Today's security announcement highlights the perils of leaving install.php and update.php available on production sites. This article shows how to quickly deny access to install.php and update.php in an apache environment, with special mention of how to apply it to all of your sites if you're using Aegir.
Background
Today's security announcement highlights the potential consequences of leaving install.php and update.php on your production sites. Given it's best practise to use a deployment approach such as Capistrano, Aegir or some other combination of tools like git, jenkins, drush etc - access to install.php and update.php should not be needed on a production site.
Techniques
In your vhost file
You can easily block access to install.php and update.php with this one line entry in your apache vhost config
RedirectMatch 403 "/(install|update).php"
Restart apache and you're away, requests to install.php or update.php will result in a 403
Aegir
As the vhost files in aegir are dynamically generated, you need to use some special sauce to achieve the same result
As detailed in the Aegir documentation you can create drush inc files to inject additional config into a site's vhost config
To do so create the following file at /var/aegir/.drush/install_php.drush.inc
function install_php_provision_apache_vhost_config($uri, $data) {
return "RedirectMatch 403 \"/(install|update).php\"";
}
Then it's simply a matter of verifying each site through the Aegir interface, which in turn regenerates the vhost config with the new entry
Any new sites created will automatically get this entry
Summary
Denying access to install.php and update.php on a production server is good practise, and given how easy it is to achieve, should be part of your standard configuration
Tagged
Drupal System Administration