Secure Your Site

Matt Farina
October 12, 2013


An introduction to securing Drupal sites.



Transcript

  1. Secure Your Site. Matt Farina, Engineer at HP Cloud

  2. You can get the slides at http://bit.ly/SecureYourSite

  3. • @mattfarina on Twitter
     • Drupal.org UID 25701 (over 8 years)
     • Co-author of Drupal 7 Module Development
     • A lead engineer at HP Cloud
  4. http://techcrunch.com/2013/10/03/adobe-gets-hacked-product-source-code-and-data-for-2-9m-customers-likely-accessed/ Did you hear, Adobe was hacked

  5. http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever A Picture Of The Internet

  6. http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever 420,000 Hacked Linux Based Systems

  7. http://www.forbes.com/sites/cherylsnappconner/2013/09/14/are-you-prepared-71-of-cyber-attacks-hit-small-business/ 71% of attacks hit organisations with fewer than 100 people. Small sites are targets too.
  8. http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html The whole Internet can be scanned for port 22 (ssh) in a day. Anything you expose will be found.
  9. I’ve Watched Attacks Happen

  10. I’ve Found Hacked Servers

  11. For the sake of your users, secure your site.

  12. https://help.ubuntu.com/12.04/serverguide/security.html Harden Your Servers

  13. https://help.ubuntu.com/community/AutoWeeklyUpdateHowTo Keep packages up to date for security releases

  14. Lock Down Access (diagram: web server and DB server). Only the web server should be able to reach the database, over a private network, and neither server should expose more than it needs to the Internet.

  15. http://openvpn.net/ Use A VPN

  16. http://stackoverflow.com/questions/2661799/removing-x-powered-by Removing the X-Powered-By header. In your php.ini set:

     expose_php = Off

     Check it with a HEAD request (curl -I sends HEAD and prints only the headers):

     > curl -I https://drupal.org
     ...
     X-Powered-By: PHP/5.3.27
     ...

     Hiding the version does not make an outdated PHP any safer; it only stops it being advertised to scanners.
  17. On to Drupal

  18. Use HTTPS/SSL/TLS

  20. You can redirect to https via .htaccess. Drupal's shipped .htaccess already contains RewriteEngine On, so these lines go inside that block:

     # Redirect when the request comes in over plain http
     RewriteCond %{HTTPS} off
     RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

     Caveat: behind a load balancer or proxy that terminates TLS, %{HTTPS} is "off" for every request and this rule loops; test against the X-Forwarded-Proto header your proxy sets instead.
  21. https://drupal.org/project/securepages Secure Pages Module

  22. https://drupal.org/node/947312 Secure UID 1

  23. https://drupal.org/project/password If you're on Drupal 6 use real password hashing. Drupal 6 core stores unsalted MD5 hashes; this module backports the salted, iterated hashing that Drupal 7 core uses.

  24. http://php.net/password PHP Password API

  25. https://github.com/ircmaxell/password_compat PHP Password API backward compatibility (the same API for PHP 5.3.7 and later)
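The following is an added example, not code from the slides, showing how the PHP Password API from slides 24 and 25 is used for the whole lifecycle of a password: hashing on signup, constant-time verification on login, transparent re-hashing when the cost factor is raised, and (going beyond the slides) a one-time upgrade from the unsalted MD5 hashes Drupal 6 core stores. The function names store_password, check_login and upgrade_legacy_md5 and the polyfill path are assumptions.

```php
<?php
// Added example: password handling with the PHP Password API.
// PHP >= 5.5 has password_hash() built in; on 5.3.7/5.4 the
// ircmaxell/password_compat polyfill provides the same functions.
if (!function_exists('password_hash')) {
  // Polyfill location is an assumption; adjust to where you installed it.
  require_once __DIR__ . '/vendor/ircmaxell/password_compat/lib/password.php';
}

// Work factor: bcrypt cost 12 takes roughly a quarter second on 2013-era
// hardware. Raise it over time; existing hashes are upgraded by check_login().
define('PASSWORD_COST', 12);

/**
 * Returns the string to store for a new password.
 *
 * bcrypt embeds a fresh random salt and the cost in the hash itself, so two
 * users with the same password get different hashes and the cost can be
 * raised later without touching the schema.
 */
function store_password($plaintext) {
  return password_hash($plaintext, PASSWORD_DEFAULT, array('cost' => PASSWORD_COST));
}

/**
 * Verifies a login attempt against a stored hash.
 *
 * Returns NULL when the password is wrong. On success returns the hash that
 * should now be stored: the old one, or a new one if the stored hash was made
 * with an older algorithm or a lower cost than PASSWORD_COST.
 */
function check_login($plaintext, $stored_hash) {
  // password_verify() compares in constant time; never compare hashes with ==.
  if (!password_verify($plaintext, $stored_hash)) {
    return NULL;
  }
  if (password_needs_rehash($stored_hash, PASSWORD_DEFAULT, array('cost' => PASSWORD_COST))) {
    return store_password($plaintext);
  }
  return $stored_hash;
}

/**
 * Upgrade path for an unsalted MD5 hash (what Drupal 6 core stores): verify it
 * once on login and hand back a bcrypt hash to replace it with. Returns NULL
 * when the password does not match the legacy hash.
 */
function upgrade_legacy_md5($plaintext, $legacy_hash) {
  if (md5($plaintext) !== $legacy_hash) {
    return NULL;
  }
  return store_password($plaintext);
}

// Constructed demonstration data.
$hash = store_password('correct horse battery staple');
var_dump(check_login('correct horse battery staple', $hash) !== NULL);
var_dump(check_login('Tr0ub4dor&3', $hash));

// A legacy MD5 hash is replaced on the first successful login after upgrade.
$legacy = md5('correct horse battery staple');
$upgraded = upgrade_legacy_md5('correct horse battery staple', $legacy);
var_dump($upgraded !== NULL && strpos($upgraded, '$2y$') === 0);
```

Store whatever check_login() returns back into the user record on every successful login; that is how a cost increase or an algorithm change propagates to all active accounts without a bulk migration. For Drupal itself the core user_check_password() / user_needs_new_hash() pair already implements this pattern; the block above is for custom code that stores its own credentials.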

  26. Change Admin passwords regularly and make them strong.

  27. Remove the clues that it's Drupal
     • Remove the text files in the web root (e.g., CHANGELOG.txt, which states the exact core version)
     • Remove install.php once the site is installed
     • Remove whichever of web.config (IIS) or .htaccess (Apache) your web server does not use
  28. Remove the Generator meta tag

     <meta name="generator" content="Drupal 7 (http://drupal.org)" />

     /**
      * Implements hook_html_head_alter().
      */
     function custom_html_head_alter(&$head_elements) {
       if (isset($head_elements['system_meta_generator'])) {
         unset($head_elements['system_meta_generator']);
       }
     }
  29. Remove the X-Generator header

     > curl -I https://2013.drupalcampmi.org
     ...
     X-Generator: Drupal 7 (http://drupal.org)
     ...

     // Override the header.
     drupal_add_http_header('X-Generator', '');

     https://api.drupal.org/api/drupal/includes!bootstrap.inc/function/drupal_add_http_header/7

     Two caveats: passing FALSE instead of '' as the value tells Drupal 7 to drop the header rather than send it with an empty value (see the linked API documentation), and in Drupal 7 core attaches this header to the same system_meta_generator head element as the meta tag, so removing that element as on the previous slide takes care of both. Whichever you do, confirm with curl -I afterwards.
  30. Add the X-Frame-Options header

     drupal_add_http_header('X-Frame-Options', 'SAMEORIGIN');

     > curl -I https://marketplace.hpcloud.com
     ...
     X-Frame-Options: SAMEORIGIN
     ...

     https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
  31. http://www.lullabot.com/blog/article/keeping-drupals-files-safe Secure The Filesystem

  32. The web server user should not have write permission to the Drupal code base. The only directory it needs to write to is the public files directory (sites/default/files); if an attacker finds a bug, a read-only code tree stops them from dropping a backdoor into it.

  33. http://www.hpcloud.com/products-services/object-storage Backup to offsite location

  34. https://drupal.org/project/backup_migrate Backup and Migrate Module

  35. https://drupal.org/project/aes Encrypt Backups

  36. Backup credentials not on the production server (diagram: web server, DB server, backup server, storage). The backup server holds the credentials and pulls from production; if the web or DB server is compromised, the attacker gets no credentials that reach the backups.
  37. I shouldn’t have to tell you but...

  38. https://drupal.org/project/usage/drupal Keep Drupal Up To Date

  39. https://drupal.org/documentation/modules/update Update Manager Module

  40. Sign-up For Security Announcements

  41. Encrypt Sensitive Information

  42. https://drupal.org/project/aes AES Encryption Module

  43. http://phpseclib.sourceforge.net/ PHP Secure Communications Library

  44. Encrypted field modules
     • Encrypted Settings Field https://drupal.org/project/encset
     • Field Encryption https://drupal.org/project/field_encrypt
     • Encrypted Text https://drupal.org/project/encrypted_text

  45. Or, Store Them In A Secure Service

  46. drupal_http_request() (Drupal 7) does not check SSL certificates by default, so an https:// request it makes can be intercepted by anyone who can present any certificate at all.

  47. http://guzzlephp.org/ Guzzle

  48. Using Guzzle (Guzzle 3 syntax; it verifies certificates by default on https:// URLs)

     // A simple example
     Guzzle\Http\StaticClient::mount();
     $response = Guzzle::get('http://guzzlephp.org');

     // A little more complicated
     $client = new \Guzzle\Http\Client('http://guzzlephp.org');
     $request = $client->get('/');
     $response = $request->send();
  49. Inject a certificate into drupal_http_request() via a stream context. The URL must be https://, otherwise no TLS handshake happens and the ssl options are never used (the original slide used http://).

     $opts = array(
       'ssl' => array(
         'CN_match' => 'example.com',    // hostname the certificate must be issued for
         'verify_peer' => TRUE,          // reject a chain that does not validate
         'allow_self_signed' => FALSE,
         'cafile' => 'path/to/cert.pem', // CA bundle (or the pinned server certificate)
       ),
     );
     $context = stream_context_create($opts);
     $res = drupal_http_request('https://example.com', array('context' => $context));
     // drupal_http_request() does not throw. A negative code means the request,
     // including a failed TLS handshake, did not complete; do not use $res->data.
     if ($res->code < 0) {
       watchdog('example', 'Request failed: @err', array('@err' => $res->error), WATCHDOG_ERROR);
     }

     Since PHP 5.6 CN_match is deprecated in favour of the peer_name option and verify_peer defaults to TRUE; on older PHP the explicit options above are what turn verification on.
  50. Review Your Logs Regularly

  51. http://logstash.net/ Logstash

  52. http://www.loggly.com/ Loggly

  53. http://www.loggly.com/docs/alerts-overview/ Automated Alerts

  54. This is just the beginning...

  55. Questions? Slides are at... http://bit.ly/SecureYourSite