I am planning to set up a drupal site for the internal communication of a local branch of an NGO. The content (documents, discussions, etc.) is confidential information.

How can I make the installation as secure as possible?

From other forum topics I understand that I should
1) use https://example.com as base URL
2) limit access only to registered users
3) disable registration and manually register the users who are allowed to access the information

Is there anything else, which can be done in a shared hosting environment?

What else would make sense to protect the site if I am going to rent either a virtual or a root server? My main concern is that someone might get access to the host server and therefore get access to the files and the database.
All suggestions or links will be much appreciated!
Juerg

Comments

deepak@dipak.org wrote:

Following are some things you may have already considered:

- Disable ALL permissions for anonymous users
- Use private file system, so unauthenticated users can't view attachments/images using fully-qualified links.

- Add a robots.txt with the following lines:

User-agent: *
Disallow: /

geme4472 wrote:

Hi, just wondering how effective adding the disallow is in robots.txt if some crawlers ignore it altogether.

I'm running a site that has only authenticated users. Registration goes through the admin, and anonymous users have no permissions (and can't get past login).

Can bots still take my lunch money?

Thanks.

styro wrote:

Don't use shared web hosting - you never know who else is on the box or what kind of buggy websites they have.

Go for a virtual server, or if the budget allows a dedicated server.

Bear in mind though that now the onus would be on you to harden the server and keep up to date with patches. But provided you can do that, you would be in a much stronger position security wise than being on a shared host. You also get greater control over the server for solving those pesky webhost configuration problems.

A good solution would be a Debian Sarge virtual host with someone like Rimu Hosting - I've heard good things about them and they use Xen for their virtual hosts which so far seems to have good security.

--
Anton

juerg wrote:

Thank you for all suggestions.

So far I feel like going for a (small) dedicated server because I don't really trust our providers of shared web hosting plans.

Since this server would only be used for 2 to 3 closed user groups with about 10 users each, would it make sense to allow access only via virtual private network (VPN)? Or are there any better means to secure such a dedicated server running drupal?

Juerg

styro wrote:

VPN would probably be less secure than SSL/TLS, and certainly a lot more work to set up.

If HTTPS is the only service offered to the web, then a VPN is unnecessary anyway.

Some really paranoid over the top and possibly pointless other things you could do:

Require SSL/TLS client certs,

Have a host-based firewall restricting the SSL connections to just those IPs that your users come from.

Depending on the situation though, those ideas would probably just be creating a large admin headache for yourself without increasing security all that much. One of your users getting their machines trojaned would probably be a bigger risk anyway.

--
Anton

juerg wrote:

Thank you for the clarification regarding VPN. If just HTTPS connections are allowed, does this mean that file attachments get encrypted for the transfer, too?

Is there a possibility to save the content (nodes) in encrypted form into the database? And to encrypt the directory where file attachments are stored?
The idea behind this is that if someone manages to break into the server, he/she could not use the data available. However, this would only give additional security if the key to decrypt was supplied by the (regular) user (key not stored on the server).

Juerg

styro wrote:

Thank you for the clarification regarding VPN. If just HTTPS connections are allowed, does this mean that file attachments get encrypted for the transfer, too?

Yep, pretty much everything in and out of Drupal is HTTP (or HTTPS in your case) - even uploads. There are some exceptions, e.g. SMTP messages (it sounds like you won't be doing that though).

Is there a possibility to save the content (nodes) in encrypted form into the database? And to encrypt the directory where file attachments are stored?
The idea behind this is that if someone manages to break into the server, he/she could not use the data available.

This is where security paranoia departs the real world :)

If you are encrypting everything - what do you encrypt it with? Symmetric keys? Public Keys? A server key? A unique per user key?

If it's a server key - the key gets compromised when the server does. If it's a per-user key - how does anyone read anybody else's content?

Assuming you do manage to create a secure, user-friendly PKI system that actually works - does your content travel all the way out of the database to the browser encrypted? Or does the web server (i.e. Apache/PHP/Drupal) need to decrypt it before re-encrypting it as SSL? If it gets decrypted on the server, then someone with root can still get the content at that stage. If it stays encrypted all the way through - won't you have to build some decryption mechanism into the users' browser?

And per user keys would still be the weak link in the chain - presumably you can't harden all their client machines to the same extent that the server is? Who knows what they'll end up installing or getting infected with.

However, this would only give additional security if the key to decrypt was supplied by the (regular) user (key not stored on the server).

Yep.

Realistically if someone gets root on your server - you're screwed. No amount of making life more difficult for your users is going to get around that. Your efforts should go into hardening the server so it doesn't get rooted.

Organisations that require that amount of paranoia wouldn't be connected to the internet at all (or supposed 'air gaps' at the very least), and would have tons of physical security too. I would think that if your NGO is like that, you wouldn't need (or even be allowed) to ask for security advice here :)

Encryption is hard, and unless you are using well-proven built-in stuff like SSL/TLS, don't bother unless you really, really know what you are doing.

You'd get better bang for your buck from traditional server hardening efforts. I think the following setup is beyond paranoid (and I wouldn't go anywhere near this far), but hey, you might get some ideas:

Dedicated server with good physical security. Use a specially hardened OS like SELinux, Trusted Solaris, Trusted BSD (if it still exists) etc. - and spend ages completely hardening all the kernel access stuff. All server software hardened and chrooted/jailed etc. All client machines are physically secure, hardened and on static IPs with smartcard-based logins. Server authentication uses SSL client certs. Server firewall only accepts connections from the client IPs.

But lets face it - if security was that important, you wouldn't be using a PHP based web app would you? :)

--
Anton
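The argument above about where the key lives can be made concrete. The following is an added example, not code from the thread or from Drupal: it simulates a server whose disk and database a root-level intruder can read in full, and compares encrypting a node body with a key stored on the server against a key derived from a passphrase that only the user knows. The "server" is an in-memory dictionary, the node text and passphrases are constructed sample data, and HMAC-SHA256 in counter mode stands in for a real cipher such as AES-GCM (it is an illustration of key placement, not a cipher to reuse).

```python
"""Added example: does encrypting node bodies help once an attacker has root?
Standard library only. The cipher below is a toy stand-in for AES-GCM."""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor for passphrase-derived keys


def derive_key(secret: bytes, salt: bytes) -> bytes:
    """32-byte key from a secret (a key file on disk or a user's passphrase)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=32)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode; illustration only, not a real cipher.
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # detects wrong key
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered ciphertext")
    return _keystream_xor(key, nonce, ct)


class Server:
    """Toy stand-in for the web host. Everything in .disk and .db is exactly
    what an intruder with root can copy off the box."""

    def __init__(self) -> None:
        self.disk: dict[str, bytes] = {}
        self.db: dict[str, bytes] = {}


def setup_server_key_scheme(server: Server, body: bytes) -> None:
    """Scheme A: Drupal holds one key in a file and uses it for every node."""
    key = secrets.token_bytes(32)
    server.disk["/etc/drupal/node.key"] = key  # hypothetical path; key lives on the box
    server.db["node/1"] = encrypt(derive_key(key, b"node-key"), body)


def root_reads_scheme_a(server: Server) -> bytes:
    """root copies the key file and the row, and decrypts offline."""
    key = derive_key(server.disk["/etc/drupal/node.key"], b"node-key")
    return decrypt(key, server.db["node/1"])


def setup_user_key_scheme(server: Server, body: bytes, passphrase: bytes) -> None:
    """Scheme B: key derived from the author's passphrase; only a salt is stored."""
    salt = secrets.token_bytes(16)
    server.disk["/etc/drupal/salt/author"] = salt  # hypothetical path
    server.db["node/2"] = encrypt(derive_key(passphrase, salt), body)
    # The derived key is discarded here; it only ever exists on the user's side.


def user_reads_scheme_b(server: Server, passphrase: bytes):
    """Whoever supplies the right passphrase gets the body; anyone else gets None."""
    key = derive_key(passphrase, server.disk["/etc/drupal/salt/author"])
    try:
        return decrypt(key, server.db["node/2"])
    except ValueError:
        return None


def root_reads_scheme_b(server: Server):
    """root tries every secret it can find on the box as the passphrase."""
    for candidate in server.disk.values():
        body = user_reads_scheme_b(server, candidate)
        if body is not None:
            return body
    return None  # nothing on disk derives the key


def demo() -> dict:
    body = b"Minutes of the board meeting - confidential"  # constructed sample node
    s = Server()
    setup_server_key_scheme(s, body)
    setup_user_key_scheme(s, body, b"juerg's passphrase")  # constructed passphrase
    return {
        "root_reads_server_key_node": root_reads_scheme_a(s) == body,
        "root_reads_user_key_node": root_reads_scheme_b(s) is not None,
        "author_reads_user_key_node": user_reads_scheme_b(s, b"juerg's passphrase") == body,
        "colleague_reads_user_key_node": user_reads_scheme_b(s, b"anton's passphrase") is not None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running it shows the two halves of Anton's point side by side: with the server-held key (scheme A) root reads the node as easily as Drupal does, while with the passphrase-derived key (scheme B) root gets nothing, but neither does a colleague with a different passphrase, so the content is no longer shared. Scheme B also only holds if the derivation and decryption happen on the user's side; the moment the server derives the key from the passphrase on login to render the page, the key is back in the server's memory, which is the situation described in the reply above.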

juerg wrote:

Anton,

Thank you very much for your explanation. You certainly opened my eyes!

You are right, if the security requirements were that high, we would apply e.g. Lotus Notes – a server we already have in house and for security reasons it is not directly connected with the Internet. However I dislike the company who provides that proprietary product and so I was looking for a similar solution based on Drupal (a software I love...).

Most of the users will have a dial-in connection to the Internet and therefore they don't have a fixed IP. In addition, most of them are remote and inexperienced with computers. Modifications to their PCs' software would be just asking for trouble.

As bottom line, I will implement Drupal on a dedicated server and restrict access to HTTPS. I will look into the possibility of applying SELinux but from what you are saying I fear this could get too complicated for me to maintain (I have only limited experience with Linux and no experience at all with SELinux).

Due to my limited experience, it is very difficult to judge where the highest risks really are and how to fight them. As a result of this, I planned to apply as much security as possible...

Thank you again and best regards

Juerg

styro wrote:

I wouldn't recommend SELinux - it would be too tricky for you at this stage. If something is hard to use for someone, they will have a hard time securing it. Generally speaking complexity is the enemy of security.

Just using a minimal Debian install would be better.

Another option would be something like OpenBSD, they have hardened Apache a bit more than others have. That can make it harder to get web apps running though.

Realistically Apache/PHP will probably be your weakest link.

--
Anton

juerg wrote:

Anton,

Complexity is the enemy of security

I followed this advice and have started with a Debian Sarge 3.1 installation. After 2 or 3 months of experience I can still decide whether I want to restart with something different.

Thank you very much for your advice. Best regards

Juerg

jweb wrote:

You may also be interested in something like this: http://tor.eff.org/. I just started reading about it myself, as I want to protect the anonymity of my users as well as hide my site from censorship and other network surveillance. I'll let the tor website explain the rest.

Anyone have anything to say about this form of anonymity?