7. What is Security
• Protecting website data
• Protecting from unauthorized access
• Protecting from modification
• Protecting from destruction
• Maintaining access to the data
21. Other Attack Vectors
• General Vulnerabilities (a.k.a. What we’re not going to cover)
• Operating System
• Web Server
• PHP
• MySQL
• JavaScript (Theme, WYSIWYG, etc...)
• Authentication (Facebook, OpenID...)
22. Keep Up to Date
• How to stay informed (Drupal)
• Signup for emails from Security Team
• RSS Feed
• Twitter
• Update Status module - with email setting
32. Database Users
• Use different database users for each site you run
• Only give needed permissions on proper database
• Limit hosts a user can connect from ('username'@'localhost')
• Don’t use root!
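A per-site MySQL account set up along these lines, as an added example that is not from the slides; the site, database and host names are constructed, and the privilege list is the one Drupal's INSTALL.mysql.txt asks for:

```sql
-- Added example: one least-privilege MySQL account per Drupal site.
-- Names (site_a, site_a_db) and the password placeholder are constructed.

-- Each site gets its own database...
CREATE DATABASE site_a_db CHARACTER SET utf8;

-- ...and its own user, allowed to connect only from the web server itself
-- ('site_a'@'localhost'), never from any host ('site_a'@'%').
CREATE USER 'site_a'@'localhost' IDENTIFIED BY 'CHANGE-ME-long-random-password';

-- Grant only what Drupal needs, and only on this site's database
-- (site_a_db.*, not *.*): no GRANT OPTION, SUPER, FILE or PROCESS.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER,
      CREATE TEMPORARY TABLES, LOCK TABLES
  ON site_a_db.* TO 'site_a'@'localhost';

-- Check the result: the account should show exactly these privileges on
-- site_a_db and nothing global beyond USAGE.
SHOW GRANTS FOR 'site_a'@'localhost';

-- The site's settings.php then connects as site_a, never as root
-- (Drupal 6 form):
-- $db_url = 'mysqli://site_a:CHANGE-ME-long-random-password@localhost/site_a_db';
```

Repeat the CREATE USER / GRANT pair with a different name and database for every site on the server; a compromise of one site then cannot read or alter another site's tables.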
37. HTTPS
• Use HTTPS if at all possible
• Session hijacking
• Packet sniffing on open networks
• Secure Pages module
• OR .htaccess rule to redirect all traffic
# .htaccess: send every plain-HTTP request to its HTTPS equivalent
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R,L]
# and mark the session cookie Secure so it is never sent over plain HTTP
php_value session.cookie_secure 1
45. Secure Pages & Secure Pages Prevent Hijack
• http://drupal.org/project/securepages
• http://drupal.org/project/securepages_prevent_hijack (Drupal 6 only)
• Redirects selected pages to use SSL
• Protects a few common pages by default
• Drupal 6 needs session hijack prevention
46. Password Policy
• http://drupal.org/project/password_policy
• Allows site builders to define a password complexity level for users
• Also implements a password expiration feature
49. Paranoia
• http://drupal.org/project/paranoia
• Disables granting of the "use PHP for block visibility" permission
• Disables creation of input formats that use the PHP filter
• Disables editing the user #1 account
• Disables disabling itself
53. Input Formats/Filters
• Default Input filter = EVERYONE has access
• Better Formats module (Only needed for Drupal 6)
• Some type of filtered input should be default
56. Input Formats/Filters
• PHP Filter module (comes in core)
• Don’t use it!
• Some recommend removing the module from the code base
• If you do use it, make sure you know who has access
57. File Uploads
• Don’t allow unsafe uploads
• Both core file uploads and fields/cck files
61. Protect Drupal from Outside
• Use a firewall to deny access
• Deny access at the web server
<LocationMatch "/(user|login|admin)/">
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
#Example Network 1
Allow from 165.91.200.0/255.255.252.0
...
</LocationMatch>
65. Other Gotchas
• settings.php
• ONLY the web server needs read access to this file
• Should not be writable
• Leaving an SQL dump in a web-accessible folder
• Don’t e-mail passwords
• !password token