Liferay hardening principles
Transcript of Liferay hardening principles
Hardening Principles
Copyright © 2000-2013 Liferay, Inc. All Rights Reserved.
No material may be reproduced electronically or in print, duplicated, copied, sold, resold, or otherwise exploited for any commercial purpose without express written consent of Liferay, Inc.
Time for DEMO!
Let's d0 s0me hacking
WHAT IS HARDENING?
“Hardening refers to providing various means of protection in a computer system. Protection is provided in various layers and is often referred to as defense in depth. Protecting in layers means to protect at the host level, the application level, the operating system level, the user level, the physical level and all the sublevels in between. Each level requires a unique method of security.”
- http://www.techopedia.com/definition/24833/hardening
“In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability. A system has a larger vulnerability surface the more that it does; in principle a single-function system is more secure than a multipurpose one. Reducing available vectors of attack typically includes the removal of unnecessary software, unnecessary usernames or logins and the disabling or removal of unnecessary services.”
- http://en.wikipedia.org/wiki/Hardening_(computing)
LAYERS OF HARDENING
NETWORK
SERVER
APPLICATION
NETWORK
Liferay Portal's operating environment is usually spread across multiple servers.
NETWORK - HARDENING
Decide which connections are actually needed.
Allow the Liferay server to reach only the servers it requires: database, Solr, disk share, web services, staging/live server.
Liferay Portal should not have a direct Internet connection:
Inbound connections go through an HTTP server
Outbound connections to the Internet go through a proxy
Image: wikipedia.org
SERVER
Liferay running on the server
Image: wikipedia.org
SERVER - HARDENING
Server administration (Unix, Linux)
No root-level access; use sudo only
Administrators should use their own personal user IDs to administer
Block unnecessary ports with a firewall
Disable unwanted services
Every application and service should run under its own operating system user account
Separate disk partitions for the system, application, data, logs and temp files
chroot the application server installation
APPLICATION
Liferay specific hardening principles
APPLICATION – LIFERAY #1
Remove the demo data (if any exists)!
APPLICATION – LIFERAY #2
Disable or change the default administrative account. Change its username, email address and password.
portal.properties ( default value )
default.admin.screen.name=test
default.admin.password=test
default.admin.email.address.prefix=test
APPLICATION – LIFERAY #3
Keep your Liferay system patched!
APPLICATION – LIFERAY #4
Disable account creation if self-registration is not required!
portal.properties ( default value )
company.security.strangers=true
# Also good to disable OpenID auth if it is not used
open.id.auth.enabled=true
APPLICATION – LIFERAY #5
Make sure that passwords are stored securely!
portal.properties ( default value )
passwords.encryption.algorithm=SHA
## SHOULD BE SSHA or better (plain SHA is unsalted, so identical passwords hash identically and precomputed tables apply)
APPLICATION – LIFERAY #6
Design a permission scheme for Portal users!
NEVER RUN PORTAL USERS WITH THE ADMINISTRATOR ROLE
APPLICATION – LIFERAY #7
Do not show portlets if the user does not have permission!
portal.properties ( default value )
layout.show.portlet.access.denied=true
APPLICATION – LIFERAY #8
Change the authentication token shared secret! The shipped default is public knowledge; set a long random value per installation.
portal.properties ( default value )
auth.token.shared.secret=BAHyWOT9TbPB
APPLICATION – LIFERAY #9
Do not touch the p_auth and p_p_auth token settings! Leave both checks enabled.
portal.properties ( default value )
auth.token.check.enabled=true
portlet.add.default.resource.check.enabled=true
APPLICATION – LIFERAY #10
Disable autologin functionality that is not required!
portal.properties ( default value )
## SET THOSE NOT REQUIRED TO FALSE
com.liferay.portal.servlet.filters.autologin.AutoLoginFilter=true
com.liferay.portal.servlet.filters.sso.cas.CASFilter=true
com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter=true
com.liferay.portal.servlet.filters.sso.ntlm.NtlmPostFilter=true
com.liferay.portal.servlet.filters.sso.opensso.OpenSSOFilter=true
com.liferay.portal.sharepoint.SharepointFilter=true
## REMOVE THE HOOKS THAT ARE NOT REQUIRED
auto.login.hooks=com.liferay.portal.security.auth.CASAutoLogin...
auto.login.ignore.hosts=
auto.login.ignore.paths=
APPLICATION – LIFERAY #11
HTTP or HTTPS? Decide which parts of the portal (at least the login and every authenticated page) must be served over HTTPS.
APPLICATION – LIFERAY #12
Disable Liferay remote services that are not used!
portal.properties ( default value )
spring.remoting.servlet.hosts.allowed=127.0.0.1,SERVER_IP
spring.remoting.servlet.https.required=false
tunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP
tunnel.servlet.https.required=false
axis.servlet.hosts.allowed=127.0.0.1,SERVER_IP
axis.servlet.https.required=false
atom.servlet.hosts.allowed=127.0.0.1,SERVER_IP
atom.servlet.https.required=false
webdav.servlet.hosts.allowed=
webdav.servlet.https.required=false
json.servlet.hosts.allowed=
json.servlet.https.required=false
jsonws.servlet.hosts.allowed=
jsonws.servlet.https.required=false
## An empty hosts.allowed list means ANY host may call that servlet; SERVER_IP is replaced with the portal's own IP.
APPLICATION – LIFERAY #13
Disable core portlets, or just the functionality, that you are never going to use!
StrutsActionHooks can be used to disable functionality
Modify liferay-portlet-ext.xml with an Ext plugin:
liferay-portlet-ext.xml
<portlet>
<portlet-name>...</portlet-name>
<include>false</include>
</portlet>
APPLICATION – LIFERAY #14
Change the company encryption key size and algorithm! 56-bit DES is brute-forceable; use a modern algorithm such as AES with a 128-bit or larger key.
portal.properties ( default value )
company.encryption.key.size=56
company.encryption.algorithm=DES
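The portal.properties settings from slides #2 through #14 can be checked mechanically. The following Python script is an added example, not part of the original slides or of Liferay's own tooling: it reads a portal-ext.properties file, assumes the default values quoted on these slides for any key the file does not override, and reports settings that contradict the hardening advice. The SAMPLE_PORTAL_EXT text and the function names (parse_properties, hosts_allowed, audit, audit_text) are constructed for this example. hosts_allowed mirrors the documented rule that an empty *.servlet.hosts.allowed list admits every host and that SERVER_IP stands for the portal's own address.

```python
"""Audit a portal-ext.properties file against the Liferay hardening slides.

Defaults below are the portal.properties values quoted on the slides; keys that
portal-ext.properties does not override inherit them. Sample input is constructed.
"""
from typing import Dict, List, Tuple

UNSALTED_HASHES = {"NONE", "MD2", "MD5", "SHA", "SHA-256", "SHA-384"}
DEFAULT_SHARED_SECRET = "BAHyWOT9TbPB"           # shipped default shown on slide #8
REMOTE_SERVLET_DEFAULTS = {                       # slide #12 defaults for hosts.allowed
    "spring.remoting": "127.0.0.1,SERVER_IP", "tunnel": "127.0.0.1,SERVER_IP",
    "axis": "127.0.0.1,SERVER_IP", "atom": "127.0.0.1,SERVER_IP",
    "webdav": "", "json": "", "jsonws": "",
}
SSO_FILTERS = (                                   # slide #10 SSO filters, all default true
    "com.liferay.portal.servlet.filters.sso.cas.CASFilter",
    "com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter",
    "com.liferay.portal.servlet.filters.sso.ntlm.NtlmPostFilter",
    "com.liferay.portal.servlet.filters.sso.opensso.OpenSSOFilter",
    "com.liferay.portal.sharepoint.SharepointFilter",
)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: key=value or key:value, '#'/'!' comments, last wins."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def hosts_allowed(value: str, remote_addr: str, server_ip: str) -> bool:
    """Documented *.servlet.hosts.allowed semantics: empty list admits every host,
    SERVER_IP is replaced by the portal's own address."""
    if not value.strip():
        return True
    allowed = {h.strip().replace("SERVER_IP", server_ip) for h in value.split(",")}
    return remote_addr in allowed


def audit(props: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (property, problem) pairs for settings that contradict the slides."""
    findings: List[Tuple[str, str]] = []

    def flag(key: str, msg: str) -> None:
        findings.append((key, msg))

    def get(key: str, default: str) -> str:
        return props.get(key, default)

    if get("default.admin.password", "test") == "test":
        flag("default.admin.password", "shipped default still in place (#2)")
    if get("company.security.strangers", "true") == "true":
        flag("company.security.strangers", "self-registration is open (#4)")
    if get("open.id.auth.enabled", "true") == "true":
        flag("open.id.auth.enabled", "OpenID login enabled (#4)")
    if get("passwords.encryption.algorithm", "SHA").upper() in UNSALTED_HASHES:
        flag("passwords.encryption.algorithm", "unsalted hash; use SSHA or stronger (#5)")
    if get("layout.show.portlet.access.denied", "true") == "true":
        flag("layout.show.portlet.access.denied", "portlets revealed to unauthorised users (#7)")
    if get("auth.token.shared.secret", DEFAULT_SHARED_SECRET) == DEFAULT_SHARED_SECRET:
        flag("auth.token.shared.secret", "shared secret is the public default (#8)")
    for key in ("auth.token.check.enabled", "portlet.add.default.resource.check.enabled"):
        if get(key, "true") != "true":
            flag(key, "CSRF / portlet-injection check switched off (#9)")
    for key in SSO_FILTERS:
        if get(key, "true") == "true":
            flag(key, "SSO filter active; set false unless this SSO is used (#10)")
    for name, default_hosts in REMOTE_SERVLET_DEFAULTS.items():
        if not get(f"{name}.servlet.hosts.allowed", default_hosts).strip():
            flag(f"{name}.servlet.hosts.allowed", "reachable from any host; restrict or disable (#12)")
        if get(f"{name}.servlet.https.required", "false") != "true":
            flag(f"{name}.servlet.https.required", "remote API accepts plain HTTP (#12)")
    key_size = int(get("company.encryption.key.size", "56") or "0")
    if get("company.encryption.algorithm", "DES") == "DES" or key_size < 128:
        flag("company.encryption.algorithm", "weak company key: DES or key shorter than 128 bits (#14)")
    return findings


def audit_text(text: str) -> List[Tuple[str, str]]:
    return audit(parse_properties(text))


# Constructed portal-ext.properties for this example; not a real deployment.
SAMPLE_PORTAL_EXT = """\
default.admin.screen.name=portaladmin
default.admin.password=test
company.security.strangers=false
open.id.auth.enabled=false
passwords.encryption.algorithm=SHA
layout.show.portlet.access.denied=false
auth.token.shared.secret=BAHyWOT9TbPB
auth.token.check.enabled=true
portlet.add.default.resource.check.enabled=true
com.liferay.portal.servlet.filters.sso.cas.CASFilter=false
json.servlet.hosts.allowed=127.0.0.1,SERVER_IP
json.servlet.https.required=true
jsonws.servlet.hosts.allowed=
company.encryption.algorithm=AES
company.encryption.key.size=128
"""

if __name__ == "__main__":
    for prop, problem in audit_text(SAMPLE_PORTAL_EXT):
        print(f"{prop}: {problem}")
```

Run it against a real portal-ext.properties by reading the file into audit_text; keys the file leaves unset are reported against the slide defaults, which is exactly the case a fresh installation is in.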
APPLICATION – LIFERAY #15
Security Manager - PACL!
portal.properties
## NOTE: This is the default setting
#portal.security.manager.strategy=smart
liferay-plugin-package.properties
security-manager-enabled=true
# To make the work easier
APPLICATION – LIFERAY #16
Antisamy Plugin
APPLICATION – LIFERAY #17
Audit Plugin!
APPLICATION – LIFERAY #18
Log rotation!
PLUGIN DEVELOPMENT
OWASP Top 10
Use frameworks that help you avoid XSS.
Use Liferay APIs to escape wherever necessary:
HtmlUtil.escape(..) etc.
Liferay tags: make sure that escapeModel=true
Use the Liferay permission framework
ServiceBuilder: remember to write permission checks in the remote services
Support the Security Manager / PACL!
RECOVERING!
Make a disaster recovery plan
Step-by-step instructions to rebuild a new system
How do you build the system up again from backups?
How long will this take?
Test the plan!
WHAT ELSE?
Liferay Portal is only one component of your Liferay installation.
Give a hardening thought also to:
Http server
Apache: https://www.google.fi/search?q=hardening+apache2
Application server
Tomcat: https://www.owasp.org/index.php/Securing_tomcat
Database
MySql: https://www.google.fi/search?q=hardening+mysql
Other services
Thanks guys!
Questions!