SlideShare ist ein Scribd-Unternehmen logo

Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)

‱
‱
C
cgmonroe

This is an updated version of this talk given at DrupalCamp Atlanta (DCA) This presentation is an overview / case study of things learned by experiencing GDPR Security audits, DoS attacks, brute force login attacks, annoying robot crawlers, and hackers doing security probes. The session will cover the following main topics with tips on how to protected against each of these. An overview of security threats Server Level Attacks Code Level Attacks User Access Attacks Internal Attacks Some suggestions on developing a security plan People attending should come away with useful knowledge (modules, best practices, sites that help, front end tools and the like) that will help secure their sites.

Technologie
1 von 30
Downloaden Sie, um offline zu lesen
Tips on Securing Drupal Sites Greg Monroe SolarWind MSP DrupalCamp Atlanta 2018 The information here is my own and not the views of my employer
DrupalCamp Atlanta 2018 Security
 the Final Frontier This is a semi-case study based on my experiences Not a Deep Dive Will be trying to walk the line between DevOps and Site Admin / Builders One size does not fit all. Pick the tips that can help you
DrupalCamp Atlanta 2018 Why you should care
DrupalCamp Atlanta 2018 Some Common Threat Vectors Server Attacks, e.g. DDoS, SSL attacks, nuisance probes Code Attacks, e.g. DrupalGeddon#, Contrib bugs, non-Drupal code, Server bugs User access attacks, e.g. Brute force, Social Eng., Phishing "Internal" attacks, e.g. Valid users, Shared Resource Attacks
DrupalCamp Atlanta 2018 Server “Attacks” DDOS attacks Nuisance probes and general 404 requests Various non-search engine crawl bots SSL Vunerabilities
DrupalCamp Atlanta 2018 Server Attack Tips Trip wires and Problem id tools Layered Defenses Use a CDN Varnish or Nginx proxy Htaccess rules Drupal Secure HTTP Headers Golden Rule: Keep attackers from using precious Drupal resources.
DrupalCamp Atlanta 2018 www.draw-shapes.de www.draw-shapes.de draw-shapes.de Internet SSL Traditional Enterprise FIrewall Varnish Web Server Drupal Cache Drupal Engine Internet draw-shapes.de Traditional Small Internet www.draw-shapes.de draw-shapes.de Hybrid CDN Cloudflare
DrupalCamp Atlanta 2018 Trip Wires and Problem ID Uptime Monitoring (Pingdom and the like/ use Post requests) Disclaimer Pingdom is owned by SolarWinds Disk Usage Monitoring (logs, site, and SQL database) CPU Monitoring 404 / 403 Errors Log Analysis Tools ( GoAccess.io ) Grep and Pipes, e.g. grep “14/Jul” access.log | grep -v <office ip> https://www.abuseipdb.com/
DrupalCamp Atlanta 2018 Cloudflare Layered Defense In Minutes Low cost / high value Free SSL CDN lite with world wide proxy servers. World class protection against common hacks DDoS built in Page rules Requires control of your domain Another layer of cache to clear Internet www.draw-shapes.de draw-shapes.de Cloudflare
DrupalCamp Atlanta 2018 Traditional Alternatives CDN like AWS Cloudfront or Verizon Edgecast Varnish or Nginx caching front end .htaccess rules Deny unwanted crawlers Block DdoS or nuisance URL requests Drupal Configure cache properly Use Fast 404
DrupalCamp Atlanta 2018 DDoS Response Example :00 Notification from monitoring site was down :10 Checks showed 100% CPU & lots of incoming requests :12 Verified request spike by showing request/ min with: cat access.log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":"$3}' | sort -nk1 - nk2 | uniq -c | awk '{ if ($1 > 10) print $0}' Requests Time 26 05:08 14 05:09 11 05:10 399 05:11 162 05:12 160 05:13 146 05:14 177 05:15 178 05:16
