SlideShare a Scribd company logo

Hacking liferay

Download as PPTX, PDF
Armel Nene
Armel Nene
1 of 13
SECURING AGAINST ONLINE THREATS By Armel Nene – Chief Software Architect
• Armel Nene – Founder and Chief Software Architect • ETAPIX Global – Founded in 2006 • Key focus on Open Source Software implementation • Over 5 Liferay implementations in the last 3 years • Experienced from Banking, Digital Agencies, Recruitment and Telecom HACKING LIFERAY - ARMEL NENE 05/03/2013 2
• Introduction • Operating System Hardening • Database Security • Tomcat / Liferay • Conclusion HACKING LIFERAY - ARMEL NENE 05/03/2013 3
OS Database Tomcat / Hardening Security Liferay HACKING LIFERAY - ARMEL NENE 05/03/2013 4
HACKING LIFERAY - ARMEL NENE 05/03/2013 5
Here are 5 key points in securing your OS • Secure all network communication – do not use FTP, Telnet and Rlogin • Disable “ROOT” login – use SUDO to execute root level commands • Install a firewall and block unnecessary ports • Linux Kernel Hardening ( /etc/sysctl.conf) • Disabled unwanted services and uninstall unnecessary software HACKING LIFERAY - ARMEL NENE 05/03/2013 6
HACKING LIFERAY - ARMEL NENE 05/03/2013 7
Here are some basic MySQL Security best practices • Set a root password for MySQL • Remove all anonymous accounts • Disable non-local root access • Reload privilege tables to apply changes • Enable SSL connection, the default connection is unencrypted HACKING LIFERAY - ARMEL NENE 05/03/2013 8
HACKING LIFERAY - ARMEL NENE 05/03/2013 9
Tomcat has been the most popular application server for Liferay deployment, based on our projects. Here is some guidelines for securing Tomcat • Disable Tomcat shutdown port • HTTP connectors only to designate IP addresses • Disable non-local root access • Configure the “ciphers” attribute used for SSL connections • Serve all contents through HTTPS HACKING LIFERAY - ARMEL NENE 05/03/2013 10
Liferay popularity is rising very fast and many companies are using it on the open web. On the web, Liferay is vulnerable as any other web sites. Here is some guidelines for securing Liferay • Override all the Admin portlet defaults such user / pass • Set the preferred protocol to HTTPS • Secure all tunnel servlet – JSON and Liferay Tunnel • Secure the Spring Remoting & WebDav Servlets - HTTPS • Choose a strong password encryption algorithm HACKING LIFERAY - ARMEL NENE 05/03/2013 11
When deploying Liferay in production on the Open Web, attackers can try to gain access: - Operating System vunerabilities - SQL vunerabilities - Tomcat and Liferay ( Web Application) vulnerabilities Make sure to secure your system if you do not want to be a victim. HACKING LIFERAY - ARMEL NENE 05/03/2013 12
HACKING LIFERAY - ARMEL NENE 05/03/2013 13

Recommended

MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPrime Infoserv
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSMike Felch
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Endpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyeEndpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyePrime Infoserv
 
Cyber Range - An Open-Source Offensive / Defensive Learning Environment on AWS
Cyber Range - An Open-Source Offensive / Defensive Learning Environment on AWS Cyber Range - An Open-Source Offensive / Defensive Learning Environment on AWS
Cyber Range - An Open-Source Offensive / Defensive Learning Environment on AWS Tom Cappetta
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Chris Gates
 

Recommended

MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPrime Infoserv
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSMike Felch
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Endpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyeEndpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyePrime Infoserv
 
Cyber Range - An Open-Source Offensive / Defensive Learning Environment on AWS
Cyber Range - An Open-Source Offensive / Defensive Learning Environment on AWS Cyber Range - An Open-Source Offensive / Defensive Learning Environment on AWS
Cyber Range - An Open-Source Offensive / Defensive Learning Environment on AWS Tom Cappetta
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Chris Gates
 
Best Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability ManagementBest Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability ManagementResolver Inc.
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
 
