Hardening

Secure your system by reducing its surface of vulnerability

March 25th, 2019 / Faktor E Multimedia GmbH

What does system hardening mean?

What does it not mean?

Reduce the surface of vulnerability

What is the attack surface?

The system consists of many layers

Suggestions

Operating System

Webserver

DBMS

Database Management System

Compiler

Interpreter

Simplified: any kind of programming language

Every layer is vulnerable

So we potentially have to take care of them all

A system is only as safe as its weakest link

Operating System

Which services are running?

FTP?

It is 2019!

SSH

SSH key-based authentication only

No shared passwords


No PERF 😱

«Personalized» authentication using separate SSH keys per user

GIT

Mail server?

There are many more...

Let's go for a little digression

Puppet
Ansible

Hardening automation

Let's get back on track

Get rid of all services you do not need!

Not only disable these services...

...get rid of them!

secure code is no code

Managed servers offer only limited possibilities

Check the possibilities of your hosting plan

Do not forget your Docker containers...

There are many more...

Webserver

Apache
NGINX

Secure Sockets Layer

No virtual host without SSL encryption

A system is only as safe as its weakest link

Enforce SSL

HSTS (HTTP Strict Transport Security)

Keep your document root clean!

  • setup.txt
  • composer.json
  • typo3conf
  • dump.sql
  • composer.lock
  • .git
  • CHANGELOG
  • README.md
  • .gitignore
  • vendor

Do not just deny access using your webserver configuration

They do not belong to the document root at all.

Check which files you need on production at all

Composer

Write protect directories whenever possible

Access rights for users

CLI User

Apache-User

Loaded modules?

Unused virtual hosts?

DBMS

MySQL
MariaDB

Access rights for users

Different users for CLI and webserver

Compiler / Interpreter

Ruby on Rails

Loaded modules?

PHP configuration

  • register_globals
  • APCu module
  • MySQL drivers
  • eval
  • display_errors
  • upload_max_filesize
  • FTP module
  • max_execution_time
  • max_file_uploads

Disallow PHP execution on writable folders

Especially on directories containing user generated content
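
One way to find the folders this rule applies to, as an added example that is not part of the original slides: the script walks a document root and reports every directory the webserver account can write to, together with any PHP files already sitting there. The function names, the extension list and the example path and account name are assumptions; only classic Unix mode bits are evaluated, ACLs are ignored.

```python
import os
import stat

# Assumption: which extensions the webserver hands to PHP depends on its
# handler configuration; adjust this tuple to match yours.
PHP_EXTENSIONS = (".php", ".phtml", ".phar")


def can_write(st, uid, gids):
    """True if the classic mode bits let (uid, gids) write; ACLs are ignored."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_writable_dirs(docroot, web_uid, web_gids=frozenset()):
    """Return {relative_dir: [php files]} for every directory under docroot
    that the webserver account can write to."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(docroot):
        if not can_write(os.stat(dirpath), web_uid, web_gids):
            continue
        rel = os.path.relpath(dirpath, docroot)
        findings[rel] = sorted(
            f for f in filenames if f.lower().endswith(PHP_EXTENSIONS)
        )
    return findings


if __name__ == "__main__":
    import pwd
    import sys

    # Usage: audit.py /var/www/site/public www-data   (both values are examples)
    root, account = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(account)
    gids = set(os.getgrouplist(account, pw.pw_gid))
    for rel, php in sorted(audit_writable_dirs(root, pw.pw_uid, gids).items()):
        status = "PHP present: " + ", ".join(php) if php else "no PHP files"
        print(f"{rel}: writable by {account}; {status}")
```

Every directory in the output needs either write protection or a webserver rule that disables PHP execution for it; a writable directory that already contains PHP files deserves a closer look first.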

related stuff

Content Management System

Any other

TYPO3 Secure Installation

Get rid of all code you do not need!

secure code is no code

Unused extensions?

Not only disable these extensions...

...get rid of them!

secure code is no code

Get rid of the InstallTool on production

Use the TYPO3 console instead

DBMS again...

NO Adminer

NO PhpMyAdmin

Use Navicat

or MySQL Workbench

or HeidiSQL

Access rights for users

Write access only for UGC

Use the TYPO3 console to warm up caches

In a perfect world

The only remaining place to add exploit code is typo3temp/var/Cache/Code

There is one more thing

Fefe aka. Felix von Leitner

Antipatterns und Missverständnisse in der Software Entwicklung

Questions?