Hardening TYPO3

Hardening TYPO3 Helmut Hummel <[email protected]> Inspiring people to share Hardening
TYPO3

2 @helhum

What is Hardening? 3

4 “Hardening is the process of securing a system by
reducing its surface of vulnerability” https://en.wikipedia.org/wiki/Hardening_(computing)

7 Security

8 Reduce Attack Surface

Layers of a TYPO3 application OS TYPO3 DBMS Webserver PHP
9 Extensions

Each layer can be attacked OS TYPO3 DBMS Webserver PHP
10 Extensions

An application is only as secure as its weakest link
11

Every layer needs attention 12

Here is what will be covered today 13

OS TYPO3 DBMS Webserver PHP 14 Extensions ✅ ❌

OS TYPO3 Webserver PHP 17 Extensions DBMS ✅ ❌

OS TYPO3 Webserver 18 Extensions DBMS PHP ✅ ❌

OS Webserver 19 Extensions DBMS PHP TYPO3 ✅ ❌

OS TYPO3 Webserver 21 ✅

Other services running on your OS 23

FTP 24

It's 2018 25

Disable FTP access! 26

Only jweiland knows  how many TYPO3 sites have been hacked
using a sniffed FTP password 27

Disable every service, not strictly required 28

Keep your OS up to date 29

…including your Docker containers 30

Hardening OS Recap • Remove FTP • Disable every service
you don't need (or don't even install it) • Update regularly • Containers need updates too • (There is much more on OS hardening) 31

32 Webserver

Update regularly 33

Remember? 34

It's 2018 35

Enable SSL 36

It's easy 37

It's free 38

It's secure 39

But what about TYPO3 rsaauth extension? 40

Isn't that secure enough? 41

Imagine a house 42

Imagine a yard around that house 43

Now imagine a door protecting access to the yard 44

That's the protection you get from rsaauth 46

tl;dr 47

Enable SSL, disable rsaauth 48

Enforce SSL (HSTS) 49

Write protect every folder 50

Hardening Webserver Folders that require write access • ﬁleadmin •
uploads • typo3temp 51

But Extension Manager does not work any more if typo3conf
is read only 52

Hardening ❤ Automation 54

Disable PHP execution in folders with write access 55

RemoveHandler .php RemoveType .php php_flag engine off 56

The only remaining place to add exploit code is typo3temp/var/Cache/Code
57

Warm up code caches during deployment 58

(Still a bit challenging for Fluid caches) 59

Write protect cache folders, too 60

• Updates, update, updates • SSL, SSL, SSL • Write
protect all the things all possible folders • If possible also code cache folders • Automated deployment helps you with that • Disable PHP handler in writable folders Hardening Webserver Recap 61

62 TYPO3

Update regularly 63

Tell TYPO3 you are serious about SSL 64

$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] = true; 65

$GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieSecure'] = 1; 66

Disable debug settings 67

$GLOBALS['TYPO3_CONF_VARS']['BE']['debug'] = false; $GLOBALS['TYPO3_CONF_VARS']['FE']['debug'] = false; $GLOBALS['TYPO3_CONF_VARS']['SYS']['devIPmask'] = ''; $GLOBALS['TYPO3_CONF_VARS']['SYS']['displayErrors']
= 0; $GLOBALS['TYPO3_CONF_VARS']['SYS']['enableDeprecationLog'] = ''; $GLOBALS['TYPO3_CONF_VARS']['SYS']['sqlDebug'] = 0; 68

Log errors and warnings 69

Monitor logs! 70

Disable install tool 71

$GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'] = ''; 72

Or delete install.php on deploy 73

Use TYPO3 Console for emergency maintenance 74

Restrict backend access to internal domain 75

Only ship code that is required 76

Why to avoid installing code you don't need? 77

Every security ﬂaw is a bug in code 78

Every code has bugs 79

Every code potentially has security ﬂaws 80

100% secure code is NO code 81

TYPO3 comes as one package with a lot of code
82

All system extensions are present, albeit deactivated 83

… and you never need all of them 84

But there is a solution 85

TYPO3 Subtree Split 86

Security TYPO3 Subtree split • Every core extension is available
as individual composer package • typo3/cms-core, typo3/cms-backend, … • All TYPO3 versions starting from 8.7.9 are available • MANDATORY since TYPO3 9.0 (you cannot require typo3/cms ^9.0) • If you have composer based TYPO3 8.7 projects, use it NOW 87

But I don't use Composer 88

Hardening ❤ Automation 90

Automation ❤ Composer 91

But there is more … 92

Attack Surface 93

Information Disclosure 94

Every additional ﬁle in your document root increases the attack
surface and is potentially leaking private information 95

How does a possible TYPO3 document root look like? 96

97 $ ll total 208 drwxr-xr-x 11 helmut staff 374
Jun 20 22:10 . drwxr-xr-x 5 helmut staff 170 Jun 20 14:54 .. drwxr-xr-x 15 helmut staff 510 Jun 20 22:10 .git -rw-r--r-- 1 helmut staff 66 Jun 20 22:08 .gitignore -rw-r--r-- 1 helmut staff 227 Jun 20 22:08 composer.json -rw-r--r-- 1 helmut staff 94010 Jun 20 22:08 composer.lock -rw-r--r-- 1 helmut staff 800 Jun 20 22:10 index.php drwxr-xr-x 5 helmut staff 170 Jun 20 22:10 typo3 drwxrwsr-x 3 helmut staff 102 Jun 20 22:10 typo3conf drwxrwsr-x 3 helmut staff 102 Jun 20 22:10 typo3temp drwxr-xr-x 15 helmut staff 510 Jun 20 22:10 vendor

How to ﬁx that? 98

Security Step 1 99 "extra": { "typo3/cms": { "web-dir": "public"
} }

Security Step 2 100 "extra": { "typo3/cms": { "root-dir": "private",
"web-dir": "public" } }

Security Step 3 101 composer require helhum/typo3-secure-web

Hardening TYPO3 Recap • Updates, Updates, Updates • No debug
settings • Log errors and monitor logs • Disable install tool • Restrict backend access • Only install code that you need • Only expose public resources and deﬁned entry points 102

Thanks! 103

https://speakerdeck.com/helhum/hardening-typo3 104

Hardening TYPO3 References • https://docs.typo3.org/typo3cms/SecurityGuide/ • Images • http://emmayajewel.com/ •
https://pixabay.com/en/child-protection-umbrella-rain-2956973/ • http://formidableengineeringconsultants.com/ 105

Hardening TYPO3

Hardening TYPO3

More Decks by Helmut Hummel

Other Decks in Programming

Featured

Transcript