Slide 1

Secure Your Site
Matt Farina, Engineer at HP Cloud

Slide 2

You can get the slides at... http://bit.ly/SecureYourSite

Slide 3

• @mattfarina on twitter
• Drupal.org UID 25701 (Over 8 Years)
• Co-Author of Drupal 7 Module Development
• A Lead Engineer at HP Cloud

Slide 4

Did you hear, Adobe was hacked
http://techcrunch.com/2013/10/03/adobe-gets-hacked-product-source-code-and-data-for-2-9m-customers-likely-accessed/

Slide 5

A Picture Of The Internet
http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever

Slide 6

420,000 Hacked Linux Based Systems
http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever

Slide 7

71% of attacks hit sites of organizations with fewer than 100 people
http://www.forbes.com/sites/cherylsnappconner/2013/09/14/are-you-prepared-71-of-cyber-attacks-hit-small-business/

Slide 8

Scan port 22 (ssh) for the Internet in a day
http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html

Slide 9

I’ve Watched Attacks Happen

Slide 10

I’ve Found Hacked Servers

Slide 11

For the sake of your users, secure your site.

Slide 12

Harden Your Servers
https://help.ubuntu.com/12.04/serverguide/security.html

Slide 13

Keep packages up to date for security releases
https://help.ubuntu.com/community/AutoWeeklyUpdateHowTo

Slide 14

Lock Down Access
(Diagram: Web Server, DB Server)

Slide 15

Use A VPN
http://openvpn.net/

Slide 16

Removing X-Powered-By Header

In your php.ini file set:

expose_php = off

What the leak looks like (curl -I sends a HEAD request and prints only the headers):

> curl -I https://drupal.org
...
X-Powered-By: PHP/5.3.27
...

http://stackoverflow.com/questions/2661799/removing-x-powered-by

Slide 17

On to Drupal

Slide 18

Use HTTPS/SSL/TLS

Slide 19

No content

Slide 20

You can redirect to https via .htaccess

# Redirect when the request comes to http
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Slide 21

Secure Pages Module
https://drupal.org/project/securepages

Slide 22

Secure UID 1
https://drupal.org/node/947312

Slide 23

If you’re on Drupal 6 use real password hashing
https://drupal.org/project/password

Slide 24

PHP Password API
http://php.net/password

Slide 25

PHP Password API Backward Compatibility
https://github.com/ircmaxell/password_compat

Slide 26

Change Admin passwords regularly and make them strong.

Slide 27

Remove the clues it’s Drupal
• Remove the text files (e.g., CHANGELOG.txt)
• Remove install.php
• web.config or .htaccess if not in use

Slide 28

Remove Generator Meta Tag

/**
 * Implements hook_html_head_alter().
 */
function custom_html_head_alter(&$head_elements) {
  if (isset($head_elements['system_meta_generator'])) {
    unset($head_elements['system_meta_generator']);
  }
}

Slide 29

Remove X-Generator Header

// Override the header.
drupal_add_http_header('X-Generator', '');

What the default header looks like:

> curl -I https://2013.drupalcampmi.org
...
X-Generator: Drupal 7 (http://drupal.org)
...

https://api.drupal.org/api/drupal/includes!bootstrap.inc/function/drupal_add_http_header/7

Slide 30

Add X-Frame-Options Header

drupal_add_http_header('X-Frame-Options', 'SAMEORIGIN');

> curl -I https://marketplace.hpcloud.com
...
X-Frame-Options: SAMEORIGIN
...

https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
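A check for the header slides above (X-Powered-By, the https redirect, X-Generator and X-Frame-Options), added here as an example and not code from the talk: it parses a raw HTTP response such as the output of curl -I and reports disclosure headers, a missing X-Frame-Options, and a plain-http request that was not answered with a 301 to https. The sample responses at the bottom are constructed, not captured from any real site.

```python
"""Audit a raw HTTP response (status line plus headers) for the leaks and
protections discussed in the slides. Runs offline on constructed input."""

# Headers that advertise the stack; they should be blank or gone.
DISCLOSURE_HEADERS = ("x-powered-by", "x-generator")
# Values of X-Frame-Options that actually protect against framing.
FRAME_OPTIONS_OK = ("DENY", "SAMEORIGIN")


def parse_response(raw):
    """Return (status_code, {lowercased header name: value}) from a raw response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_headers(raw, requested_scheme="https"):
    """Return a list of findings for one response; an empty list means clean."""
    status, headers = parse_response(raw)
    findings = []
    for name in DISCLOSURE_HEADERS:
        if headers.get(name):  # an emptied header (the X-Generator override) passes
            findings.append(f"{name} discloses '{headers[name]}'")
    if status < 300 and headers.get("x-frame-options", "").upper() not in FRAME_OPTIONS_OK:
        findings.append("x-frame-options missing or not DENY/SAMEORIGIN")
    if requested_scheme == "http":
        # Plain http must be answered with a 301 to https (the .htaccess rule).
        if status != 301 or not headers.get("location", "").startswith("https://"):
            findings.append("http request not redirected to https with a 301")
    return findings


# Constructed sample responses, not captured from any real site.
LEAKY = ("HTTP/1.1 200 OK\r\nX-Powered-By: PHP/5.3.27\r\n"
         "X-Generator: Drupal 7 (http://drupal.org)\r\nContent-Type: text/html\r\n\r\n")
HARDENED = ("HTTP/1.1 200 OK\r\nX-Generator: \r\nX-Frame-Options: SAMEORIGIN\r\n"
            "Content-Type: text/html\r\n\r\n")
REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, audit_headers(raw) or "clean")
```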

Slide 31

Secure The Filesystem
http://www.lullabot.com/blog/article/keeping-drupals-files-safe

Slide 32

Web server user should not have write permission to Drupal

Slide 33

Backup to offsite location
http://www.hpcloud.com/products-services/object-storage

Slide 34

Backup and Migrate Module
https://drupal.org/project/backup_migrate

Slide 35

Encrypt Backups
https://drupal.org/project/aes

Slide 36

Backup Creds Not On Production Server
(Diagram: Web Server, DB Server, Backup Server, Storage)

Slide 37

I shouldn’t have to tell you but...

Slide 38

Keep Drupal Up To Date
https://drupal.org/project/usage/drupal

Slide 39

Update Manager Module
https://drupal.org/documentation/modules/update

Slide 40

Sign-up For Security Announcements

Slide 41

Encrypt Sensitive Information

Slide 42

AES Encryption Module
https://drupal.org/project/aes

Slide 43

PHP Secure Communications Library
http://phpseclib.sourceforge.net/

Slide 44

Encrypted Field Modules
• Encrypted Settings Field: https://drupal.org/project/encset
• Field Encryption: https://drupal.org/project/field_encrypt
• Encrypted Text: https://drupal.org/project/encrypted_text

Slide 45

Or, Store Them In A Secure Service

Slide 46

drupal_http_request() does not check SSL certificates.

Slide 47

Guzzle
http://guzzlephp.org/

Slide 48

Using Guzzle

// A simple example
Guzzle\Http\StaticClient::mount();
$response = Guzzle::get('http://guzzlephp.org');

// A little more complicated
$client = new \Guzzle\Http\Client('http://guzzlephp.org');
$request = $client->get('/');
$response = $request->send();

Slide 49

Inject Cert To drupal_http_request()

$opts = array(
  'ssl' => array(
    // Hostname the server certificate must be issued to.
    'CN_match' => 'example.com',
    'verify_peer' => TRUE,
    'allow_self_signed' => FALSE,
    'cafile' => 'path/to/cert.pem',
  ),
);
$context = stream_context_create($opts);
$ops = array(
  'context' => $context,
);
// The URL must be https://; for a plain http:// URL the ssl options are never used.
$res = drupal_http_request('https://example.com', $ops);

Slide 50

Review Your Logs Regularly

Slide 51

Logstash
http://logstash.net/

Slide 52

Loggly
http://www.loggly.com/

Slide 53

Automated Alerts
http://www.loggly.com/docs/alerts-overview/
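An added example (not from the talk) of the kind of rule behind "review your logs" and the automated alerts above: it reads Apache combined-format access log lines and flags requests for the Drupal fingerprint files the earlier slide says to remove, plus bursts of login POSTs from one client. The log lines are constructed samples; the threshold and the path list are assumptions to tune per site.

```python
"""Flag Drupal reconnaissance in web server access logs (constructed samples)."""
import re
from collections import defaultdict

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Files that identify a Drupal install; once deleted, any request for them is a probe.
FINGERPRINT_PATHS = ("/CHANGELOG.txt", "/INSTALL.txt", "/install.php")
LOGIN_PATH = "/user/login"
LOGIN_THRESHOLD = 5  # assumed: login POSTs from one IP before alerting


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_alerts(lines):
    """Return sorted alert strings for the given iterable of log lines."""
    alerts = set()
    login_posts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string before matching
        if path in FINGERPRINT_PATHS:
            alerts.add(f"{rec['ip']} requested fingerprint file {path} (status {rec['status']})")
        if rec["method"] == "POST" and path == LOGIN_PATH:
            login_posts[rec["ip"]] += 1
    for ip, count in login_posts.items():
        if count >= LOGIN_THRESHOLD:
            alerts.add(f"{ip} sent {count} login POSTs (possible password guessing)")
    return sorted(alerts)


# Constructed sample log: 203.0.113.7 probes the site, 198.51.100.4 is a normal visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Oct/2013:10:00:01 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 41232 "-" "curl/7.22"',
    '203.0.113.7 - - [03/Oct/2013:10:00:02 +0000] "GET /install.php HTTP/1.1" 403 212 "-" "curl/7.22"',
    '198.51.100.4 - - [03/Oct/2013:10:00:05 +0000] "GET /node/1 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.7 - - [03/Oct/2013:10:01:{i:02d} +0000] "POST /user/login HTTP/1.1" 200 9100 "-" "-"'
    for i in range(6)
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```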

Slide 54

This is just the beginning...

Slide 55

Questions? Slides are at... http://bit.ly/SecureYourSite