DrupalCamp Atlanta 2018 DDoS Response Example :20 Turned on CF “Under Attack” mode :25 Requests back to < 50 per min :30 Examined peak request time with: cat access.log | grep "2018:05:11" | cut -d' ' -f1 | sort | uniq -c | sort :60 Bad IPs segmented / CF returned to normal. Requests IP 10 42.120.X.X 10 42.120.X.X 1 103.22.X.X. 11 42.120.X.X 11 42.120.X.X 11 42.120.X.X 1 207.46.X.X 1 23.111.X.X 12 42.120.X.X 12 42.120.X.X 38 Ips from 42.120.x.x
DrupalCamp Atlanta 2018 Some Sample .htaccess rules # Stop some bad web crawlers RewriteCond %{HTTP_USER_AGENT} AhrefsBot [NC,OR] RewriteCond %{HTTP_USER_AGENT} spbot [NC,OR] RewriteCond %{HTTP_USER_AGENT} DigExt [NC,OR] RewriteCond %{HTTP_USER_AGENT} Sogou [NC,OR] RewriteCond %{HTTP_USER_AGENT} MJ12 [NC,OR] RewriteCond %{HTTP_USER_AGENT} majestic12 [NC,OR] RewriteCond %{HTTP_USER_AGENT} 80legs [NC,OR] RewriteCond %{HTTP_USER_AGENT} SISTRIX [NC,OR] RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR] RewriteCond %{HTTP_USER_AGENT} Semrush [NC,OR] RewriteCond %{HTTP_USER_AGENT} Ezooms [NC,OR] RewriteCond %{HTTP_USER_AGENT} CCBot [NC,OR] RewriteCond %{HTTP_USER_AGENT} Ahrefs [NC] RewriteRule !^robots.txt$ - [F,L] # Stop problem URLs from flooding Drupal Log. RewriteRule ^/?autodiscover/autodiscover.xml$ - [R=404,L,NC] RewriteRule ^/?wp-login.php - [R=404,L,NC] RewriteCond %{REQUEST_METHOD} POST RewriteRule (^|/)events/ - [F,L] # Deny post to site index. RewriteCond %{REQUEST_METHOD} POST RewriteCond %{REQUEST_URI} ^/$ RewriteRule ^ - [F,L] draw-shapes.de https://www.neting.it/multiple-urls-htaccess-redirect-checker.php
DrupalCamp Atlanta 2018 SSL Tools Test your SSL Strength https://www.ssllabs.com/ssltest/ Free SSL Certificates https://letsencrypt.org/ SSL Server Config https://mozilla.github.io/server-side- tls/ssl-config-generator/?hsts=no
DrupalCamp Atlanta 2018 Secure HTTP Headers Do Your Research on These Security Kit Module (seckit) Content-Security-Policy https://wiki.mozilla.org/Security/CSP X-XSS-Protection X-Content-Type-Options X-Frame-Options Strict-Transport-Security Referrer-Policy https://securityheaders.com/
DrupalCamp Atlanta 2018 Code Attack Tips Main Points Get Security updates and determine if they are Critical or not. Commit to Updating Critical Releases the same day they are released and non-Critical within a few days. Schedule reviews of the Update Report and related release notes. Update modules regularly. Keep the rest of the ‘stack’ updated
DrupalCamp Atlanta 2018 Code Attack Tips Drupal Core Keep your code updated Subscribe to Drupal Security Alerts Subscribe to the RSS Feed @ https://www.drupal.org/project/webmas ters/issues/2965777 Follow Tweets by @drupalsecurity handle all security announcements are posted to an email list. To subscribe to email: log in, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab. Contrib Modules Use the core Update Reports module Read the release note / test before going to production Follow issues of any patches you use Check the status of any Dev releases you use If you use modules not covered by the security team, look closely at what they do.
DrupalCamp Atlanta 2018 Code Attack Tips Use Drupal APIs, e.g. render arrays and twig. Sanitize Output Secure Database Queries Have Permissions on Admin routes Check Permissions when displaying content Schedule peer security/code reviews https://www.drupal.org/docs/8/security Custom Modules
DrupalCamp Atlanta 2018 Code Attack Tips (cont.) Server Software Keep the OS and tools up to date Keep PhP up to date Keep Apache (or Nginx) up to date Keep your SQL software up to date If you control it, keep it updated. If you don’t make sure the people who do also keep it updated.
