[WEB SECURITY] LAMP Security Guide - Focused on Drupal
jlk at thrashyour.com
Tue Nov 19 15:04:26 EST 2013
Telling folks to use ssh keys and disable password authentication would be a big win. In general, there are plenty of guides on hardening a LAMP stack - why not point users to one of those instead of re-inventing wheels?
Why tell folks to use cron when Drupal has a built-in cron system since 7?
I didn't see mention of using a WAF?
Most folks using Drupal do so within an environment that has a control panel like cPanel or Virtualmin - and those panels will make several of your steps (such as keeping systems up-to-date) easier, so I'm thinking it'd be better to embrace the CP and show users how to run securely with one.
Have you run this by the Drupal security team? They'll probably give the best feedback.
On Nov 17, 2013, at 9:10 PM, Mike Gifford <mike at openconcept.ca> wrote:
> With the help of a number of other people, I've written up the following security guide, geared specifically at Drupal:
> It's pretty comprehensive, but I'm certain there's stuff that's been missed. It's certainly the most useful for people using Drupal or another framework within a PHP environment.
> I'm sure I'm already linking to resources developed by others on this list. If I'm missing other resources, do let me know. This document will evolve as people suggest new ways to harden their servers/apps.
> If someone else has already gone through the work of describing how to set up some component of a secured server/site, I'd much rather point folks in that direction.
> The first part of the guide is really designed to share with management, while the latter part is much more for system administrators. Ultimately, management needs to have things written in a format that they can understand, so that they know how to properly resource it.
> Mike Gifford, President, OpenConcept Consulting Inc.
> Drupal 8 Core Accessibility Maintainer -> http://drupal.org/user/27930
> http://twitter.com/mgifford | http://linkedin.com/in/mgifford
> Open source web development for social change – http://openconcept.ca
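The reply's first suggestion, keys on and password authentication off, as an added check script. This is not code from the original post or from the guide under discussion. It assumes an OpenSSH sshd_config in the usual "Keyword value" form, reads only the global section (Match blocks are reported, not evaluated), and the function names sshd_effective and sshd_audit and the two sample configs are mine, constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or the guide it discusses):
# audit an OpenSSH sshd_config for the settings the reply asks for,
# public keys on and passwords off. Assumes the usual "Keyword value"
# form and reads only the global section; Match blocks are reported.

# sshd_effective FILE KEY DEFAULT
# Print the lower-cased value of KEY from FILE's global section. sshd
# honours the FIRST occurrence of a directive, so later duplicates are
# ignored, and a commented-out line has no effect at all. If KEY is
# absent, print DEFAULT (the compiled-in sshd default the caller supplies).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
        tolower($1) == "match"           { exit }   # global section ends here
        $0 ~ /^[[:space:]]*#/ || NF == 0 { next }   # comments and blank lines
        tolower($1) == key               { print tolower($2); found = 1; exit }
        END                              { if (!found) print tolower(def) }
    ' "$1"
}

# sshd_audit FILE
# Exit 0 if FILE disables password logins and leaves public-key auth on;
# otherwise print one FAIL line per problem and exit 1.
sshd_audit() {
    rc=0
    # The sshd default is "yes", so an untouched stock config fails here.
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = "no" ] || {
        echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
    [ "$(sshd_effective "$1" PubkeyAuthentication yes)" = "yes" ] || {
        echo "FAIL: PubkeyAuthentication is not 'yes'"; rc=1; }
    # With UsePAM, keyboard-interactive auth can still prompt for a password
    # unless this is off too (newer OpenSSH calls it KbdInteractiveAuthentication).
    [ "$(sshd_effective "$1" ChallengeResponseAuthentication yes)" = "no" ] || {
        echo "FAIL: ChallengeResponseAuthentication is not 'no'"; rc=1; }
    if grep -qi '^[[:space:]]*Match[[:space:]]' "$1"; then
        echo "WARN: Match block(s) present; they override the global values for matching connections"
    fi
    return $rc
}

# --- demo on two constructed configs (not taken from any real host) ---
weak=$(mktemp) && hardened=$(mktemp)
cat > "$weak" <<'EOF'
# Looks locked down but is not: the directive is commented out, so the
# sshd default (PasswordAuthentication yes) is what actually applies.
Port 22
#PasswordAuthentication no
UsePAM yes
EOF
cat > "$hardened" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF
for f in "$weak" "$hardened"; do
    if sshd_audit "$f"; then echo "$f: OK"; else echo "$f: NOT HARDENED"; fi
done
rm -f "$weak" "$hardened"
```

On a live host, `sshd -T` prints the effective configuration after all parsing, which is the authoritative check; the script above is for reviewing a config file before it is deployed. Before turning PasswordAuthentication off, confirm from a second session that key-based login works, or the next reconnect will lock you out.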