2. Backgrounds
CTO at Zeeland Group, which is the 5th biggest marketing company in Finland
Focus on Symfony and Drupal
Zeeland Group has a team of 10 developers with backgrounds in IT
Used Drupal from version 4
3. Agenda
Why should I care?
Know your enemies
Principles of security
Hardening your server
Hardening your Drupal
4. Why should I care
“We don’t process money, so we are not an interesting target for crackers”
Some possible uses for random websites
Defacing
Spreading malware to your visitors
Using your box for spam delivery
11. How do they do it?
Common vulnerabilities: XSS, SQL injection, remote file inclusion, etc.
See more from OWASP - Open Web Application Security Project
Inject (malware) code into the page via XSS or SQL injection
Upload a PHP shell via remote file inclusion or an insecure file upload
Upload a spam script via remote file inclusion or an insecure file upload
Lots of other ways which are hard to even imagine
16. Run only services which you really need
Enable only the modules/extensions you need (in Apache, PHP and Drupal)
Keep it simple
Every new application in the stack is a new possibility for exploitation
52. Allow the web server user to write only to sites/[default]/files
Disable the PHP interpreter there if you haven’t enabled .htaccess (as recommended for Apache hardening)
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks
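The two rules above (web server writes only under sites/default/files, no PHP execution from there) as a checkable shell script. This is an added example, not from the slides or from Drupal itself; it assumes the deploy user owns the docroot and runs it, that the web server runs as a different user which only gets group/other permissions, and that the files directory is already group-owned by the web server's group (set by the admin with chgrp), so group-write is all uploads need.

```shell
#!/bin/sh
# Added example (assumptions in the lead-in): audit and fix a Drupal docroot so the
# web server can write only under sites/default/files and PHP never runs from there.

# The .htaccess Drupal ships for the files directory (SA-2006-006), restored if lost.
FILES_HTACCESS='SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks'

# audit_drupal_docroot DOCROOT: print one line per finding (prints nothing when clean).
audit_drupal_docroot() {
    docroot=${1%/}; files_dir=$docroot/sites/default/files
    # 1. anything outside the files directory that group/other could write to
    find "$docroot" -path "$files_dir" -prune -o -perm -022 -print \
        | sed 's/^/writable by web server outside files dir: /'
    # 2. PHP inside the upload directory: harmless only while the .htaccess holds
    find "$files_dir" -type f -name '*.php*' | sed 's/^/php file in files dir: /'
    # 3. the interpreter-disabling .htaccess is missing or has lost its handler line
    grep -qs '^SetHandler Drupal_Security' "$files_dir/.htaccess" \
        || echo "SetHandler missing in $files_dir/.htaccess"
}

# harden_drupal_docroot DOCROOT: apply the layout the audit expects. Deletes nothing.
harden_drupal_docroot() {
    docroot=${1%/}; files_dir=$docroot/sites/default/files
    mkdir -p "$files_dir"
    # code tree: owner may write, web server (group/other) may only read
    find "$docroot" -path "$files_dir" -prune -o -type d -exec chmod 755 {} +
    find "$docroot" -path "$files_dir" -prune -o -type f -exec chmod 644 {} +
    # upload tree: the web server's group may write; setgid keeps new files in that group
    find "$files_dir" -type d -exec chmod 2775 {} +
    find "$files_dir" -type f -exec chmod 664 {} +
    # hand uploads to a dummy handler so Apache never passes them to the PHP engine
    grep -qs '^SetHandler Drupal_Security' "$files_dir/.htaccess" \
        || printf '%s\n' "$FILES_HTACCESS" > "$files_dir/.htaccess"
    chmod 644 "$files_dir/.htaccess"
}

# usage: sh harden.sh /var/www/drupal
if [ $# -eq 1 ]; then
    harden_drupal_docroot "$1"
    audit_drupal_docroot "$1"
fi
```

Run the audit alone from cron to catch drift (a deploy that left files world-writable, or a PHP file that appeared under files/); the hardening step fixes permissions and the .htaccess but deliberately leaves stray files for you to inspect.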
54. Some security modules
Secure Pages
redirects important pages to their SSL version
Security Review
a kind of security checklist
Login Security or Flood Control
limit login attempts
Password Policy
enforces password constraints
Salt (for Drupal 6)
salts password hashes
55. Some paranoia is good when selecting modules.
Use only well known modules.
56. Some further reading
National Security Agency Hardening Guides
http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml
OWASP - Open Web Application Security Project
https://www.owasp.org/index.php/Main_Page
Drupal Security Advisories
http://drupal.org/security
57. Thank you
Tero Alén
tero.alen@zeeland.fi
twitter.com/teroalen