Hardened Plone: Making Your Plone Site Even More Secure
Presented by: Nathan Van Gheem

Plone Security
- Flexible and granular ACL/roles-based security model of Zope
- All input in Plone is validated
- Plone does not use a SQL database (no SQL injection)
- Very good security track record
- More information on http://plone.org/products/plone/security/overview
Types of Attacks
- Unauthorized access
- XSS
- CSRF
- DOS/DDOS

IRC log excerpt shown on the slide (2012-05-14 15:52:42, #ddos, xxx.xxxxxx.com.):
<powertool> Let's all just go to xxx.xxx and push "F5 F5 F5" over and over.

The Obvious Things To Do
- Patch your software!
- Assign privileges correctly
- Remove old users
- Run Plone as an unprivileged user (default ZEO install)
Drawbacks
Plone includes a lot of features. This is great, but it also gives attackers opportunities to gather information from your site.
Example: RSS feeds include the author and username. There is no way to disable this through configuration; the only option is to customize the template.

Protecting Plone
- Separate editing site
- Read-only Plone
- Sanitize
- Nginx/Apache
- Varnish
- CDN
- WAF
- Proxy blocks

Separate Editing Backend
- Protected by multi-factor authentication: RSA, WiKID, Factored (by Wildcard Corp.) http://pypi.python.org/pypi/factored
- Basic authentication on the proxy server
- Different DNS for backends
Factored Demo...
Read-Only
- RW ZEO replicates to read-only public sites
- Assures that even if a user account is exploited, it's not possible to do any damage on the public site
- Various setups to accomplish read-only Plone: replication, mixing RW and RO, rsync of Data.fs and blob files to the RO server

Replication
ZRS:
- Can be pricey
- Works very well
- No nice monitoring or stats
- No easy way to turn it off except to change the config and restart the server
- ZODB clients >= 3.8, ZODB server >= 3.9
RelStorage:
- Supports MySQL and PostgreSQL
- There are existing replication strategies for these databases
Read-Only ZEO Server
Read-Only ZEO Client
Read-Only Zope Instance
Read-Only Demo...
Read-Only With Buildout
- No options directly in the buildout configuration for read-only
- Entering it manually can be a pain, especially when making changes to buildout
- Use wildcard.recipe.insertinto

wildcard.recipe.insertinto

Drawbacks To Straight Up Read-Only
- Ugly read-only error message
- Some things are not written to the database until they are accessed, for instance custom image scales

Read-Only Cont.
Or, to prevent the case where write-on-read causes Zope to throw errors, you can abort all transactions.
Read-Only Subscriber Demo...
Careful Using Doom And Abort...
- It will prevent most mail from getting sent.
- To fix this, you can do a conditional abort.

If You Must Have R/W...
- Have different ZEO clients handle R/W operations
- Use proxy rules to only have certain URLs go to write clients
- Other clients can be read-only. Yes, you can mix R/W and R/O clients.
- Use wildcard.lockdown

wildcard.lockdown
Provides rules that only allow writes to the database for certain types of requests.
- Create rules
- Install product
- Enable rules
Example Rule
Example Using Lockdown...
Rule Settings
- path: An enabling glob expression. This path is always relative to the Plone site, not the Zope root.
- request_method: Enabling HTTP request method
- portal_type: Published object's portal type
- host: Enabling globbing expression for the host name
- logged_in: Require the user to be logged in
- custom: Custom function to do manual checks against the request object. Return True if you want to commit, False if not.

Sanitize
- Information on backend servers
- Unnecessary headers
- Information on users

Specific Things In Plone To Sanitize
- Custom RSS feeds
- Block logins, password resets
- Anonymous should not be able to see editor information
- searchformembers

Monitor Text For Info On Backends
- When users save content, do checks to make sure they aren't saving bad links or other info about backends
- Also, use TinyMCE events to fix bad links
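The conditional-abort and rule settings above, worked through as an added Python example. This is not wildcard.lockdown's own code: the Request class, host names, paths and rule set are constructed for the illustration; only the rule fields (path, request_method, portal_type, host, logged_in, custom) follow the slide.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Request:
    """Stand-in for a Zope request (constructed for this example, not Zope's class)."""
    path: str                      # relative to the Plone site root, e.g. "/news/item/edit"
    method: str = "GET"
    host: str = "www.example.org"  # constructed host name
    logged_in: bool = False
    portal_type: Optional[str] = None
    form: dict = field(default_factory=dict)


@dataclass
class Rule:
    """One enabling rule; every condition that is set must hold for the write to commit."""
    path: str = "*"
    request_method: Optional[str] = None
    portal_type: Optional[str] = None
    host: Optional[str] = None
    logged_in: bool = False
    custom: Optional[Callable[[Request], bool]] = None

    def matches(self, req: Request) -> bool:
        # fnmatchcase keeps path matching case-sensitive on every platform
        if not fnmatch.fnmatchcase(req.path, self.path):
            return False
        if self.request_method and req.method.upper() != self.request_method.upper():
            return False
        if self.portal_type and req.portal_type != self.portal_type:
            return False
        if self.host and not fnmatch.fnmatchcase(req.host.lower(), self.host.lower()):
            return False
        if self.logged_in and not req.logged_in:
            return False
        if self.custom is not None and not self.custom(req):
            return False
        return True


def writes_allowed(rules: List[Rule], req: Request) -> bool:
    """Commit if any rule enables the request; otherwise an end-of-request
    subscriber would call transaction.abort() so nothing is persisted."""
    return any(rule.matches(req) for rule in rules)


# Constructed rule set. The last rule is the "conditional abort": the contact form's
# POST is allowed to commit so queued mail still goes out, every other anonymous write is dropped.
RULES = [
    Rule(path="/*/edit", request_method="POST", logged_in=True, host="*.example.org"),
    Rule(path="/login_form", request_method="POST"),
    Rule(path="/contact-info", request_method="POST",
         custom=lambda r: r.form.get("form.submitted") == "1"),
]
```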
Pseudo Subscriber For Checking Text
ZCML Wiring For Subscriber
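One way to write the text-checking subscriber described on the previous slides, as an added example rather than the talk's psusymp.hardenedplone code. Backend host names, the private address prefixes and the `obj.text` attribute are assumptions for the illustration; the subscriber would be wired in ZCML to IObjectModifiedEvent as the slide indicates.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed values: the editing backend's names must never appear in public content.
BACKEND_HOSTS = {"edit.example.org", "localhost", "127.0.0.1"}
PRIVATE_PREFIXES = ("10.", "192.168.")
PUBLIC_HOST = "www.example.org"
_LINK_RE = re.compile(r'(?P<attr>\b(?:href|src)\s*=\s*)(?P<q>["\'])(?P<url>[^"\']*)(?P=q)', re.I)


def _is_backend(netloc: str) -> bool:
    host = netloc.rsplit("@", 1)[-1].split(":")[0].lower()   # drop userinfo and port
    return host in BACKEND_HOSTS or host.startswith(PRIVATE_PREFIXES)


def sanitize_links(html: str):
    """Rewrite absolute links that point at a backend so they use the public host.
    Returns (clean_html, offending_urls); an empty list means nothing leaked."""
    findings = []

    def fix(m):
        url = m.group("url")
        parts = urlsplit(url)
        if parts.netloc and _is_backend(parts.netloc):
            findings.append(url)
            fixed = urlunsplit(("https", PUBLIC_HOST, parts.path, parts.query, parts.fragment))
            return m.group("attr") + m.group("q") + fixed + m.group("q")
        return m.group(0)   # relative links and public hosts are left alone

    return _LINK_RE.sub(fix, html), findings


def on_object_modified(obj, event=None):
    """Subscriber body for IObjectModifiedEvent. Assumes the rich-text value is
    reachable as obj.text (hypothetical; Archetypes would use getText/setText)."""
    raw = getattr(obj, "text", None)
    if not raw:
        return []
    clean, findings = sanitize_links(raw)
    if findings:
        obj.text = clean
    return findings
```

The returned findings list is what you would log or surface to the editor; the rewrite keeps the path, so a site-id prefix that differs between backend and public URLs still needs the virtual-host rewrite the proxy applies.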
Blocking Requests
- Use your front ends to block as many maliciously intended requests as possible; there is no reason for Plone to even deal with them
- Can be accomplished in Nginx, Apache, Varnish, HAProxy, etc.

What Can You Block?
- On the public side, make sure to block anything that users should not be accessing: manage_?*, login*, logged*, require_login*, acl_users*, searchformembers, etc.
- Also, block any known bad request types. Does your site need POST requests? Rate limiting? Maybe only for POST requests?
Example Nginx Blocks
Caching
- Varnish
- Optimize caching
- By default, cache everything. Everything you serve should have a TTL on it
- If you have a large site, it might be a good idea to continually crawl the site to keep more items in cache
- Serve stale content if the backend is down

Normalizing URLs
To optimize caching:
- Remove the hash from URLs
- Sort query parameters (Varnish): https://github.com/cyberroadie/varnish-urlsort
- Whitelist query parameters
- Remove cookies, user agent, etc.
- Block known bad URL types
- In the CDN, Nginx or Varnish
- Strip Google params

Sample Varnish
http://nathanvangheem.com/news/high-availability-varnish-configuration-for-plone
- Saint mode -- use stale
- Grace period -- max time in cache
- Use an always-down backend: if a request fails, restart the request with the always-down backend, and Varnish will then serve stale content

Proxy Setup
- Limit the number of simultaneous requests being sent to each Plone client: the .max_connections backend setting in the Varnish config, the maxconn setting for HAProxy
- Do not overload Plone
- Allow proxies to pool requests so Plone can serve content at a steady pace
- Know your expected load
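The blocking and URL-normalization rules from the "What Can You Block?", "Normalizing URLs" and "Sample Varnish" slides, expressed as an added Python example so the policy can be unit-tested before it is ported to nginx or VCL. This is not the talk's Nginx or Varnish configuration; the blocked globs come from the slide, while the POST whitelist, the allowed query parameters and the tracking-parameter names are constructed for the illustration. The cookie filter keeps Plone's `__ac` login cookie so only anonymous requests become cacheable.

```python
import fnmatch
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Paths the public side should never forward to Plone (from the talk's list).
BLOCKED_PATH_GLOBS = ["*/manage_*", "*/login*", "*/logged*", "*/require_login*",
                      "*/acl_users*", "*/searchformembers*"]
# Constructed policy: public traffic is GET/HEAD only, except these POST targets.
ALLOWED_METHODS = {"GET", "HEAD"}
POST_ALLOWED_GLOBS = ["*/@@search", "*/contact-info"]
# Constructed whitelist of query parameters that may vary the cached response.
ALLOWED_PARAMS = {"b_start", "SearchableText", "sort_on"}
TRACKING_PREFIXES = ("utm_",)   # Google campaign parameters
TRACKING_PARAMS = {"gclid"}     # Google Ads click id


def is_blocked(method: str, path: str) -> bool:
    """True if the proxy should answer itself (e.g. 403) and never hand the request to Plone."""
    if any(fnmatch.fnmatchcase(path, g) for g in BLOCKED_PATH_GLOBS):
        return True
    if method.upper() not in ALLOWED_METHODS:
        return not any(fnmatch.fnmatchcase(path, g) for g in POST_ALLOWED_GLOBS)
    return False


def normalize_url(url: str, allowed=ALLOWED_PARAMS) -> str:
    """Canonical cache key: lowercase host, no fragment, tracking (and, when a whitelist
    is given, unknown) parameters removed, the rest sorted so ?a=1&b=2 and ?b=2&a=1
    share one cache entry. Pass allowed=None to strip tracking parameters only."""
    parts = urlsplit(url)

    def keep(key: str) -> bool:
        if key in TRACKING_PARAMS or key.startswith(TRACKING_PREFIXES):
            return False
        return not allowed or key in allowed

    kept = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if keep(k))
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path or "/", urlencode(kept), ""))


def strip_cookies(cookie_header: str) -> str:
    """Drop every cookie except Plone's __ac login cookie, so anonymous requests carry none."""
    kept = [c.strip() for c in cookie_header.split(";") if c.strip().startswith("__ac=")]
    return "; ".join(kept)
```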
Cloudflare/Incapsula
- Caching CDN
- WAF
- reCAPTCHA for suspicious users
- Minify
- Loads of other features
- No fine-grained cache invalidation though

Benefits of WAF
- Can detect various vulnerabilities and XSS attacks and automatically block them
- http://code.google.com/p/naxsi/ for Nginx
- http://www.modsecurity.org/ for Apache

Drawbacks of WAF
- Blocks a bunch of things that are not Plone related (although you can customize)
- More server overhead

Conclusion
- Prevent information from getting into the hands of malicious users
- Protect your Plone servers
- Always serve content, stale if necessary.

More Information
- psusymp.hardenedplone sample product: https://github.com/vangheem/psusymp.hardenedplone
- https://github.com/collective/wildcard.lockdown
- http://nathanvangheem.com/news/high-availability-varnish-configuration-for-plone
- http://nathanvangheem.com/news/notes-on-a-more-secure-plone-deployment

Questions?
Thanks, Nathan Van Gheem
website: nathanvangheem.com
irc: vangheem
twitter: vangheezy