Hacking liferay
Download as PPTX, PDF0 likes2,911 views
The document discusses securing Liferay portal implementations against online threats. It covers securing the operating system, database, Tomcat application server, and Liferay portal itself. Specific recommendations are provided, such as disabling root login, installing a firewall, securing MySQL passwords, disabling anonymous accounts, configuring SSL, and overriding default Liferay portlet settings. The overall message is that following security best practices can help prevent attacks and vulnerabilities when deploying Liferay portals on the public internet.
Hacking liferay
- 1. SECURING AGAINST ONLINE THREATS By Armel Nene – Chief Software Architect
- 2. • Armel Nene – Founder and Chief Software Architect • ETAPIX Global – Founded in 2006 • Key focus on Open Source Software implementation • Over 5 Liferay implementations in the last 3 years • Experienced from Banking, Digital Agencies, Recruitment and Telecom HACKING LIFERAY - ARMEL NENE 05/03/2013 2
- 3. • Introduction • Operating System Hardening • Database Security • Tomcat / Liferay • Conclusion HACKING LIFERAY - ARMEL NENE 05/03/2013 3
- 4. OS Database Tomcat / Hardening Security Liferay HACKING LIFERAY - ARMEL NENE 05/03/2013 4
- 5. HACKING LIFERAY - ARMEL NENE 05/03/2013 5
- 6. Here are 5 key points in securing your OS • Secure all network communication – do not use FTP, Telnet and Rlogin • Disable “ROOT” login – use SUDO to execute root level commands • Install a firewall and block unnecessary ports • Linux Kernel Hardening ( /etc/sysctl.conf) • Disabled unwanted services and uninstall unnecessary software HACKING LIFERAY - ARMEL NENE 05/03/2013 6
- 7. HACKING LIFERAY - ARMEL NENE 05/03/2013 7
- 8. Here are some basic MySQL Security best practices • Set a root password for MySQL • Remove all anonymous accounts • Disable non-local root access • Reload privilege tables to apply changes • Enable SSL connection, the default connection is unencrypted HACKING LIFERAY - ARMEL NENE 05/03/2013 8
- 9. HACKING LIFERAY - ARMEL NENE 05/03/2013 9
- 10. Tomcat has been the most popular application server for Liferay deployment, based on our projects. Here is some guidelines for securing Tomcat • Disable Tomcat shutdown port • HTTP connectors only to designate IP addresses • Disable non-local root access • Configure the “ciphers” attribute used for SSL connections • Serve all contents through HTTPS HACKING LIFERAY - ARMEL NENE 05/03/2013 10
- 11. Liferay popularity is rising very fast and many companies are using it on the open web. On the web, Liferay is vulnerable as any other web sites. Here is some guidelines for securing Liferay • Override all the Admin portlet defaults such user / pass • Set the preferred protocol to HTTPS • Secure all tunnel servlet – JSON and Liferay Tunnel • Secure the Spring Remoting & WebDav Servlets - HTTPS • Choose a strong password encryption algorithm HACKING LIFERAY - ARMEL NENE 05/03/2013 11
- 12. When deploying Liferay in production on the Open Web, attackers can try to gain access: - Operating System vunerabilities - SQL vunerabilities - Tomcat and Liferay ( Web Application) vulnerabilities Make sure to secure your system if you do not want to be a victim. HACKING LIFERAY - ARMEL NENE 05/03/2013 12
- 13. HACKING LIFERAY - ARMEL NENE 05/03/2013 13