Revision 1 (Jon Goldberg, 11/21/2017 10:33 PM) → Revision 2/6 (Jon Goldberg, 11/21/2017 10:33 PM)

# Inherited Site Security Review 

This is a checklist of steps to take when inheriting a site that JMA did not build. This list is not comprehensive, and we should add to it over time.

 * Reset the passwords for the server and the CMS (encourage the client to do the latter).
 * Disable unnecessary logins on the server and in the CMS (encourage the client to do the latter).
 * If CiviCRM, check `civicrm_contact` for API keys. Remove or change them.
 * If CiviCRM, check for CiviConnect apps.
 * Remove interactive shell login from legitimate server users who don't need a shell.
 * Remove all unnecessary public RSA keys used for ssh access.
 * Remove unnecessary software from the server. TODO: Explain how to find this (`dpkg -l`, `ps -ef`, etc.).
 * Review all running services on the server with `service --status-all` or (preferably, if using systemd) `systemctl`.
 * Check listening servers with `# netstat -lp`.
 * Compare that output to an nmap scan of localhost: `# nmap -sT -O localhost`.
   * They should line up closely. If nmap shows a port open that netstat does not, run a rootkit checker and investigate further.
 * Compare THAT output to an nmap scan from another computer (your own, or a dev server if your ISP blocks some ports): `nmap -sT -O www.example.org`.
 * Install fail2ban if not already installed. Consider also tripwire and some iptables rules.
 * Check for hacks. While [this resource](https://hq.palantetech.coop/projects/commons/wiki/Unhacking_a_WordPress_site) is incomplete, it suffices for now. Despite the name, it's useful for Drupal AND WordPress. Be sure to grep a dump of the database and not just the filesystem.
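The netstat-versus-nmap comparison from the list above, as an added example that is not part of this checklist or of JMA's tooling: a POSIX shell script that parses `netstat -lp` and `nmap -sT -O localhost` output and prints the ports nmap found open that netstat cannot account for. The `ports_not_in` helper is general enough to also serve the next step (local nmap list versus a scan from another computer), since both sides are just lists of open TCP ports. The sample output, process names and the planted port 4444 are constructed, not real captures.

```shell
#!/bin/sh
# Constructed sample of `netstat -lp` output (not a real capture).
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1045/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      1310/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient'

# Constructed sample of `nmap -sT -O localhost` output; port 4444 is the planted discrepancy.
NMAP_SAMPLE='Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
4444/tcp open  krb524'

# TCP ports (IPv4 and IPv6) that netstat reports in LISTEN state, one per line, sorted.
netstat_tcp_ports() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
        sort -n -u
}

# TCP ports that nmap reports as open, one per line, sorted.
nmap_open_tcp_ports() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { split($1, a, "/"); print a[1] }' |
        sort -n -u
}

# Print every port in list $2 that is absent from list $1 (both newline-separated port lists).
ports_not_in() {
    known=$(printf '%s\n' "$1" | tr '\n' ' ')
    printf '%s\n' "$2" | awk -v known=" $known " 'NF && index(known, " " $1 " ") == 0'
}

# Ports nmap saw open that netstat cannot account for: the trigger for a rootkit check.
unexplained_ports() {
    ports_not_in "$(netstat_tcp_ports "$1")" "$(nmap_open_tcp_ports "$2")"
}

# Stand-alone run over the constructed samples (prints 4444).
unexplained_ports "$NETSTAT_SAMPLE" "$NMAP_SAMPLE"
```

On a real box, feed it `netstat -lp` and the nmap report saved to files (`unexplained_ports "$(cat netstat.txt)" "$(cat nmap.txt)"`); an empty result means the two views agree.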