a door protecting access to the yard

  46. That's the protection you get from rsaauth

  47. tl;dr

  48. Enable SSL, disable rsaauth

  49. Enforce SSL (HSTS)

  50. Write protect every folder

  51. Hardening Webserver: Folders that require write access
    • fileadmin
    • uploads
    • typo3temp

  52. But the Extension Manager does not work any more if typo3conf is read only

  54. Hardening ❤ Automation

  55. Disable PHP execution in folders with write access

  56. RemoveHandler .php
    RemoveType .php
    php_flag engine off

  57. The only remaining place to add exploit code is typo3temp/var/Cache/Code

  58. Warm up code caches during deployment

  59. (Still a bit challenging for Fluid caches)

  60. Write protect cache folders, too

  61. Hardening Webserver: Recap
    • Updates, updates, updates
    • SSL, SSL, SSL
    • Write protect all possible folders
    • If possible, also code cache folders
    • Automated deployment helps you with that
    • Disable PHP handler in writable folders
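
The write-protect step from slides 50 to 60 as one automated deployment step, an added example that is not code from the deck, from TYPO3 or from the author's projects. It makes the document root read-only, re-opens only fileadmin, uploads and typo3temp, and drops the three directives from slide 56 into each of those folders. It assumes Apache with mod_php, a deploy user that owns the tree, and a web server process that is a member of that user's group.

```shell
#!/bin/sh
# Added example (not from the deck): permission hardening of a TYPO3 document
# root as one deployment step. Assumptions: the deploy user owns the tree, the
# web server process is a member of the owning group, Apache runs mod_php.
set -eu

# Folders the deck lists as needing write access (slide 51).
WRITABLE_DIRS="fileadmin uploads typo3temp"

# Directives from slide 56: stop mod_php from executing PHP in these folders.
HTACCESS_NO_PHP='RemoveHandler .php
RemoveType .php
php_flag engine off'

harden_webroot() {
    root=$1
    for d in $WRITABLE_DIRS; do
        mkdir -p "$root/$d"          # create before the root becomes read-only
    done
    # 1. Everything read-only; the web server only needs to read code.
    find "$root" -type d -exec chmod 0555 {} +
    find "$root" -type f -exec chmod 0444 {} +
    # 2. Re-open only the writable folders (setgid, like the drwxrwsr-x
    #    entries in the deck's listing) and forbid PHP execution inside them.
    for d in $WRITABLE_DIRS; do
        find "$root/$d" -type d -exec chmod 2775 {} +
        find "$root/$d" -type f -exec chmod 0664 {} +
        rm -f "$root/$d/.htaccess"
        printf '%s\n' "$HTACCESS_NO_PHP" > "$root/$d/.htaccess"
        chmod 0444 "$root/$d/.htaccess"
    done
}

# List every directory that is still group- or world-writable, sorted, so the
# deploy log shows exactly where files can be dropped. Run after harden_webroot.
writable_dirs() {
    find "$1" -type d \( -perm -020 -o -perm -002 \) | sort
}
```

php_flag only takes effect with mod_php and AllowOverride enabled; with PHP-FPM, deny .php in these folders in the vhost configuration instead. Log the output of writable_dirs in the deploy run to see what is left writable, which includes typo3temp/var/Cache/Code until caches are warmed up and locked down as in slides 57 to 60.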

  62. TYPO3

  63. Update regularly

  64. Tell TYPO3 you are serious about SSL

  65. $GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] = true;

  66. $GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieSecure'] = 1;

  67. Disable debug settings

  68. $GLOBALS['TYPO3_CONF_VARS']['BE']['debug'] = false;
    $GLOBALS['TYPO3_CONF_VARS']['FE']['debug'] = false;
    $GLOBALS['TYPO3_CONF_VARS']['SYS']['devIPmask'] = '';
    $GLOBALS['TYPO3_CONF_VARS']['SYS']['displayErrors'] = 0;
    $GLOBALS['TYPO3_CONF_VARS']['SYS']['enableDeprecationLog'] = '';
    $GLOBALS['TYPO3_CONF_VARS']['SYS']['sqlDebug'] = 0;

  69. Log errors and warnings

  70. Monitor logs!

  71. Disable install tool

  72. $GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'] = '';

  73. Or delete install.php on deploy

  74. Use TYPO3 Console for emergency maintenance

  75. Restrict backend access to internal domain

  76. Only ship code that is required

  77. Why avoid installing code you don't need?

  78. Every security flaw is a bug in code

  79. All code has bugs

  80. All code potentially has security flaws

  81. 100% secure code is NO code

  82. TYPO3 comes as one package with a lot of code

  83. All system extensions are present, albeit deactivated

  84. … and you never need all of them

  85. But there is a solution

  86. TYPO3 Subtree Split

  87. TYPO3 Subtree Split
    • Every core extension is available as an individual Composer package
    • typo3/cms-core, typo3/cms-backend, …
    • All TYPO3 versions starting from 8.7.9 are available
    • MANDATORY since TYPO3 9.0 (you cannot require typo3/cms ^9.0)
    • If you have Composer-based TYPO3 8.7 projects, use it NOW

  88. But I don't use Composer

  90. Hardening ❤ Automation

  91. Automation ❤ Composer


  93. Attack Surface
    93

    View Slide

  94. Information Disclosure
    94

    View Slide

  95. Every additional file in your document root increases
    the attack surface and is potentially leaking private
    information
    95

    View Slide

  96. How does a possible TYPO3 document root look like?
    96

    View Slide

  97. 97
    $ ll
    total 208
    drwxr-xr-x 11 helmut staff 374 Jun 20 22:10 .
    drwxr-xr-x 5 helmut staff 170 Jun 20 14:54 ..
    drwxr-xr-x 15 helmut staff 510 Jun 20 22:10 .git
    -rw-r--r-- 1 helmut staff 66 Jun 20 22:08 .gitignore
    -rw-r--r-- 1 helmut staff 227 Jun 20 22:08 composer.json
    -rw-r--r-- 1 helmut staff 94010 Jun 20 22:08 composer.lock
    -rw-r--r-- 1 helmut staff 800 Jun 20 22:10 index.php
    drwxr-xr-x 5 helmut staff 170 Jun 20 22:10 typo3
    drwxrwsr-x 3 helmut staff 102 Jun 20 22:10 typo3conf
    drwxrwsr-x 3 helmut staff 102 Jun 20 22:10 typo3temp
    drwxr-xr-x 15 helmut staff 510 Jun 20 22:10 vendor

    View Slide

  98. How to fix that?
    98

    View Slide

  99. Security
    Step 1
    99
    "extra": {
    "typo3/cms": {
    "web-dir": "public"
    }
    }

    View Slide

  100. Security
    Step 2
    100
    "extra": {
    "typo3/cms": {
    "root-dir": "private",
    "web-dir": "public"
    }
    }

    View Slide

  101. Security
    Step 3
    101
    composer require helhum/typo3-secure-web

    View Slide
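
A deploy-time allow-list check for the point made on slides 95 to 101, added here as an example rather than code from the deck or from helhum/typo3-secure-web: it lists every top-level entry of the web root that is neither a TYPO3 entry point nor a public folder, so leftovers such as .git or composer.lock are caught before they are served. The allow-list is an assumption for a Composer-based project using the web-dir layout above.

```shell
#!/bin/sh
# Added example (not from the deck or from helhum/typo3-secure-web): a deploy-time
# check that every top-level entry in the TYPO3 web root is either an entry point
# or a public resource folder. Assumption: Composer-based project with the
# web-dir layout from the deck; adjust ALLOWED_ENTRIES to your own layout.
set -eu

# Hypothetical allow-list: TYPO3 entry points plus the public folders.
ALLOWED_ENTRIES="index.php .htaccess typo3 typo3conf typo3temp fileadmin uploads"

is_allowed() {
    for ok in $ALLOWED_ENTRIES; do
        [ "$1" = "$ok" ] && return 0
    done
    return 1
}

# Print every unexpected entry (e.g. .git, composer.lock, vendor), one per line,
# and return 1 if any was found so a deployment pipeline can refuse to go live.
audit_webroot() {
    root=$1
    found=0
    # The three patterns also match dotfiles, where .git and .env usually hide.
    for path in "$root"/* "$root"/.[!.]* "$root"/..?*; do
        [ -e "$path" ] || continue         # pattern matched nothing
        entry=${path##*/}
        if ! is_allowed "$entry"; then
            printf '%s\n' "$entry"
            found=1
        fi
    done
    return $found
}
```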

  102. Hardening TYPO3: Recap
    • Updates, Updates, Updates
    • No debug settings
    • Log errors and monitor logs
    • Disable install tool
    • Restrict backend access
    • Only install code that you need
    • Only expose public resources and defined entry points

  103. Thanks!

  104. https://speakerdeck.com/helhum/hardening-typo3

  105. Hardening TYPO3: References
    • https://docs.typo3.org/typo3cms/SecurityGuide/
    • Images
      • http://emmayajewel.com/
      • https://pixabay.com/en/child-protection-umbrella-rain-2956973/
      • http://formidableengineeringconsultants.com/