Hardening TYPO3

Hardening
TYPO3
Helmut Hummel
Inspiring people to
share
Hardening TYPO3

View Slide

2
@helhum

View Slide

What is Hardening?
3

View Slide

4
“Hardening is the process of securing a system
by reducing its surface of vulnerability”
https://en.wikipedia.org/wiki/Hardening_(computing)

View Slide

5

View Slide

6

View Slide

7
Security

View Slide

8
Reduce Attack Surface

View Slide

Layers of a TYPO3 application
OS
TYPO3
DBMS
Webserver
PHP
9
Extensions

View Slide

Each layer can be attacked
OS
TYPO3
DBMS
Webserver
PHP
10
Extensions

View Slide

An application is only as secure as its weakest link
11

View Slide

Every layer needs attention
12

View Slide

Here is what will be covered today
13

View Slide

OS
TYPO3
DBMS
Webserver
PHP
14
Extensions
✅
❌

View Slide

OS
TYPO3
DBMS
Webserver
PHP
15
Extensions
✅
❌

View Slide

OS
TYPO3
DBMS
Webserver
PHP
16
Extensions
✅
❌

View Slide

OS
TYPO3
Webserver
PHP
17
Extensions
DBMS
✅
❌

View Slide

OS
TYPO3
Webserver
18
Extensions
DBMS
PHP
✅
❌

View Slide

OS
Webserver
19
Extensions
DBMS
PHP
TYPO3
✅
❌

View Slide

OS
TYPO3
DBMS
Webserver
PHP
20
Extensions
✅
❌

View Slide

OS
TYPO3
Webserver
21
✅

View Slide

OS
22

View Slide

Other services running on your OS
23

View Slide

FTP
24

View Slide

It's 2018
25

View Slide

Disable FTP access!
26

View Slide

Only jweiland knows 
how many TYPO3 sites have been hacked
using a sniffed FTP password
27

View Slide

Disable every service, not strictly required
28

View Slide

Keep your OS up to date
29

View Slide

…including your Docker containers
30

View Slide

Hardening OS
Recap
• Remove FTP
• Disable every service you don't need (or don't even install it)
• Update regularly
• Containers need updates too
• (There is much more on OS hardening)
31

View Slide

32
Webserver

View Slide

Update regularly
33

View Slide

Remember?
34

View Slide

It's 2018
35

View Slide

Enable SSL
36

View Slide

It's easy
37

View Slide

It's free
38

View Slide

It's secure
39

View Slide

But what about TYPO3 rsaauth extension?
40

View Slide

Isn't that secure enough?
41

View Slide

Imagine a house
42

View Slide

Imagine a yard around that house
43

View Slide

Now imagine a door protecting access to the yard
44

View Slide

45

View Slide

That's the protection you get from rsaauth
46

View Slide

tl;dr
47

View Slide

Enable SSL, disable rsaauth
48

View Slide

Enforce SSL (HSTS)
49

View Slide

Write protect every folder
50

View Slide

Hardening Webserver
Folders that require write access
• ﬁleadmin
• uploads
• typo3temp
51

View Slide

But Extension Manager does not work any more
if typo3conf is read only
52

View Slide

53

View Slide

Hardening ❤ Automation
54

View Slide

Disable PHP execution in folders with write access
55

View Slide

RemoveHandler .php
RemoveType .php
php_flag engine off
56

View Slide

The only remaining place to add exploit code is
typo3temp/var/Cache/Code
57

View Slide

Warm up code caches during deployment
58

View Slide

(Still a bit challenging for Fluid caches)
59

View Slide

Write protect cache folders, too
60

View Slide

• Updates, update, updates
• SSL, SSL, SSL
• Write protect all the things all possible folders
• If possible also code cache folders
• Automated deployment helps you with that
• Disable PHP handler in writable folders
Hardening Webserver
Recap
61

