Hardened Plone. Making Your Plone Site Even More Secure. Presented by: Nathan Van Gheem

Transcription

1 Hardened Plone Making Your Plone Site Even More Secure Presented by: Nathan Van Gheem

2 Plone Security Flexible and granular ACL/roles-based security model of Zope All input in Plone is validated Plone does not use a SQL database (injection) Very good security track record More information on org/products/plone/security/overview

3 Unauthorized access XSS CSRF DOS/DDOS Types of Attacks,IRC, :52:42,#ddos,xxx.xxxxxx.com.,<powertool>,Let's all just go to xxx.xxx and push "F5 F5 F5" over and over.,,,

4 The Obvious Things To Do Patch your software! Assign privileges correctly Remove old users Run Plone as unprivileged user(default ZEO install)

5 Drawbacks Plone includes a lot of features. This is great, but it also provides opportunity for attackers to gather information from your site. Examples: RSS feeds include author and username. There is no way through configuration to disable it except by customizing the template.

6 Separate editing site Read-only Plone Sanitize Nginx/Apache Varnish CDN WAF Proxy blocks Protecting Plone

7 Separate Editing Backend Protected by multi-factor authentication RSA WiKID Factored(by Wildcard Corp.) org/pypi/factored Basic authentication on proxy server Different DNS for backends

8 Factored Demo...

9 Read-Only RW ZEO replicates to read-only public sites Assures that even if a user account is exploited, it's not possible to do any damage on the public site Various setups to accomplish read-only Plone Replication Mixing RW and RO rsync Data.fs and blob files to RO server

10 ZRS Replication Can be pricey Works very well No nice monitoring or stats No easy way to turn it off except to change config, restart server ZODB clients >= 3.8 ZODB server >=3.9 RelStorage Supports mysql and postgres There are existing replication strategies for these databases

11 Read-Only ZEO Server

12 Read-Only ZEO Client

13 Read-Only Zope Instance

14 Read-Only Demo...

15 Read-Only With Buildout No options directly in buildout configuration for read-only Manually entering it can be a pain especially when making changes to buildout Use wildcard.recipe.insertinto

16 Wildcard.recipe.insertinto

17 Drawback To Straight Up Read-Only Ugly read-only error message Some things are not written to the database until they are accessed. For instance, custom image scales

18 Read-Only Cont. Or, to prevent the possible case where writeon-read will cause Zope to throw errors, you can abort all transactions.

19 Read-Only Subscriber Demo...

20 Careful Using Doom And Abort... It will prevent most mail from getting sent. To fix this, you can do a conditional abort

21 If You Must Have R/W... - Have different ZEO clients handle R/W operations - Use proxy rules to only have certain urls go to write clients - Other clients can be read-only. Yes, you can mix r/w and r/o clients. - Use Wildcard.lockdown

22 wildcard.lockdown Provide rules to only be able to write to the database for certain types of requests. Create rules Install product Enable rules

23 Example Rule

24 Example Using Lockdown...

25 Rule Settings path An enabling glob expression. This path is always based on the relative Plone site, not the Zope root. request_method Enabling HTTP request method portal_type Published object's portal type host Enabling globing globbing expression for the host name logged_in require user to be logged in custom Custom function to do manual checks against the request object. Return True if you want to commit, False if not.

26 Sanitize Information on backend servers Unnecessary headers Information on users

27 Specific Things In Plone To Sanitize Custom RSS feeds Block logins, password resets Anonymous should not be able to see editor information searchformembers

28 Monitor Text For Info On Backends When users save content, do checks to make sure they aren't saving bad links or other info about backends Also, use TinyMCE events to fix bad links

29 Pseudo Subscriber For Checking Text

30 ZCML Wiring For Subscriber

31 Blocking Requests Use your front ends to block as many maliciously intended requests as possible no reason for plone to even deal with them Can accomplish in Nginx, Apache, Varnish, HAProxy, etc.

32 What Can You Block? Public side, make sure to block anything that users should not be accessing: manage_?*, login*, logged*, require_login*, acl_users*, searchformembers, etc... Also, block any known bad request types. Does your site need POST requests? Rate limiting? Maybe only POST requests?

33 Example Nginx Blocks

34 Caching Varnish Optimize caching By default, cache everything. Everything you serve should have a ttl on it If you have a large site, might be a good idea to continually crawl the site to keep more items in cache Serve stale content if backend is down

35 Normalizing URLs To optimize caching Remove hash from URLs Sort query parameters(varnish) com/cyberroadie/varnish-urlsort Whitelist query parameters Remove cookies, user agent, etc. Block known bad URL types In CDN, Nginx or Varnish Strip Google params

36 Sample Varnish Saint mode -- use stale Grace period -- max time in cache Use always down backend If request fails, restart request with always down backend used, then it'll serve stale.

37 Proxy Setup Limit the number of simultaneous requests being sent to each plone client.max_connections setting for backend Varnish config maxconn setting for haproxy Do not overload Plone Allow proxies to pool requests so plone can serve content at a steady pace Know your expected load

38 Cloudflare/Incapsula Caching CDN WAF Recaptcha for suspicious users Minify Loads of other features No fine grained cache invalidation though

39 Benefits of WAF Can detect various vulnerabilities and XSS attacks and automatically block them for nginx for apache

40 Drawbacks of WAF Blocks a bunch of things that are not Plone related--although, you can customize More server overhead

41 Conclusion Prevent information from getting into the hands of malicious users Protect your Plone servers Always serve content, stale if necessary.

42 More Information psusymp.hardenedplone sample product

43 Questions? Thanks, Nathan Van Gheem website: nathanvangheem.com irc: vangheem twitter: vangheezy