drupal paranoia


Upload: inna-tuyeva

Post on 16-Apr-2017


TRANSCRIPT

Drupal: VPS

VPS vs. shared hosting

(ftp, ssh, ...)

(ssh, ftp)

DOS

Drupal:

update status

PHP

1

paranoia PHP

1

paranoia


Drupal + HTTPS

http://example.com/*

http://example.com/admin*

https://example.com only!

custom_url_rewrite_inbound(&$result, $path, $path_language)

$_SERVER['HTTP_X_SSL_CONNECT']

$_SERVER['HTTP_X_FORWARDED_HOST']

$_SERVER['HTTP_HOST']


[SKIPPED]

captcha

Spam

URL Spam

Mollom

Akismet


Apache mod_security

mod_security GET POST

SQL injections

XSS

HTTP-


PHP

mod_php Apache

open_basedir

FastCGI Apache NGINX

Suhosin PHP


FTP (use SFTP)

VPS: (root)

files, tmp, Drupal

index.html

secure-shell DrupalDo.

POSIX ACL: user:group:other rwx

ACL

acltools: getfacl/setfacl

access control lists (ACL): setfacl, getfacl.

hook_user()

Fail2ban DOS SSH FTP

Drupal: failregex = \|user\|<HOST>\|.*\|Login attempt failed (.+)\.$


loopback-

AES, Blowfish, DES...

Linux:


(PHP)

(Zabbix, ZenOSS): CPU

Linux, *BSD, Windows


http://fail2ban.org

http://modsecurity.org

http://suhosin.org

http://zabbix.com

www.drupal.ru/node/31163 - fail2ban + Drupal

http://tr.im/x5cQ


TODO: ACL.

OpenOffice

Futurama


Creative Commons SA.

Cryptographic options --->
    DES and Triple DES EDE cipher algorithms
    Blowfish cipher algorithm
    AES cipher algorithms (i586)

$ cryptsetup -c aes -y create mycrypt /dev/vg/storage
$ mkfs.ext4 /dev/mapper/mycrypt
$ mount /dev/mapper/mycrypt /var/lib/mysql/secured
$ losetup -e aes /dev/loop0 /mnt/secured