View Slide

62
TYPO3

View Slide

Update regularly
63

View Slide

Tell TYPO3 you are serious about SSL
64

View Slide

$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] = true;
65

View Slide

$GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieSecure'] = 1;
66

View Slide

Disable debug settings
67

View Slide

$GLOBALS['TYPO3_CONF_VARS']['BE']['debug'] = false;
$GLOBALS['TYPO3_CONF_VARS']['FE']['debug'] = false;
$GLOBALS['TYPO3_CONF_VARS']['SYS']['devIPmask'] = '';
$GLOBALS['TYPO3_CONF_VARS']['SYS']['displayErrors'] = 0;
$GLOBALS['TYPO3_CONF_VARS']['SYS']['enableDeprecationLog'] = '';
$GLOBALS['TYPO3_CONF_VARS']['SYS']['sqlDebug'] = 0;
68

View Slide

Log errors and warnings
69

View Slide

Monitor logs!
70

View Slide

Disable install tool
71

View Slide

$GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'] = '';
72

View Slide

Or delete install.php on deploy
73

View Slide

Use TYPO3 Console for emergency maintenance
74

View Slide

Restrict backend access to internal domain
75

View Slide

Only ship code that is required
76

View Slide

Why to avoid installing code you don't need?
77

View Slide

Every security ﬂaw is a bug in code
78

View Slide

Every code has bugs
79

View Slide

Every code potentially has security ﬂaws
80

View Slide

100% secure code is NO code
81

View Slide

TYPO3 comes as one package with a lot of code
82

View Slide

All system extensions are present, albeit deactivated
83

View Slide

… and you never need all of them
84

View Slide

But there is a solution
85

View Slide

TYPO3 Subtree Split
86

View Slide

Security
TYPO3 Subtree split
• Every core extension is available as individual composer package
• typo3/cms-core, typo3/cms-backend, …
• All TYPO3 versions starting from 8.7.9 are available
• MANDATORY since TYPO3 9.0 (you cannot require typo3/cms ^9.0)
• If you have composer based TYPO3 8.7 projects, use it NOW
87

View Slide

But I don't use Composer
88

View Slide

89

View Slide

Hardening ❤ Automation
90

View Slide

Automation ❤ Composer
91

View Slide

But there is more …
92

View Slide

Attack Surface
93

View Slide

Information Disclosure
94

View Slide

Every additional ﬁle in your document root increases
the attack surface and is potentially leaking private
information
95

View Slide

How does a possible TYPO3 document root look like?
96

View Slide

97
$ ll
total 208
drwxr-xr-x 11 helmut staff 374 Jun 20 22:10 .
drwxr-xr-x 5 helmut staff 170 Jun 20 14:54 ..
drwxr-xr-x 15 helmut staff 510 Jun 20 22:10 .git
-rw-r--r-- 1 helmut staff 66 Jun 20 22:08 .gitignore
-rw-r--r-- 1 helmut staff 227 Jun 20 22:08 composer.json
-rw-r--r-- 1 helmut staff 94010 Jun 20 22:08 composer.lock
-rw-r--r-- 1 helmut staff 800 Jun 20 22:10 index.php
drwxr-xr-x 5 helmut staff 170 Jun 20 22:10 typo3
drwxrwsr-x 3 helmut staff 102 Jun 20 22:10 typo3conf
drwxrwsr-x 3 helmut staff 102 Jun 20 22:10 typo3temp
drwxr-xr-x 15 helmut staff 510 Jun 20 22:10 vendor

View Slide

How to ﬁx that?
98

View Slide

Security
Step 1
99
"extra": {
"typo3/cms": {
"web-dir": "public"
}
}

View Slide

Security
Step 2
100
"extra": {
"typo3/cms": {
"root-dir": "private",
"web-dir": "public"
}
}

View Slide

Security
Step 3
101
composer require helhum/typo3-secure-web

View Slide

Hardening TYPO3
Recap
• Updates, Updates, Updates
• No debug settings
• Log errors and monitor logs
• Disable install tool
• Restrict backend access
• Only install code that you need
• Only expose public resources and deﬁned entry points
102

View Slide

Thanks!
103

View Slide

https://speakerdeck.com/helhum/hardening-typo3
104

View Slide

Hardening TYPO3
References
• https://docs.typo3.org/typo3cms/SecurityGuide/
• Images
• http://emmayajewel.com/
• https://pixabay.com/en/child-protection-umbrella-rain-2956973/
• http://formidableengineeringconsultants.com/
105

View Slide

Hardening TYPO3

Hardening TYPO3

Helmut Hummel

More Decks by Helmut Hummel

Other Decks in Programming

Featured

Transcript