Secure Your Site

Secure Your Site
Matt Farina

Engineer at HP Cloud

View Slide

http://bit.ly/SecureYourSite
You can get the slides at...

View Slide

• @mattfarina on twitter

• Drupal.org UID 25701 (Over 8 Years)

• Co-Author of Drupal 7 Module Development

• A Lead Engineer at HP Cloud

View Slide

http://techcrunch.com/2013/10/03/adobe-gets-hacked-product-source-code-and-data-for-2-9m-customers-likely-accessed/
Did you hear, Adobe was hacked

View Slide

http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever
A Picture Of The Internet

View Slide

http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever
420,000 Hacked Linux Based Systems

View Slide

http://www.forbes.com/sites/cherylsnappconner/2013/09/14/are-you-prepared-71-of-cyber-attacks-hit-small-business/
71% attacked sites of orgs with less than 100 People

View Slide

http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html
Scan port 22 (ssh) for the Internet in a day

View Slide

I’ve Watched Attacks Happen

View Slide

I’ve Found Hacked Servers

View Slide

For the sake of your
users, secure your site.

View Slide

https://help.ubuntu.com/12.04/serverguide/security.html
Harden Your Servers

View Slide

https://help.ubuntu.com/community/AutoWeeklyUpdateHowTo
Keep packages up to date for security releases

View Slide

Lock Down Access
Web Server DB Server

View Slide

http://openvpn.net/
Use A VPN

View Slide

http://stackoverﬂow.com/questions/2661799/removing-x-powered-by
Removing X-Powered-By Header
; In your php.ini file set!
expose_php = off
> curl -i -X HEAD https://drupal.org!
...!
X-Powered-By: PHP/5.3.27!
...

View Slide

On to Drupal

View Slide

Use HTTPS/SSL/TLS

View Slide

View Slide

You can redirect to https via .htaccess
# Redirect when the request comes to http!
RewriteCond %{HTTPS} off!
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

View Slide

https://drupal.org/project/securepages
Secure Pages Module

View Slide

https://drupal.org/node/947312
Secure UID 1

View Slide

https://drupal.org/project/password
If you’re on Drupal 6 use real password hashing

View Slide

http://php.net/password
PHP Password API

View Slide

https://github.com/ircmaxell/password_compat
PHP Password API Backward Compatability

View Slide

Change Admin
passwords regularly and
make them strong.

View Slide

Remove the clues it’s Drupal
• Remove the text ﬁles (e.g., CHANGELOG.txt)

• Remove install.php

• web.conﬁg or .htaccess if not in use

View Slide

Remove Generator Meta Tag
/**!
* Implements hook_html_head_alter().!
*/!
function custom_html_head_alter(&$head_elements) {!
if (isset($head_elements['system_meta_generator'])) {!
unset($head_elements['system_meta_generator']);!
}!
}

View Slide

Remove X-Generator Header
// Override the header.!
drupal_add_http_header(‘X-Generator’, ‘’)
> curl -i -X HEAD https://2013.drupalcampmi.org!
...!
X-Generator: Drupal 7 (http://drupal.org)!
...
https://api.drupal.org/api/drupal/includes!bootstrap.inc/function/drupal_add_http_header/7

View Slide

Add X-Frame-Options Header
drupal_add_http_header('X-Frame-Options', 'SAMEORIGIN');
> curl -i -X HEAD https://marketplace.hpcloud.com!
...!
X-Frame-Options: SAMEORIGIN!
...
https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

View Slide

http://www.lullabot.com/blog/article/keeping-drupals-ﬁles-safe
Secure The Filesystem

View Slide

Web server user
should not have write
permission to Drupal

View Slide

http://www.hpcloud.com/products-services/object-storage
Backup to offsite location

View Slide

https://drupal.org/project/backup_migrate
Backup and Migrate Module

View Slide

https://drupal.org/project/aes
Encrypt Backups

View Slide

Backup Creds Not On Production Server
Web Server DB Server
Backup Server Storage

View Slide

I shouldn’t have to tell
you but...

View Slide

https://drupal.org/project/usage/drupal
Keep Drupal Up To Date

View Slide

https://drupal.org/documentation/modules/update
Update Manager Module

View Slide

Sign-up For Security Announcements

View Slide

Encrypt Sensitive
Information

View Slide

https://drupal.org/project/aes
AES Encryption Module

View Slide

http://phpseclib.sourceforge.net/
PHP Secure Communications Library

View Slide

Encrypted Field Modules
• Encrypted Settings Field 
https://drupal.org/project/encset

• Field Encryption 
https://drupal.org/project/ﬁeld_encrypt

• Encrypted Text 
https://drupal.org/project/encrypted_text 

View Slide

Or, Store Them In A Secure Service

View Slide

drupal_http_request()
does not check SSL
certiﬁcates.

View Slide

http://guzzlephp.org/
Guzzle

View Slide

Using Guzzle
// A little more complicated!
$client = new \Guzzle\Http\Client('http://guzzlephp.org');!
$request = $client->get('/');!
$response = $request->send();
// A simple example!
Guzzle\Http\StaticClient::mount();!
$response = Guzzle::get('http://guzzlephp.org');

View Slide

Inject Cert To drupal_http_request()
$opts = array(!
‘ssl’ => array(!
‘CN_match’ => ‘example.com’,!
‘verify_peer’ => TRUE,!
‘allow_self_signed’ => FALSE,!
‘cafile’ => ‘path/to/cert.pem’,!
),!
);!
$context = stream_context_create($opts);!
$ops = array(!
‘context’ => $context,!
);!
$res = drupal_http_request(‘http://example.com’, $ops);

View Slide

Secure Your Site

Secure Your Site

Matt Farina

More Decks by Matt Farina

Other Decks in Technology

Featured

Transcript