DrupalCamp Atlanta 2018 User Attack Tips Main Points Use Two Factor Authentication Everywhere You Can Protect Your Site Login Capability Implement Good User Management Practices Enforce Strong Password Practices
DrupalCamp Atlanta 2018 User Attack Tips TFA Quick Install Install and enable the modules: real_aes, key, encrypt, ga_login & tfa Create a random key in a file outside your web root with: dd if=/dev/urandom bs=32 count=1 | base64 -i - > path/to/my/encrypt.key Visit the Keys module's configuration page and "Add Key" Name your Key Key type: "Encryption" Provider: "File" File location: `path/to/my/encrypt.key` as generated above.
DrupalCamp Atlanta 2018 User Attack Tips TFA(cont.) Visit the Encrypt module's configuration page and "Add Encryption Profile" Label your Encryption Profile Encryption method: "Authenticated AES (Real AES)" Encryption Key: Select the Key you created in the previous step. Visit the TFA module's configuration page. Enable TFA Select your desired Validation Plugin(s). Encryption Profile: Select the Encryption Profile you created in the previous step. Adjust other settings as desired. Grant "Set up TFA for account" to "Authenticated user" Consider granting "Require TFA process" for some roles
DrupalCamp Atlanta 2018 User Attack Tips TFA(cont.) User Setup Need either Google Authenticator or Authy Login to the site Go to your user profile Select the Security Tab Follow the instructions there
DrupalCamp Atlanta 2018 User Attack Tips Protected Logins Server Firewall Host Name IP .htaccess ModuleLogin Login
DrupalCamp Atlanta 2018 User Attack Tips Protected Logins Set up an 'edit' host name that with the same IP as your site, e.g. secret.example.com => www.example.com. Allow this host name access to the site (settings.php trusted host patterns) Modify the .htaccess rules to only allow access to /user, /admin, /devel, and node/*/* URLs from the edit host Require login to edit site using require_login and require_login_by_site See http://drupal.org/project/require_login_by_site for details
DrupalCamp Atlanta 2018 User Attack Tips Login Management GUARDR Distro (www.drupal.org/project/guardr) Monitor Login Access (login_report) Block account after 5 invalid attempts ( login_security ) Login Screen should have an authorized only notice (modal block) Limit number of concurrent sessions ( session_limit ) Automatically log users out after a period of inactivity (autologout)
DrupalCamp Atlanta 2018 User Attack Tips Strong Passwords Define strong Rules and enforce them with the password_policy module (use Dev version) Passwords must be at least 8 characters in length. Passwords must contain characters from three of the following four categories: English uppercase characters (A through Z). English lowercase characters (a through z). Base 10 digits (0 through 9). Non-alphabetic characters (for example, !, $, #, %). Password history: users should not be able to re-use the last five (5) passwords Password age: Passwords must be changed every 90 days.
DrupalCamp Atlanta 2018 Internal Attacks Limit Permissions Peer Review Disable users who have not accessed site for 30 days (user_expire) Don’t use shared accounts Protect your data, limit access to any bulk download tools. Monitor logs for unusual activity
DrupalCamp Atlanta 2018 Security Plans Overview This is not a set it up and forget it process... security takes vigilance. Basic Rules Define area’s of responsibility Define who is responsible for these Define an audit plan for the area Define response plans for the areas Where needed, defined who audits that the area’s plan is being done
DrupalCamp Atlanta 2018 Questions? ? And Thank You Google: Slideshare CGMonroe DCA Security Drupal.org/u/cgmonroe

