DrupalCamp Helsinki 27.9.2011

1. Hardening Drupal setup
DrupalCamp Helsinki 27.9.2011
Tero Alén

2. Backgrounds
CTO at Zeeland Group which is 5th biggest marketing company in Finland
Focus on Symfony and Drupal
Zeeland Group has team of 10 developers who has backgrounds in IT
Used Drupal from version 4

3. Agenda
Why should I care?
Know your enemies
Principles of security
Hardening your server
Hardening you Drupal

4. Why should I care
We don’t process money so we are not interesting target for crackers
Some possible uses for random websites
Defacing
Spreading malware for your visitors
Using your box for spam delivery

5. Why should I care
We don’t process money so we are not interesting target for crackers
Some possible uses for random websites
Defacing
Spreading malware for your visitors
Using your box for spam delivery

6. Why should I care
We don’t process money so we are not interesting target for crackers
Some possible uses for random websites

7. Why should I care
We don’t process money so we are not interesting target for crackers
Some possible uses for random websites
Defacing

8. Why should I care
We don’t process money so we are not interesting target for crackers
Some possible uses for random websites
Defacing
Spreading malware for your visitors

9. Why should I care
We don’t process money so we are not interesting target for crackers
Some possible uses for random websites
Defacing
Spreading malware for your visitors
Using your box for spam delivery

11. How they do it?
Common vulnerabilities: XSS, SQL injection, remote file inclusion, etc
See more from OWASP - Open Web Application Security Project
Include (malware) code to page via XSS or SQL injection
Upload PHP shell via remote file inclusion or insecure file upload
Upload spam script via remote file inclusion or insecure file upload
Lot of other ways which you have hard to even imagine

12. Basics first

14. Keep it simple

15. Run only services which you really need
Keep it simple

16. Run only services which you really need
Enable only modules/extension you need (from Apache, PHP and Drupal)
Keep it simple

17. Run only services which you really need
Enable only modules/extension you need (from Apache, PHP and Drupal)
Keep it simple
Every new application in stack is new possibility for exploitation

18. Using phpMyAdmin?
/PMA2005/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.6.0‐rc3/scripts/setup.php: 1 Time(s) /phpmy‐admin/scripts/setup.php: 2 Time(s)
/admin/phpmyadmin/scripts/setup.php: 1 Time(s) /phpMyAdmin‐2.6.1‐pl1/scripts/setup.php: 2 Time(s) /phpmyadmin/scripts/setup.php: 2 Time(s)
/admin/pma/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.6.1‐pl2/scripts/setup.php: 2 Time(s) /phpmyadmin1/scripts/setup.php: 2 Time(s)
/admin/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.6.1‐pl3/scripts/setup.php: 1 Time(s) /phpmyadmin2/scripts/setup.php: 2 Time(s)
/admm/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.6.1‐rc1/scripts/setup.php: 1 Time(s) /pma/scripts/setup.php: 1 Time(s)
/admn/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.6.1/scripts/setup.php: 2 Time(s) /pma2005/scripts/setup.php: 2 Time(s)
/databaseadmin/scripts/setup.php: 1 Time(s) /phpMyAdmin‐2.6.2‐beta1/scripts/setup.php: 1 Time(s) /scripts/setup.php: 2 Time(s)
/db/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.6.2‐pl1/scripts/setup.php: 2 Time(s) /sqlmanager/scripts/setup.php: 2 Time(s)
/dbadmin/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.6.2‐rc1/scripts/setup.php: 1 Time(s) /sqlweb/scripts/setup.php: 2 Time(s)
/myadmin/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.6.2/scripts/setup.php: 1 Time(s) /typo3/phpmyadmin/scripts/setup.php: 1 Time(s)
/mysql‐admin/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.6.3‐pl1/scripts/setup.php: 1 Time(s) /web/scripts/setup.php: 1 Time(s)
/mysql/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.6.3‐rc1/scripts/setup.php: 2 Time(s) /webadmin/scripts/setup.php: 2 Time(s)
/mysqladmin/scripts/setup.php: 4 Time(s) /phpMyAdmin‐2.6.3/scripts/setup.php: 3 Time(s) /webdb/scripts/setup.php: 1 Time(s)
/mysqlmanager/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.6.4‐pl1/scripts/setup.php: 2 Time(s) /websql/scripts/setup.php: 4 Time(s)
/p/m/a/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.6.4‐pl2/scripts/setup.php: 1 Time(s) /xampp/phpmyadmin/scripts/setup.php: 2 Time(s)
/php‐my‐admin/scripts/setup.php: 4 Time(s) /phpMyAdmin‐2.6.4‐pl3/scripts/setup.php: 1 Time(s)
/php‐myadmin/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.6.4‐pl4/scripts/setup.php: 2 Time(s)
/phpMyAdmin‐2.2.3/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.6.4‐rc1/scripts/setup.php: 2 Time(s)
/phpMyAdmin‐2.2.6/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.6.4/scripts/setup.php: 2 Time(s)
/phpMyAdmin‐2.5.1/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.7.0‐beta1/scripts/setup.php: 1 Time(s)
/phpMyAdmin‐2.5.4/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.7.0‐pl1/scripts/setup.php: 2 Time(s)
/phpMyAdmin‐2.5.5‐pl1/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.7.0‐pl2/scripts/setup.php: 1 Time(s)
/phpMyAdmin‐2.5.5‐rc1/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.7.0‐rc1/scripts/setup.php: 1 Time(s)
/phpMyAdmin‐2.5.5‐rc2/scripts/setup.php: 1 Time(s) /phpMyAdmin‐2.7.0/scripts/setup.php: 2 Time(s)
/phpMyAdmin‐2.5.5/scripts/setup.php: 1 Time(s) /phpMyAdmin‐2.8.0‐beta1/scripts/setup.php: 2 Time(s)
/phpMyAdmin‐2.5.6‐rc1/scripts/setup.php: 1 Time(s) /phpMyAdmin‐2.8.0‐rc1/scripts/setup.php: 1 Time(s)
/phpMyAdmin‐2.5.6‐rc2/scripts/setup.php: 1 Time(s) /phpMyAdmin‐2.8.0‐rc2/scripts/setup.php: 1 Time(s)
/phpMyAdmin‐2.5.6/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.8.0.1/scripts/setup.php: 2 Time(s)
/phpMyAdmin‐2.5.7‐pl1/scripts/setup.php: 1 Time(s) /phpMyAdmin‐2.8.0.2/scripts/setup.php: 2 Time(s)
/phpMyAdmin‐2.5.7/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.8.0.3/scripts/setup.php: 1 Time(s)
/phpMyAdmin‐2.6.0‐alpha/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.8.0.4/scripts/setup.php: 2 Time(s)
/phpMyAdmin‐2.6.0‐alpha2/scripts/setup.php: 1 Time(s) /phpMyAdmin‐2.8.0/scripts/setup.php: 1 Time(s)
/phpMyAdmin‐2.6.0‐beta1/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.8.1‐rc1/scripts/setup.php: 2 Time(s)
/phpMyAdmin‐2.6.0‐beta2/scripts/setup.php: 1 Time(s) /phpMyAdmin‐2.8.1/scripts/setup.php: 1 Time(s)
/phpMyAdmin‐2.6.0‐pl2/scripts/setup.php: 2 Time(s) /phpMyAdmin‐2.8.2/scripts/setup.php: 2 Time(s)
/phpMyAdmin‐2.6.0‐pl3/scripts/setup.php: 1 Time(s) /phpMyAdmin‐2/scripts/setup.php: 2 Time(s)
/phpMyAdmin‐2.6.0‐rc1/scripts/setup.php: 1 Time(s) /phpMyAdmin/scripts/setup.php: 3 Time(s)
/phpMyAdmin‐2.6.0‐rc2/scripts/setup.php: 2 Time(s) /phpadmin/scripts/setup.php: 2 Time(s)
/phpmanager/scripts/setup.php: 2 Time(s)

