{{last_updated_at}} by {{last_updated_by}}

Inherited Site Security Review

This is a checklist of steps to take when inheriting a site that Megaphone did not build. This list is not comprehensive, and we should add to it over time.

  • Change the admin email for the CMS if it goes to the old vendor (WP: Settings » General. Drupal: Configuration » Site Information).
  • Reset the passwords of server and CMS (encourage client to do latter)
  • Disable unnecessary logins of server and CMS (encourage client to do latter)
  • If CiviCRM, check civicrm_contact for API keys. Remove/change them.
  • Remove interactive shell login from legitimate server users who don't need a shell: passwd -l $USERNAME
  • Remove all unnecessary public RSA keys for ssh access rm /home/$USERNAME/.ssh/authorized_keys*
  • Remove unnecessary software from the server. TODO: Explain how to find this (dpkg -l, yum list installed, ps -ef, etc.)
  • Review all running services on the server with service --status-all or (preferably, if using systemd) systemctl
  • check listening servers with # netstat -lp
  • compare that output to an nmap scan of localhost # nmap -sT -O localhost
    • they should line up closely. if nmap shows a port open that netstat does not, run a rootkit checker and investigate further.
  • Compare THAT output to an nmap scan from another computer (your own - or a dev server if your ISP blocks some ports): nmap -sT -O
  • install fail2ban if not already installed. Consider also tripwire and some iptables.
  • Check for hacks. While this resource is incomplete, it suffices for now. Despite the name, it's useful for Drupal AND WordPress. Be sure to grep a dump of the database and not just the filesystem.

Updated by Jon Goldberg almost 2 years ago · 6 revisions