Web applications continue to be an easy target for many attackers. There's generally a large attack surface, many best practices are often forgotten, and a single coding flaw can lead to a full compromise of the database or arbitrary code execution. Still, a quality Content Management System (CMS) can provide for a very functional web deployment and is hard to pass up for many organizations.

Here are some thoughts and tips for helping to add overall improvements to the deployment stack of a Drupal 7 site. While some of these items may not fit your deployment needs, you should still be able to find equivalent technologies to do similar hardening. As a further caveat, additional areas of hardening have been excluded, since this list could go on for a few blog posts if we tried to fit in everything.

Drupal
- Patch all modules as soon as updates are available, preferably after you've tested them on a development site.
- Install and configure the Security Kit module to provide additional protections against XSS, CSRF and clickjacking, and to add HSTS for SSL.
- Utilize the Tiny-IDS module to view attacks against your site. Add IP addresses attacking your deployment to a firewall or block via .htaccess.
- Investigate findings of the Security Review module to see any misconfiguration that may lead to potential issues.
- Integrate Duo Security's module to provide for two-factor authentication, preventing simple brute-force attacks against weak passwords.
- If you don't utilize two-factor (or even if you do), please enforce strong passphrases to ensure that you're not compromised easily.
MySQL
- Limit exposure of your database service to only the loop-back interface (lo0) or, better yet, only to a socket (skip-networking in my.cnf).
- Use a separate user for Drupal, different from your 'root' MySQL account. Do not give more privileges than are required to run your site.
- If you're very concerned about SQL Injection attacks, you have the option to deploy an SQL security proxy such as GreenSQL.
CentOS
- Ensure a fully patched, current-branch of your Operating System deployment.
- Leave SELinux enabled and fix any incompatibilities that you run across (sealert -a /var/log/audit/audit.log).
- Similar to Drupal, utilize Duo Security for two-factor authentication for SSH.
- Limit SSH access to internal networks or via VPN — don't needlessly expose it to the Internet.
- Utilize IPTables to firewall all ingress and egress traffic not explicitly needed to run your web site properly.
Apache
- Disable all modules not required to run the site properly.
- Set ServerTokens to Prod to reduce the amount of information the server discloses about itself.
- Utilize SSL for any pages with sensitive form data (such as logins) and ensure proper configuration with SSL Server Test.
- Ensure detailed logging exists for all traffic, whether successful or resulting in an error.
- Limit visibility to sensitive pages or forms using .htaccess directives with authentication or IP requirements.
PHP
- Keep your system's version of PHP fully patched.
- Disable all modules not required to run the site properly.
- Set expose_php to off to hide the specific version information of PHP running.
- Set display_errors and display_startup_errors to off in order to prevent showing debugging information to end-users.
- Enable session.cookie_secure with a setting of 1 if your server will be handling user sessions via SSL (which it should).
- Set session.cookie_httponly to 1 to help prevent XSS attacks from stealing user sessions.
- Configure session.hash_function to 1 for usage of SHA-1 instead of MD5 for session ID generation.
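The PHP settings above are easy to drift from across upgrades, so here is a small audit script, added as an example and not part of the original post, that compares a php.ini against the recommended values. The helper names (audit_php_ini, ini_value, normalise) and the sample php.ini are constructed for this example; a directive that is absent is reported too, because PHP's compiled-in defaults for expose_php and display_errors are the insecure ones.

```shell
#!/bin/sh
# Audit a php.ini against the hardening values recommended above (added example).

# Constructed sample php.ini: three directives wrong, one missing.
SAMPLE_INI="$(mktemp)"
cat > "$SAMPLE_INI" <<'EOF'
; constructed sample php.ini
expose_php = On
display_errors = Off
display_startup_errors = On
session.cookie_secure = 0
session.cookie_httponly = 1
EOF

# Recommended values, one "directive=value" per line.
EXPECTED="expose_php=off
display_errors=off
display_startup_errors=off
session.cookie_secure=1
session.cookie_httponly=1
session.hash_function=1"

# Map PHP's boolean spellings to 0/1 so "On", "true" and "1" compare equal.
normalise() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        on|1|true|yes) echo 1 ;;
        off|0|false|no|none) echo 0 ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Last uncommented assignment of a directive ($2) in file $1, or "unset" if absent.
ini_value() {
    v="$(grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
         | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*;.*$//; s/[[:space:]]*$//')"
    [ -n "$v" ] && printf '%s\n' "$v" || echo unset
}

# Print one line per directive that deviates from the recommendation.
audit_php_ini() {
    printf '%s\n' "$EXPECTED" | while IFS='=' read -r key want; do
        have="$(ini_value "$1" "$key")"
        if [ "$(normalise "$have")" != "$(normalise "$want")" ]; then
            printf '%s: expected %s, found %s\n' "$key" "$want" "$have"
        fi
    done
}

audit_php_ini "$SAMPLE_INI"   # sample yields four findings
rm -f "$SAMPLE_INI"
```

Run it against the php.ini your web server actually loads (`php --ini` shows the path); an empty result means every listed directive matches.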
That concludes our overview of Drupal deployment hardening tips. While there are certainly other avenues, technologies, modules, and configuration settings possible to further increase security, this list would be considered a great start for most organizations. The best approach to security is one that has layered mechanisms to help provide a better, more holistic approach to mitigation. Before implementing any of these tips, however, you should thoroughly test each one in a sandboxed or development environment to ensure they work as you expected and have no adverse consequences for your deployment.