Hardening TYPO3

Some tips for increasing the security of your TYPO3 installation by reducing its attack surface, which you were probably not yet aware of.

Helmut Hummel

July 13, 2018

Transcript

  1. Hardening TYPO3. Helmut Hummel <typo3@helhum.io>. Inspiring people to share.

  2. @helhum

  3. What is Hardening?

  4. “Hardening is the process of securing a system by reducing its surface of vulnerability” https://en.wikipedia.org/wiki/Hardening_(computing)

  7. Security

  8. Reduce Attack Surface

  9. Layers of a TYPO3 application: OS, Webserver, PHP, DBMS, TYPO3, Extensions

  10. Each layer can be attacked: OS, Webserver, PHP, DBMS, TYPO3, Extensions

  11. An application is only as secure as its weakest link

  12. Every layer needs attention

  13. Here is what will be covered today

  14. [Slides 14 to 21: diagram of the layers OS, Webserver, PHP, DBMS, TYPO3 and Extensions, each marked ✅ or ❌ in turn; the talk covers OS, Webserver and TYPO3 (✅) and leaves out PHP, DBMS and Extensions (❌)]

  22. OS

  23. Other services running on your OS

  24. FTP

  25. It's 2018

  26. Disable FTP access!

  27. Only jweiland knows how many TYPO3 sites have been hacked using a sniffed FTP password

  28. Disable every service not strictly required

  29. Keep your OS up to date

  30. …including your Docker containers

  31. Hardening OS Recap • Remove FTP • Disable every service you don't need (or don't even install it) • Update regularly • Containers need updates too • (There is much more on OS hardening)

  32. Webserver

  33. Update regularly

  34. Remember?

  35. It's 2018

  36. Enable SSL

  37. It's easy

  38. It's free

  39. It's secure

  40. But what about the TYPO3 rsaauth extension?

  41. Isn't that secure enough?

  42. Imagine a house

  43. Imagine a yard around that house

  44. Now imagine a door protecting access to the yard

  46. That's the protection you get from rsaauth

  47. tl;dr

  48. Enable SSL, disable rsaauth

  49. Enforce SSL (HSTS)

  50. Write protect every folder

  51. Hardening Webserver: Folders that require write access • fileadmin • uploads • typo3temp

  52. But the Extension Manager does not work any more if typo3conf is read only

  54. Hardening ❤ Automation

  55. Disable PHP execution in folders with write access

  56. RemoveHandler .php
      RemoveType .php
      php_flag engine off

  57. The only remaining place to add exploit code is typo3temp/var/Cache/Code

  58. Warm up code caches during deployment

  59. (Still a bit challenging for Fluid caches)

  60. Write protect cache folders, too

  61. Hardening Webserver Recap • Updates, updates, updates • SSL, SSL, SSL • Write protect all the things: all possible folders • If possible also code cache folders • Automated deployment helps you with that • Disable PHP handler in writable folders
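
Slides 50 to 61 describe one deployment step: write-protect everything, hand write access back only to fileadmin, uploads and typo3temp, switch PHP off in those folders with the directives from slide 56, and lock the warmed code cache again. The shell script below is an added example that automates that step for one document root; it is not the speaker's code. It assumes Apache with mod_php honouring .htaccess (php_flag is an mod_php directive and is rejected under php-fpm, where only the RemoveHandler/RemoveType lines apply), that the deploying user owns the tree, the classic layout with the three writable folders directly under the document root, and that the deployment has already warmed the code cache at typo3temp/var/Cache/Code. Since typo3conf ends up read-only, extensions have to be installed by the deployment rather than the Extension Manager (slide 52), which is the "Hardening ❤ Automation" point.

```shell
#!/bin/sh
# Added example, not from the talk: automate slides 50-60 for one document root.
# Assumptions (mine): Apache with mod_php honouring .htaccess, the deploying
# user owns the tree, fileadmin/uploads/typo3temp sit directly under the
# document root, and the code cache was warmed earlier in the deployment.

WRITABLE_DIRS="fileadmin uploads typo3temp"     # slide 51
LOCK_AFTER_WARMUP="typo3temp/var/Cache/Code"    # slides 57 and 60

# Directives from slide 56: no PHP handler and no PHP engine in upload dirs.
NO_PHP_HTACCESS='RemoveHandler .php
RemoveType .php
php_flag engine off
'

# perm_of PATH: symbolic mode string such as "dr-xr-xr-x" (portable, no stat flags)
perm_of() {
    ls -ld "$1" | cut -c1-10
}

# harden_webroot DOCROOT
#   1. remove the write bit everywhere (dirs 555, files 444)
#   2. give write access back only to WRITABLE_DIRS (dirs 755, files 644)
#   3. drop the PHP-disabling .htaccess into each writable dir
#   4. lock the warmed code cache again: nothing may be writable there
harden_webroot() {
    docroot=$1
    [ -d "$docroot" ] || { echo "no such docroot: $docroot" >&2; return 1; }

    find "$docroot" -type d -exec chmod 555 '{}' +
    find "$docroot" -type f -exec chmod 444 '{}' +

    for d in $WRITABLE_DIRS; do
        [ -d "$docroot/$d" ] || continue
        find "$docroot/$d" -type d -exec chmod 755 '{}' +
        find "$docroot/$d" -type f -exec chmod 644 '{}' +
        rm -f "$docroot/$d/.htaccess"      # a previous run left it read-only
        printf '%s' "$NO_PHP_HTACCESS" > "$docroot/$d/.htaccess"
        chmod 444 "$docroot/$d/.htaccess"
    done

    for c in $LOCK_AFTER_WARMUP; do
        [ -d "$docroot/$c" ] || continue
        find "$docroot/$c" -type f -exec chmod 444 '{}' +
        find "$docroot/$c" -type d -exec chmod 555 '{}' +
    done
}

# php_disabled_in DIR: true when DIR carries the engine-off directive
php_disabled_in() {
    grep -q '^php_flag engine off$' "$1/.htaccess" 2>/dev/null
}

# Run directly: harden the document root given as first argument.
if [ "$#" -gt 0 ]; then
    harden_webroot "$1"
fi
```

Run it as the last deployment step, after the cache warm-up, e.g. `sh harden.sh /var/www/site/public`; `perm_of` and `php_disabled_in` double as a post-deployment check that the folders really came out the way the recap demands.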

  62. TYPO3

  63. Update regularly

  64. Tell TYPO3 you are serious about SSL

  65. $GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] = true;

  66. $GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieSecure'] = 1;

  67. Disable debug settings

  68. $GLOBALS['TYPO3_CONF_VARS']['BE']['debug'] = false;
      $GLOBALS['TYPO3_CONF_VARS']['FE']['debug'] = false;
      $GLOBALS['TYPO3_CONF_VARS']['SYS']['devIPmask'] = '';
      $GLOBALS['TYPO3_CONF_VARS']['SYS']['displayErrors'] = 0;
      $GLOBALS['TYPO3_CONF_VARS']['SYS']['enableDeprecationLog'] = '';
      $GLOBALS['TYPO3_CONF_VARS']['SYS']['sqlDebug'] = 0;

  69. Log errors and warnings

  70. Monitor logs!

  71. Disable install tool

  72. $GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'] = '';

  73. Or delete install.php on deploy

  74. Use TYPO3 Console for emergency maintenance

  75. Restrict backend access to internal domain

  76. Only ship code that is required

  77. Why avoid installing code you don't need?

  78. Every security flaw is a bug in code

  79. All code has bugs

  80. All code potentially has security flaws

  81. 100% secure code is NO code

  82. TYPO3 comes as one package with a lot of code

  83. All system extensions are present, albeit deactivated

  84. … and you never need all of them

  85. But there is a solution

  86. TYPO3 Subtree Split

  87. TYPO3 Subtree split • Every core extension is available as an individual composer package • typo3/cms-core, typo3/cms-backend, … • All TYPO3 versions starting from 8.7.9 are available • MANDATORY since TYPO3 9.0 (you cannot require typo3/cms ^9.0) • If you have composer based TYPO3 8.7 projects, use it NOW

  88. But I don't use Composer

  90. Hardening ❤ Automation

  91. Automation ❤ Composer

  92. But there is more …

  93. Attack Surface

  94. Information Disclosure

  95. Every additional file in your document root increases the attack surface and is potentially leaking private information

  96. What does a possible TYPO3 document root look like?

  97. $ ll
      total 208
      drwxr-xr-x 11 helmut staff   374 Jun 20 22:10 .
      drwxr-xr-x  5 helmut staff   170 Jun 20 14:54 ..
      drwxr-xr-x 15 helmut staff   510 Jun 20 22:10 .git
      -rw-r--r--  1 helmut staff    66 Jun 20 22:08 .gitignore
      -rw-r--r--  1 helmut staff   227 Jun 20 22:08 composer.json
      -rw-r--r--  1 helmut staff 94010 Jun 20 22:08 composer.lock
      -rw-r--r--  1 helmut staff   800 Jun 20 22:10 index.php
      drwxr-xr-x  5 helmut staff   170 Jun 20 22:10 typo3
      drwxrwsr-x  3 helmut staff   102 Jun 20 22:10 typo3conf
      drwxrwsr-x  3 helmut staff   102 Jun 20 22:10 typo3temp
      drwxr-xr-x 15 helmut staff   510 Jun 20 22:10 vendor

  98. How to fix that?

  99. Step 1:
      "extra": {
          "typo3/cms": {
              "web-dir": "public"
          }
      }

  100. Step 2:
      "extra": {
          "typo3/cms": {
              "root-dir": "private",
              "web-dir": "public"
          }
      }

  101. Step 3: composer require helhum/typo3-secure-web
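
The listing on slide 97 shows .git, composer.json, composer.lock and vendor sitting inside the web root, and steps 1 to 3 fix that by moving the project root into a private directory. As an added example (not from the talk), the shell functions below flag every entry in a document root that is not on a small allowlist. The allowlist is my assumption for the classic layout of slide 97; once web-dir and root-dir are separated, the public folder should contain nothing but the entry point and the asset folders, so the same check works as a post-deployment assertion for both layouts.

```shell
#!/bin/sh
# Added example, not from the talk: flag entries in a TYPO3 document root that
# should never be web-reachable. PUBLIC_ENTRIES is my assumption for the classic
# layout on slide 97; anything else (.git, composer.lock, vendor, ...) is the
# kind of information disclosure slide 95 warns about.

PUBLIC_ENTRIES="index.php typo3 typo3conf typo3temp fileadmin uploads .htaccess"

# exposed_entries DOCROOT: print every direct child of DOCROOT (dotfiles too)
# whose name is not in PUBLIC_ENTRIES, one per line, in byte order.
exposed_entries() {
    docroot=$1
    for path in "$docroot"/* "$docroot"/.[!.]*; do
        [ -e "$path" ] || continue        # an unmatched glob stays literal; skip it
        name=${path##*/}
        allowed=0
        for ok in $PUBLIC_ENTRIES; do
            if [ "$name" = "$ok" ]; then
                allowed=1
                break
            fi
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$name"
        fi
    done | LC_ALL=C sort
}

# count_exposed DOCROOT: number of flagged entries; 0 means the root is clean
count_exposed() {
    exposed_entries "$1" | wc -l | tr -d ' '
}

# Run directly: list the offenders and exit non-zero if there are any,
# so the script can gate a deployment pipeline.
if [ "$#" -gt 0 ]; then
    exposed_entries "$1"
    [ "$(count_exposed "$1")" -eq 0 ]
fi
```

Against the slide 97 layout the script prints .git, .gitignore, composer.json, composer.lock and vendor and exits 1; against a split layout with only index.php, typo3 and the asset folders in public it prints nothing and exits 0.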

  102. Hardening TYPO3 Recap • Updates, Updates, Updates • No debug settings • Log errors and monitor logs • Disable install tool • Restrict backend access • Only install code that you need • Only expose public resources and defined entry points

  103. Thanks!

  104. https://speakerdeck.com/helhum/hardening-typo3

  105. Hardening TYPO3 References • https://docs.typo3.org/typo3cms/SecurityGuide/ • Images • http://emmayajewel.com/ • https://pixabay.com/en/child-protection-umbrella-rain-2956973/ • http://formidableengineeringconsultants.com/