Cyber Defense Matrix: Revolutions
Cyber Defense Matrix: RevolutionsCyber Defense Matrix: Revolutions
Cyber Defense Matrix: RevolutionsSounil Yu
 
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...JamieWilliams130
 
Cyberark training ppt
Cyberark training pptCyberark training ppt
Cyberark training pptAkhil Kumar
 
Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Edureka!
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Cyber ppt
Cyber pptCyber ppt
Cyber pptkarthik menon
 
F5 Web Application Security
F5 Web Application SecurityF5 Web Application Security
F5 Web Application SecurityMarketingArrowECS_CZ
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introductionJimmy Saigon
 
Web Application Firewall
Web Application FirewallWeb Application Firewall
Web Application FirewallChandrapal Badshah
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
Network Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityNetwork Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityEryk Budi Pratama
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™Katie Nickels
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
 
Hadoop vs Java Batch Processing JSR 352
Hadoop vs Java Batch Processing JSR 352Hadoop vs Java Batch Processing JSR 352
Hadoop vs Java Batch Processing JSR 352Armel Nene
 
How I Hacked Your Wireless LAN � And How to Stop Me
How I Hacked Your Wireless LAN � And How to Stop MeHow I Hacked Your Wireless LAN � And How to Stop Me
How I Hacked Your Wireless LAN � And How to Stop Medigitallibrary
 

More Related Content

What's hot

Best Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability ManagementBest Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability ManagementResolver Inc.
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
 
Cyber Defense Matrix: Revolutions
Cyber Defense Matrix: RevolutionsCyber Defense Matrix: Revolutions
Cyber Defense Matrix: RevolutionsSounil Yu
 
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...JamieWilliams130
 
Cyberark training ppt
Cyberark training pptCyberark training ppt
Cyberark training pptAkhil Kumar
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Edureka!
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introductionJimmy Saigon
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
Network Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityNetwork Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityEryk Budi Pratama
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™Katie Nickels
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
 

What's hot (20)

Best Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability ManagementBest Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability Management
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
 
Cyber Defense Matrix: Revolutions
Cyber Defense Matrix: RevolutionsCyber Defense Matrix: Revolutions
Cyber Defense Matrix: Revolutions
 
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
 
Cyberark training ppt
Cyberark training pptCyberark training ppt
Cyberark training ppt
 
Application Security
Application SecurityApplication Security
Application Security
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
F5 Web Application Security
F5 Web Application SecurityF5 Web Application Security
F5 Web Application Security
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introduction
 
Web Application Firewall
Web Application FirewallWeb Application Firewall
Web Application Firewall
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
 
Network Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityNetwork Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information Security
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda Security
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CK
 

Viewers also liked

Hadoop vs Java Batch Processing JSR 352
Hadoop vs Java Batch Processing JSR 352Hadoop vs Java Batch Processing JSR 352
Hadoop vs Java Batch Processing JSR 352Armel Nene
 
How I Hacked Your Wireless LAN � And How to Stop Me
How I Hacked Your Wireless LAN � And How to Stop MeHow I Hacked Your Wireless LAN � And How to Stop Me
How I Hacked Your Wireless LAN � And How to Stop Medigitallibrary
 
Design & Develop Batch Applications in Java/JEE
Design & Develop Batch Applications in Java/JEEDesign & Develop Batch Applications in Java/JEE
Design & Develop Batch Applications in Java/JEENaresh Chintalcheru
 
Three Key Concepts for Understanding JSR-352: Batch Programming for the Java ...
Three Key Concepts for Understanding JSR-352: Batch Programming for the Java ...Three Key Concepts for Understanding JSR-352: Batch Programming for the Java ...
Three Key Concepts for Understanding JSR-352: Batch Programming for the Java ...timfanelli
 
Java EE 7 Batch processing in the Real World
Java EE 7 Batch processing in the Real WorldJava EE 7 Batch processing in the Real World
Java EE 7 Batch processing in the Real WorldRoberto Cortez
 
Liferay architecture By Navin Agarwal
Liferay architecture By Navin AgarwalLiferay architecture By Navin Agarwal
Liferay architecture By Navin AgarwalNavin Agarwal
 
