Liferay Road Show 12.9.2013, Sampsa Sohlman, Liferay

1. Hardening Principles
Copyright © 2000-2013 Liferay, Inc.
All Rights Reserved.
No material may be reproduced electronically or in print, duplicated,
copied, sold, resold, or otherwise exploited for any commercial purpose
without express written consent of Liferay, Inc.

3. Time for
DEMO!
Let's d0 s0me hacking
Time for
DEMO!
Let's d0 s0me hacking

4. WHAT IS HARDENING?
“Hardening refers to providing various means of protection in a computer system.
Protection is provided in various layers and is often referred to as defense in depth.
Protecting in layers means to protect at the host level, the application level, the
operating system level, the user level, the physical level and all the sublevels in
between. Each level requires a unique method of security.”
- http://www.techopedia.com/definition/24833/hardening
“In computing, hardening is usually the process of securing a system by reducing its
surface of vulnerability. A system has a larger vulnerability surface the more that it does;
in principle a single-function system is more secure than a multipurpose one. Reducing
available vectors of attack typically includes the removal of unnecessary software,
unnecessary usernames or logins and the disabling or removal of unnecessary services.”
- http://en.wikipedia.org/wiki/Hardening_(computing)

5. LAYERS OF HARDENING
NETWORK
SERVER
APPLICATION

6. NETWORK
Usually Liferay Portal's
operating environment has
been spread out to multiple
servers.

7. NETWORK - HARDENING
Think which connections are
needed?
Allow Liferay server should
access only servers that is
required. Database, Solr, Disk-
share, Web-services, staging live
server..
Liferay Portal should not have direct
Internet connection
Connections through HTTP server
Connecting to internet through
Proxy
Image: wikipedia.org

8. SERVER
Liferay running at server
Image: wikipedia.org

9. SERVER - HARDENING
Server administration (Unix, Linux)
No root level access, only SUDO
Administrators should use own personal user id's to administer
Block unnecessary ports with Firewall
Disable unwanted services
All the applications and services should run with their respective operating
system user account.
Separate disk spaces for the system, application, data, logs and temp files
chroot the Application server installation

10. APPLICATION
Liferay
specific hardening principles

11. APPLICATION – LIFERAY #1
Remove demo data!
(if exists)

12. APPLICATION – LIFERAY #2
Disable and change default administrative
accounts. Change the username / email /
password
portal.properties ( default value )
default.admin.screen.name=test
default.admin.password=test
default.admin.email.address.prefix=test
portal.properties ( default value )
default.admin.screen.name=test
default.admin.password=test
default.admin.email.address.prefix=test

13. APPLICATION – LIFERAY #3
Keep you Liferay system patched!

14. APPLICATION – LIFERAY #4
Disable create account if registration is not
required!
portal.properties ( default value )
company.security.strangers=true
# Also good to disable open.id auth
open.id.auth.enabled=true
portal.properties ( default value )
company.security.strangers=true
# Also good to disable open.id auth
open.id.auth.enabled=true

15. APPLICATION – LIFERAY #5
Make sure that password are stored securely!
portal.properties ( default value )
passwords.encryption.algorithm=SHA
## SHOULD BE SSHA or better
portal.properties ( default value )
passwords.encryption.algorithm=SHA
## SHOULD BE SSHA or better

16. APPLICATION – LIFERAY #6
Design permission scheme for Portal users!
NEVER
RUN PORTAL USER
WITH
ADMINISTRATION
ROLE

17. APPLICATION – LIFERAY #7
Do not show portlets if user do not have
permission!
portal.properties ( default value )
layout.show.portlet.access.denied=true
portal.properties ( default value )
layout.show.portlet.access.denied=true

18. APPLICATION – LIFERAY #8
Change
authentication token / shared secret
portal.properties ( default value )
auth.token.shared.secret=BAHyWOT9TbPB
portal.properties ( default value )
auth.token.shared.secret=BAHyWOT9TbPB

19. APPLICATION – LIFERAY #9
Do not change touch p_auth and p_p_auth
tokens settings!
portal.properties ( default value )
auth.token.check.enabled=true
portlet.add.default.resource.check.enabled=true
portal.properties ( default value )
auth.token.check.enabled=true
portlet.add.default.resource.check.enabled=true

