Hardening TYPO3

Transcript

1. Hardening TYPO3 Helmut Hummel <[email protected]> Inspiring people to share Hardening

   TYPO3

2. 2 @helhum

3. What is Hardening? 3

4. 4 “Hardening is the process of securing a system by

   reducing its surface of vulnerability” https://en.wikipedia.org/wiki/Hardening_(computing)

5. 5 “Hardening is the process of securing a system by

   reducing its surface of vulnerability” https://en.wikipedia.org/wiki/Hardening_(computing)

6. 6 “Hardening is the process of securing a system by

   reducing its surface of vulnerability” https://en.wikipedia.org/wiki/Hardening_(computing)

7. 7 Security

8. 8 Reduce Attack Surface

9. Layers of a TYPO3 application OS TYPO3 DBMS Webserver PHP

   9 Extensions

10. Each layer can be attacked OS TYPO3 DBMS Webserver PHP

    10 Extensions

11. An application is only as secure as its weakest link

    11

12. Every layer needs attention 12

13. Here is what will be covered today 13

14. OS TYPO3 DBMS Webserver PHP 14 Extensions ✅ ❌

15. OS TYPO3 DBMS Webserver PHP 15 Extensions ✅ ❌

16. OS TYPO3 DBMS Webserver PHP 16 Extensions ✅ ❌

17. OS TYPO3 Webserver PHP 17 Extensions DBMS ✅ ❌

18. OS TYPO3 Webserver 18 Extensions DBMS PHP ✅ ❌

19. OS Webserver 19 Extensions DBMS PHP TYPO3 ✅ ❌

20. OS TYPO3 DBMS Webserver PHP 20 Extensions ✅ ❌

21. OS TYPO3 Webserver 21 ✅

22. OS 22

23. Other services running on your OS 23

24. FTP 24

25. It's 2018 25

26. Disable FTP access! 26

27. Only jweiland knows
 how many TYPO3 sites have been hacked

    using a sniffed FTP password 27

28. Disable every service, not strictly required 28

29. Keep your OS up to date 29

30. …including your Docker containers 30

31. Hardening OS Recap • Remove FTP • Disable every service

    you don't need (or don't even install it) • Update regularly • Containers need updates too • (There is much more on OS hardening) 31

32. 32 Webserver

33. Update regularly 33

34. Remember? 34

35. It's 2018 35

36. Enable SSL 36

37. It's easy 37

38. It's free 38

39. It's secure 39

40. But what about TYPO3 rsaauth extension? 40

41. Isn't that secure enough? 41

42. Imagine a house 42

43. Imagine a yard around that house 43

44. Now imagine a door protecting access to the yard 44

45. 45

46. That's the protection you get from rsaauth 46

47. tl;dr 47

48. Enable SSL, disable rsaauth 48

49. Enforce SSL (HSTS) 49

50. Write protect every folder 50

51. Hardening Webserver Folders that require write access • fileadmin •

    uploads • typo3temp 51

52. But Extension Manager does not work any more if typo3conf

    is read only 52

53. 53

54. Hardening ❤ Automation 54

55. Disable PHP execution in folders with write access 55

56. RemoveHandler .php RemoveType .php php_flag engine off 56

57. The only remaining place to add exploit code is typo3temp/var/Cache/Code

    57

58. Warm up code caches during deployment 58

59. (Still a bit challenging for Fluid caches) 59

60. Write protect cache folders, too 60

61. • Updates, update, updates • SSL, SSL, SSL • Write

    protect all the things all possible folders • If possible also code cache folders • Automated deployment helps you with that • Disable PHP handler in writable folders Hardening Webserver Recap 61

62. 62 TYPO3

63. Update regularly 63

64. Tell TYPO3 you are serious about SSL 64

65. $GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] = true; 65

66. $GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieSecure'] = 1; 66

67. Disable debug settings 67

68. $GLOBALS['TYPO3_CONF_VARS']['BE']['debug'] = false; $GLOBALS['TYPO3_CONF_VARS']['FE']['debug'] = false; $GLOBALS['TYPO3_CONF_VARS']['SYS']['devIPmask'] = ''; $GLOBALS['TYPO3_CONF_VARS']['SYS']['displayErrors']

    = 0; $GLOBALS['TYPO3_CONF_VARS']['SYS']['enableDeprecationLog'] = ''; $GLOBALS['TYPO3_CONF_VARS']['SYS']['sqlDebug'] = 0; 68

69. Log errors and warnings 69

70. Monitor logs! 70

71. Disable install tool 71

72. $GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'] = ''; 72

73. Or delete install.php on deploy 73

74. Use TYPO3 Console for emergency maintenance 74

75. Restrict backend access to internal domain 75

76. Only ship code that is required 76

77. Why to avoid installing code you don't need? 77

78. Every security flaw is a bug in code 78

79. Every code has bugs 79

80. Every code potentially has security flaws 80

81. 100% secure code is NO code 81

82. TYPO3 comes as one package with a lot of code

    82

83. All system extensions are present, albeit deactivated 83

84. … and you never need all of them 84

85. But there is a solution 85

86. TYPO3 Subtree Split 86

87. Security TYPO3 Subtree split • Every core extension is available

    as individual composer package • typo3/cms-core, typo3/cms-backend, … • All TYPO3 versions starting from 8.7.9 are available • MANDATORY since TYPO3 9.0 (you cannot require typo3/cms ^9.0) • If you have composer based TYPO3 8.7 projects, use it NOW 87

88. But I don't use Composer 88

89. 89

90. Hardening ❤ Automation 90

91. Automation ❤ Composer 91

92. But there is more … 92

93. Attack Surface 93

94. Information Disclosure 94

95. Every additional file in your document root increases the attack

    surface and is potentially leaking private information 95

96. How does a possible TYPO3 document root look like? 96

97. 97 $ ll total 208 drwxr-xr-x 11 helmut staff 374

    Jun 20 22:10 . drwxr-xr-x 5 helmut staff 170 Jun 20 14:54 .. drwxr-xr-x 15 helmut staff 510 Jun 20 22:10 .git -rw-r--r-- 1 helmut staff 66 Jun 20 22:08 .gitignore -rw-r--r-- 1 helmut staff 227 Jun 20 22:08 composer.json -rw-r--r-- 1 helmut staff 94010 Jun 20 22:08 composer.lock -rw-r--r-- 1 helmut staff 800 Jun 20 22:10 index.php drwxr-xr-x 5 helmut staff 170 Jun 20 22:10 typo3 drwxrwsr-x 3 helmut staff 102 Jun 20 22:10 typo3conf drwxrwsr-x 3 helmut staff 102 Jun 20 22:10 typo3temp drwxr-xr-x 15 helmut staff 510 Jun 20 22:10 vendor

98. How to fix that? 98

99. Security Step 1 99 "extra": { "typo3/cms": { "web-dir": "public"

    } }

100. Security Step 2 100 "extra": { "typo3/cms": { "root-dir": "private",

     "web-dir": "public" } }

101. Security Step 3 101 composer require helhum/typo3-secure-web

102. Hardening TYPO3 Recap • Updates, Updates, Updates • No debug

     settings • Log errors and monitor logs • Disable install tool • Restrict backend access • Only install code that you need • Only expose public resources and defined entry points 102

103. Thanks! 103

104. https://speakerdeck.com/helhum/hardening-typo3 104

105. Hardening TYPO3 References • https://docs.typo3.org/typo3cms/SecurityGuide/ • Images • http://emmayajewel.com/ •

     https://pixabay.com/en/child-protection-umbrella-rain-2956973/ • http://formidableengineeringconsultants.com/ 105