4. WHAT IS HARDENING?
“Hardening refers to providing various means of protection in a computer system.
Protection is provided in various layers and is often referred to as defense in depth.
Protecting in layers means to protect at the host level, the application level, the
operating system level, the user level, the physical level and all the sublevels in
between. Each level requires a unique method of security.”
- http://www.techopedia.com/definition/24833/hardening
“In computing, hardening is usually the process of securing a system by reducing its
surface of vulnerability. A system has a larger vulnerability surface the more that it does;
in principle a single-function system is more secure than a multipurpose one. Reducing
available vectors of attack typically includes the removal of unnecessary software,
unnecessary usernames or logins and the disabling or removal of unnecessary services.”
- http://en.wikipedia.org/wiki/Hardening_(computing)
7. NETWORK - HARDENING
Think about which connections are actually needed.
- Allow the Liferay server to reach only the servers it requires: database, Solr, disk share, web services, staging/live server.
- Liferay Portal should not have a direct Internet connection.
- Connections go through the HTTP server.
- Connecting to the Internet goes through a proxy.
(Image: wikipedia.org)
9. SERVER - HARDENING
Server administration (Unix, Linux)
- No root-level access, only sudo
- Administrators should use their own personal user IDs to administer
- Block unnecessary ports with a firewall
- Disable unwanted services
- All applications and services should run under their own operating system user account
- Separate disk spaces for the system, application, data, logs and temp files
- chroot the application server installation
14. APPLICATION – LIFERAY #4
Disable "create account" if registration is not required!
portal.properties ( default value )
company.security.strangers=true
# Also good to disable open.id auth
open.id.auth.enabled=true
15. APPLICATION – LIFERAY #5
Make sure that passwords are stored securely!
portal.properties ( default value )
passwords.encryption.algorithm=SHA
## SHOULD BE SSHA or better
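To make the difference between SHA and SSHA concrete, here is an added example (my code, not from the slides or from Liferay) that stores the same password for two users three ways: unsalted SHA-1 as the SHA default does, an SSHA-style salted SHA-1 (base64 of digest followed by salt; the 8-byte salt length is an assumption), and PBKDF2 as an instance of "or better". Liferay's own encoding details are not reproduced here; the point is that unsalted hashes of equal passwords are identical, which is what makes precomputed lookup practical, while salted ones are not.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: two users who happen to have chosen the same password.
USERS = {"alice": "correct horse battery", "bob": "correct horse battery"}
DIGEST_LEN = 20  # SHA-1 digest length in bytes


def hash_sha(password: str) -> str:
    """Unsalted SHA-1, base64-encoded: the shape passwords.encryption.algorithm=SHA stores."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def hash_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 in the common SSHA layout: base64(sha1(password || salt) || salt).
    The 8-byte random salt is an assumption, not a value taken from the slides."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Recover the salt from the stored value, recompute, and compare in constant time."""
    raw = base64.b64decode(stored)
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def hash_pbkdf2(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """'Or better': a salted, deliberately slow KDF. The round count is an assumption."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return base64.b64encode(key + salt).decode("ascii")


def identical_hashes(users, hasher) -> bool:
    """True when every user in `users` ends up with the same stored value."""
    return len({hasher(pw) for pw in users.values()}) == 1


if __name__ == "__main__":
    print("SHA  identical:", identical_hashes(USERS, hash_sha))   # True: same password, same digest
    print("SSHA identical:", identical_hashes(USERS, hash_ssha))  # False: per-user salt
    stored = hash_ssha("correct horse battery")
    print("verify ok:", verify_ssha("correct horse battery", stored),
          "wrong:", verify_ssha("wrong", stored))
```

Changing passwords.encryption.algorithm only affects passwords hashed after the change; existing users keep their old hash until they next set a password, so an audit of the user table is still needed after the switch.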
16. APPLICATION – LIFERAY #6
Design a permission scheme for Portal users!
NEVER RUN PORTAL USER WITH ADMINISTRATION ROLE
17. APPLICATION – LIFERAY #7
Do not show portlets if the user does not have permission!
portal.properties ( default value )
layout.show.portlet.access.denied=true
23. APPLICATION – LIFERAY #13
Disable core portlets, or just the functionality, that you are never going to use!
StrutsActionHooks can be used to disable functionality.
Modify liferay-portlet-ext.xml with an Ext plugin:
liferay-portlet-ext.xml
<portlet>
<portlet-name>...</portlet-name>
<include>false</include>
</portlet>
24. APPLICATION – LIFERAY #14
Change the Company encryption key size and algorithm
portal.properties ( default value )
company.encryption.key.size=56
company.encryption.algorithm=DES
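The settings on slides 14, 15, 17 and 24 share one trap: each weak value is the default, so a key that is simply missing from portal-ext.properties leaves the portal running with it. The following added example (my code, not part of the slides or of Liferay) reads a portal-ext.properties override, fills in the defaults quoted on the slides for anything not overridden, and reports every setting still at a weak value together with where that value came from. The sample override file is constructed; the AES/128 values in it are my assumption of a changed setting, since the slides only say to change the DES/56 defaults; the extra weak values md5 and none are also my addition.

```python
import re
from typing import Dict, List, Tuple

# Liferay defaults as quoted on the slides. A key absent from the override file
# means the portal runs with the value below.
DEFAULTS = {
    "company.security.strangers": "true",
    "open.id.auth.enabled": "true",
    "passwords.encryption.algorithm": "SHA",
    "layout.show.portlet.access.denied": "true",
    "company.encryption.key.size": "56",
    "company.encryption.algorithm": "DES",
}

# (key, values considered weak, advice). Advice follows the slides; md5/none are my additions.
CHECKS = [
    ("company.security.strangers", {"true"}, "self-registration (create account) is open"),
    ("open.id.auth.enabled", {"true"}, "OpenID authentication is enabled"),
    ("passwords.encryption.algorithm", {"sha", "md5", "none"},
     "unsalted or weak password hashing; use SSHA or better"),
    ("layout.show.portlet.access.denied", {"true"}, "portlets are shown to users without permission"),
    ("company.encryption.algorithm", {"des"}, "DES company encryption; change the algorithm"),
    ("company.encryption.key.size", {"56"}, "56-bit company encryption key; change the key size"),
]

# Constructed sample portal-ext.properties (not from any real deployment).
SAMPLE_PORTAL_EXT = """\
# constructed sample override file
company.security.strangers=false
passwords.encryption.algorithm=SHA
company.encryption.algorithm=AES
company.encryption.key.size=128
jdbc.default.url=jdbc:mysql://db.example.invalid/lportal?\\
    useUnicode=true
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, key=value / key:value /
    'key value' separators, and backslash line continuation."""
    props: Dict[str, str] = {}
    logical: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if logical:
            logical.append(line)           # continuation of the previous line
        elif not line or line[0] in "#!":
            continue
        else:
            logical.append(line)
        if line.endswith("\\") and not line.endswith("\\\\"):
            logical[-1] = line[:-1]        # drop the continuation marker
            continue
        joined = "".join(logical)
        logical = []
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", joined)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(override_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (key, effective value, origin, advice) for every check that fails."""
    overrides = parse_properties(override_text)
    findings = []
    for key, weak, advice in CHECKS:
        if key in overrides:
            value, origin = overrides[key], "portal-ext.properties"
        else:
            value, origin = DEFAULTS[key], "default"
        if value.strip().lower() in weak:
            findings.append((key, value, origin, advice))
    return findings


if __name__ == "__main__":
    for key, value, origin, advice in audit(SAMPLE_PORTAL_EXT):
        print(f"{key}={value} ({origin}): {advice}")
```

Run it against the real portal-ext.properties of a deployment (the slides' portal.properties defaults stay in DEFAULTS); a finding marked "default" is one the file never touched at all.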
25. APPLICATION – LIFERAY #15
Security Manager - PACL!
portal.properties
#
# NOTE: This is default setting
#
portal.security.manager.strategy=smart
liferay-plugin-package.properties
security-manager-enabled=true
# This makes the work easier
29. PLUGIN DEVELOPMENT
OWASP Top 10
- Use frameworks that help you avoid XSS.
- Use the Liferay APIs to escape wherever necessary: HtmlUtil.escape(..) etc.
- Liferay tags: make sure that escapeModel=true
- Use the Liferay permission framework
- ServiceBuilder: remember to write permission checks in the remote services
- Support Security Manager / PACL!
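What "escape where necessary" and an escaped model buy you is easiest to see with the same template rendered twice. The added example below is mine, not code from the slides or from Liferay: Python's html.escape stands in for HtmlUtil.escape, and the EscapedModel wrapper illustrates the idea behind escapeModel=true (every string read from the model comes back escaped) without claiming to be Liferay's implementation. The User record and its values are constructed.

```python
import html
from dataclasses import dataclass


@dataclass
class User:
    """Constructed model object standing in for a portal user record."""
    screen_name: str
    first_name: str


class EscapedModel:
    """Read-only view of a model whose string attributes come back HTML-escaped.
    Illustrates the idea behind escaped models in Liferay tags; not Liferay's code."""

    def __init__(self, model):
        self._model = model

    def __getattr__(self, name):
        value = getattr(self._model, name)
        return html.escape(value, quote=True) if isinstance(value, str) else value


def render_unsafe(user) -> str:
    """Vulnerable: model values dropped into an attribute and a text context unescaped."""
    return f'<span class="user" title="{user.first_name}">{user.screen_name}</span>'


def render_safe(user) -> str:
    """Hardened: the same template, but every string is read through the escaped view."""
    return render_unsafe(EscapedModel(user))


def raw_values_leaked(rendered: str, user: User) -> bool:
    """Check: does a model string containing markup characters appear verbatim in the output?"""
    return any(v in rendered
               for v in (user.screen_name, user.first_name)
               if any(c in v for c in '<>"'))


# Constructed test data: markup in the text field, a quote that would end the attribute.
SAMPLE = User(screen_name="<b>mallory</b>", first_name='x" title="injected')

if __name__ == "__main__":
    print(render_unsafe(SAMPLE))  # raw <b> and a broken-out title attribute
    print(render_safe(SAMPLE))    # &lt;b&gt; and &quot; instead
```

The wrapper escapes for HTML text and attribute contexts only; values placed into JavaScript, URLs or CSS need the escaping routine for that context, which is why the slides say "where ever necessary" rather than a single call.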
30. RECOVERING!
Make a disaster recovery plan
- Step-by-step instructions to rebuild a new system
- How to build the system up again from backups?
- How long will this take?
- Test the plan!
31. WHAT ELSE?
Liferay portal is only one component of your Liferay installation.
Give a hardening thought also to:
- HTTP server
  Apache: https://www.google.fi/search?q=hardening+apache2
- Application server
  Tomcat: https://www.owasp.org/index.php/Securing_tomcat
- Database
  MySQL: https://www.google.fi/search?q=hardening+mysql
- Other services