Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure Your Site

Avatar for Matt Farina Matt Farina
October 12, 2013
Technology
0
2.4k

Secure Your Site

An introduction to securing Drupal sites.

Avatar for Matt Farina

Matt Farina

October 12, 2013
Tweet

More Decks by Matt Farina

See All by Matt Farina
Faster Mobile Sites
Avatar for Matt Farina mattfarina
1
2.4k
Front End Performance Improvements
Avatar for Matt Farina mattfarina
5
2.2k
Building Faster Websites
Avatar for Matt Farina mattfarina
3
220
Faster Front End Performance
Avatar for Matt Farina mattfarina
3
310

Other Decks in Technology

See All in Technology
みんなのSRE 〜チーム全員でのSRE活動にするための4つの取り組み〜
Avatar for KAKEHASHI kakehashi
PRO
2
140
SRE新規立ち上げ! Hubbleインフラのこれまでと展望
Avatar for Katsuya Fujii katsuya0515
0
160
Kiroでインフラ要件定義~テスト
 を実施してみた
Avatar for nagisa_53 nagisa53
3
300
隙間時間で爆速開発! Claude Code × Vibe Coding で作るマニュアル自動生成サービス
Avatar for Akitomo Sato akitomonam
3
250
オブザーバビリティプラットフォーム開発におけるオブザーバビリティとの向き合い / Hatena Engineer Seminar #34 オブザーバビリティの実現と運用編
Avatar for Arthur arthur1
0
340
Unson OS|48時間で「売れるか」を判定する AI 市場検証プラットフォーム
Avatar for 佐藤圭吾 unson
0
170
✨敗北解法コレクション✨〜Expertだった頃に足りなかった知識と技術〜
Avatar for nanachi nanachi
1
370
Nx × AI によるモノレポ活用 〜コードジェネレーター編〜
Avatar for puku0x puku0x
0
330
2025新卒研修・HTML/CSS #弁護士ドットコム
Avatar for 弁護士ドットコム bengo4com
3
13k
【CEDEC2025】『ウマ娘 プリティーダービー』における映像制作のさらなる高品質化へ!~ 豊富な素材出力と制作フローの改善を実現するツールについて~
Avatar for Cygames cygames
PRO
0
230
ロールが細分化された組織でSREと協働するインフラエンジニアは何をするか? / SRE Lounge #18
Avatar for Hajime KOSHIRO kossykinto
0
110
【CEDEC2025】『Shadowverse: Worlds Beyond』二度目のDCG開発でゲームをリデザインする~遊びやすさと競技性の両立~
Avatar for Cygames cygames
PRO
1
290

Featured

See All Featured
Fireside Chat
Avatar for paigeccino paigeccino
37
3.6k
A better future with KSS
Avatar for Kyle Neath kneath
238
17k
Building Applications with DynamoDB
Avatar for Matt Wood mza
95
6.5k
Building Adaptive Systems
Avatar for Chris Keathley keathley
43
2.7k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
Avatar for Tammy Everts tammyeverts
8
420
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
Avatar for Vitaly Friedman smashingmag
251
21k
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
63
7.8k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
50
5.5k
RailsConf 2023
Avatar for Aaron Patterson tenderlove
30
1.2k
The Art of Delivering Value - GDevCon NA Keynote
Avatar for David Neal reverentgeek
15
1.6k
Designing for Performance
Avatar for Lara Hogan lara
610
69k
Gamification - CAS2011
Avatar for David Bonilla davidbonilla
81
5.4k

Transcript

  1. Secure Your Site Matt Farina Engineer at HP Cloud

  2. http://bit.ly/SecureYourSite You can get the slides at...

  3. • @mattfarina on twitter • Drupal.org UID 25701 (Over 8

    Years) • Co-Author of Drupal 7 Module Development • A Lead Engineer at HP Cloud

  4. http://techcrunch.com/2013/10/03/adobe-gets-hacked-product-source-code-and-data-for-2-9m-customers-likely-accessed/ Did you hear, Adobe was hacked

  5. http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever A Picture Of The Internet

  6. http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever 420,000 Hacked Linux Based Systems

  7. http://www.forbes.com/sites/cherylsnappconner/2013/09/14/are-you-prepared-71-of-cyber-attacks-hit-small-business/ 71% attacked sites of orgs with less than 100

    People

  8. http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html Scan port 22 (ssh) for the Internet in a

    day

  9. I’ve Watched Attacks Happen

  10. I’ve Found Hacked Servers

  11. For the sake of your users, secure your site.

  12. https://help.ubuntu.com/12.04/serverguide/security.html Harden Your Servers

  13. https://help.ubuntu.com/community/AutoWeeklyUpdateHowTo Keep packages up to date for security releases

  14. Lock Down Access Web Server DB Server

  15. http://openvpn.net/ Use A VPN

  16. http://stackoverflow.com/questions/2661799/removing-x-powered-by Removing X-Powered-By Header ; In your php.ini file set!

    expose_php = off > curl -i -X HEAD https://drupal.org! ...! X-Powered-By: PHP/5.3.27! ...

