beef up your drupal security with apache mod_rewrite and SSH
install.php, you were right. your bum was hanging squarely out of the window, and you should probably consider beefing up your security.
drupal's default exposure of files like install.php and cron.php presents inherent security risks, both for denial-of-service and for intrusion. combine this with critical administrative functionality available to the whole world, protected only by user-chosen passwords that are sent over the internet in clear text, and you've got potential for some real problems.
fortunately, there are some easy and practical things you can do to tighten things up.
step one: block the outside world from your sensitive pages
one easy way to tighten up your security is to simply block access to your sensitive pages from anyone outside your local network. this can be done with apache's mod_rewrite. for example, you could block access to any administrative page by adding the following to the .htaccess file in your drupal directory (the one containing sites, scripts, modules etc.). the example only allows access from IPs beginning with 192. or 200.; note that 192.*.*.* is far wider than the private 192.168.*.* range, so tighten the pattern to the addresses you actually use. the check is on REMOTE_ADDR, i.e. the address of the TCP peer, so it will be the proxy's address if apache sits behind a reverse proxy:
<IfModule mod_rewrite.c>
RewriteEngine on
# Allow only internal access to admin: answer 403 Forbidden unless the
# client address starts with 192. or 200.  The rule pattern covers /admin
# itself as well as everything below it.
RewriteCond %{REMOTE_ADDR} !^(192|200)\..*$
RewriteRule ^admin(/.*)?$ - [F]
[...]
</IfModule>

step two: tunnel into your server for administrative access
now that you've locked yourself out of your server for remote administrative access, you'd better figure out how to get back in. SOCKS proxy and ssh tunnelling to the rescue! assuming that your server is running an ssh server, set up an ssh tunnel (from the machine you are browsing on) to your server as follows:

ssh -D 9999 user@server.example.com

then point your browser at the tunnel (the menu names below are firefox's):

- select the tools->options (edit->preferences on linux) menu
- go to the "connections" section of the "network" tab, click "settings"
- set the SOCKS host to localhost port 9999

two things worth knowing. requests sent through the tunnel leave from the server itself, so the address mod_rewrite sees is the server's own (its public address, or 127.0.0.1 if the hostname resolves locally to loopback), and that address must be inside your allowed range or you stay locked out. and since the browser-to-server leg now rides inside ssh, the clear-text password problem from above goes away for your admin sessions as well.
your bum should be feeling warmer already.
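a quick way to confirm the lockout actually works is to fetch each protected page twice, once directly and once through the tunnel, and compare the status codes. the script below is an added example, not something from the original post; the site URL, ssh account and port are placeholders, and it assumes curl and ssh are installed on the browsing machine. the rule_allows function mirrors the RewriteCond pattern from step one so you can try addresses against it offline, which also makes it obvious that the pattern admits public 192.x addresses, not only the private 192.168.x.x block.

```shell
#!/bin/sh
# Added example, not part of the original post.  Placeholders: SITE, SSH_TARGET
# and SOCKS_PORT can be overridden from the environment.
SITE="${SITE:-http://server.example.com}"
SSH_TARGET="${SSH_TARGET:-user@server.example.com}"
SOCKS_PORT="${SOCKS_PORT:-9999}"

# Same pattern as the RewriteCond in step one, usable offline: exit status 0
# means mod_rewrite would let a request from this address through.
rule_allows() {
    printf '%s\n' "$1" | grep -Eq '^(192|200)\..*$'
}

# HTTP status of a URL; a second argument of "tunnel" routes the request
# through the SOCKS proxy.  --socks5-hostname makes the server, not the
# browsing machine, resolve the hostname, exactly as the browser setup does.
http_status() {
    if [ "${2:-}" = tunnel ]; then
        curl -s -o /dev/null -w '%{http_code}' \
            --socks5-hostname "localhost:$SOCKS_PORT" "$1"
    else
        curl -s -o /dev/null -w '%{http_code}' "$1"
    fi
}

# Background the tunnel: -N runs no remote command, -f forks after auth.
open_tunnel() {
    ssh -f -N -D "$SOCKS_PORT" "$SSH_TARGET"
}

# Walk the protected paths.  The direct column should read 403 everywhere;
# the tunnel column should not (200, or 302 to the login page).  If the
# tunnel column is also 403, the server's own address is not in the
# allowed range of the RewriteCond.
check_lockout() {
    for path in admin update.php cron.php install.php; do
        printf '%-12s direct=%s tunnel=%s\n' "$path" \
            "$(http_status "$SITE/$path")" "$(http_status "$SITE/$path" tunnel)"
    done
}

# Run the live check only when asked, so the functions can be sourced alone.
if [ "${1:-}" = check ]; then
    open_tunnel && check_lockout
fi
```

run it as "sh check.sh check" from the machine you browse on; a 000 in either column means curl could not connect at all (tunnel not up, wrong port), not that the rule fired.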
some more rules

some other rules that you might want to consider include the following. the RewriteCond line from step one is omitted for brevity, but it has to be repeated in front of each RewriteRule: a RewriteCond governs only the rule immediately after it, so a rule without its own condition blocks everyone, your local network included.

# allow only internal access to node editing
RewriteRule ^node/[0-9]+/edit - [F]
# allow only internal access to sensitive pages
# (the dot is escaped so it matches literally)
RewriteRule ^update\.php - [F]
RewriteRule ^cron\.php - [F]
RewriteRule ^install\.php - [F]

debugging
can't get your rewrite rules to work? shock! ... consider adding this to your vhost configuration (e.g. /etc/apache2/sites-available/default) to see what (the hell) is going on. these two directives are only accepted in the server or vhost config, not in .htaccess:

RewriteLog /var/log/apache2/vhost.rewrite.txt
RewriteLogLevel 3

(apache 2.4 dropped both directives; there the equivalent is LogLevel alert rewrite:trace3 in the vhost, with the trace going to the normal error log.)

thanks
thanks to curtis (madman) hilger and paul (windows is not your friend) lathrop for help with this.
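for reference, here is everything above folded into one block. it is an added example, not the post's own .htaccess, and it assumes the trusted network is 192.168.0.0/16, the server's own public address is 203.0.113.10 (what mod_rewrite sees when you come in through the ssh tunnel), cron.php is fetched by a cron job on the server itself over 127.0.0.1, and drupal sits in the web root. it also covers two things the short rules above miss: drupal answers index.php?q=admin/... whether or not clean URLs are on, so the query string has to be checked as well as the path, and the block has to sit above drupal's own clean-URL rewrite rule so it fires first.

```apache
# Added example, not from the original post.  Assumptions: trusted network is
# 192.168.0.0/16, server's own public address is 203.0.113.10, cron.php is
# pulled by a local cron job over 127.0.0.1, Drupal lives in the web root.
# Place this ABOVE Drupal's clean-URL rule (RewriteRule ^(.*)$ index.php?q=$1 ...).
<IfModule mod_rewrite.c>
RewriteEngine on

# A RewriteCond applies only to the RewriteRule that follows it, so the
# address checks are repeated before every rule.  Consecutive conditions
# are AND-ed unless flagged [OR], so each group below reads:
#   not from the LAN AND not the server itself AND (path form OR q= form)

# administration pages: /admin, /admin/..., and index.php?q=admin/...
RewriteCond %{REMOTE_ADDR} !^192\.168\.[0-9]{1,3}\.[0-9]{1,3}$
RewriteCond %{REMOTE_ADDR} !^(127\.0\.0\.1|203\.0\.113\.10)$
RewriteCond %{REQUEST_URI} ^/admin(/|$) [OR]
RewriteCond %{QUERY_STRING} (^|&)q=admin(/|$|&)
RewriteRule .* - [F]

# node editing: /node/123/edit and index.php?q=node/123/edit
RewriteCond %{REMOTE_ADDR} !^192\.168\.[0-9]{1,3}\.[0-9]{1,3}$
RewriteCond %{REMOTE_ADDR} !^(127\.0\.0\.1|203\.0\.113\.10)$
RewriteCond %{REQUEST_URI} ^/node/[0-9]+/edit$ [OR]
RewriteCond %{QUERY_STRING} (^|&)q=node/[0-9]+/edit($|&)
RewriteRule .* - [F]

# maintenance scripts are real files, so only the path form exists.
# 127.0.0.1 stays allowed so the server's own cron job can still hit cron.php.
RewriteCond %{REMOTE_ADDR} !^192\.168\.[0-9]{1,3}\.[0-9]{1,3}$
RewriteCond %{REMOTE_ADDR} !^(127\.0\.0\.1|203\.0\.113\.10)$
RewriteRule ^(update|cron|install)\.php$ - [F]

# Caveat: QUERY_STRING is compared raw, so percent-encoded variants such as
# q=%61dmin or q=admin%2Fuser slip past these patterns.  Treat this as an
# outer layer on top of strong passwords and the ssh tunnel, not a replacement.
</IfModule>
```

[F] answers 403 and stops rewrite processing for that request, so nothing below it, including drupal's clean-URL rule, runs for a refused request; for everyone else the block falls through untouched.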
john's blog
nice article
This is wonderful! Perhaps it should be in the core .htaccess and commented out by default.
Another option would be to put these "admin" types of pages into a directory called maintenance/ or something and then make that whole directory protected by .htaccess with some rules like "Allow from YOURIP, Deny from all"
Perhaps you could open an issue and provide a patch for this?
greggles. yea, i like the idea of having a directory to store all the sensitive files, keeping the .htaccess file simple as possible. i also like the idea of having these types of rules readily available in the default .htaccess. i'll follow up with your suggestions.