Empfohlen

Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding Practices
OWASPKerala
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
Siddharth Bezalwar
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
Jim Manico
 
XP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsXP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applications
Vlad Fedosov
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2
Jim Manico
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
Jim Manico
 
Hardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoiaHardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoia
zznate
 
Secure code
Secure codeSecure code
Secure code
ddeogun
 

Empfohlen

Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding Practices
OWASPKerala
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
Siddharth Bezalwar
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
Jim Manico
 
XP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsXP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applications
Vlad Fedosov
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2
Jim Manico
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
Jim Manico
 
Hardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoiaHardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoia
zznate
 
Secure code
Secure codeSecure code
Secure code
ddeogun
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecture
Prabath Siriwardena
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Websecurify
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
Brad Hill
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
Jim Manico
 
powershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonpowershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-london
nettitude_labs
 
Hardening cassandra q2_2016
Hardening cassandra q2_2016Hardening cassandra q2_2016
Hardening cassandra q2_2016
zznate
 
Build A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIBuild A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON API
Stormpath
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
Mateusz Olejarka
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Html5 hacking
Html5 hackingHtml5 hacking
Html5 hacking
Iftach Ian Amit
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
testuser1223
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
Jim Manico
 
DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)
Soham Kansodaria
 
Persistant Cookies and LDAP Injection
Persistant Cookies and LDAP InjectionPersistant Cookies and LDAP Injection
Persistant Cookies and LDAP Injection
MaulikLakhani
 
Secure java script-for-developers
Secure java script-for-developersSecure java script-for-developers
Secure java script-for-developers
n|u - The Open Security Community
 
Dzhengis 93098 ajax - security
Dzhengis 93098 ajax - securityDzhengis 93098 ajax - security
Dzhengis 93098 ajax - security
dzhengo44
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
GarethHeyes
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
Katy Anton
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit Giri
OWASP Delhi
 
Tips on Securing Drupal Sites
Tips on Securing Drupal SitesTips on Securing Drupal Sites
Tips on Securing Drupal Sites
cgmonroe
 
Running Serverless at The Edge (CTD302) - AWS re:Invent 2018
Running Serverless at The Edge (CTD302) - AWS re:Invent 2018Running Serverless at The Edge (CTD302) - AWS re:Invent 2018
Running Serverless at The Edge (CTD302) - AWS re:Invent 2018
Amazon Web Services
 

Weitere Àhnliche Inhalte

Was ist angesagt?

Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Websecurify
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
Jim Manico
 
Build A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIBuild A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON API
Stormpath
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
Jim Manico
 

Was ist angesagt? (20)

Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecture
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best PracticesSecure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best Practices
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
powershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonpowershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-london
 
Hardening cassandra q2_2016
Hardening cassandra q2_2016Hardening cassandra q2_2016
Hardening cassandra q2_2016
 
Build A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIBuild A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON API
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Html5 hacking
Html5 hackingHtml5 hacking
Html5 hacking
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)
 
Persistant Cookies and LDAP Injection
Persistant Cookies and LDAP InjectionPersistant Cookies and LDAP Injection
Persistant Cookies and LDAP Injection
 
Secure java script-for-developers
Secure java script-for-developersSecure java script-for-developers
Secure java script-for-developers
 
Dzhengis 93098 ajax - security
Dzhengis 93098 ajax - securityDzhengis 93098 ajax - security
Dzhengis 93098 ajax - security
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit Giri
 

Ähnlich wie Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)

Running Serverless at The Edge (CTD302) - AWS re:Invent 2018
Running Serverless at The Edge (CTD302) - AWS re:Invent 2018Running Serverless at The Edge (CTD302) - AWS re:Invent 2018
Running Serverless at The Edge (CTD302) - AWS re:Invent 2018
Amazon Web Services
 
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
Amazon Web Services
 
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
Amazon Web Services
 
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
Andrey Devyatkin
 

Ähnlich wie Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA) (20)

Tips on Securing Drupal Sites
Tips on Securing Drupal SitesTips on Securing Drupal Sites
Tips on Securing Drupal Sites
 