  17. On to Drupal

  18. Use HTTPS/SSL/TLS

  19. None

  20. You can redirect to https via .htaccess # Redirect when

    the request comes to http! RewriteCond %{HTTPS} off! RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

  21. https://drupal.org/project/securepages Secure Pages Module

  22. https://drupal.org/node/947312 Secure UID 1

  23. https://drupal.org/project/password If you’re on Drupal 6 use real password hashing

  24. http://php.net/password PHP Password API

  25. https://github.com/ircmaxell/password_compat PHP Password API Backward Compatability

  26. Change Admin passwords regularly and make them strong.

  27. Remove the clues it’s Drupal • Remove the text files

    (e.g., CHANGELOG.txt) • Remove install.php • web.config or .htaccess if not in use

  28. Remove Generator Meta Tag /**! * Implements hook_html_head_alter().! */! function

    custom_html_head_alter(&$head_elements) {! if (isset($head_elements['system_meta_generator'])) {! unset($head_elements['system_meta_generator']);! }! } <meta name="generator" content="Drupal 7 (http://drupal.org)" />

  29. Remove X-Generator Header // Override the header.! drupal_add_http_header(‘X-Generator’, ‘’) >

    curl -i -X HEAD https://2013.drupalcampmi.org! ...! X-Generator: Drupal 7 (http://drupal.org)! ... https://api.drupal.org/api/drupal/includes!bootstrap.inc/function/drupal_add_http_header/7

  30. Add X-Frame-Options Header drupal_add_http_header('X-Frame-Options', 'SAMEORIGIN'); > curl -i -X HEAD

    https://marketplace.hpcloud.com! ...! X-Frame-Options: SAMEORIGIN! ... https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

  31. http://www.lullabot.com/blog/article/keeping-drupals-files-safe Secure The Filesystem

  32. Web server user should not have write permission to Drupal

  33. http://www.hpcloud.com/products-services/object-storage Backup to offsite location

  34. https://drupal.org/project/backup_migrate Backup and Migrate Module

  35. https://drupal.org/project/aes Encrypt Backups

  36. Backup Creds Not On Production Server Web Server DB Server

    Backup Server Storage

  37. I shouldn’t have to tell you but...

  38. https://drupal.org/project/usage/drupal Keep Drupal Up To Date

  39. https://drupal.org/documentation/modules/update Update Manager Module

  40. Sign-up For Security Announcements

  41. Encrypt Sensitive Information

  42. https://drupal.org/project/aes AES Encryption Module

  43. http://phpseclib.sourceforge.net/ PHP Secure Communications Library

  44. Encrypted Field Modules • Encrypted Settings Field
 https://drupal.org/project/encset • Field

    Encryption
 https://drupal.org/project/field_encrypt • Encrypted Text
 https://drupal.org/project/encrypted_text


  45. Or, Store Them In A Secure Service

  46. drupal_http_request() does not check SSL certificates.

  47. http://guzzlephp.org/ Guzzle

  48. Using Guzzle // A little more complicated! $client = new

    \Guzzle\Http\Client('http://guzzlephp.org');! $request = $client->get('/');! $response = $request->send(); // A simple example! Guzzle\Http\StaticClient::mount();! $response = Guzzle::get('http://guzzlephp.org');

  49. Inject Cert To drupal_http_request() $opts = array(! ‘ssl’ => array(!

    ‘CN_match’ => ‘example.com’,! ‘verify_peer’ => TRUE,! ‘allow_self_signed’ => FALSE,! ‘cafile’ => ‘path/to/cert.pem’,! ),! );! $context = stream_context_create($opts);! $ops = array(! ‘context’ => $context,! );! $res = drupal_http_request(‘http://example.com’, $ops);

  50. Review Your Logs Regularly

  51. http://logstash.net/ Logstash

  52. http://www.loggly.com/ Loggly

  53. http://www.loggly.com/docs/alerts-overview/ Automated Alerts

  54. This is just the beginning...

  55. Questions? Slides are at... http://bit.ly/SecureYourSite