Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure Your Site

Matt Farina
October 12, 2013
Technology
0
2.4k

Secure Your Site

An introduction to securing Drupal sites.

Matt Farina

October 12, 2013
Tweet

More Decks by Matt Farina

See All by Matt Farina
Faster Mobile Sites
mattfarina
1
2.3k
Front End Performance Improvements
mattfarina
5
2.1k
Building Faster Websites
mattfarina
3
210
Faster Front End Performance
mattfarina
3
310

Other Decks in Technology

See All in Technology
エンジニアの健康管理術 / Engineer Health Management Techniques
y_sone
7
3.3k
結果的にこうなった。から見える メカニズムのようなもの。
recruitengineers
PRO
1
110
貧民的プログラミングのすすめ
kakehashi
PRO
2
180
AI Agent時代なのでAWSのLLMs.txtが欲しい!
watany
3
380
【内製開発Summit 2025】イオンスマートテクノロジーの内製化組織の作り方/In-house-development-summit-AST
aeonpeople
2
1.2k
AI自体のOps 〜LLMアプリの運用、AWSサービスとOSSの使い分け〜
minorun365
PRO
9
1.2k
開発者のための FinOps/FinOps for Engineers
oracle4engineer
PRO
2
270
30→150人のエンジニア組織拡大に伴うアジャイル文化を醸成する役割と取り組みの変化
nagata03
0
370
フォーイット_エンジニア向け会社紹介資料_Forit_Company_Profile.pdf
forit_tech
1
1.7k
リクルートのエンジニア組織を下支えする 新卒の育成の仕組み
recruitengineers
PRO
2
190
2025/3/1 公共交通オープンデータデイ2025
morohoshi
0
110
Pwned Labsのすゝめ
ken5scal
2
580

Featured

See All Featured
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
21
2.5k
Stop Working from a Prison Cell
hatefulcrawdad
268
20k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
11
540
Java REST API Framework Comparison - PWX 2021
mraible
29
8.4k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Build The Right Thing And Hit Your Dates
maggiecrowley
34
2.5k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
13
1k
The Invisible Side of Design
smashingmag
299
50k
Optimizing for Happiness
mojombo
377
70k
Side Projects
sachag
452
42k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.7k
Faster Mobile Websites
deanohume
306
31k

Transcript

  1. Secure Your Site Matt Farina Engineer at HP Cloud

  2. http://bit.ly/SecureYourSite You can get the slides at...

  3. • @mattfarina on twitter • Drupal.org UID 25701 (Over 8

    Years) • Co-Author of Drupal 7 Module Development • A Lead Engineer at HP Cloud

  4. http://techcrunch.com/2013/10/03/adobe-gets-hacked-product-source-code-and-data-for-2-9m-customers-likely-accessed/ Did you hear, Adobe was hacked

  5. http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever A Picture Of The Internet

  6. http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever 420,000 Hacked Linux Based Systems

  7. http://www.forbes.com/sites/cherylsnappconner/2013/09/14/are-you-prepared-71-of-cyber-attacks-hit-small-business/ 71% attacked sites of orgs with less than 100

    People

  8. http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html Scan port 22 (ssh) for the Internet in a

    day

  9. I’ve Watched Attacks Happen

  10. I’ve Found Hacked Servers

  11. For the sake of your users, secure your site.

  12. https://help.ubuntu.com/12.04/serverguide/security.html Harden Your Servers

  13. https://help.ubuntu.com/community/AutoWeeklyUpdateHowTo Keep packages up to date for security releases

  14. Lock Down Access Web Server DB Server

  15. http://openvpn.net/ Use A VPN

  16. http://stackoverflow.com/questions/2661799/removing-x-powered-by Removing X-Powered-By Header ; In your php.ini file set!

    expose_php = off > curl -i -X HEAD https://drupal.org! ...! X-Powered-By: PHP/5.3.27! ...