Running Serverless at The Edge (CTD302) - AWS re:Invent 2018
Running Serverless at The Edge (CTD302) - AWS re:Invent 2018Running Serverless at The Edge (CTD302) - AWS re:Invent 2018
Running Serverless at The Edge (CTD302) - AWS re:Invent 2018
 
Drupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaDrupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp Bratislava
 
Scout xss csrf_security_presentation_chicago
Scout xss csrf_security_presentation_chicagoScout xss csrf_security_presentation_chicago
Scout xss csrf_security_presentation_chicago
 
Drupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentDrupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal Development
 
Performance Tune Up for Web Developers
Performance Tune Up for Web DevelopersPerformance Tune Up for Web Developers
Performance Tune Up for Web Developers
 
Instrumenting plugins for Performance Schema
Instrumenting plugins for Performance SchemaInstrumenting plugins for Performance Schema
Instrumenting plugins for Performance Schema
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security Hardening
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security Hardening
 
Developing Drizzle Replication Plugins
Developing Drizzle Replication PluginsDeveloping Drizzle Replication Plugins
Developing Drizzle Replication Plugins
 
Mini Curso Django Ii Congresso Academico Ces
Mini Curso Django Ii Congresso Academico CesMini Curso Django Ii Congresso Academico Ces
Mini Curso Django Ii Congresso Academico Ces
 
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
 
21 05-2018
21 05-201821 05-2018
21 05-2018
 
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
 
Rails Security
Rails SecurityRails Security
Rails Security
 
Looking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyLooking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad Savitsky
 
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
 
Doing Drupal security right
Doing Drupal security rightDoing Drupal security right
Doing Drupal security right
 
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
 
CloudWatch hidden features for debugging serverless application
CloudWatch hidden features for debugging serverless applicationCloudWatch hidden features for debugging serverless application
CloudWatch hidden features for debugging serverless application
 

Mehr von cgmonroe

Structured SEO Data Overview and How To
Structured SEO Data Overview and How ToStructured SEO Data Overview and How To
Structured SEO Data Overview and How To
cgmonroe
 
Structured SEO Data: An overview and how to for Drupal
Structured SEO Data: An overview and how to for DrupalStructured SEO Data: An overview and how to for Drupal
Structured SEO Data: An overview and how to for Drupal
cgmonroe
 

Mehr von cgmonroe (12)

Structured SEO Data Overview and How To
Structured SEO Data Overview and How ToStructured SEO Data Overview and How To
Structured SEO Data Overview and How To
 
Structured SEO Data: An overview and how to for Drupal
Structured SEO Data: An overview and how to for DrupalStructured SEO Data: An overview and how to for Drupal
Structured SEO Data: An overview and how to for Drupal
 
Becoming "Facet"-nated with Search API
Becoming "Facet"-nated with Search APIBecoming "Facet"-nated with Search API
Becoming "Facet"-nated with Search API
 
Intro to drupal module internals asheville
Intro to drupal module internals ashevilleIntro to drupal module internals asheville
Intro to drupal module internals asheville
 
Using Content Delivery Networks with Drupal
Using Content Delivery Networks with DrupalUsing Content Delivery Networks with Drupal
Using Content Delivery Networks with Drupal
 
Solr facets and custom indices
Solr facets and custom indicesSolr facets and custom indices
Solr facets and custom indices
 
HTML Purifier, WYSIWYG, and TinyMCE
HTML Purifier, WYSIWYG, and TinyMCEHTML Purifier, WYSIWYG, and TinyMCE
HTML Purifier, WYSIWYG, and TinyMCE
 
Using the Features API
Using the Features APIUsing the Features API
Using the Features API
 
The Drupal Strongarm Module - Tips and Tricks.
The Drupal Strongarm Module - Tips and Tricks.The Drupal Strongarm Module - Tips and Tricks.
The Drupal Strongarm Module - Tips and Tricks.
 