20. APPLICATION – LIFERAY #10
Disabling autologin functionality that is not required!
portal.properties ( default value )
## SET NOT REQUIRED FALSE
com.liferay.portal.servlet.filters.autologin.AutoLoginFilter=true
com.liferay.portal.servlet.filters.sso.cas.CASFilter=true
com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter=true
com.liferay.portal.servlet.filters.sso.ntlm.NtlmPostFilter=true
com.liferay.portal.servlet.filters.sso.opensso.OpenSSOFilter=true
com.liferay.portal.sharepoint.SharepointFilter=true
## REMOVE REQUIRED
auto.login.hooks=com.liferay.portal.security.auth.CASAutoLogin...
auto.login.ignore.hosts=
auto.login.ignore.paths=
portal.properties ( default value )
## SET NOT REQUIRED FALSE
com.liferay.portal.servlet.filters.autologin.AutoLoginFilter=true
com.liferay.portal.servlet.filters.sso.cas.CASFilter=true
com.liferay.portal.servlet.filters.sso.ntlm.NtlmFilter=true
com.liferay.portal.servlet.filters.sso.ntlm.NtlmPostFilter=true
com.liferay.portal.servlet.filters.sso.opensso.OpenSSOFilter=true
com.liferay.portal.sharepoint.SharepointFilter=true
## REMOVE REQUIRED
auto.login.hooks=com.liferay.portal.security.auth.CASAutoLogin...
auto.login.ignore.hosts=
auto.login.ignore.paths=

21. APPLICATION – LIFERAY #11
HTTP / HTTPS ?

22. APPLICATION – LIFERAY #12
Disable Liferay remote services that are not used!
portal.properties ( default value )
spring.remoting.servlet.hosts.allowed=127.0.0.1,SERVER_IP
spring.remoting.servlet.https.required=false
tunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP
tunnel.servlet.https.required=false
axis.servlet.hosts.allowed=127.0.0.1,SERVER_IP
axis.servlet.https.required=false
atom.servlet.hosts.allowed=127.0.0.1,SERVER_IP
atom.servlet.https.required=false
webdav.servlet.hosts.allowed=
webdav.servlet.https.required=false
json.servlet.hosts.allowed=
json.servlet.https.required=false
jsonws.servlet.hosts.allowed=
jsonws.servlet.https.required=false
portal.properties ( default value )
spring.remoting.servlet.hosts.allowed=127.0.0.1,SERVER_IP
spring.remoting.servlet.https.required=false
tunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP
tunnel.servlet.https.required=false
axis.servlet.hosts.allowed=127.0.0.1,SERVER_IP
axis.servlet.https.required=false
atom.servlet.hosts.allowed=127.0.0.1,SERVER_IP
atom.servlet.https.required=false
webdav.servlet.hosts.allowed=
webdav.servlet.https.required=false
json.servlet.hosts.allowed=
json.servlet.https.required=false
jsonws.servlet.hosts.allowed=
jsonws.servlet.https.required=false

23. APPLICATION – LIFERAY #13
Disable core-portlets or just functionality that you are
not ever going to use!
StrutsActionHooks can be
used to disable functionality
Modify liferay-porlet-ext.xml with Ext-plugin:
StrutsActionHooks can be
used to disable functionality
Modify liferay-porlet-ext.xml with Ext-plugin:
liferay-portlet-ext.xml
<portlet>
<portlet-name>...</portlet-name>
<include>false</include>
</portlet>
liferay-portlet-ext.xml
<portlet>
<portlet-name>...</portlet-name>
<include>false</include>
</portlet>

24. APPLICATION – LIFERAY #14
Change Company encryption key size and
algorithm
portal.properties ( default value )
company.encryption.key.size=56
company.encryption.algorithm=DES
portal.properties ( default value )
company.encryption.key.size=56
company.encryption.algorithm=DES

25. APPLICATION – LIFERAY #15
Security Manager - PACL!
portal.properties
#
# NOTE: This is default setting
#
portal.security.manager.strategy=smart
portal.properties
#
# NOTE: This is default setting
#
portal.security.manager.strategy=smart
liferay-plugin-package.properties
security-manager-enabled=true
# The make work easier
liferay-plugin-package.properties
security-manager-enabled=true
# The make work easier

26. APPLICATION – LIFERAY #16
Antisamy Plugin

27. APPLICATION – LIFERAY #17
Audit Plugin!

28. APPLICATION – LIFERAY #18
Log rotation!

29. PLUGIN DEVELOPMENT
OWASP 10
Use frameworks that helps you to avoid XSS.
Use Liferay API's to escape where ever necessary
HTMLUtil.escape (..) etc.
Liferay tags, make sure that escapeModel=true
Use Lifeay permission framework
ServiceBuilder: Remember to write permission checks in the remote
services
Support Security Manager / PACL!

30. RECOVERING!
Make disaster recovery plan
Step by step instructions to rebuild new system
How to buildup system again from backups?
How long time this will take?
Test the plan!

31. WHAT ELSE?
Liferay portal is only one component of your Liferay installation.
Give a hardening though also to:
Http server
Apache: https://www.google.fi/search?q=hardening+apache2
Application server
Tomcat: https://www.owasp.org/index.php/Securing_tomcat
Database
MySql: https://www.google.fi/search?q=hardening+mysql
Other services

32. Thanks guys!
Questions!