SlideShare a Scribd company logo

Hacking liferay

Download as PPTX, PDF
Armel Nene
Armel Nene
1 of 13
SECURING AGAINST ONLINE THREATS By Armel Nene – Chief Software Architect
• Armel Nene – Founder and Chief Software Architect • ETAPIX Global – Founded in 2006 • Key focus on Open Source Software implementation • Over 5 Liferay implementations in the last 3 years • Experienced from Banking, Digital Agencies, Recruitment and Telecom HACKING LIFERAY - ARMEL NENE 05/03/2013 2
• Introduction • Operating System Hardening • Database Security • Tomcat / Liferay • Conclusion HACKING LIFERAY - ARMEL NENE 05/03/2013 3
OS Database Tomcat / Hardening Security Liferay HACKING LIFERAY - ARMEL NENE 05/03/2013 4
HACKING LIFERAY - ARMEL NENE 05/03/2013 5
Here are 5 key points in securing your OS • Secure all network communication – do not use FTP, Telnet and Rlogin • Disable “ROOT” login – use SUDO to execute root level commands • Install a firewall and block unnecessary ports • Linux Kernel Hardening ( /etc/sysctl.conf) • Disabled unwanted services and uninstall unnecessary software HACKING LIFERAY - ARMEL NENE 05/03/2013 6
HACKING LIFERAY - ARMEL NENE 05/03/2013 7
Here are some basic MySQL Security best practices • Set a root password for MySQL • Remove all anonymous accounts • Disable non-local root access • Reload privilege tables to apply changes • Enable SSL connection, the default connection is unencrypted HACKING LIFERAY - ARMEL NENE 05/03/2013 8
HACKING LIFERAY - ARMEL NENE 05/03/2013 9
Tomcat has been the most popular application server for Liferay deployment, based on our projects. Here is some guidelines for securing Tomcat • Disable Tomcat shutdown port • HTTP connectors only to designate IP addresses • Disable non-local root access • Configure the “ciphers” attribute used for SSL connections • Serve all contents through HTTPS HACKING LIFERAY - ARMEL NENE 05/03/2013 10
Liferay popularity is rising very fast and many companies are using it on the open web. On the web, Liferay is vulnerable as any other web sites. Here is some guidelines for securing Liferay • Override all the Admin portlet defaults such user / pass • Set the preferred protocol to HTTPS • Secure all tunnel servlet – JSON and Liferay Tunnel • Secure the Spring Remoting & WebDav Servlets - HTTPS • Choose a strong password encryption algorithm HACKING LIFERAY - ARMEL NENE 05/03/2013 11
When deploying Liferay in production on the Open Web, attackers can try to gain access: - Operating System vunerabilities - SQL vunerabilities - Tomcat and Liferay ( Web Application) vulnerabilities Make sure to secure your system if you do not want to be a victim. HACKING LIFERAY - ARMEL NENE 05/03/2013 12
HACKING LIFERAY - ARMEL NENE 05/03/2013 13

Recommended

Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
SQL injection
SQL injectionSQL injection
SQL injectionRaj Parmar
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attackRajKumar Rampelli
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationJustin Bui
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
Sql injection
Sql injectionSql injection
Sql injectionSasha-Leigh Garret
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
CNIT 121: 17 Remediation Introduction (Part 1)
CNIT 121: 17 Remediation Introduction (Part 1)CNIT 121: 17 Remediation Introduction (Part 1)
CNIT 121: 17 Remediation Introduction (Part 1)Sam Bowne
 

Recommended

Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
SQL injection
SQL injectionSQL injection
SQL injectionRaj Parmar
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attackRajKumar Rampelli
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationJustin Bui
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
Sql injection
Sql injectionSql injection
Sql injectionSasha-Leigh Garret
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
CNIT 121: 17 Remediation Introduction (Part 1)
CNIT 121: 17 Remediation Introduction (Part 1)CNIT 121: 17 Remediation Introduction (Part 1)
CNIT 121: 17 Remediation Introduction (Part 1)Sam Bowne
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
CloudMonkey
CloudMonkeyCloudMonkey
CloudMonkeySebastien Goasguen
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLFn|u - The Open Security Community
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)vinayh.vaghamshi _
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesPractical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesSam Bowne
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Securitycclark_isec
 
Metasploit
MetasploitMetasploit
Metasploithenelpj
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
Intro to Pentesting Jenkins
Intro to Pentesting JenkinsIntro to Pentesting Jenkins
Intro to Pentesting JenkinsBrian Hysell
 
Pen-Testing with Metasploit
Pen-Testing with MetasploitPen-Testing with Metasploit
Pen-Testing with MetasploitMohammed Danish Amber
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Frank Boldewin
 
