Secure Your Site

An introduction to securing Drupal sites.

Matt Farina
October 12, 2013

Transcript

  1. Secure Your Site
    Matt Farina
    Engineer at HP Cloud

  2. http://bit.ly/SecureYourSite
    You can get the slides at...

  3. • @mattfarina on twitter
    • Drupal.org UID 25701 (over 8 years)
    • Co-author of Drupal 7 Module Development
    • A Lead Engineer at HP Cloud

  4. http://techcrunch.com/2013/10/03/adobe-gets-hacked-product-source-code-and-data-for-2-9m-customers-likely-accessed/
    Did you hear? Adobe was hacked.

  5. http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever
    A Picture Of The Internet

  6. http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever
    420,000 Hacked Linux-Based Systems

  7. http://www.forbes.com/sites/cherylsnappconner/2013/09/14/are-you-prepared-71-of-cyber-attacks-hit-small-business/
    71% of attacks hit sites of organizations with fewer than 100 people

  8. http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html
    Scanning port 22 (SSH) across the whole Internet takes a day

  9. I’ve Watched Attacks Happen

  10. I’ve Found Hacked Servers

  11. For the sake of your users, secure your site.

  12. https://help.ubuntu.com/12.04/serverguide/security.html
    Harden Your Servers

  13. https://help.ubuntu.com/community/AutoWeeklyUpdateHowTo
    Keep packages up to date for security releases

  14. Lock Down Access
    (diagram: Web Server, DB Server)

  15. http://openvpn.net/
    Use A VPN

  16. http://stackoverflow.com/questions/2661799/removing-x-powered-by
    Removing X-Powered-By Header

    ; In your php.ini file set
    expose_php = off

    > curl -i -X HEAD https://drupal.org
    ...
    X-Powered-By: PHP/5.3.27
    ...

  17. On to Drupal

  18. Use HTTPS/SSL/TLS

  19. (image only)

  20. You can redirect to https via .htaccess

    # Redirect when the request comes in over plain http.
    # (RewriteEngine On is already set in Drupal's stock .htaccess.)
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

  21. https://drupal.org/project/securepages
    Secure Pages Module

  22. https://drupal.org/node/947312
    Secure UID 1

  23. https://drupal.org/project/password
    If you’re on Drupal 6, use real password hashing

  24. http://php.net/password
    PHP Password API

  25. https://github.com/ircmaxell/password_compat
    PHP Password API Backward Compatibility
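
An added example, not code from the talk or from Drupal core: a stand-alone PHP snippet that uses the password API from slide 24 and falls back to the password_compat library from slide 25 on PHP 5.3/5.4. The function names, the cost value and the vendor path are assumptions. Drupal 7 hashes user passwords through its own user_hash_password(), so this pattern is for custom code that stores credentials outside the Drupal user table.

```php
<?php
/**
 * Added example (not from the talk): bcrypt hashing with the PHP 5.5
 * password API, polyfilled by password_compat on older PHP.
 */

// On PHP < 5.5 password_compat defines password_hash() and friends in
// userland. The Composer path below is an assumption for this example.
if (!function_exists('password_hash')) {
  require_once __DIR__ . '/vendor/ircmaxell/password-compat/lib/password.php';
}

// Work factor. 10 is the library default; raise it as hardware gets faster.
define('EXAMPLE_HASH_COST', 12);

/**
 * Returns a salted bcrypt hash string suitable for storing in the database.
 *
 * The salt is generated by password_hash() itself; never supply your own.
 */
function example_hash_password($plaintext) {
  return password_hash($plaintext, PASSWORD_BCRYPT, array('cost' => EXAMPLE_HASH_COST));
}

/**
 * Checks a login attempt against the stored hash.
 *
 * Returns FALSE when the password does not match. On a match it returns
 * TRUE, or a new hash string when the stored one was made with a lower
 * cost and should be written back (transparent upgrade on next login).
 */
function example_check_password($plaintext, $stored_hash) {
  if (!password_verify($plaintext, $stored_hash)) {
    return FALSE;
  }
  if (password_needs_rehash($stored_hash, PASSWORD_BCRYPT, array('cost' => EXAMPLE_HASH_COST))) {
    return example_hash_password($plaintext);
  }
  return TRUE;
}

// Constructed demo values; a real application reads the hash from storage.
$hash = example_hash_password('correct horse battery staple');
$ok   = example_check_password('correct horse battery staple', $hash);
$bad  = example_check_password('wrong password', $hash);
if (is_string($ok)) {
  // A string means "password correct, but store this newer hash".
  $hash = $ok;
}
```

password_verify() compares in constant time, so the caller never needs to touch the hash string directly; the only branch the caller has to handle is the rehash case, which is what makes raising the cost later painless.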

  26. Change admin passwords regularly and make them strong.

  27. Remove the clues it’s Drupal
    • Remove the text files (e.g., CHANGELOG.txt)
    • Remove install.php
    • Remove web.config or .htaccess if not in use

  28. Remove Generator Meta Tag

    /**
     * Implements hook_html_head_alter().
     */
    function custom_html_head_alter(&$head_elements) {
      if (isset($head_elements['system_meta_generator'])) {
        unset($head_elements['system_meta_generator']);
      }
    }

  29. Remove X-Generator Header

    // Override the header.
    drupal_add_http_header('X-Generator', '');

    > curl -i -X HEAD https://2013.drupalcampmi.org
    ...
    X-Generator: Drupal 7 (http://drupal.org)
    ...

    https://api.drupal.org/api/drupal/includes!bootstrap.inc/function/drupal_add_http_header/7

  30. Add X-Frame-Options Header

    drupal_add_http_header('X-Frame-Options', 'SAMEORIGIN');

    > curl -i -X HEAD https://marketplace.hpcloud.com
    ...
    X-Frame-Options: SAMEORIGIN
    ...

    https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
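
An added example that is not from the talk: a small hypothetical Drupal 7 module (the name "hardening_headers" is an assumption) that applies slides 28 to 30 in one place. It removes the Generator fingerprint through the head-element alter hook rather than by overriding the header, and sets X-Frame-Options on every request.

```php
<?php
/**
 * @file
 * Hypothetical Drupal 7 module "hardening_headers" (added example; the module
 * name is an assumption, not code from the talk). Strips the Drupal
 * fingerprint from slides 28-29 and adds the X-Frame-Options header from
 * slide 30.
 */

/**
 * Implements hook_html_head_alter().
 *
 * In Drupal 7 core the <meta name="Generator"> tag and the X-Generator HTTP
 * header come from the same head element, 'system_meta_generator': the header
 * is attached to that element via #attached['drupal_add_http_header'].
 * Unsetting the element removes both at once. This is more reliable than a
 * drupal_add_http_header('X-Generator', '') call made earlier in the request,
 * because the attached header is processed during rendering and would
 * overwrite that value.
 */
function hardening_headers_html_head_alter(&$head_elements) {
  if (isset($head_elements['system_meta_generator'])) {
    unset($head_elements['system_meta_generator']);
  }
}

/**
 * Implements hook_init().
 *
 * Runs on every non-cached page request. Drupal 7 stores the HTTP headers
 * that were set while building a page together with the cached copy, so
 * page-cache hits carry the header as well.
 */
function hardening_headers_init() {
  // Permit framing only by documents from the same origin (clickjacking
  // protection, slide 30). Use 'DENY' if the site never frames itself.
  drupal_add_http_header('X-Frame-Options', 'SAMEORIGIN');
}
```

After enabling the module, verify with `curl -I https://example.com/` (`-I` sends a real HEAD request; `-i -X HEAD`, as on the slides, makes curl wait for a body that never arrives). The response should carry `X-Frame-Options: SAMEORIGIN` and no `X-Generator` header, and the page source should have no Generator meta tag.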

  31. http://www.lullabot.com/blog/article/keeping-drupals-files-safe
    Secure The Filesystem

  32. The web server user should not have write permission to Drupal

  33. http://www.hpcloud.com/products-services/object-storage
    Backup to offsite location

  34. https://drupal.org/project/backup_migrate
    Backup and Migrate Module

  35. https://drupal.org/project/aes
    Encrypt Backups

  36. Backup Creds Not On Production Server
    (diagram: Web Server, DB Server, Backup Server, Storage)

  37. I shouldn’t have to tell you but...

  38. https://drupal.org/project/usage/drupal
    Keep Drupal Up To Date

  39. https://drupal.org/documentation/modules/update
    Update Manager Module

  40. Sign-up For Security Announcements

  41. Encrypt Sensitive Information

  42. https://drupal.org/project/aes
    AES Encryption Module

  43. http://phpseclib.sourceforge.net/
    PHP Secure Communications Library

  44. Encrypted Field Modules
    • Encrypted Settings Field: https://drupal.org/project/encset
    • Field Encryption: https://drupal.org/project/field_encrypt
    • Encrypted Text: https://drupal.org/project/encrypted_text

  45. Or, Store Them In A Secure Service

  46. drupal_http_request() does not check SSL certificates.

  47. http://guzzlephp.org/
    Guzzle

  48. Using Guzzle

    // A simple example
    Guzzle\Http\StaticClient::mount();
    $response = Guzzle::get('http://guzzlephp.org');

    // A little more complicated
    $client = new \Guzzle\Http\Client('http://guzzlephp.org');
    $request = $client->get('/');
    $response = $request->send();

  49. Inject Cert To drupal_http_request()

    // The 'ssl' context options only take effect on a TLS connection,
    // so the request URL must use https.
    $opts = array(
      'ssl' => array(
        'CN_match' => 'example.com',
        'verify_peer' => TRUE,
        'allow_self_signed' => FALSE,
        'cafile' => 'path/to/cert.pem',
      ),
    );
    $context = stream_context_create($opts);
    $ops = array(
      'context' => $context,
    );
    $res = drupal_http_request('https://example.com', $ops);
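
An added example, not code from the talk: a wrapper around Drupal 7's drupal_http_request() that generalizes slide 49. It refuses anything that is not an https URL (the ssl context options are silently ignored on plain http), derives the expected certificate name from the URL instead of hard-coding it, and treats a failed handshake as an error. The function name and the CA bundle path are assumptions.

```php
<?php
/**
 * Added example (not from the talk). Performs an HTTPS request through
 * drupal_http_request() with peer certificate verification enforced.
 *
 * @param string $url
 *   Must use the https scheme.
 * @param string $cafile
 *   PEM bundle of trusted CAs (the distro bundle or a pinned private CA).
 * @param array $options
 *   Extra drupal_http_request() options (method, headers, data, timeout).
 *
 * @return object
 *   The drupal_http_request() result object. A negative ->code means the
 *   connection (including the TLS handshake) failed; ->error explains why.
 *
 * @throws InvalidArgumentException
 *   For non-https URLs or an unreadable CA bundle, before any bytes are sent.
 */
function example_verified_http_request($url, $cafile, array $options = array()) {
  $parts = parse_url($url);
  if ($parts === FALSE || empty($parts['scheme']) || empty($parts['host'])
      || strtolower($parts['scheme']) !== 'https') {
    // verify_peer / CN_match only apply to TLS; a plain http:// URL would
    // bypass every check below without any error.
    throw new InvalidArgumentException("Refusing unverified request to $url");
  }
  if (!is_readable($cafile)) {
    throw new InvalidArgumentException("CA bundle not readable: $cafile");
  }

  $context = stream_context_create(array(
    'ssl' => array(
      'verify_peer'       => TRUE,
      'allow_self_signed' => FALSE,
      'cafile'            => $cafile,
      // Bind the certificate to the host named in the URL.
      'CN_match'          => $parts['host'],  // PHP 5.3 - 5.5
      'peer_name'         => $parts['host'],  // PHP 5.6+ replacement for CN_match
    ),
  ));

  $options['context'] = $context;
  return drupal_http_request($url, $options);
}

// Constructed usage; the bundle path is deployment specific (assumption).
try {
  $res = example_verified_http_request(
    'https://example.com/api/status',
    '/etc/ssl/certs/ca-certificates.crt'
  );
  if ($res->code < 0) {
    // Failed socket or handshake: the response is not trustworthy, do not
    // fall back to http.
    watchdog('example', 'TLS/transport failure: @err', array('@err' => $res->error), WATCHDOG_ERROR);
  }
}
catch (InvalidArgumentException $e) {
  watchdog('example', $e->getMessage(), array(), WATCHDOG_ERROR);
}
```

Failing closed is the point of the wrapper: the caller gets either a verified connection or an error it has to handle, never a silent downgrade. Keep the CA bundle off the web root and read-only to the web server user, in line with slide 32.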

  50. Review Your Logs Regularly

  51. http://logstash.net/
    Logstash

  52. http://www.loggly.com/
    Loggly

  53. http://www.loggly.com/docs/alerts-overview/
    Automated Alerts

  54. This is just the beginning...

  55. Questions?
    Slides are at...
    http://bit.ly/SecureYourSite