Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure Your Site
Search
Matt Farina
October 12, 2013
Technology
0
2.4k
Secure Your Site
An introduction to securing Drupal sites.
Matt Farina
October 12, 2013
Tweet
Share
More Decks by Matt Farina
See All by Matt Farina
Faster Mobile Sites
mattfarina
1
2.4k
Front End Performance Improvements
mattfarina
5
2.2k
Building Faster Websites
mattfarina
3
220
Faster Front End Performance
mattfarina
3
310
Other Decks in Technology
See All in Technology
みんなのSRE 〜チーム全員でのSRE活動にするための4つの取り組み〜
kakehashi
PRO
2
140
SRE新規立ち上げ! Hubbleインフラのこれまでと展望
katsuya0515
0
160
Kiroでインフラ要件定義~テスト を実施してみた
nagisa53
3
300
隙間時間で爆速開発! Claude Code × Vibe Coding で作るマニュアル自動生成サービス
akitomonam
3
250
オブザーバビリティプラットフォーム開発におけるオブザーバビリティとの向き合い / Hatena Engineer Seminar #34 オブザーバビリティの実現と運用編
arthur1
0
340
Unson OS|48時間で「売れるか」を判定する AI 市場検証プラットフォーム
unson
0
170
✨敗北解法コレクション✨〜Expertだった頃に足りなかった知識と技術〜
nanachi
1
370
Nx × AI によるモノレポ活用 〜コードジェネレーター編〜
puku0x
0
330
2025新卒研修・HTML/CSS #弁護士ドットコム
bengo4com
3
13k
【CEDEC2025】『ウマ娘 プリティーダービー』における映像制作のさらなる高品質化へ!~ 豊富な素材出力と制作フローの改善を実現するツールについて~
cygames
PRO
0
230
ロールが細分化された組織でSREと協働するインフラエンジニアは何をするか? / SRE Lounge #18
kossykinto
0
110
【CEDEC2025】『Shadowverse: Worlds Beyond』二度目のDCG開発でゲームをリデザインする~遊びやすさと競技性の両立~
cygames
PRO
1
290
Featured
See All Featured
Fireside Chat
paigeccino
37
3.6k
A better future with KSS
kneath
238
17k
Building Applications with DynamoDB
mza
95
6.5k
Building Adaptive Systems
keathley
43
2.7k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
8
420
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.8k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
50
5.5k
RailsConf 2023
tenderlove
30
1.2k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
15
1.6k
Designing for Performance
lara
610
69k
Gamification - CAS2011
davidbonilla
81
5.4k
Transcript
Secure Your Site Matt Farina Engineer at HP Cloud
http://bit.ly/SecureYourSite You can get the slides at...
• @mattfarina on twitter • Drupal.org UID 25701 (Over 8
Years) • Co-Author of Drupal 7 Module Development • A Lead Engineer at HP Cloud
http://techcrunch.com/2013/10/03/adobe-gets-hacked-product-source-code-and-data-for-2-9m-customers-likely-accessed/ Did you hear, Adobe was hacked
http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever A Picture Of The Internet
http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever 420,000 Hacked Linux Based Systems
http://www.forbes.com/sites/cherylsnappconner/2013/09/14/are-you-prepared-71-of-cyber-attacks-hit-small-business/ 71% attacked sites of orgs with less than 100
People
http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html Scan port 22 (ssh) for the Internet in a
day
I’ve Watched Attacks Happen
I’ve Found Hacked Servers
For the sake of your users, secure your site.
https://help.ubuntu.com/12.04/serverguide/security.html Harden Your Servers
https://help.ubuntu.com/community/AutoWeeklyUpdateHowTo Keep packages up to date for security releases
Lock Down Access Web Server DB Server
http://openvpn.net/ Use A VPN
http://stackoverflow.com/questions/2661799/removing-x-powered-by Removing X-Powered-By Header ; In your php.ini file set!
expose_php = off > curl -i -X HEAD https://drupal.org! ...! X-Powered-By: PHP/5.3.27! ...
On to Drupal
Use HTTPS/SSL/TLS
None
You can redirect to https via .htaccess # Redirect when
the request comes to http! RewriteCond %{HTTPS} off! RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
https://drupal.org/project/securepages Secure Pages Module
https://drupal.org/node/947312 Secure UID 1
https://drupal.org/project/password If you’re on Drupal 6 use real password hashing
http://php.net/password PHP Password API
https://github.com/ircmaxell/password_compat PHP Password API Backward Compatability
Change Admin passwords regularly and make them strong.
Remove the clues it’s Drupal • Remove the text files
(e.g., CHANGELOG.txt) • Remove install.php • web.config or .htaccess if not in use
Remove Generator Meta Tag /**! * Implements hook_html_head_alter().! */! function
custom_html_head_alter(&$head_elements) {! if (isset($head_elements['system_meta_generator'])) {! unset($head_elements['system_meta_generator']);! }! } <meta name="generator" content="Drupal 7 (http://drupal.org)" />
Remove X-Generator Header // Override the header.! drupal_add_http_header(‘X-Generator’, ‘’) >
curl -i -X HEAD https://2013.drupalcampmi.org! ...! X-Generator: Drupal 7 (http://drupal.org)! ... https://api.drupal.org/api/drupal/includes!bootstrap.inc/function/drupal_add_http_header/7
Add X-Frame-Options Header drupal_add_http_header('X-Frame-Options', 'SAMEORIGIN'); > curl -i -X HEAD
https://marketplace.hpcloud.com! ...! X-Frame-Options: SAMEORIGIN! ... https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
http://www.lullabot.com/blog/article/keeping-drupals-files-safe Secure The Filesystem
Web server user should not have write permission to Drupal
http://www.hpcloud.com/products-services/object-storage Backup to offsite location
https://drupal.org/project/backup_migrate Backup and Migrate Module
https://drupal.org/project/aes Encrypt Backups
Backup Creds Not On Production Server Web Server DB Server
Backup Server Storage
I shouldn’t have to tell you but...
https://drupal.org/project/usage/drupal Keep Drupal Up To Date
https://drupal.org/documentation/modules/update Update Manager Module
Sign-up For Security Announcements
Encrypt Sensitive Information
https://drupal.org/project/aes AES Encryption Module
http://phpseclib.sourceforge.net/ PHP Secure Communications Library
Encrypted Field Modules • Encrypted Settings Field https://drupal.org/project/encset • Field
Encryption https://drupal.org/project/field_encrypt • Encrypted Text https://drupal.org/project/encrypted_text
Or, Store Them In A Secure Service
drupal_http_request() does not check SSL certificates.
http://guzzlephp.org/ Guzzle
Using Guzzle // A little more complicated! $client = new
\Guzzle\Http\Client('http://guzzlephp.org');! $request = $client->get('/');! $response = $request->send(); // A simple example! Guzzle\Http\StaticClient::mount();! $response = Guzzle::get('http://guzzlephp.org');
Inject Cert To drupal_http_request() $opts = array(! ‘ssl’ => array(!
‘CN_match’ => ‘example.com’,! ‘verify_peer’ => TRUE,! ‘allow_self_signed’ => FALSE,! ‘cafile’ => ‘path/to/cert.pem’,! ),! );! $context = stream_context_create($opts);! $ops = array(! ‘context’ => $context,! );! $res = drupal_http_request(‘http://example.com’, $ops);
Review Your Logs Regularly
http://logstash.net/ Logstash
http://www.loggly.com/ Loggly
http://www.loggly.com/docs/alerts-overview/ Automated Alerts
This is just the beginning...
Questions? Slides are at... http://bit.ly/SecureYourSite