  17. On to Drupal

  18. Use HTTPS/SSL/TLS

  19. None

  20. You can redirect to https via .htaccess # Redirect when

    the request comes to http! RewriteCond %{HTTPS} off! RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

  21. https://drupal.org/project/securepages Secure Pages Module

  22. https://drupal.org/node/947312 Secure UID 1

  23. https://drupal.org/project/password If you’re on Drupal 6 use real password hashing

  24. http://php.net/password PHP Password API

  25. https://github.com/ircmaxell/password_compat PHP Password API Backward Compatability

  26. Change Admin passwords regularly and make them strong.

  27. Remove the clues it’s Drupal • Remove the text files

    (e.g., CHANGELOG.txt) • Remove install.php • web.config or .htaccess if not in use

  28. Remove Generator Meta Tag /**! * Implements hook_html_head_alter().! */! function

    custom_html_head_alter(&$head_elements) {! if (isset($head_elements['system_meta_generator'])) {! unset($head_elements['system_meta_generator']);! }! } <meta name="generator" content="Drupal 7 (http://drupal.org)" />

  29. Remove X-Generator Header // Override the header.! drupal_add_http_header(‘X-Generator’, ‘’) >

    curl -i -X HEAD https://2013.drupalcampmi.org! ...! X-Generator: Drupal 7 (http://drupal.org)! ... https://api.drupal.org/api/drupal/includes!bootstrap.inc/function/drupal_add_http_header/7

  30. Add X-Frame-Options Header drupal_add_http_header('X-Frame-Options', 'SAMEORIGIN'); > curl -i -X HEAD

    https://marketplace.hpcloud.com! ...! X-Frame-Options: SAMEORIGIN! ... https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

  31. http://www.lullabot.com/blog/article/keeping-drupals-files-safe Secure The Filesystem

  32. Web server user should not have write permission to Drupal

  33. http://www.hpcloud.com/products-services/object-storage Backup to offsite location

  34. https://drupal.org/project/backup_migrate Backup and Migrate Module

  35. https://drupal.org/project/aes Encrypt Backups

  36. Backup Creds Not On Production Server Web Server DB Server

    Backup Server Storage

  37. I shouldn’t have to tell you but...

  38. https://drupal.org/project/usage/drupal Keep Drupal Up To Date

  39. https://drupal.org/documentation/modules/update Update Manager Module

  40. Sign-up For Security Announcements

  41. Encrypt Sensitive Information

  42. https://drupal.org/project/aes AES Encryption Module

  43. http://phpseclib.sourceforge.net/ PHP Secure Communications Library

  44. Encrypted Field Modules • Encrypted Settings Field
 https://drupal.org/project/encset • Field

    Encryption
 https://drupal.org/project/field_encrypt • Encrypted Text
 https://drupal.org/project/encrypted_text


  45. Or, Store Them In A Secure Service

  46. drupal_http_request() does not check SSL certificates.

  47. http://guzzlephp.org/ Guzzle

  48. Using Guzzle // A little more complicated! $client = new

    \Guzzle\Http\Client('http://guzzlephp.org');! $request = $client->get('/');! $response = $request->send(); // A simple example! Guzzle\Http\StaticClient::mount();! $response = Guzzle::get('http://guzzlephp.org');

  49. Inject Cert To drupal_http_request() $opts = array(! ‘ssl’ => array(!

    ‘CN_match’ => ‘example.com’,! ‘verify_peer’ => TRUE,! ‘allow_self_signed’ => FALSE,! ‘cafile’ => ‘path/to/cert.pem’,! ),! );! $context = stream_context_create($opts);! $ops = array(! ‘context’ => $context,! );! $res = drupal_http_request(‘http://example.com’, $ops);

  50. Review Your Logs Regularly

  51. http://logstash.net/ Logstash

  52. http://www.loggly.com/ Loggly

  53. http://www.loggly.com/docs/alerts-overview/ Automated Alerts

  54. This is just the beginning...

  55. Questions? Slides are at... http://bit.ly/SecureYourSite