20. Use checklists

22. Hardening Apache

23. Restrict information leakage

24. Restrict information leakage
ServerTokens Prod
ServerSignature Off

25. Load only modules really needed

26. Load only modules really needed
#LoadModule ldap_module modules/mod_ldap.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
#LoadModule include_module modules/mod_include.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so

27. Start by restrictive rules

28. Start by restrictive rules
<Directory / >
Options None
AllowOverride None
Order allow,deny
</Directory>

29. Hardening PHP

30. Use Suhosin
(both patch and extension)

31. Disable url_fopen

32. Don’t expose PHP

33. Don’t expose PHP
expose_php = Off

34. Enable open_basedir

35. Do NOT display errors in any circumstances on production

36. Disable ‘dangerous’ functions

37. fpassthru
Disable ‘dangerous’ functions

38. crack_*
fpassthru
Disable ‘dangerous’ functions

39. crack_*
fpassthru psock-functions
Disable ‘dangerous’ functions

40. crack_*
fpassthru psock-functions
ini-functions
Disable ‘dangerous’ functions

41. crack_*
fpassthru psock-functions
ini-functions
Disable ‘dangerous’ functions
shell_exec, exec, passthru, system

42. crack_*
fpassthru psock-functions
ini-functions
Disable ‘dangerous’ functions
shell_exec, exec, passthru, system
chown,hell-exec,dl

43. crack_*
fpassthru psock-functions
ini-functions
Disable ‘dangerous’ functions
popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status,proc_close
shell_exec, exec, passthru, system
chown,hell-exec,dl

44. crack_*
fpassthru psock-functions
posix_*
ini-functions
Disable ‘dangerous’ functions
popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status,proc_close
shell_exec, exec, passthru, system
chown,hell-exec,dl

45. Hardening Drupal

46. Enable update module!

48. Make Drupal’s fingerprint less visible by removing files not needed

49. Make Drupal’s fingerprint less visible by removing files not needed
*.txt
install.php

50. Make Drupal’s fingerprint less visible by removing files not needed
*.txt CHANGELOG.txt will tell if you lack by updates
install.php

51. Allow web server user to write only sites/[default]/files

52. Allow web server user to write only sites/[default]/files
Disable PHP interpreter if you haven’t enable .htaccess (as reccomened for Apache hardening)

53. Allow web server user to write only sites/[default]/files
Disable PHP interpreter if you haven’t enable .htaccess (as reccomened for Apache hardening)
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks

54. Some security modules
Secure Pages
redirect important pages to SSL version
Security Review
one kind of checklist
Login Security or Flood Control
login attempt limiter
Password Policy
password constraints
Salt (for Drupal 6)
salt password hashes

55. Some paranoia is good when selecting modules.
Use only well known modules.

56. Some further reading
National Security Agency Hardening Guides
http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml
OWASP - Open Web Application Security Project
https://www.owasp.org/index.php/Main_Page
Drupal Security Advisories
http://drupal.org/security

57. Thank you
Tero Alén
tero.alen@zeeland.fi
twitter.com/teroalen