This is a brief post on securing Liferay on Tomcat and MySQL.
Liferay CE is a stable enterprise portal, and as more companies
start to adopt it, security becomes a very important aspect of the
deployment. I am not sure if Liferay has been officially tested by a 3rd
party security firm, but based on my simple security test against the OWASP Top 10 vulnerabilities, I can say that it looks good in that aspect. Some of the recommendations are taken from their
respective sites while others are based on our testing. We tested the following
on Linux Ubuntu 12.04 LTS.
Here is what I did for a quick test (using the default
installation of liferay-portal-tomcat-6.1.1-ce-ga2-20120731132656558):
1- Download the Zed Attack Proxy (ZAP) from OWASP
2- Make sure ZAP is set to run the following attacks:
   a. Path traversal
   b. Remote file inclusion
   c. URL redirector abuse
   d. Server side include
   e. Cross site scripting
   f. SQL injection
   g. Directory browsing
   h. Session ID in URL rewrite
   i. Secure page browser cache
   j. External redirect
   k. CRLF injection
   l. Parameter tampering
3- Run Liferay with default settings
4- Now sit back and watch the Liferay logs go “CRAZY”
Passing the OWASP Top 10 vulnerabilities doesn’t mean that
you are out of the woods yet. This test just focuses on browser-based
penetration tests.
Here are some steps to have an even more secure Liferay
deployment on Tomcat.
– Make sure that you do not run Tomcat as the “root” user
  o The Tomcat user should not have remote access to the server
– Disable auto-deployment of web applications
– Change the file permissions on the Tomcat folder: all Tomcat files should be
owned by the “root” user with group Tomcat; the owner has read/write privileges,
the group only has read and world has no permissions. The exceptions are the
logs, temp and work directories, which are owned by the Tomcat user rather than
root. This means that even if an attacker compromises the Tomcat process, they
can’t change the Tomcat configuration, deploy new web applications or modify
existing web applications. The Tomcat process runs with a umask of 007 to
maintain these permissions.
– Enable the Tomcat Security Manager; this causes web applications to run in a sandbox
– In server.xml do the following:
  o Disable the shutdown port by setting its port attribute to -1
  o Make sure that the Tomcat HTTP connectors listen only on designated IP
addresses; by default the connectors listen on all configured IP addresses
  o Configure the “ciphers” attribute used for SSL connections. By default,
Tomcat uses the default ciphers for the JVM, which include weak export-grade ciphers
There are more Tomcat settings, which are available online.
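Two of the Tomcat steps above (the file-permission scheme and the three server.xml settings) are easy to get subtly wrong and easy to check, so here is an added example, not code from the original post or from the Tomcat project. It is a POSIX shell script for a Linux host with GNU coreutils/findutils: harden_tomcat_perms applies the ownership and mode layout described above (owner rw, group r, world nothing, with logs/, temp/ and work/ handed to the service user), and audit_server_xml reports a finding for each of the three server.xml points. The user names, directory, sample server.xml files and the cipher suite value are all constructed for the demo; in real use the owner is root and the group and service user are tomcat. The audit assumes each <Server> and <Connector> element sits on a single line, as it does in the stock file.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for two of the Tomcat steps
# above (file permissions, server.xml settings). Written for Linux with GNU
# coreutils/findutils. Users, paths and the sample server.xml are constructed.

# --- File permissions ---------------------------------------------------------
# Owner (root in production) gets read/write, group (tomcat) read-only, world
# nothing; directories keep the execute bit so they can be traversed.
# logs/, temp/ and work/ go to the service user and are group-writable, which
# is the layout a umask of 007 preserves for files Tomcat creates at runtime.
harden_tomcat_perms() {
    catalina_home="$1"; owner="$2"; group="$3"; tomcat_user="$4"
    [ -d "$catalina_home" ] || { echo "not a directory: $catalina_home" >&2; return 1; }
    chown -R "$owner:$group" "$catalina_home"
    find "$catalina_home" -type d -exec chmod 750 {} +
    find "$catalina_home" -type f -exec chmod 640 {} +
    for d in logs temp work; do
        mkdir -p "$catalina_home/$d"
        chown -R "$tomcat_user:$group" "$catalina_home/$d"
        chmod 770 "$catalina_home/$d"
    done
}

# Octal permission bits of a path (GNU stat syntax), used by the checks below.
mode_of() { stat -c '%a' "$1"; }

# --- server.xml audit ---------------------------------------------------------
# Assumes each <Server> and <Connector> element sits on a single line, as in
# the stock server.xml. Prints one FINDING line per problem; always returns 0.
audit_server_xml() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    # Shutdown port: anything but -1 keeps the local shutdown listener open.
    if grep '<Server ' "$f" | grep -vq 'port="-1"'; then
        echo "FINDING: shutdown port enabled; set port=\"-1\" on <Server>"
    fi
    # Connectors without address= bind to every configured interface.
    n=$(grep '<Connector ' "$f" | grep -vc 'address=' || true)
    [ "$n" -gt 0 ] && echo "FINDING: $n connector(s) listen on all addresses; add address=\"<ip>\""
    # SSL connectors without ciphers= fall back to the JVM default suite list.
    n=$(grep '<Connector ' "$f" | grep 'SSLEnabled="true"' | grep -vc 'ciphers=' || true)
    [ "$n" -gt 0 ] && echo "FINDING: $n SSL connector(s) use JVM default ciphers; set ciphers=\"...\""
    return 0
}

# Constructed samples: a stock-style server.xml and a hardened version.
# The ciphers value is only an illustration; choose suites your JVM supports.
write_default_server_xml() {
cat > "$1" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" />
  </Service>
</Server>
EOF
}
write_hardened_server_xml() {
cat > "$1" <<'EOF'
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" address="127.0.0.1" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" address="127.0.0.1" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" />
  </Service>
</Server>
EOF
}

# Stand-alone demo on a throw-away directory (real use: root tomcat tomcat).
demo=$(mktemp -d)
mkdir -p "$demo/conf"
write_default_server_xml "$demo/conf/server.xml"
echo "== stock server.xml =="; audit_server_xml "$demo/conf/server.xml"
write_hardened_server_xml "$demo/conf/server.xml"
echo "== hardened server.xml =="; audit_server_xml "$demo/conf/server.xml"
harden_tomcat_perms "$demo" "$(id -un)" "$(id -gn)" "$(id -un)"
echo "conf/: $(mode_of "$demo/conf")  server.xml: $(mode_of "$demo/conf/server.xml")  logs/: $(mode_of "$demo/logs")"
rm -rf "$demo"
```

Run it as root against the real CATALINA_HOME with `harden_tomcat_perms /opt/tomcat root tomcat tomcat` (path assumed), and keep the umask 007 in whatever starts Tomcat so that files it creates under logs/, temp/ and work/ stay group-readable but closed to the world.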
You also need to
make sure that you secure your operating system and network. Now that we have
some basic security in place for Tomcat, let’s tackle our database. In
this test, we used MySQL 5.
Here is some basic
MySQL security:
– Set a root password for MySQL
– Remove all anonymous accounts
– Disable non-local root access
– Remove all test databases and any access rules related to them
– Reload privilege tables to apply the changes
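The five MySQL steps above are the same ones mysql_secure_installation performs on MySQL 5.5; the added example below (mine, not from the original post or from MySQL) spells them out as SQL so you can see exactly what changes in the mysql.user and mysql.db tables and review it before running it. mysql_hardening_sql prints the statements for a root password you pass in (quotes and backslashes are escaped for the SQL literal), and apply_mysql_hardening pipes them into the mysql client. The PASSWORD() function and the Password column are MySQL 5.x constructs, matching the version the post tested; the password value in the demo is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: the five MySQL hardening steps as
# explicit SQL for MySQL 5.x. The password is supplied by the caller.

# Escape a value for use inside a single-quoted SQL string literal.
sql_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# Print the statements; "$1" is the new root password.
mysql_hardening_sql() {
    pw=$(sql_quote "$1")
    cat <<EOF
-- 1. Set a root password (MySQL 5.x syntax)
UPDATE mysql.user SET Password=PASSWORD('$pw') WHERE User='root';
-- 2. Remove anonymous accounts
DELETE FROM mysql.user WHERE User='';
-- 3. Disable non-local root access
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');
-- 4. Remove the test database and the grant rows that cover it
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db='test' OR Db='test\\\\_%';
-- 5. Reload the privilege tables so the changes take effect
FLUSH PRIVILEGES;
EOF
}

# Apply against a local server; prompts for the current root password.
apply_mysql_hardening() {
    mysql_hardening_sql "$1" | mysql -u root -p
}

# Demo: print the statements for a placeholder password.
mysql_hardening_sql 'CHANGE-ME'
```

Review the printed statements first, then run `apply_mysql_hardening 'your-new-password'`; the Db='test\_%' row is the default grant that lets any account use databases whose names start with test_, which is why the post says to remove the access rules and not just the database.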
Now to conclude, let’s
secure our Liferay instance. Liferay is configured through portal.properties
and you should override those settings in portal-ext.properties. Create the
file if it doesn’t exist:
– Set web.server.host=MY-HOST-NAME so that it is not set dynamically
– Set the preferred protocol: web.server.protocol=https
– If you want Liferay to be accessible only from certain IP addresses, set
main.servlet.hosts.allowed=,, to the allowed addresses
– To make Liferay accessible only through HTTPS, set main.servlet.https.required=true
– Secure the Axis servlet as follows:
  o axis.servlet.hosts.allowed=127.0.0.1,SERVER_IP
    axis.servlet.https.required=true
– Secure the JSON Tunnel Servlet as follows:
  o json.servlet.hosts.allowed=
    json.servlet.https.required=true
– Secure the Liferay Tunnel Servlet as follows:
  o tunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP
    tunnel.servlet.https.required=true
– Secure the Spring Remoting Servlet:
  o spring.remoting.servlet.hosts.allowed=127.0.0.1,SERVER_IP
    spring.remoting.servlet.https.required=true
– Secure the WebDAV Servlet:
  o webdav.servlet.hosts.allowed=
    webdav.servlet.https.required=true
– Make sure you have configured the Admin portlet by overriding all the default values
– The IFrame Portlet, when used in a high security environment, should have the
following property set:
  o iframe.password.token.role=
– JAAS security needs to have the following property set:
  o To stop users from passing in an encrypted password: portal.jaas.strict.password=true
– Passwords: choose a strong password encryption algorithm to encrypt passwords
by setting the following:
  o passwords.encryption.algorithm=
I am sure that many
other security settings are left out so feel free to share in the comments. I
hope this helps someone to secure their Liferay environment.