secure your site
TRANSCRIPT
Secure Your SiteMatt FarinaLead EngineerHP Cloud
http://bit.ly/SecureYourSiteYou can get the slides at...
• @mattfarina on twitter
• Drupal.org UID 25701 (Over 8 Years)
• Co-Author of Drupal 7 Module Development
• Lead Engineer at HP Cloud
http://techcrunch.com/2013/10/03/adobe-gets-hacked-product-source-code-and-data-for-2-9m-customers-likely-accessed/
Did you hear, Adobe was hacked
http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever
A Picture Of The Internet
http://motherboard.vice.com/blog/this-is-most-detailed-picture-internet-ever
420,000 Hacked Linux Based Systems
http://www.forbes.com/sites/cherylsnappconner/2013/09/14/are-you-prepared-71-of-cyber-attacks-hit-small-business/
71% attacked sites of orgs with less than 100 People
http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html
Scan port 22 (ssh) for the Internet in a day
I’ve Watched Attacks Happen
I’ve Found Hacked Servers
For the sake of your users, secure your site.
https://help.ubuntu.com/12.04/serverguide/security.html
Harden Your Servers
https://help.ubuntu.com/community/AutoWeeklyUpdateHowTo
Keep packages up to date for security releases
Lock Down Access
Web Server DB Server
http://stackoverflow.com/questions/2661799/removing-x-powered-by
Removing X-Powered-By Header
; In your php.ini file setexpose_php = off
> curl -i -X HEAD https://drupal.org...X-Powered-By: PHP/5.3.27...
On to Drupal
Use HTTPS/SSL/TLS
You can redirect to https via .htaccess
# Redirect when the request comes to httpRewriteCond %{HTTPS} offRewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
https://drupal.org/project/securepages
Secure Pages Module
https://drupal.org/node/947312
Secure UID 1
https://drupal.org/project/password
If you’re on Drupal 6 use real password hashing
https://github.com/ircmaxell/password_compat
PHP Password API Backward Compatability
Change Admin passwords regularly and
make them strong.
Remove the clues it’s Drupal
• Remove the text files (e.g., CHANGELOG.txt)
• Remove install.php
• web.config or .htaccess if not in use
Remove Generator Meta Tag
/** * Implements hook_html_head_alter(). */function custom_html_head_alter(&$head_elements) { if (isset($head_elements['system_meta_generator'])) { unset($head_elements['system_meta_generator']); }}
<meta name="generator" content="Drupal 7 (http://drupal.org)" />
Remove X-Generator Header
// Override the header.drupal_add_http_header(‘X-Generator’, ‘’)
> curl -i -X HEAD https://2013.drupalcampmi.org...X-Generator: Drupal 7 (http://drupal.org)...
https://api.drupal.org/api/drupal/includes!bootstrap.inc/function/drupal_add_http_header/7
Add X-Frame-Options Header
drupal_add_http_header('X-Frame-Options', 'SAMEORIGIN');
> curl -i -X HEAD https://marketplace.hpcloud.com...X-Frame-Options: SAMEORIGIN...
https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
http://www.lullabot.com/blog/article/keeping-drupals-files-safe
Secure The Filesystem
Web server user should not have write permission to Drupal
http://www.hpcloud.com/products-services/object-storage
Backup to offsite location
https://drupal.org/project/backup_migrate
Backup and Migrate Module
https://drupal.org/project/aes
Encrypt Backups
Backup Creds Not On Production Server
Web Server DB Server
Backup Server Storage
I shouldn’t have to tell you but...
https://drupal.org/project/usage/drupal
Keep Drupal Up To Date
https://drupal.org/documentation/modules/update
Update Manager Module
Sign-up For Security Announcements
Encrypt Sensitive Information
https://drupal.org/project/aes
AES Encryption Module
http://phpseclib.sourceforge.net/
PHP Secure Communications Library
Encrypted Field Modules
• Encrypted Settings Fieldhttps://drupal.org/project/encset
• Field Encryptionhttps://drupal.org/project/field_encrypt
• Encrypted Texthttps://drupal.org/project/encrypted_text
Or, Store Them In A Secure Service
drupal_http_request() does not check SSL
certificates.
Using Guzzle
// A little more complicated$client = new \Guzzle\Http\Client('http://guzzlephp.org');$request = $client->get('/');$response = $request->send();
// A simple exampleGuzzle\Http\StaticClient::mount();$response = Guzzle::get('http://guzzlephp.org');
Inject Cert To drupal_http_request()
$opts = array(‘ssl’ => array(‘verify_host’ => TRUE,‘verify_peer’ => TRUE,‘allow_self_signed’ => FALSE,‘cafile’ => ‘path/to/cert.pem’,
),);$context = stream_create_context($opts);$ops = array( ‘context’ => $context,);$res = drupal_http_request(‘http://example.com’, $ops);
Review Your Logs Regularly
http://www.loggly.com/docs/alerts-overview/
Automated Alerts
This is just the beginning...
Questions?Slides are at...
http://bit.ly/SecureYourSite