Liferay hardening principles


Liferay Road Show 12.9.2013, Sampsa Sohlman, Liferay

Transcript

  • 1. Hardening Principles Copyright © 2000-2013 Liferay, Inc. All Rights Reserved. No material may be reproduced electronically or in print, duplicated, copied, sold, resold, or otherwise exploited for any commercial purpose without express written consent of Liferay, Inc.
  • 2. Time for DEMO! Let's d0 s0me hacking
  • 3. WHAT IS HARDENING?
    “Hardening refers to providing various means of protection in a computer system. Protection is provided in various layers and is often referred to as defense in depth. Protecting in layers means to protect at the host level, the application level, the operating system level, the user level, the physical level and all the sublevels in between. Each level requires a unique method of security.” - http://www.techopedia.com/definition/24833/hardening
    “In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability. A system has a larger vulnerability surface the more that it does; in principle a single-function system is more secure than a multipurpose one. Reducing available vectors of attack typically includes the removal of unnecessary software, unnecessary usernames or logins and the disabling or removal of unnecessary services.” - http://en.wikipedia.org/wiki/Hardening_(computing)
  • 4. LAYERS OF HARDENING: NETWORK, SERVER, APPLICATION
  • 5. NETWORK Liferay Portal's operating environment is usually spread across multiple servers.
  • 6. NETWORK - HARDENING
    Think about which connections are needed. The Liferay server should be allowed to reach only the servers it requires: database, Solr, disk share, web services, staging/live server, etc.
    Liferay Portal should not have a direct Internet connection: client connections come in through the HTTP server, and connections out to the Internet go through a proxy.
    (Image: wikipedia.org)
  • 7. SERVER Liferay running on a server (Image: wikipedia.org)
  • 8. SERVER - HARDENING Server administration (Unix, Linux):
    No root-level access, only sudo
    Administrators should use their own personal user IDs to administer
    Block unnecessary ports with a firewall
    Disable unwanted services
    All applications and services should run under their own operating system user account
    Separate disk space for the system, application, data, logs and temp files
    chroot the application server installation
  • 9. APPLICATION Liferay specific hardening principles
  • 10. APPLICATION – LIFERAY #1 Remove demo data! (if it exists)
  • 11. APPLICATION – LIFERAY #2 Disable and change default administrative accounts. Change the username / email / password.
    portal.properties (default value):
      default.admin.screen.name=test
      default.admin.password=test
      default.admin.email.address.prefix=test
  • 12. APPLICATION – LIFERAY #3 Keep your Liferay system patched!
  • 13. APPLICATION – LIFERAY #4 Disable account creation if registration is not required!
    portal.properties (default value):
      company.security.strangers=true
      # Also good to disable open.id auth
      open.id.auth.enabled=true
  • 14. APPLICATION – LIFERAY #5 Make sure that passwords are stored securely!
    portal.properties (default value):
      passwords.encryption.algorithm=SHA   ## SHOULD BE SSHA or better
  • 15. APPLICATION – LIFERAY #6 Design a permission scheme for portal users! NEVER RUN A PORTAL USER WITH THE ADMINISTRATION ROLE
  • 16. APPLICATION – LIFERAY #7 Do not show portlets if the user does not have permission!
    portal.properties (default value):
      layout.show.portlet.access.denied=true
  • 17. APPLICATION – LIFERAY #8 Change the authentication token / shared secret
    portal.properties (default value):
      auth.token.shared.secret=BAHyWOT9TbPB
  • 18. APPLICATION – LIFERAY #9 Do not touch the p_auth and p_p_auth token settings!
    portal.properties (default value):
      auth.token.check.enabled=true
      portlet.add.default.resource.check.enabled=true
  • 19. APPLICATION – LIFERAY #10 Disable autologin functionality that is not required!
    portal.properties (default value):
      ## SET NOT REQUIRED FALSE
      com.liferay.portal.servlet.filters.autologin.AutoLoginFilter=true
      com.liferay.portal.servlet.filters.sso.cas.CASFilter=true
      com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter=true
      com.liferay.portal.servlet.filters.sso.ntlm.NtlmPostFilter=true
      com.liferay.portal.servlet.filters.sso.opensso.OpenSSOFilter=true
      com.liferay.portal.sharepoint.SharepointFilter=true
      ## REMOVE REQUIRED
      auto.login.hooks=com.liferay.portal.security.auth.CASAutoLogin...
      auto.login.ignore.hosts=
      auto.login.ignore.paths=
  • 20. APPLICATION – LIFERAY #11 HTTP / HTTPS ?
  • 21. APPLICATION – LIFERAY #12 Disable Liferay remote services that are not used!
    portal.properties (default value):
      spring.remoting.servlet.hosts.allowed=127.0.0.1,SERVER_IP
      spring.remoting.servlet.https.required=false
      tunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP
      tunnel.servlet.https.required=false
      axis.servlet.hosts.allowed=127.0.0.1,SERVER_IP
      axis.servlet.https.required=false
      atom.servlet.hosts.allowed=127.0.0.1,SERVER_IP
      atom.servlet.https.required=false
      webdav.servlet.hosts.allowed=
      webdav.servlet.https.required=false
      json.servlet.hosts.allowed=
      json.servlet.https.required=false
      jsonws.servlet.hosts.allowed=
      jsonws.servlet.https.required=false
  • 22. APPLICATION – LIFERAY #13 Disable core portlets, or just the functionality, that you are never going to use!
    StrutsActionHooks can be used to disable functionality.
    Modify liferay-portlet-ext.xml with an Ext plugin:
    liferay-portlet-ext.xml:
      <portlet>
        <portlet-name>...</portlet-name>
        <include>false</include>
      </portlet>
  • 23. APPLICATION – LIFERAY #14 Change the company encryption key size and algorithm
    portal.properties (default value):
      company.encryption.key.size=56
      company.encryption.algorithm=DES
  • 24. APPLICATION – LIFERAY #15 Security Manager - PACL!
    portal.properties:
      #
      # NOTE: This is the default setting
      #
      portal.security.manager.strategy=smart
    liferay-plugin-package.properties:
      security-manager-enabled=true
      # To make work easier
  • 25. APPLICATION – LIFERAY #16 Antisamy Plugin
  • 26. APPLICATION – LIFERAY #17 Audit Plugin!
  • 27. APPLICATION – LIFERAY #18 Log rotation!
  • 28. PLUGIN DEVELOPMENT OWASP Top 10
    Use frameworks that help you to avoid XSS.
    Use Liferay APIs to escape wherever necessary: HtmlUtil.escape(..) etc.
    Liferay tags: make sure that escapeModel=true
    Use the Liferay permission framework
    ServiceBuilder: remember to write permission checks in the remote services
    Support Security Manager / PACL!
  • 29. RECOVERING! Make a disaster recovery plan:
    Step-by-step instructions to rebuild a new system
    How do you build the system up again from backups?
    How long will this take?
    Test the plan!
  • 30. WHAT ELSE? Liferay Portal is only one component of your Liferay installation. Give a hardening thought also to:
    HTTP server (Apache): https://www.google.fi/search?q=hardening+apache2
    Application server (Tomcat): https://www.owasp.org/index.php/Securing_tomcat
    Database (MySQL): https://www.google.fi/search?q=hardening+mysql
    Other services
  • 31. Thanks guys! Questions!
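Slides 11, 13, 14, 17, 18, 19, 21 and 23 each show a portal.properties default and the direction it should be changed in. The script below is an added example, not part of the presentation and not Liferay code: it reads a portal-ext.properties override file, fills in the defaults exactly as the slides list them for every key that is not overridden, and reports which of the slides' recommendations are still unmet. The sample override file is constructed for the example; the severity labels, the 128-bit threshold for the company key size, the reading of an empty hosts.allowed as "no host restriction", and the set of algorithms accepted as "SSHA or better" (SSHA, BCRYPT, PBKDF2) are assumptions of the example rather than statements from the slides.

```python
"""Audit a Liferay portal-ext.properties file against the hardening slides.
Added example, not part of the presentation or of Liferay itself: keys that are not
overridden are judged at the default value the slides show for them."""
import re

# Defaults exactly as slides 11, 13, 14, 17, 18 and 23 show them.
SLIDE_DEFAULTS = {
    "default.admin.screen.name": "test", "default.admin.password": "test",
    "company.security.strangers": "true", "open.id.auth.enabled": "true",
    "passwords.encryption.algorithm": "SHA", "auth.token.shared.secret": "BAHyWOT9TbPB",
    "auth.token.check.enabled": "true", "portlet.add.default.resource.check.enabled": "true",
    "company.encryption.key.size": "56", "company.encryption.algorithm": "DES",
}
# Slide 19: autologin / SSO filters, all enabled by default.
AUTOLOGIN_FILTERS = tuple("com.liferay.portal." + s for s in (
    "servlet.filters.autologin.AutoLoginFilter", "servlet.filters.sso.cas.CASFilter",
    "servlet.filters.sso.ntlm.NtlmFilter", "servlet.filters.sso.ntlm.NtlmPostFilter",
    "servlet.filters.sso.opensso.OpenSSOFilter", "sharepoint.SharepointFilter"))
SLIDE_DEFAULTS.update(dict.fromkeys(AUTOLOGIN_FILTERS, "true"))
# Slide 21: remote servlets; webdav/json/jsonws default to an empty host list, none requires HTTPS.
REMOTE_SERVLETS = ("spring.remoting", "tunnel", "axis", "atom", "webdav", "json", "jsonws")
for _name in REMOTE_SERVLETS:
    SLIDE_DEFAULTS[_name + ".servlet.hosts.allowed"] = (
        "" if _name in ("webdav", "json", "jsonws") else "127.0.0.1,SERVER_IP")
    SLIDE_DEFAULTS[_name + ".servlet.https.required"] = "false"
# Assumptions of this example, not statements from the slides.
SALTED_PREFIXES = ("SSHA", "BCRYPT", "PBKDF2")  # what this audit accepts as "SSHA or better"
MIN_COMPANY_KEY_BITS = 128                      # assumed threshold for slide 23's key size

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comment lines, key=value or key:value."""
    props = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and line[0] not in "#!":
            m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
            if m:
                props[m.group(1)] = m.group(2).strip()
    return props

def audit(text, required_sso=frozenset()):
    """Return (severity, key, message) findings. required_sso names the autologin
    filters this deployment genuinely needs; any other enabled filter is reported."""
    p = dict(SLIDE_DEFAULTS)
    p.update(parse_properties(text))
    out = []
    def true(key):
        return p[key].strip().lower() == "true"
    if "test" in (p["default.admin.screen.name"], p["default.admin.password"]):  # slide 11
        out.append(("HIGH", "default.admin.*", "default administrative credentials unchanged"))
    if true("company.security.strangers"):  # slide 13
        out.append(("MEDIUM", "company.security.strangers", "account creation open to strangers"))
    if true("open.id.auth.enabled"):
        out.append(("LOW", "open.id.auth.enabled", "OpenID authentication enabled"))
    if not p["passwords.encryption.algorithm"].upper().startswith(SALTED_PREFIXES):  # slide 14
        out.append(("HIGH", "passwords.encryption.algorithm", "not SSHA or better"))
    if p["auth.token.shared.secret"] == SLIDE_DEFAULTS["auth.token.shared.secret"]:  # slide 17
        out.append(("HIGH", "auth.token.shared.secret", "shared secret is the default value"))
    for key in ("auth.token.check.enabled", "portlet.add.default.resource.check.enabled"):
        if not true(key):  # slide 18
            out.append(("HIGH", key, "token check disabled; slide 18 says leave it enabled"))
    for flt in AUTOLOGIN_FILTERS:  # slide 19
        if true(flt) and flt not in required_sso:
            out.append(("MEDIUM", flt, "autologin filter enabled but not required"))
    for name in REMOTE_SERVLETS:  # slide 21; empty hosts.allowed read as "no restriction" (assumption)
        if p[name + ".servlet.hosts.allowed"] == "":
            out.append(("HIGH", name + ".servlet.hosts.allowed", "remote servlet reachable from any host"))
        if not true(name + ".servlet.https.required"):
            out.append(("LOW", name + ".servlet.https.required", "remote servlet does not require HTTPS"))
    size = p["company.encryption.key.size"]
    bits = int(size) if size.isdigit() else 0
    if p["company.encryption.algorithm"].upper() == "DES" or bits < MIN_COMPANY_KEY_BITS:  # slide 23
        out.append(("MEDIUM", "company.encryption.*", "company encryption algorithm/key size is weak"))
    return out

def severity_summary(findings):
    """Count findings per severity, e.g. {'HIGH': 1, 'MEDIUM': 0, 'LOW': 6}."""
    return {sev: sum(1 for f in findings if f[0] == sev) for sev in ("HIGH", "MEDIUM", "LOW")}

# Constructed sample override (not a real deployment): most slides applied, but webdav
# is still open to any host and only jsonws requires HTTPS.
SAMPLE_PORTAL_EXT = """\
# constructed portal-ext.properties
default.admin.screen.name=portaladmin
default.admin.password=ChangeMe-Before-GoLive
company.security.strangers=false
open.id.auth.enabled=false
passwords.encryption.algorithm=SSHA
auth.token.shared.secret=constructed-unique-secret
com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter=false
com.liferay.portal.servlet.filters.sso.ntlm.NtlmPostFilter=false
com.liferay.portal.servlet.filters.sso.opensso.OpenSSOFilter=false
com.liferay.portal.sharepoint.SharepointFilter=false
json.servlet.hosts.allowed=127.0.0.1,10.0.0.5
jsonws.servlet.hosts.allowed=127.0.0.1,10.0.0.5
jsonws.servlet.https.required=true
company.encryption.key.size=128
company.encryption.algorithm=AES
"""
REQUIRED_SSO = frozenset(AUTOLOGIN_FILTERS[:2])  # this constructed site keeps AutoLogin and CAS

if __name__ == "__main__":
    print(*audit(SAMPLE_PORTAL_EXT, REQUIRED_SSO), sep="\n")
```

Running it with an empty override file reports every default the slides warn about; on the constructed sample only the open webdav host list and the six servlets that still accept plain HTTP remain. The defaults table is what makes the check honest: a hardening review of portal-ext.properties alone would miss a key that was never overridden, so each recommendation is evaluated against the effective value, not against the lines present in the file.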