Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure Your Site

Matt Farina
October 12, 2013
Technology
0
2.4k

Secure Your Site

An introduction to securing Drupal sites.

Matt Farina

October 12, 2013
Tweet

More Decks by Matt Farina

See All by Matt Farina
Faster Mobile Sites
mattfarina
1
2.3k
Front End Performance Improvements
mattfarina
5
2.1k
Building Faster Websites
mattfarina
3
210
Faster Front End Performance
mattfarina
3
310

Other Decks in Technology

See All in Technology
re:Invent Recap (January 2025)
scalefactory
0
340
GitLab SelfManagedをCodePipelineのソースに設定する/SetGitLabSelfManagedtoCodePipeline
norihiroishiyama
1
120
【Λ(らむだ)】アップデート機能振り返りΛ編 / PADjp20250127
lambda
0
120
エラーバジェット枯渇の原因 - 偽陽性との戦い -
phaya72
1
100
業務ツールをAIエージェントとつなぐ - Composio
knishioka
0
120
Redshiftを中心としたAWSでのデータ基盤
mashiike
0
100
ChatGPTを使ったブログ執筆と校正の実践テクニック/登壇資料(井田 献一朗)
hacobu
1
160
パフォーマンスとコスト改善のために法人データ分析基盤をBigQueryに移行した話
seiya303
1
100
Enhancing SRE Using AI
yoshiiryo1
1
280
Amazon Location Serviceを使ってラーメンマップを作る
ryder472
2
160
CNAPPから考えるAWSガバナンスの実践と最適化
yuobayashi
5
680
private spaceについてあれこれ調べてみた
operando
1
170

Featured

See All Featured
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Building Better People: How to give real-time feedback that sticks.
wjessup
366
19k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
VelocityConf: Rendering Performance Case Studies
addyosmani
327
24k
StorybookのUI Testing Handbookを読んだ
zakiyama
28
5.4k
How to train your dragon (web standard)
notwaldorf
89
5.8k
Statistics for Hackers
jakevdp
797
220k
Making Projects Easy
brettharned
116
6k
The Pragmatic Product Professional
lauravandoore
32
6.4k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
59k
Music & Morning Musume
bryan
46
6.3k

Transcript

  1. Secure Your Site Matt Farina Engineer at HP Cloud

  2. http://bit.ly/SecureYourSite You can get the slides at...

  3. • @mattfarina on twitter • Drupal.org UID 25701 (Over 8

    Years) • Co-Author of Drupal 7 Module Development • A Lead Engineer at HP Cloud

  4. http://techcrunch.com/2013/10/03/adobe-gets-hacked-product-source-code-and-data-for-2-9m-customers-likely-accessed/ Did you hear, Adobe was hacked

  5. http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever A Picture Of The Internet

  6. http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever 420,000 Hacked Linux Based Systems

  7. http://www.forbes.com/sites/cherylsnappconner/2013/09/14/are-you-prepared-71-of-cyber-attacks-hit-small-business/ 71% attacked sites of orgs with less than 100

    People

  8. http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html Scan port 22 (ssh) for the Internet in a

    day

  9. I’ve Watched Attacks Happen

  10. I’ve Found Hacked Servers

  11. For the sake of your users, secure your site.

  12. https://help.ubuntu.com/12.04/serverguide/security.html Harden Your Servers

  13. https://help.ubuntu.com/community/AutoWeeklyUpdateHowTo Keep packages up to date for security releases

  14. Lock Down Access Web Server DB Server

  15. http://openvpn.net/ Use A VPN

  16. http://stackoverflow.com/questions/2661799/removing-x-powered-by Removing X-Powered-By Header ; In your php.ini file set!

    expose_php = off > curl -i -X HEAD https://drupal.org! ...! X-Powered-By: PHP/5.3.27! ...

