Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure Your Site
Search
Matt Farina
October 12, 2013
Technology
0
2.4k
Secure Your Site
An introduction to securing Drupal sites.
Matt Farina
October 12, 2013
Tweet
Share
More Decks by Matt Farina
See All by Matt Farina
Faster Mobile Sites
mattfarina
1
2.4k
Front End Performance Improvements
mattfarina
5
2.2k
Building Faster Websites
mattfarina
3
220
Faster Front End Performance
mattfarina
3
310
Other Decks in Technology
See All in Technology
【5分でわかる】セーフィー エンジニア向け会社紹介
safie_recruit
0
27k
ビギナーであり続ける/beginning
ikuodanaka
3
760
赤煉瓦倉庫勉強会「Databricksを選んだ理由と、絶賛真っ只中のデータ基盤移行体験記」
ivry_presentationmaterials
2
360
Zero Data Loss Autonomous Recovery Service サービス概要
oracle4engineer
PRO
2
7.8k
DBのスキルで生き残る技術 - AI時代におけるテーブル設計の勘所
soudai
PRO
50
20k
american airlines®️ USA Contact Numbers: Complete 2025 Support Guide
supportflight
1
110
データグループにおけるフロントエンド開発
lycorptech_jp
PRO
1
100
MUITにおける開発プロセスモダナイズの取り組みと開発生産性可視化の取り組みについて / Modernize the Development Process and Visualize Development Productivity at MUIT
muit
1
16k
面倒な作業はAIにおまかせ。Flutter開発をスマートに効率化
ruideengineer
0
260
Backlog ユーザー棚卸しRTA、多分これが一番早いと思います
__allllllllez__
1
150
KubeCon + CloudNativeCon Japan 2025 Recap
ren510dev
1
380
生成AI活用の組織格差を解消する 〜ビジネス職のCursor導入が開発効率に与えた好循環〜 / Closing the Organizational Gap in AI Adoption
upamune
7
5.3k
Featured
See All Featured
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
1.8k
Unsuck your backbone
ammeep
671
58k
Code Reviewing Like a Champion
maltzj
524
40k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.4k
Statistics for Hackers
jakevdp
799
220k
Scaling GitHub
holman
460
140k
Embracing the Ebb and Flow
colly
86
4.7k
Side Projects
sachag
455
42k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
[RailsConf 2023] Rails as a piece of cake
palkan
55
5.7k
Transcript
Secure Your Site Matt Farina Engineer at HP Cloud
http://bit.ly/SecureYourSite You can get the slides at...
• @mattfarina on twitter • Drupal.org UID 25701 (Over 8
Years) • Co-Author of Drupal 7 Module Development • A Lead Engineer at HP Cloud
http://techcrunch.com/2013/10/03/adobe-gets-hacked-product-source-code-and-data-for-2-9m-customers-likely-accessed/ Did you hear, Adobe was hacked
http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever A Picture Of The Internet
http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever 420,000 Hacked Linux Based Systems
http://www.forbes.com/sites/cherylsnappconner/2013/09/14/are-you-prepared-71-of-cyber-attacks-hit-small-business/ 71% attacked sites of orgs with less than 100
People
http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html Scan port 22 (ssh) for the Internet in a
day
I’ve Watched Attacks Happen
I’ve Found Hacked Servers
For the sake of your users, secure your site.
https://help.ubuntu.com/12.04/serverguide/security.html Harden Your Servers
https://help.ubuntu.com/community/AutoWeeklyUpdateHowTo Keep packages up to date for security releases
Lock Down Access Web Server DB Server
http://openvpn.net/ Use A VPN
http://stackoverflow.com/questions/2661799/removing-x-powered-by Removing X-Powered-By Header ; In your php.ini file set!
expose_php = off > curl -i -X HEAD https://drupal.org! ...! X-Powered-By: PHP/5.3.27! ...
On to Drupal
Use HTTPS/SSL/TLS
None
You can redirect to https via .htaccess # Redirect when
the request comes to http! RewriteCond %{HTTPS} off! RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
https://drupal.org/project/securepages Secure Pages Module
https://drupal.org/node/947312 Secure UID 1
https://drupal.org/project/password If you’re on Drupal 6 use real password hashing
http://php.net/password PHP Password API
https://github.com/ircmaxell/password_compat PHP Password API Backward Compatability
Change Admin passwords regularly and make them strong.
Remove the clues it’s Drupal • Remove the text files
(e.g., CHANGELOG.txt) • Remove install.php • web.config or .htaccess if not in use
Remove Generator Meta Tag /**! * Implements hook_html_head_alter().! */! function
custom_html_head_alter(&$head_elements) {! if (isset($head_elements['system_meta_generator'])) {! unset($head_elements['system_meta_generator']);! }! } <meta name="generator" content="Drupal 7 (http://drupal.org)" />
Remove X-Generator Header // Override the header.! drupal_add_http_header(‘X-Generator’, ‘’) >
curl -i -X HEAD https://2013.drupalcampmi.org! ...! X-Generator: Drupal 7 (http://drupal.org)! ... https://api.drupal.org/api/drupal/includes!bootstrap.inc/function/drupal_add_http_header/7
Add X-Frame-Options Header drupal_add_http_header('X-Frame-Options', 'SAMEORIGIN'); > curl -i -X HEAD
https://marketplace.hpcloud.com! ...! X-Frame-Options: SAMEORIGIN! ... https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
http://www.lullabot.com/blog/article/keeping-drupals-files-safe Secure The Filesystem
Web server user should not have write permission to Drupal
http://www.hpcloud.com/products-services/object-storage Backup to offsite location
https://drupal.org/project/backup_migrate Backup and Migrate Module
https://drupal.org/project/aes Encrypt Backups
Backup Creds Not On Production Server Web Server DB Server
Backup Server Storage
I shouldn’t have to tell you but...
https://drupal.org/project/usage/drupal Keep Drupal Up To Date
https://drupal.org/documentation/modules/update Update Manager Module
Sign-up For Security Announcements
Encrypt Sensitive Information
https://drupal.org/project/aes AES Encryption Module
http://phpseclib.sourceforge.net/ PHP Secure Communications Library
Encrypted Field Modules • Encrypted Settings Field https://drupal.org/project/encset • Field
Encryption https://drupal.org/project/field_encrypt • Encrypted Text https://drupal.org/project/encrypted_text
Or, Store Them In A Secure Service
drupal_http_request() does not check SSL certificates.
http://guzzlephp.org/ Guzzle
Using Guzzle // A little more complicated! $client = new
\Guzzle\Http\Client('http://guzzlephp.org');! $request = $client->get('/');! $response = $request->send(); // A simple example! Guzzle\Http\StaticClient::mount();! $response = Guzzle::get('http://guzzlephp.org');
Inject Cert To drupal_http_request() $opts = array(! ‘ssl’ => array(!
‘CN_match’ => ‘example.com’,! ‘verify_peer’ => TRUE,! ‘allow_self_signed’ => FALSE,! ‘cafile’ => ‘path/to/cert.pem’,! ),! );! $context = stream_context_create($opts);! $ops = array(! ‘context’ => $context,! );! $res = drupal_http_request(‘http://example.com’, $ops);
Review Your Logs Regularly
http://logstash.net/ Logstash
http://www.loggly.com/ Loggly
http://www.loggly.com/docs/alerts-overview/ Automated Alerts
This is just the beginning...
Questions? Slides are at... http://bit.ly/SecureYourSite