Secure Your Site
Matt Farina
October 12, 2013
Technology
An introduction to securing Drupal sites.
Transcript
Secure Your Site
Matt Farina, Engineer at HP Cloud
You can get the slides at http://bit.ly/SecureYourSite
• @mattfarina on twitter
• Drupal.org UID 25701 (over 8 years)
• Co-author of Drupal 7 Module Development
• A lead engineer at HP Cloud
http://techcrunch.com/2013/10/03/adobe-gets-hacked-product-source-code-and-data-for-2-9m-customers-likely-accessed/ Did you hear, Adobe was hacked
http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever A Picture Of The Internet
http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever 420,000 Hacked Linux Based Systems
http://www.forbes.com/sites/cherylsnappconner/2013/09/14/are-you-prepared-71-of-cyber-attacks-hit-small-business/ 71% of attacks hit organizations with fewer than 100 people
http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html The whole Internet can be scanned on port 22 (ssh) in a day
I’ve Watched Attacks Happen
I’ve Found Hacked Servers
For the sake of your users, secure your site.
https://help.ubuntu.com/12.04/serverguide/security.html Harden Your Servers
https://help.ubuntu.com/community/AutoWeeklyUpdateHowTo Keep packages up to date for security releases
Lock Down Access (diagram: web server and DB server)
http://openvpn.net/ Use A VPN
http://stackoverflow.com/questions/2661799/removing-x-powered-by Remove the X-Powered-By header. In your php.ini set:
    expose_php = off
Check it with curl (use -I, which sends a real HEAD request; -X HEAD makes curl wait for a body that never arrives):
    > curl -I https://drupal.org
    ...
    X-Powered-By: PHP/5.3.27
    ...
On to Drupal
Use HTTPS/SSL/TLS
You can redirect to https via .htaccess (Drupal's stock .htaccess already has a mod_rewrite block with RewriteEngine on; put these lines inside it):
    # Redirect when the request comes in over http
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Caveat: behind a load balancer that terminates TLS, %{HTTPS} is "off" for every request; test the X-Forwarded-Proto header it sets instead, or the site redirects forever.
https://drupal.org/project/securepages Secure Pages Module
https://drupal.org/node/947312 Secure UID 1
https://drupal.org/project/password If you’re on Drupal 6 use real password hashing
http://php.net/password PHP Password API
https://github.com/ircmaxell/password_compat PHP Password API Backward Compatibility (for PHP older than 5.5)
Change Admin passwords regularly and make them strong.
Remove the clues that it's Drupal:
• Remove the text files (e.g., CHANGELOG.txt)
• Remove install.php
• Remove web.config or .htaccess if not in use
Remove the generator meta tag, which otherwise renders as
    <meta name="generator" content="Drupal 7 (http://drupal.org)" />
    /**
     * Implements hook_html_head_alter().
     */
    function custom_html_head_alter(&$head_elements) {
      // 'system_meta_generator' is the key core uses for the tag.
      if (isset($head_elements['system_meta_generator'])) {
        unset($head_elements['system_meta_generator']);
      }
    }
Remove the X-Generator header (https://api.drupal.org/api/drupal/includes!bootstrap.inc/function/drupal_add_http_header/7):
    // Override the header. Pass FALSE, not '': drupal_add_http_header() only
    // drops a header whose value is FALSE; an empty string still sends "X-Generator: ".
    drupal_add_http_header('X-Generator', FALSE);
Before the change:
    > curl -I https://2013.drupalcampmi.org
    ...
    X-Generator: Drupal 7 (http://drupal.org)
    ...
Add the X-Frame-Options header (https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options) so the site cannot be framed for clickjacking:
    drupal_add_http_header('X-Frame-Options', 'SAMEORIGIN');
    > curl -I https://marketplace.hpcloud.com
    ...
    X-Frame-Options: SAMEORIGIN
    ...
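Putting the checks from the last few slides together (the http-to-https redirect, X-Powered-By, the tell-tale files, the generator meta tag, X-Generator and X-Frame-Options), here is an offline audit script. It is an added example, not code from the deck: the sample responses are constructed, and the function names, the INSTALL.txt probe and the host example.com are the example's own. Against a live site you would feed it the output of curl instead of the constructed strings.

```python
"""Offline audit of a Drupal site's HTTP responses for the leaks the slides
cover.  Added example, not code from the deck; every response below is
constructed for the demo, not captured from a real site."""
import re

# Files whose presence gives away the CMS.  The slides name CHANGELOG.txt and
# install.php; INSTALL.txt is one more of the same kind (example's addition).
TELLTALE_PATHS = ("/CHANGELOG.txt", "/INSTALL.txt", "/install.php")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body).
    Header names are lower-cased: they are case-insensitive on the wire."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_text = head.partition("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_text.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit_page(raw_https_response):
    """Findings for the front page fetched over HTTPS; each names the fix."""
    _, headers, body = parse_response(raw_https_response)
    findings = []
    if "x-powered-by" in headers:
        findings.append("X-Powered-By leaks the PHP version: set expose_php = off")
    if "x-generator" in headers:
        # An empty value still counts: drupal_add_http_header('X-Generator', '')
        # sends an empty header; only FALSE removes it.
        findings.append("X-Generator header sent (%r): drupal_add_http_header('X-Generator', FALSE)"
                        % headers["x-generator"])
    if re.search(r'<meta\s+name="generator"', body, re.IGNORECASE):
        findings.append("generator <meta> tag present: unset it in hook_html_head_alter()")
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or weak: send SAMEORIGIN (or DENY)")
    return findings


def audit_redirect(raw_http_response, host):
    """The plain-HTTP response should be a 301 whose Location is the same
    host over HTTPS; anything else leaves users on the unencrypted site."""
    status, headers, _ = parse_response(raw_http_response)
    location = headers.get("location", "")
    if status != 301 or not location.lower().startswith("https://" + host.lower() + "/"):
        return ["http:// is not redirected to https://%s with a 301 (got %d, Location %r)"
                % (host, status, location)]
    return []


def audit_telltales(status_by_path):
    """status_by_path maps each probed path to the status it returned; 200
    means the file is still in the docroot and world-readable."""
    return ["%s is readable: remove it from the docroot" % path
            for path in TELLTALE_PATHS if status_by_path.get(path) == 200]


def audit_site(http_response, https_response, probes, host):
    """Run all three checks and return the combined list of findings."""
    return (audit_redirect(http_response, host)
            + audit_page(https_response)
            + audit_telltales(probes))


# Constructed responses: a site as it ships, and the same site hardened.
LEAKY_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: PHP/5.3.27\r\n"
    "X-Generator: Drupal 7 (http://drupal.org)\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="Drupal 7 (http://drupal.org)" />'
    "</head><body></body></html>"
)
HARDENED_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><head></head><body></body></html>"
)
NO_REDIRECT = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
GOOD_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n"
LEAKY_PROBES = {"/CHANGELOG.txt": 200, "/INSTALL.txt": 403, "/install.php": 200}

if __name__ == "__main__":
    for name, args in (("as shipped", (NO_REDIRECT, LEAKY_PAGE, LEAKY_PROBES)),
                       ("hardened", (GOOD_REDIRECT, HARDENED_PAGE, {}))):
        print("== %s ==" % name)
        for finding in audit_site(*args, host="example.com") or ["no findings"]:
            print(" -", finding)
```

The X-Generator check deliberately fires on an empty value, which is what the `drupal_add_http_header('X-Generator', '')` variant produces; only passing FALSE makes the header disappear from the response.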
http://www.lullabot.com/blog/article/keeping-drupals-files-safe Secure The Filesystem
The web server user should not have write permission to the Drupal code base; the only tree it needs to write is the public files directory (sites/default/files by default). A writable code directory lets anyone who gets code execution drop a new .php file next to Drupal's own.
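The check a practitioner would want here, as an added example (not code from the deck or from the Lullabot article): a script that walks a docroot and lists every file or directory the web-server user could write to outside the files tree. It assumes the web server runs as one unprivileged user, that sites/default/files is the only tree Drupal legitimately writes to (adjust WRITABLE_OK for multisite or a private files directory), and judges writability from mode bits only, so POSIX ACLs are not considered. The docroot it builds for the demo is constructed in a temp directory, with the current user standing in for the web-server user.

```python
"""Find everything under a Drupal docroot that the web-server user could
write to.  Added example, not the deck's or Lullabot's code.  Assumes the
code is owned by a separate deploy user and Apache runs as one unprivileged
uid; the demo docroot is constructed."""
import os
import stat
import tempfile

# Subtrees, relative to the docroot, that Drupal itself must write to
# (assumption: a single-site install with the default public files path).
WRITABLE_OK = ("sites/default/files",)


def writable_by(st, uid, gids):
    """True if a process running as uid (member of gids) could write to the
    inode described by stat result st, judged from the mode bits alone.
    ACLs are not consulted and root is not special-cased: the web server
    should never be root in the first place."""
    mode = st.st_mode
    if mode & stat.S_IWOTH:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return st.st_uid == uid and bool(mode & stat.S_IWUSR)


def find_writable(docroot, web_uid, web_gids, allowed=WRITABLE_OK):
    """Sorted docroot-relative paths of files and directories the web-server
    user can write to, outside the allowed subtrees.  A writable directory
    matters as much as a writable file: it lets an attacker create files."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        rel_dir = "" if rel_dir == "." else rel_dir
        # Do not descend into the trees that are supposed to be writable.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(rel_dir, d) not in allowed]
        # "" stands for the directory itself; then each file in it.
        for name in [""] + filenames:
            path = os.path.join(dirpath, name) if name else dirpath
            rel = os.path.join(rel_dir, name) if name else rel_dir
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are meaningless
            if writable_by(st, web_uid, web_gids):
                hits.append(rel or ".")
    return sorted(hits)


def demo_docroot():
    """Constructed docroot in a temp dir, with modes chosen so the current
    user plays the web-server user.  Returns the path."""
    root = tempfile.mkdtemp(prefix="drupal-docroot-")
    files = {
        "index.php": 0o444,                              # read-only: fine
        "sites/default/settings.php": 0o644,             # owner-writable: flagged
        "sites/default/files/logo.png": 0o664,           # allowed tree: ignored
        "sites/all/modules/custom/custom.module": 0o444,
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php\n")
        os.chmod(path, mode)
    for rel in ("", "sites", "sites/default", "sites/all", "sites/all/modules"):
        os.chmod(os.path.join(root, rel), 0o555)
    os.chmod(os.path.join(root, "sites/all/modules/custom"), 0o777)  # flagged
    return root


def run_demo():
    """Audit the constructed docroot as the current user; returns the hits."""
    gids = set(os.getgroups()) | {os.getgid()}
    return find_writable(demo_docroot(), os.getuid(), gids)


if __name__ == "__main__":
    for hit in run_demo():
        print("writable by web server:", hit)
```

On a real host, pass the uid and group ids of the account Apache or php-fpm runs as (for example www-data) and the deployed docroot; anything the script lists outside the files tree should be chowned to the deploy user or chmodded read-only.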
http://www.hpcloud.com/products-services/object-storage Backup to offsite location
https://drupal.org/project/backup_migrate Backup and Migrate Module
https://drupal.org/project/aes Encrypt Backups
Keep backup credentials off the production server (diagram: web server and DB server on one side, backup server and storage on the other)
I shouldn’t have to tell you but...
https://drupal.org/project/usage/drupal Keep Drupal Up To Date
https://drupal.org/documentation/modules/update Update Manager Module
Sign-up For Security Announcements
Encrypt Sensitive Information
https://drupal.org/project/aes AES Encryption Module
http://phpseclib.sourceforge.net/ PHP Secure Communications Library
Encrypted Field Modules
• Encrypted Settings Field https://drupal.org/project/encset
• Field Encryption https://drupal.org/project/field_encrypt
• Encrypted Text https://drupal.org/project/encrypted_text
Or, Store Them In A Secure Service
drupal_http_request() does not check SSL certificates.
http://guzzlephp.org/ Guzzle
Using Guzzle (Guzzle 3 verifies the server certificate for https:// URLs by default, so use https, not http, or the check never runs):
    // A little more complicated
    $client = new \Guzzle\Http\Client('https://guzzlephp.org');
    $request = $client->get('/');
    $response = $request->send();

    // A simple example
    Guzzle\Http\StaticClient::mount();
    $response = Guzzle::get('https://guzzlephp.org');
Inject a verifying SSL context into drupal_http_request():
    $opts = array(
      'ssl' => array(
        'verify_peer' => TRUE,
        'allow_self_signed' => FALSE,
        // PHP 5.3-5.5 use CN_match; PHP 5.6+ renamed it peer_name and
        // verifies peers by default.
        'CN_match' => 'example.com',
        // A CA bundle, or the server's own cert if you pin it.
        'cafile' => 'path/to/cert.pem',
      ),
    );
    $context = stream_context_create($opts);
    $options = array(
      'context' => $context,
    );
    // The URL must be https://; with http:// the SSL context is never used.
    $res = drupal_http_request('https://example.com', $options);
Review Your Logs Regularly
http://logstash.net/ Logstash
http://www.loggly.com/ Loggly
http://www.loggly.com/docs/alerts-overview/ Automated Alerts
This is just the beginning...
Questions? Slides are at... http://bit.ly/SecureYourSite