  17. On to Drupal

  18. Use HTTPS/SSL/TLS

  19. None

  20. You can redirect to https via .htaccess # Redirect when

    the request comes to http! RewriteCond %{HTTPS} off! RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

  21. https://drupal.org/project/securepages Secure Pages Module

  22. https://drupal.org/node/947312 Secure UID 1

  23. https://drupal.org/project/password If you’re on Drupal 6 use real password hashing

  24. http://php.net/password PHP Password API

  25. https://github.com/ircmaxell/password_compat PHP Password API Backward Compatability

  26. Change Admin passwords regularly and make them strong.

  27. Remove the clues it’s Drupal • Remove the text files

    (e.g., CHANGELOG.txt) • Remove install.php • web.config or .htaccess if not in use

  28. Remove Generator Meta Tag /**! * Implements hook_html_head_alter().! */! function

    custom_html_head_alter(&$head_elements) {! if (isset($head_elements['system_meta_generator'])) {! unset($head_elements['system_meta_generator']);! }! } <meta name="generator" content="Drupal 7 (http://drupal.org)" />

  29. Remove X-Generator Header // Override the header.! drupal_add_http_header(‘X-Generator’, ‘’) >

    curl -i -X HEAD https://2013.drupalcampmi.org! ...! X-Generator: Drupal 7 (http://drupal.org)! ... https://api.drupal.org/api/drupal/includes!bootstrap.inc/function/drupal_add_http_header/7

  30. Add X-Frame-Options Header drupal_add_http_header('X-Frame-Options', 'SAMEORIGIN'); > curl -i -X HEAD

    https://marketplace.hpcloud.com! ...! X-Frame-Options: SAMEORIGIN! ... https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

  31. http://www.lullabot.com/blog/article/keeping-drupals-files-safe Secure The Filesystem

  32. Web server user should not have write permission to Drupal

  33. http://www.hpcloud.com/products-services/object-storage Backup to offsite location

  34. https://drupal.org/project/backup_migrate Backup and Migrate Module

  35. https://drupal.org/project/aes Encrypt Backups

  36. Backup Creds Not On Production Server Web Server DB Server

    Backup Server Storage

  37. I shouldn’t have to tell you but...

  38. https://drupal.org/project/usage/drupal Keep Drupal Up To Date

  39. https://drupal.org/documentation/modules/update Update Manager Module

  40. Sign-up For Security Announcements

  41. Encrypt Sensitive Information

  42. https://drupal.org/project/aes AES Encryption Module

  43. http://phpseclib.sourceforge.net/ PHP Secure Communications Library

  44. Encrypted Field Modules • Encrypted Settings Field
 https://drupal.org/project/encset • Field

    Encryption
 https://drupal.org/project/field_encrypt • Encrypted Text
 https://drupal.org/project/encrypted_text


  45. Or, Store Them In A Secure Service

  46. drupal_http_request() does not check SSL certificates.

  47. http://guzzlephp.org/ Guzzle

  48. Using Guzzle // A little more complicated! $client = new

    \Guzzle\Http\Client('http://guzzlephp.org');! $request = $client->get('/');! $response = $request->send(); // A simple example! Guzzle\Http\StaticClient::mount();! $response = Guzzle::get('http://guzzlephp.org');

  49. Inject Cert To drupal_http_request() $opts = array(! ‘ssl’ => array(!

    ‘CN_match’ => ‘example.com’,! ‘verify_peer’ => TRUE,! ‘allow_self_signed’ => FALSE,! ‘cafile’ => ‘path/to/cert.pem’,! ),! );! $context = stream_context_create($opts);! $ops = array(! ‘context’ => $context,! );! $res = drupal_http_request(‘http://example.com’, $ops);

  50. Review Your Logs Regularly

  51. http://logstash.net/ Logstash

  52. http://www.loggly.com/ Loggly

  53. http://www.loggly.com/docs/alerts-overview/ Automated Alerts

  54. This is just the beginning...

  55. Questions? Slides are at... http://bit.ly/SecureYourSite