In times of digital transformation, websites are becoming ever more important as a medium for information, transactions and presentation. At the same time, legislators have introduced strict rules for the handling of personal data in recent years.
Consequently, website outages and attacks entail not only high economic but also legal risks.
In this article we point out measures that minimize the above-mentioned risks.
In the TYPO3 Association a dedicated Security Team is responsible for monitoring and handling security-related issues around TYPO3.
It is strongly recommended to follow the team's publications via its mailing list and its Twitter account (@typo3_security).
At https://typo3.org/help/security-advisories/ you will find a list of all known security vulnerabilities together with the recommended actions, published as so-called "security bulletins".
Three types of bulletins are published (for the TYPO3 core, for extensions, and public service announcements), each under a unique identifier ending in yyyy-nnn,
where yyyy is the year of release and nnn is a sequential number.
Security-relevant information that does not directly affect the source code of TYPO3 or of extensions is published as a Public Service Announcement (PSA). This covers problems in third-party software such as Apache, PHP or MySQL.
The severity indicates how urgently a vulnerability must be dealt with:

| Severity | Meaning |
|---|---|
| Critical | Highest level of urgency; immediate action required. |
| High | Second-highest level; act as soon as possible. |
| Medium | Your installation is not necessarily affected; the update should nevertheless be installed. |
| Low | The installation is only affected under certain, rather unlikely circumstances. We recommend updating in this case too. |
Why is it important to always install the latest security update?
TYPO3 is open source. By comparing the old and the new release, attackers can see within minutes which lines were changed, and that diff points them straight at the vulnerability in the old version. Every published security update therefore also publishes where unpatched installations are vulnerable.
Hence one of the most important security rules:
Always keep the system up to date with the latest security patch.
Install the code directly from get.typo3.org and avoid supposedly simpler third-party installation packages. Before unpacking, compare the hash of the downloaded file with the one published on the official website.
Only the user under which the web server runs (e.g. "apache") should have read and write permissions on the installation; developers and administrators are given the rights they need through a group assignment. Write permissions for the directories "fileadmin", "typo3conf" and "typo3temp" are generally sufficient; everything else can be read-only for the web server.
The file typo3conf/LocalConfiguration.php is the most important configuration file in TYPO3. It must neither be readable by unauthorized persons (it contains the database credentials in plain text) nor writable by them (changing the Install Tool password there allows the creation of an admin account).
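The three steps above (verify the download, restrict permissions, protect LocalConfiguration.php) as one POSIX shell script. This is an added example and not a script from the article or from the TYPO3 project. It implements the permission scheme in the variant where a deploy account owns the files and the web server gets group access only: everything is 750/640, and only fileadmin, typo3conf and typo3temp are group-writable, so LocalConfiguration.php stays writable for the Install Tool (which runs as the web server) but unreadable for everybody else on the host. The account names "deploy" and "www-data" are assumptions; pass your own.

```shell
#!/bin/sh
# Added example, not part of the original article: verify a TYPO3 download against the
# published SHA-256, apply the permission scheme from the text, then audit it.
# Hypothetical names: deploy account "deploy", web server group "www-data".
set -eu

# Print the SHA-256 of a file (GNU coreutils, with the BSD/macOS fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_checksum FILE EXPECTED_SHA256
# Copy EXPECTED_SHA256 from the release page on get.typo3.org, never from the same
# (possibly tampered) mirror that delivered the archive. Returns 1 on mismatch.
verify_checksum() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $1: got $actual, expected $expected" >&2
        return 1
    fi
    echo "checksum OK: $1"
}

# harden_permissions WEBROOT [OWNER] [WEBGROUP]
# Files belong to the deploy account; the web server only gets group access.
# Baseline 750/640: the web server can read everything, "others" get nothing.
# Only fileadmin, typo3conf and typo3temp become group-writable (2770/660); the
# setgid bit keeps files created there in the web server's group.
harden_permissions() {
    root=$1; owner=${2:-deploy}; webgroup=${3:-www-data}
    if [ "$(id -u)" -eq 0 ]; then          # chown needs root; chmod does not
        chown -R "$owner:$webgroup" "$root"
    fi
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +
    for dir in fileadmin typo3conf typo3temp; do
        [ -d "$root/$dir" ] || continue
        find "$root/$dir" -type d -exec chmod 2770 {} +
        find "$root/$dir" -type f -exec chmod 660 {} +
    done
}

# audit_permissions WEBROOT
# Lists every path that "others" can access, and every group-writable path outside
# the three writable directories; returns 1 if anything was found.
audit_permissions() {
    root=$1
    bad=$(
        find "$root" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
        find "$root" \( -path "$root/fileadmin" -o -path "$root/typo3conf" \
                        -o -path "$root/typo3temp" \) -prune -o -perm -020 -print
    )
    if [ -n "$bad" ]; then
        printf 'insecure permissions:\n%s\n' "$bad" >&2
        return 1
    fi
    echo "permissions OK: $root"
}
```

Run `verify_checksum typo3_src-x.y.z.tar.gz <sha256 from get.typo3.org>` before unpacking, then `harden_permissions /var/www/typo3 deploy www-data` as root, and put `audit_permissions /var/www/typo3` into a cron job: a file that shows up in its output after a deployment or an extension update is exactly the kind of drift the "Security" section of the Reports module cannot see.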
Only selected administrators should have so-called maintainer rights, which are required to use the Install Tool.
Editors should generally not have FTP/SSH/SCP access to the web server.
Under "Reports" in the TYPO3 backend there is a section "Security"; every check there should be green.
Server Response on static files
This warning is frequently displayed after a standard installation. It refers to the possibility of uploading files with names such as "maliciouscode.html.txt" (or "maliciouscode.svg.txt") through the TYPO3 file manager. Some web servers derive the MIME type from the inner extension when a file name carries several extensions, and deliver such a file as HTML.
Since HTML and SVG files can contain script, editors (or anyone who obtains an editor account) could subvert the system this way. We describe in a separate article on the server response on static files how to fix this problem.
Under "Log", important events in TYPO3 are recorded: system errors, login attempts, editorial actions, file uploads and much more.
This log is therefore an important tool for ongoing system monitoring.
In TYPO3 there are some possibilities to be informed about system changes or other events by mail.
You can use the "System Status Update" scheduler task to monitor the system environment automatically. In case of errors or warnings (or, if desired, on every run) a mail is sent to the address stored in the task definition.
Have yourself notified by mail whenever a user (1) or at least an administrator (2) logs in:

```php
// typo3conf/LocalConfiguration.php
// warning_mode: 1 = mail on every backend login, 2 = mail only when an administrator logs in
$GLOBALS['TYPO3_CONF_VARS']['BE']['warning_mode'] = 2;
$GLOBALS['TYPO3_CONF_VARS']['BE']['warning_email_addr'] = '<mail address>';
```

(Both values can also be set via the Install Tool.)
Editors can also be notified via their personal settings (switch "Notify me by email when somebody logs in from my account") when somebody logs in with their account.
You can manually track failed login attempts in the "Log" module by setting the "Action" filter field to "Login" and specifying the desired time period.
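Filtering the Log module by hand does not scale, so the same question ("which addresses keep failing to log in?") as a shell script over an export of the sys_log table. This is an added example, not a tool from the article or from TYPO3. It assumes the rows were exported tab-separated (for example with `mysql -B -N -e "SELECT tstamp, IP, type, action, error, details FROM sys_log WHERE type=255" typo3db > syslog.tsv`) and that a failed backend login is stored as type 255 (login), action 3 (attempt) and error 3 (security notice); confirm those codes against the `TYPO3\CMS\Core\SysLog` constants of your TYPO3 version. The sample rows are constructed.

```shell
#!/bin/sh
# Added example, not from the article: summarize failed backend logins per IP from a
# tab-separated sys_log export (columns: tstamp, IP, type, action, error, details).
# Assumed codes for a failed attempt: type=255, action=3, error=3; check them against
# TYPO3\CMS\Core\SysLog\Type, ...\Action\Login and ...\Error in your installation.
set -eu

# failed_login_report FILE THRESHOLD [SINCE]
# Prints "count<TAB>ip" for every IP with at least THRESHOLD failed logins whose
# timestamp is >= SINCE (Unix epoch, default 0), busiest address first.
failed_login_report() {
    awk -F'\t' -v min="$2" -v since="${3:-0}" '
        $1 >= since && $3 == 255 && $4 == 3 && $5 == 3 { fails[$2]++ }
        END { for (ip in fails) if (fails[ip] >= min) printf "%d\t%s\n", fails[ip], ip }
    ' "$1" | sort -rn
}

# Constructed sample export (not real data): three failures from one address, one
# failure followed by a successful login (action=1, error=0) from another.
write_sample_export() {
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        1700000000 203.0.113.7  255 3 3 "Login-attempt from ###IP###, username 'admin', password not accepted!" \
        1700000005 203.0.113.7  255 3 3 "Login-attempt from ###IP###, username 'root', password not accepted!" \
        1700000009 203.0.113.7  255 3 3 "Login-attempt from ###IP###, username 'editor', password not accepted!" \
        1700000020 198.51.100.4 255 3 3 "Login-attempt from ###IP###, username 'editor', password not accepted!" \
        1700000030 198.51.100.4 255 1 0 "User editor logged in from ###IP###" \
        > "$1"
}

# Example run: addresses with 3 or more failures since a given point in time.
#   write_sample_export /tmp/syslog.tsv
#   failed_login_report /tmp/syslog.tsv 3 "$(( $(date +%s) - 86400 ))"
```

Note that the threshold has to be tuned to your editors' habits, and that an attacker who rotates addresses will stay below any per-IP threshold; in that case group by the user name in the details column instead. Remember also that the "Anonymize IP addresses" scheduler task described below removes the IP column's value, so run this kind of analysis before the anonymization window expires.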
The following are additional measures that further increase the protection of your TYPO3 system:
As of TYPO3 v11, access to the backend can be restricted to backend users who authenticate with multi-factor authentication.
More information in our article on multi-factor authentication with TYPO3.
Anonymize the data in the sys_log table using the scheduler (task "Anonymize IP addresses in database tables").
Using HTTP security headers is another way to make your website more secure. The headers instruct browsers, for example, to request the site only via HTTPS ("HTTP Strict Transport Security", HSTS for short), and help prevent cross-site scripting, MIME sniffing and clickjacking, among other things.
You can test whether your website is adequately protected with these headers at https://securityheaders.com.
You can find a simple solution for setting the HTTP security headers in our DSGVO (GDPR) article.
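The two web server measures discussed on this page, the security headers above and the response for uploaded static files from the "Server Response on static files" section, as one Apache configuration fragment. This is an added illustration, not the configuration from our DSGVO article or from the TYPO3 project, and the document root path is a placeholder. It requires mod_headers and mod_mime and can go into the virtual host or into a .htaccess file.

```apache
# Added example, not the article's own configuration. Adjust the path to your
# installation; requires mod_headers and mod_mime.

<IfModule mod_headers.c>
    # Only over HTTPS for one year, including subdomains. Enable this only once the
    # whole site (and every subdomain) is reachable over HTTPS; browsers remember it.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # Browsers must trust the declared Content-Type instead of sniffing the body
    Header always set X-Content-Type-Options "nosniff"
    # No framing by other origins (clickjacking)
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Content Security Policy: start in report-only mode, watch the reports,
    # then switch to Content-Security-Policy once your assets are covered
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; object-src 'none'; frame-ancestors 'self'"
</IfModule>

# Editor uploads: never hand out uploaded markup as a document. A file named
# maliciouscode.html.txt or logo.svg.xyz is forced to text/plain and offered as a
# download, so no browser will execute script contained in it.
<Directory "/var/www/typo3/public/fileadmin">
    <FilesMatch "\.(?i:html?|xhtml|svg|xml)\.[^./]+$">
        ForceType text/plain
        Header always set Content-Disposition "attachment"
    </FilesMatch>
</Directory>
```

After reloading Apache, check the result with `curl -I https://www.example.org/fileadmin/test.html.txt` (using a harmless test file) and with https://securityheaders.com; the "Security" section of the Reports module should now show the static-file check in green as well.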
In TYPO3 it is possible to output HTML (and therefore also SVG/JavaScript) code as a content element on a page. You should disable this feature at least for editors via the "Access Lists" in the settings of the user (or better: of the group).
HTML, JavaScript and SVG files may contain malicious code. Uploading such files via the file manager should therefore be prevented wherever possible.
Regularly clean the tables sys_log and sys_history via the scheduler task "Table garbage collection".
If you, like most, use the extension powermail, also clean the tables tx_powermail_domain_model_mail and tx_powermail_domain_model_answer.
An important part of keeping a website running as smoothly as possible is keeping a backup.
The backup of a TYPO3 installation comprises two components:
1. Files
Decisive are usually the two directories:
<WEBROOT>/fileadmin
<WEBROOT>/typo3conf
These are the default locations; in special cases they may be elsewhere. "typo3conf", for example, can be located outside the web root for security reasons, "fileadmin" may have a different name, and there may be additional directories ("file mounts").
2. Database
TYPO3 needs a database, which of course also has to be backed up.
Backup test
To ensure that backups are complete and can be restored without problems, they should be tested. In practice it is a good idea to restore the backup into a second environment and use that as a test environment for tasks that should not be performed directly on the live system (security updates, template changes, etc.).
Backups should not be kept (only) locally. We have developed our own backup script that allows mirroring backups to other servers.
Keep in mind that backups may contain personal data as defined by the GDPR and take appropriate protection measures, such as encryption and password protection.
Since functional errors, data loss and corrupt code are in most cases detected late, backups should be available for a longer period, not just from the previous day.
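The backup procedure described in this section (files, database, restore test, off-site copy, encryption, retention) as a set of POSIX shell functions. This is an added example and not our backup script or any script from the TYPO3 project; the database name, the passphrase file and the remote target are placeholders, and database credentials are expected in ~/.my.cnf so they never appear on the command line. The verification step lists the archive (decrypting it on the fly if necessary), because an archive that cannot be listed cannot be restored.

```shell
#!/bin/sh
# Added example, not the article's own backup script: back up the two components of
# a TYPO3 installation, verify and encrypt the result, keep a retention window and
# mirror to a second host. Placeholders (hypothetical): database name, passphrase
# file, remote target. mysqldump reads its credentials from ~/.my.cnf.
set -eu

# backup_files DEST STAMP WEBROOT [DIR ...]
# Archives the given directories (default: fileadmin typo3conf) relative to WEBROOT.
# Pass further file mounts, or a typo3conf that lives outside the web root, as extra args.
backup_files() {
    dest=$1; stamp=$2; root=$3; shift 3
    [ $# -gt 0 ] || set -- fileadmin typo3conf
    archive="$dest/typo3-files-$stamp.tar.gz"
    tar -C "$root" -czf "$archive" "$@"
    echo "$archive"
}

# backup_database DEST STAMP DBNAME -> compressed dump from a consistent InnoDB snapshot
backup_database() {
    dump="$1/typo3-db-$2.sql.gz"
    mysqldump --single-transaction --quick "$3" | gzip > "$dump"
    echo "$dump"
}

# encrypt_backup FILE PASSFILE -> FILE.enc, plaintext removed (backups hold personal data)
encrypt_backup() {
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$2" -in "$1" -out "$1.enc"
    rm -f "$1"
    echo "$1.enc"
}

# verify_archive ARCHIVE [PASSFILE]
# Lists the archive (decrypting on the fly) or tests the dump; non-zero means unusable.
verify_archive() {
    case $1 in
        *.enc)    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$2" -in "$1" | tar -tzf - >/dev/null ;;
        *.tar.gz) tar -tzf "$1" >/dev/null ;;
        *.sql.gz) gzip -t "$1" ;;
        *)        echo "unknown backup type: $1" >&2; return 1 ;;
    esac
}

# prune_old DEST DAYS: delete backups older than DAYS. Keep weeks, not a single day,
# because corrupt data is usually noticed late. Mirror first, prune afterwards.
prune_old() {
    find "$1" -name 'typo3-*' -type f -mtime +"$2" -exec rm -f {} +
}

# mirror_offsite DEST REMOTE, e.g. REMOTE=backup@backup.example.net:/srv/typo3
mirror_offsite() {
    rsync -a "$1/" "$2/"
}

# Typical nightly run from cron:
#   stamp=$(date +%Y%m%d-%H%M); dest=/var/backups/typo3
#   f=$(backup_files "$dest" "$stamp" /var/www/typo3/public)
#   d=$(backup_database "$dest" "$stamp" typo3_db)
#   for x in "$f" "$d"; do verify_archive "$x"; encrypt_backup "$x" /root/.typo3-backup-pass >/dev/null; done
#   mirror_offsite "$dest" backup@backup.example.net:/srv/typo3
#   prune_old "$dest" 30
```

Store the passphrase file with mode 600 outside the backup directory and keep a copy of it in the password manager; an encrypted backup whose key lives only on the server that just died is no backup. The restore test from the section above is then simply `verify_archive` followed by unpacking into the staging environment.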
We recommend the following backup intervals:
Do you need support for the secure operation of your TYPO3 installation(s)? As a TYPO3 agency with certified developers we are happy to help and offer professional TYPO3 support. We look forward to hearing from you.