Hadoop vs Java Batch Processing JSR 352
Hadoop vs Java Batch Processing JSR 352Hadoop vs Java Batch Processing JSR 352
Hadoop vs Java Batch Processing JSR 352Armel Nene
 
How I Hacked Your Wireless LAN � And How to Stop Me
How I Hacked Your Wireless LAN � And How to Stop MeHow I Hacked Your Wireless LAN � And How to Stop Me
How I Hacked Your Wireless LAN � And How to Stop Medigitallibrary
 

More Related Content

What's hot

OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesPractical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesSam Bowne
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Securitycclark_isec
 
Metasploit
MetasploitMetasploit
Metasploithenelpj
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
Intro to Pentesting Jenkins
Intro to Pentesting JenkinsIntro to Pentesting Jenkins
Intro to Pentesting JenkinsBrian Hysell
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Frank Boldewin
 

What's hot (20)

OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
CloudMonkey
CloudMonkeyCloudMonkey
CloudMonkey
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesPractical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Metasploit
MetasploitMetasploit
Metasploit
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
 
Intro to Pentesting Jenkins
Intro to Pentesting JenkinsIntro to Pentesting Jenkins
Intro to Pentesting Jenkins
 
Pen-Testing with Metasploit
Pen-Testing with MetasploitPen-Testing with Metasploit
Pen-Testing with Metasploit
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
 
Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0
 

Viewers also liked

Hadoop vs Java Batch Processing JSR 352
Hadoop vs Java Batch Processing JSR 352Hadoop vs Java Batch Processing JSR 352
Hadoop vs Java Batch Processing JSR 352Armel Nene
 
How I Hacked Your Wireless LAN � And How to Stop Me
How I Hacked Your Wireless LAN � And How to Stop MeHow I Hacked Your Wireless LAN � And How to Stop Me
How I Hacked Your Wireless LAN � And How to Stop Medigitallibrary
 
Design & Develop Batch Applications in Java/JEE
Design & Develop Batch Applications in Java/JEEDesign & Develop Batch Applications in Java/JEE
Design & Develop Batch Applications in Java/JEENaresh Chintalcheru
 
Three Key Concepts for Understanding JSR-352: Batch Programming for the Java ...
Three Key Concepts for Understanding JSR-352: Batch Programming for the Java ...Three Key Concepts for Understanding JSR-352: Batch Programming for the Java ...
Three Key Concepts for Understanding JSR-352: Batch Programming for the Java ...timfanelli
 
Java EE 7 Batch processing in the Real World
Java EE 7 Batch processing in the Real WorldJava EE 7 Batch processing in the Real World
Java EE 7 Batch processing in the Real WorldRoberto Cortez
 
Liferay architecture By Navin Agarwal
Liferay architecture By Navin AgarwalLiferay architecture By Navin Agarwal
Liferay architecture By Navin AgarwalNavin Agarwal
 
Liferay Portal Introduction
Liferay Portal IntroductionLiferay Portal Introduction
Liferay Portal IntroductionNguyen Tung
 

Viewers also liked (8)

Hadoop vs Java Batch Processing JSR 352
Hadoop vs Java Batch Processing JSR 352Hadoop vs Java Batch Processing JSR 352
Hadoop vs Java Batch Processing JSR 352
 
How I Hacked Your Wireless LAN � And How to Stop Me
How I Hacked Your Wireless LAN � And How to Stop MeHow I Hacked Your Wireless LAN � And How to Stop Me
How I Hacked Your Wireless LAN � And How to Stop Me
 
Design & Develop Batch Applications in Java/JEE
Design & Develop Batch Applications in Java/JEEDesign & Develop Batch Applications in Java/JEE
Design & Develop Batch Applications in Java/JEE
 
Three Key Concepts for Understanding JSR-352: Batch Programming for the Java ...
Three Key Concepts for Understanding JSR-352: Batch Programming for the Java ...Three Key Concepts for Understanding JSR-352: Batch Programming for the Java ...
Three Key Concepts for Understanding JSR-352: Batch Programming for the Java ...
 
Java EE 7 Batch processing in the Real World
Java EE 7 Batch processing in the Real WorldJava EE 7 Batch processing in the Real World
Java EE 7 Batch processing in the Real World
 
Liferay architecture By Navin Agarwal
Liferay architecture By Navin AgarwalLiferay architecture By Navin Agarwal
Liferay architecture By Navin Agarwal
 
Liferay Portal Introduction
Liferay Portal IntroductionLiferay Portal Introduction
Liferay Portal Introduction
 
Liferay Digital Experience (DXP): Redefining customers experience
Liferay Digital Experience (DXP): Redefining customers experienceLiferay Digital Experience (DXP): Redefining customers experience
Liferay Digital Experience (DXP): Redefining customers experience
 

