Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure Your Site
Search
Matt Farina
October 12, 2013
Technology
0
2.4k
Secure Your Site
An introduction to securing Drupal sites.
Matt Farina
October 12, 2013
Tweet
Share
More Decks by Matt Farina
See All by Matt Farina
Faster Mobile Sites
mattfarina
1
2.4k
Front End Performance Improvements
mattfarina
5
2.2k
Building Faster Websites
mattfarina
3
220
Faster Front End Performance
mattfarina
3
310
Other Decks in Technology
See All in Technology
マーケットプレイス版Oracle WebCenter Content For OCI
oracle4engineer
PRO
3
960
ビズリーチが挑む メトリクスを活用した技術的負債の解消 / dev-productivity-con2025
visional_engineering_and_design
3
7.7k
Operating Operator
shhnjk
1
590
NewSQLや分散データベースを支えるRaftの仕組み - 仕組みを理解して知る得意不得意
hacomono
PRO
2
170
Zero Data Loss Autonomous Recovery Service サービス概要
oracle4engineer
PRO
2
7.8k
american airlines®️ USA Contact Numbers: Complete 2025 Support Guide
supportflight
1
110
自律的なスケーリング手法FASTにおけるVPoEとしてのアカウンタビリティ / dev-productivity-con-2025
yoshikiiida
1
17k
2025-07-06 QGIS初級ハンズオン「はじめてのQGIS」
kou_kita
0
170
OPENLOGI Company Profile for engineer
hr01
1
34k
開発生産性を組織全体の「生産性」へ! 部門間連携の壁を越える実践的ステップ
sudo5in5k
2
7.2k
20250707-AI活用の個人差を埋めるチームづくり
shnjtk
4
3.9k
Flutter向けPDFビューア、pdfrxのpdfium WASM対応について
espresso3389
0
130
Featured
See All Featured
How to Ace a Technical Interview
jacobian
278
23k
KATA
mclloyd
30
14k
Making Projects Easy
brettharned
116
6.3k
The Pragmatic Product Professional
lauravandoore
35
6.7k
How GitHub (no longer) Works
holman
314
140k
Building Flexible Design Systems
yeseniaperezcruz
328
39k
The Power of CSS Pseudo Elements
geoffreycrofte
77
5.9k
Gamification - CAS2011
davidbonilla
81
5.4k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Being A Developer After 40
akosma
90
590k
GraphQLの誤解/rethinking-graphql
sonatard
71
11k
Documentation Writing (for coders)
carmenintech
72
4.9k
Transcript
Secure Your Site Matt Farina Engineer at HP Cloud
http://bit.ly/SecureYourSite You can get the slides at...
• @mattfarina on twitter • Drupal.org UID 25701 (Over 8
Years) • Co-Author of Drupal 7 Module Development • A Lead Engineer at HP Cloud
http://techcrunch.com/2013/10/03/adobe-gets-hacked-product-source-code-and-data-for-2-9m-customers-likely-accessed/ Did you hear, Adobe was hacked
http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever A Picture Of The Internet
http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever 420,000 Hacked Linux Based Systems
http://www.forbes.com/sites/cherylsnappconner/2013/09/14/are-you-prepared-71-of-cyber-attacks-hit-small-business/ 71% attacked sites of orgs with less than 100
People
http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html Scan port 22 (ssh) for the Internet in a
day
I’ve Watched Attacks Happen
I’ve Found Hacked Servers
For the sake of your users, secure your site.
https://help.ubuntu.com/12.04/serverguide/security.html Harden Your Servers
https://help.ubuntu.com/community/AutoWeeklyUpdateHowTo Keep packages up to date for security releases
Lock Down Access Web Server DB Server
http://openvpn.net/ Use A VPN
http://stackoverflow.com/questions/2661799/removing-x-powered-by Removing X-Powered-By Header ; In your php.ini file set!
expose_php = off > curl -i -X HEAD https://drupal.org! ...! X-Powered-By: PHP/5.3.27! ...
On to Drupal
Use HTTPS/SSL/TLS
None
You can redirect to https via .htaccess # Redirect when
the request comes to http! RewriteCond %{HTTPS} off! RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
https://drupal.org/project/securepages Secure Pages Module
https://drupal.org/node/947312 Secure UID 1
https://drupal.org/project/password If you’re on Drupal 6 use real password hashing
http://php.net/password PHP Password API
https://github.com/ircmaxell/password_compat PHP Password API Backward Compatability
Change Admin passwords regularly and make them strong.
Remove the clues it’s Drupal • Remove the text files
(e.g., CHANGELOG.txt) • Remove install.php • web.config or .htaccess if not in use
Remove Generator Meta Tag /**! * Implements hook_html_head_alter().! */! function
custom_html_head_alter(&$head_elements) {! if (isset($head_elements['system_meta_generator'])) {! unset($head_elements['system_meta_generator']);! }! } <meta name="generator" content="Drupal 7 (http://drupal.org)" />
Remove X-Generator Header // Override the header.! drupal_add_http_header(‘X-Generator’, ‘’) >
curl -i -X HEAD https://2013.drupalcampmi.org! ...! X-Generator: Drupal 7 (http://drupal.org)! ... https://api.drupal.org/api/drupal/includes!bootstrap.inc/function/drupal_add_http_header/7
Add X-Frame-Options Header drupal_add_http_header('X-Frame-Options', 'SAMEORIGIN'); > curl -i -X HEAD
https://marketplace.hpcloud.com! ...! X-Frame-Options: SAMEORIGIN! ... https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
http://www.lullabot.com/blog/article/keeping-drupals-files-safe Secure The Filesystem
Web server user should not have write permission to Drupal
http://www.hpcloud.com/products-services/object-storage Backup to offsite location
https://drupal.org/project/backup_migrate Backup and Migrate Module
https://drupal.org/project/aes Encrypt Backups
Backup Creds Not On Production Server Web Server DB Server
Backup Server Storage
I shouldn’t have to tell you but...
https://drupal.org/project/usage/drupal Keep Drupal Up To Date
https://drupal.org/documentation/modules/update Update Manager Module
Sign-up For Security Announcements
Encrypt Sensitive Information
https://drupal.org/project/aes AES Encryption Module
http://phpseclib.sourceforge.net/ PHP Secure Communications Library
Encrypted Field Modules • Encrypted Settings Field https://drupal.org/project/encset • Field
Encryption https://drupal.org/project/field_encrypt • Encrypted Text https://drupal.org/project/encrypted_text
Or, Store Them In A Secure Service
drupal_http_request() does not check SSL certificates.
http://guzzlephp.org/ Guzzle
Using Guzzle // A little more complicated! $client = new
\Guzzle\Http\Client('http://guzzlephp.org');! $request = $client->get('/');! $response = $request->send(); // A simple example! Guzzle\Http\StaticClient::mount();! $response = Guzzle::get('http://guzzlephp.org');
Inject Cert To drupal_http_request() $opts = array(! ‘ssl’ => array(!
‘CN_match’ => ‘example.com’,! ‘verify_peer’ => TRUE,! ‘allow_self_signed’ => FALSE,! ‘cafile’ => ‘path/to/cert.pem’,! ),! );! $context = stream_context_create($opts);! $ops = array(! ‘context’ => $context,! );! $res = drupal_http_request(‘http://example.com’, $ops);
Review Your Logs Regularly
http://logstash.net/ Logstash
http://www.loggly.com/ Loggly
http://www.loggly.com/docs/alerts-overview/ Automated Alerts
This is just the beginning...
Questions? Slides are at... http://bit.ly/SecureYourSite