Intro to CSS Selectors in Drupal
Intro to CSS Selectors in DrupalIntro to CSS Selectors in Drupal
Intro to CSS Selectors in Drupal
 
Drupal Workflow Concepts
Drupal Workflow ConceptsDrupal Workflow Concepts
Drupal Workflow Concepts
 
TriDUG WebFM Presentation
TriDUG WebFM PresentationTriDUG WebFM Presentation
TriDUG WebFM Presentation
 

KĂŒrzlich hochgeladen

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel AraĂșjo
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 

KĂŒrzlich hochgeladen (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)

  • 1. Tips on Securing Drupal Sites Greg Monroe SolarWind MSP DrupalCamp Atlanta 2018 The information here is my own and not the views of my employer
  • 2. DrupalCamp Atlanta 2018 Security
 the Final Frontier This is a semi-case study based on my experiences Not a Deep Dive Will be trying to walk the line between DevOps and Site Admin / Builders One size does not fit all. Pick the tips that can help you
  • 3. DrupalCamp Atlanta 2018 Why you should care
  • 4. DrupalCamp Atlanta 2018 Some Common Threat Vectors Server Attacks, e.g. DDoS, SSL attacks, nuisance probes Code Attacks, e.g. DrupalGeddon#, Contrib bugs, non-Drupal code, Server bugs User access attacks, e.g. Brute force, Social Eng., Phishing "Internal" attacks, e.g. Valid users, Shared Resource Attacks
  • 5. DrupalCamp Atlanta 2018 Server “Attacks” DDOS attacks Nuisance probes and general 404 requests Various non-search engine crawl bots SSL Vunerabilities
  • 6. DrupalCamp Atlanta 2018 Server Attack Tips Trip wires and Problem id tools Layered Defenses Use a CDN Varnish or Nginx proxy Htaccess rules Drupal Secure HTTP Headers Golden Rule: Keep attackers from using precious Drupal resources.
  • 7. DrupalCamp Atlanta 2018 www.draw-shapes.de www.draw-shapes.de draw-shapes.de Internet SSL Traditional Enterprise FIrewall Varnish Web Server Drupal Cache Drupal Engine Internet draw-shapes.de Traditional Small Internet www.draw-shapes.de draw-shapes.de Hybrid CDN Cloudflare
  • 8. DrupalCamp Atlanta 2018 Trip Wires and Problem ID Uptime Monitoring (Pingdom and the like/ use Post requests) Disclaimer Pingdom is owned by SolarWinds Disk Usage Monitoring (logs, site, and SQL database) CPU Monitoring 404 / 403 Errors Log Analysis Tools ( GoAccess.io ) Grep and Pipes, e.g. grep “14/Jul” access.log | grep -v <office ip> https://www.abuseipdb.com/
  • 9. DrupalCamp Atlanta 2018 Cloudflare Layered Defense In Minutes Low cost / high value Free SSL CDN lite with world wide proxy servers. World class protection against common hacks DDoS built in Page rules Requires control of your domain Another layer of cache to clear Internet www.draw-shapes.de draw-shapes.de Cloudflare
  • 10. DrupalCamp Atlanta 2018 Traditional Alternatives CDN like AWS Cloudfront or Verizon Edgecast Varnish or Nginx caching front end .htaccess rules Deny unwanted crawlers Block DdoS or nuisance URL requests Drupal Configure cache properly Use Fast 404
  • 11. DrupalCamp Atlanta 2018 DDoS Response Example :00 Notification from monitoring site was down :10 Checks showed 100% CPU & lots of incoming requests :12 Verified request spike by showing request/ min with: cat access.log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":"$3}' | sort -nk1 - nk2 | uniq -c | awk '{ if ($1 > 10) print $0}' Requests Time 26 05:08 14 05:09 11 05:10 399 05:11 162 05:12 160 05:13 146 05:14 177 05:15 178 05:16
  • 12. DrupalCamp Atlanta 2018 DDoS Response Example :20 Turned on CF “Under Attack” mode :25 Requests back to < 50 per min :30 Examined peak request time with: cat access.log | grep "2018:05:11" | cut -d' ' -f1 | sort | uniq -c | sort :60 Bad IPs segmented / CF returned to normal. Requests IP 10 42.120.X.X 10 42.120.X.X 1 103.22.X.X. 11 42.120.X.X 11 42.120.X.X 11 42.120.X.X 1 207.46.X.X 1 23.111.X.X 12 42.120.X.X 12 42.120.X.X 38 Ips from 42.120.x.x