Similar to Hacking liferay

Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)Ramesh Nagappan
 
Best Practices for Building an Enterprise SOA Infrastructure on Oracle SOA Suite
Best Practices for Building an Enterprise SOA Infrastructure on Oracle SOA SuiteBest Practices for Building an Enterprise SOA Infrastructure on Oracle SOA Suite
Best Practices for Building an Enterprise SOA Infrastructure on Oracle SOA SuiteMatt Wright
 
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsMySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsOlivier DASINI
 
10 Razões para Usar MySQL em Startups
10 Razões para Usar MySQL em Startups10 Razões para Usar MySQL em Startups
10 Razões para Usar MySQL em StartupsMySQL Brasil
 
High Performance Security With SPARC T4 Hardware Assisted Cryptography
High Performance Security With SPARC T4 Hardware Assisted CryptographyHigh Performance Security With SPARC T4 Hardware Assisted Cryptography
High Performance Security With SPARC T4 Hardware Assisted CryptographyRamesh Nagappan
 
Eliz seminar
Eliz seminar Eliz seminar
Eliz seminar henelpj
 
5 razões estratégicas para usar MySQL
5 razões estratégicas para usar MySQL5 razões estratégicas para usar MySQL
5 razões estratégicas para usar MySQLMySQL Brasil
 
Troubleshooting Anypoint Platform
Troubleshooting Anypoint PlatformTroubleshooting Anypoint Platform
Troubleshooting Anypoint PlatformMuleSoft
 
Mysql repos testing.odp
Mysql repos testing.odpMysql repos testing.odp
Mysql repos testing.odpRamana Yeruva
 
My sql fabric webinar v1.1
My sql fabric webinar v1.1My sql fabric webinar v1.1
My sql fabric webinar v1.1Ricky Setyawan
 
Alta Disponibilidade no MySQL 5.7
Alta Disponibilidade no MySQL 5.7Alta Disponibilidade no MySQL 5.7
Alta Disponibilidade no MySQL 5.7MySQL Brasil
 
MySQL High Availibility Solutions
MySQL High Availibility SolutionsMySQL High Availibility Solutions
MySQL High Availibility SolutionsMark Swarbrick
 
AV/DF Advanced Security Option
AV/DF Advanced Security OptionAV/DF Advanced Security Option
AV/DF Advanced Security OptionDLT Solutions
 
MySQL Tech Tour 2015 - 5.7 Connector/J/Net
MySQL Tech Tour 2015 - 5.7 Connector/J/NetMySQL Tech Tour 2015 - 5.7 Connector/J/Net
MySQL Tech Tour 2015 - 5.7 Connector/J/NetMark Swarbrick
 
What's new in MySQL Cluster 7.4 webinar charts
What's new in MySQL Cluster 7.4 webinar chartsWhat's new in MySQL Cluster 7.4 webinar charts
What's new in MySQL Cluster 7.4 webinar chartsAndrew Morgan
 
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate CloudEngineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate CloudMarketingArrowECS_CZ
 
Pegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowPegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowSkycure
 
pegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdfpegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdf064ChetanWani
 
Solaris11 Desayunos Tecnicos Oracle (Solaris)
Solaris11 Desayunos Tecnicos Oracle (Solaris)Solaris11 Desayunos Tecnicos Oracle (Solaris)
Solaris11 Desayunos Tecnicos Oracle (Solaris)Fran Navarro
 

Similar to Hacking liferay (20)

Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
 
Best Practices for Building an Enterprise SOA Infrastructure on Oracle SOA Suite
Best Practices for Building an Enterprise SOA Infrastructure on Oracle SOA SuiteBest Practices for Building an Enterprise SOA Infrastructure on Oracle SOA Suite
Best Practices for Building an Enterprise SOA Infrastructure on Oracle SOA Suite
 
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsMySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
 
10 Razões para Usar MySQL em Startups
10 Razões para Usar MySQL em Startups10 Razões para Usar MySQL em Startups
10 Razões para Usar MySQL em Startups
 
High Performance Security With SPARC T4 Hardware Assisted Cryptography
High Performance Security With SPARC T4 Hardware Assisted CryptographyHigh Performance Security With SPARC T4 Hardware Assisted Cryptography
High Performance Security With SPARC T4 Hardware Assisted Cryptography
 
Eliz seminar
Eliz seminar Eliz seminar
Eliz seminar
 
5 razões estratégicas para usar MySQL
5 razões estratégicas para usar MySQL5 razões estratégicas para usar MySQL
5 razões estratégicas para usar MySQL
 
Troubleshooting Anypoint Platform
Troubleshooting Anypoint PlatformTroubleshooting Anypoint Platform
Troubleshooting Anypoint Platform
 
Mysql repos testing.odp
Mysql repos testing.odpMysql repos testing.odp
Mysql repos testing.odp
 
My sql fabric webinar v1.1
My sql fabric webinar v1.1My sql fabric webinar v1.1
My sql fabric webinar v1.1
 
Alta Disponibilidade no MySQL 5.7
Alta Disponibilidade no MySQL 5.7Alta Disponibilidade no MySQL 5.7
Alta Disponibilidade no MySQL 5.7
 
MySQL High Availibility Solutions
MySQL High Availibility SolutionsMySQL High Availibility Solutions
MySQL High Availibility Solutions
 
AV/DF Advanced Security Option
AV/DF Advanced Security OptionAV/DF Advanced Security Option
AV/DF Advanced Security Option
 
MySQL Tech Tour 2015 - 5.7 Connector/J/Net
MySQL Tech Tour 2015 - 5.7 Connector/J/NetMySQL Tech Tour 2015 - 5.7 Connector/J/Net
MySQL Tech Tour 2015 - 5.7 Connector/J/Net
 
What's new in MySQL Cluster 7.4 webinar charts
What's new in MySQL Cluster 7.4 webinar chartsWhat's new in MySQL Cluster 7.4 webinar charts
What's new in MySQL Cluster 7.4 webinar charts
 
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate CloudEngineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud
 
Pegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowPegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to Know
 
MySQL cluster 7.4
MySQL cluster 7.4 MySQL cluster 7.4
MySQL cluster 7.4
 
pegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdfpegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdf
 
Solaris11 Desayunos Tecnicos Oracle (Solaris)
Solaris11 Desayunos Tecnicos Oracle (Solaris)Solaris11 Desayunos Tecnicos Oracle (Solaris)
Solaris11 Desayunos Tecnicos Oracle (Solaris)
 

Hacking liferay

  • 1. SECURING AGAINST ONLINE THREATS By Armel Nene – Chief Software Architect
  • 2. • Armel Nene – Founder and Chief Software Architect • ETAPIX Global – Founded in 2006 • Key focus on Open Source Software implementation • Over 5 Liferay implementations in the last 3 years • Experienced from Banking, Digital Agencies, Recruitment and Telecom HACKING LIFERAY - ARMEL NENE 05/03/2013 2
  • 3. • Introduction • Operating System Hardening • Database Security • Tomcat / Liferay • Conclusion HACKING LIFERAY - ARMEL NENE 05/03/2013 3
  • 4. OS Database Tomcat / Hardening Security Liferay HACKING LIFERAY - ARMEL NENE 05/03/2013 4
  • 5. HACKING LIFERAY - ARMEL NENE 05/03/2013 5
  • 6. Here are 5 key points in securing your OS • Secure all network communication – do not use FTP, Telnet and Rlogin • Disable “ROOT” login – use SUDO to execute root level commands • Install a firewall and block unnecessary ports • Linux Kernel Hardening ( /etc/sysctl.conf) • Disabled unwanted services and uninstall unnecessary software HACKING LIFERAY - ARMEL NENE 05/03/2013 6
  • 7. HACKING LIFERAY - ARMEL NENE 05/03/2013 7
  • 8. Here are some basic MySQL Security best practices • Set a root password for MySQL • Remove all anonymous accounts • Disable non-local root access • Reload privilege tables to apply changes • Enable SSL connection, the default connection is unencrypted HACKING LIFERAY - ARMEL NENE 05/03/2013 8
  • 9. HACKING LIFERAY - ARMEL NENE 05/03/2013 9
  • 10. Tomcat has been the most popular application server for Liferay deployment, based on our projects. Here is some guidelines for securing Tomcat • Disable Tomcat shutdown port • HTTP connectors only to designate IP addresses • Disable non-local root access • Configure the “ciphers” attribute used for SSL connections • Serve all contents through HTTPS HACKING LIFERAY - ARMEL NENE 05/03/2013 10
  • 11. Liferay popularity is rising very fast and many companies are using it on the open web. On the web, Liferay is vulnerable as any other web sites. Here is some guidelines for securing Liferay • Override all the Admin portlet defaults such user / pass • Set the preferred protocol to HTTPS • Secure all tunnel servlet – JSON and Liferay Tunnel • Secure the Spring Remoting & WebDav Servlets - HTTPS • Choose a strong password encryption algorithm HACKING LIFERAY - ARMEL NENE 05/03/2013 11
  • 12. When deploying Liferay in production on the Open Web, attackers can try to gain access: - Operating System vunerabilities - SQL vunerabilities - Tomcat and Liferay ( Web Application) vulnerabilities Make sure to secure your system if you do not want to be a victim. HACKING LIFERAY - ARMEL NENE 05/03/2013 12
  • 13. HACKING LIFERAY - ARMEL NENE 05/03/2013 13