  • 13. DrupalCamp Atlanta 2018 Some Sample .htaccess rules # Stop some bad web crawlers RewriteCond %{HTTP_USER_AGENT} AhrefsBot [NC,OR] RewriteCond %{HTTP_USER_AGENT} spbot [NC,OR] RewriteCond %{HTTP_USER_AGENT} DigExt [NC,OR] RewriteCond %{HTTP_USER_AGENT} Sogou [NC,OR] RewriteCond %{HTTP_USER_AGENT} MJ12 [NC,OR] RewriteCond %{HTTP_USER_AGENT} majestic12 [NC,OR] RewriteCond %{HTTP_USER_AGENT} 80legs [NC,OR] RewriteCond %{HTTP_USER_AGENT} SISTRIX [NC,OR] RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR] RewriteCond %{HTTP_USER_AGENT} Semrush [NC,OR] RewriteCond %{HTTP_USER_AGENT} Ezooms [NC,OR] RewriteCond %{HTTP_USER_AGENT} CCBot [NC,OR] RewriteCond %{HTTP_USER_AGENT} Ahrefs [NC] RewriteRule !^robots.txt$ - [F,L] # Stop problem URLs from flooding Drupal Log. RewriteRule ^/?autodiscover/autodiscover.xml$ - [R=404,L,NC] RewriteRule ^/?wp-login.php - [R=404,L,NC] RewriteCond %{REQUEST_METHOD} POST RewriteRule (^|/)events/ - [F,L] # Deny post to site index. RewriteCond %{REQUEST_METHOD} POST RewriteCond %{REQUEST_URI} ^/$ RewriteRule ^ - [F,L] draw-shapes.de https://www.neting.it/multiple-urls-htaccess-redirect-checker.php
  • 14. DrupalCamp Atlanta 2018 SSL Tools Test your SSL Strength https://www.ssllabs.com/ssltest/ Free SSL Certificates https://letsencrypt.org/ SSL Server Config https://mozilla.github.io/server-side- tls/ssl-config-generator/?hsts=no
  • 15. DrupalCamp Atlanta 2018 Secure HTTP Headers Do Your Research on These Security Kit Module (seckit) Content-Security-Policy https://wiki.mozilla.org/Security/CSP X-XSS-Protection X-Content-Type-Options X-Frame-Options Strict-Transport-Security Referrer-Policy https://securityheaders.com/
  • 16. DrupalCamp Atlanta 2018 Code Attack Tips Main Points Get Security updates and determine if they are Critical or not. Commit to Updating Critical Releases the same day they are released and non-Critical within a few days. Schedule reviews of the Update Report and related release notes. Update modules regularly. Keep the rest of the ‘stack’ updated
  • 17. DrupalCamp Atlanta 2018 Code Attack Tips Drupal Core Keep your code updated Subscribe to Drupal Security Alerts Subscribe to the RSS Feed @ https://www.drupal.org/project/webmas ters/issues/2965777 Follow Tweets by @drupalsecurity handle all security announcements are posted to an email list. To subscribe to email: log in, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab. Contrib Modules Use the core Update Reports module Read the release note / test before going to production Follow issues of any patches you use Check the status of any Dev releases you use If you use modules not covered by the security team, look closely at what they do.
  • 18. DrupalCamp Atlanta 2018 Code Attack Tips Use Drupal APIs, e.g. render arrays and twig. Sanitize Output Secure Database Queries Have Permissions on Admin routes Check Permissions when displaying content Schedule peer security/code reviews https://www.drupal.org/docs/8/security Custom Modules
  • 19. DrupalCamp Atlanta 2018 Code Attack Tips (cont.) Server Software Keep the OS and tools up to date Keep PhP up to date Keep Apache (or Nginx) up to date Keep your SQL software up to date If you control it, keep it updated. If you don’t make sure the people who do also keep it updated.
  • 20. DrupalCamp Atlanta 2018 User Attack Tips Main Points Use Two Factor Authentication Everywhere You Can Protect Your Site Login Capability Implement Good User Management Practices Enforce Strong Password Practices
  • 21. DrupalCamp Atlanta 2018 User Attack Tips TFA Quick Install Install and enable the modules: real_aes, key, encrypt, ga_login & tfa Create a random key in a file outside your web root with: dd if=/dev/urandom bs=32 count=1 | base64 -i - > path/to/my/encrypt.key Visit the Keys module's configuration page and "Add Key" Name your Key Key type: "Encryption" Provider: "File" File location: `path/to/my/encrypt.key` as generated above.
  • 22. DrupalCamp Atlanta 2018 User Attack Tips TFA(cont.) Visit the Encrypt module's configuration page and "Add Encryption Profile" Label your Encryption Profile Encryption method: "Authenticated AES (Real AES)" Encryption Key: Select the Key you created in the previous step. Visit the TFA module's configuration page. Enable TFA Select your desired Validation Plugin(s). Encryption Profile: Select the Encryption Profile you created in the previous step. Adjust other settings as desired. Grant "Set up TFA for account" to "Authenticated user" Consider granting "Require TFA process" for some roles
  • 23. DrupalCamp Atlanta 2018 User Attack Tips TFA(cont.) User Setup Need either Google Authenticator or Authy Login to the site Go to your user profile Select the Security Tab Follow the instructions there
  • 24. DrupalCamp Atlanta 2018 User Attack Tips Protected Logins Server Firewall Host Name IP .htaccess ModuleLogin Login
  • 25. DrupalCamp Atlanta 2018 User Attack Tips Protected Logins Set up an 'edit' host name that with the same IP as your site, e.g. secret.example.com => www.example.com. Allow this host name access to the site (settings.php trusted host patterns) Modify the .htaccess rules to only allow access to /user, /admin, /devel, and node/*/* URLs from the edit host Require login to edit site using require_login and require_login_by_site See http://drupal.org/project/require_login_by_site for details
  • 26. DrupalCamp Atlanta 2018 User Attack Tips Login Management GUARDR Distro (www.drupal.org/project/guardr) Monitor Login Access (login_report) Block account after 5 invalid attempts ( login_security ) Login Screen should have an authorized only notice (modal block) Limit number of concurrent sessions ( session_limit ) Automatically log users out after a period of inactivity (autologout)
  • 27. DrupalCamp Atlanta 2018 User Attack Tips Strong Passwords Define strong Rules and enforce them with the password_policy module (use Dev version) Passwords must be at least 8 characters in length. Passwords must contain characters from three of the following four categories: English uppercase characters (A through Z). English lowercase characters (a through z). Base 10 digits (0 through 9). Non-alphabetic characters (for example, !, $, #, %). Password history: users should not be able to re-use the last five (5) passwords Password age: Passwords must be changed every 90 days.
  • 28. DrupalCamp Atlanta 2018 Internal Attacks Limit Permissions Peer Review Disable users who have not accessed site for 30 days (user_expire) Don’t use shared accounts Protect your data, limit access to any bulk download tools. Monitor logs for unusual activity
  • 29. DrupalCamp Atlanta 2018 Security Plans Overview This is not a set it up and forget it process... security takes vigilance. Basic Rules Define area’s of responsibility Define who is responsible for these Define an audit plan for the area Define response plans for the areas Where needed, defined who audits that the area’s plan is being done
  • 30. DrupalCamp Atlanta 2018 Questions? ? And Thank You Google: Slideshare CGMonroe DCA Security Drupal.org/u/cgmonroe