Liferay Portal Introduction
Liferay Portal IntroductionLiferay Portal Introduction
Liferay Portal IntroductionNguyen Tung
 

Viewers also liked (8)

Hadoop vs Java Batch Processing JSR 352
Hadoop vs Java Batch Processing JSR 352Hadoop vs Java Batch Processing JSR 352
Hadoop vs Java Batch Processing JSR 352
 
How I Hacked Your Wireless LAN � And How to Stop Me
How I Hacked Your Wireless LAN � And How to Stop MeHow I Hacked Your Wireless LAN � And How to Stop Me
How I Hacked Your Wireless LAN � And How to Stop Me
 
Design & Develop Batch Applications in Java/JEE
Design & Develop Batch Applications in Java/JEEDesign & Develop Batch Applications in Java/JEE
Design & Develop Batch Applications in Java/JEE
 
Three Key Concepts for Understanding JSR-352: Batch Programming for the Java ...
Three Key Concepts for Understanding JSR-352: Batch Programming for the Java ...Three Key Concepts for Understanding JSR-352: Batch Programming for the Java ...
Three Key Concepts for Understanding JSR-352: Batch Programming for the Java ...
 
Java EE 7 Batch processing in the Real World
Java EE 7 Batch processing in the Real WorldJava EE 7 Batch processing in the Real World
Java EE 7 Batch processing in the Real World
 
Liferay architecture By Navin Agarwal
Liferay architecture By Navin AgarwalLiferay architecture By Navin Agarwal
Liferay architecture By Navin Agarwal
 
Liferay Portal Introduction
Liferay Portal IntroductionLiferay Portal Introduction
Liferay Portal Introduction
 
Liferay Digital Experience (DXP): Redefining customers experience
Liferay Digital Experience (DXP): Redefining customers experienceLiferay Digital Experience (DXP): Redefining customers experience
Liferay Digital Experience (DXP): Redefining customers experience
 

Similar to Hacking liferay

Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)Ramesh Nagappan
 
Best Practices for Building an Enterprise SOA Infrastructure on Oracle SOA Suite
Best Practices for Building an Enterprise SOA Infrastructure on Oracle SOA SuiteBest Practices for Building an Enterprise SOA Infrastructure on Oracle SOA Suite
Best Practices for Building an Enterprise SOA Infrastructure on Oracle SOA SuiteMatt Wright
 
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsMySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsOlivier DASINI
 
10 Razões para Usar MySQL em Startups
10 Razões para Usar MySQL em Startups10 Razões para Usar MySQL em Startups
10 Razões para Usar MySQL em StartupsMySQL Brasil
 
High Performance Security With SPARC T4 Hardware Assisted Cryptography
High Performance Security With SPARC T4 Hardware Assisted CryptographyHigh Performance Security With SPARC T4 Hardware Assisted Cryptography
High Performance Security With SPARC T4 Hardware Assisted CryptographyRamesh Nagappan
 
Eliz seminar
Eliz seminar Eliz seminar
Eliz seminar henelpj
 
5 razões estratégicas para usar MySQL
5 razões estratégicas para usar MySQL5 razões estratégicas para usar MySQL
5 razões estratégicas para usar MySQLMySQL Brasil
 
Troubleshooting Anypoint Platform
Troubleshooting Anypoint PlatformTroubleshooting Anypoint Platform
Troubleshooting Anypoint PlatformMuleSoft
 
Mysql repos testing.odp
Mysql repos testing.odpMysql repos testing.odp
Mysql repos testing.odpRamana Yeruva
 
My sql fabric webinar v1.1
My sql fabric webinar v1.1My sql fabric webinar v1.1
My sql fabric webinar v1.1Ricky Setyawan
 
Alta Disponibilidade no MySQL 5.7
Alta Disponibilidade no MySQL 5.7Alta Disponibilidade no MySQL 5.7
Alta Disponibilidade no MySQL 5.7MySQL Brasil
 
MySQL High Availibility Solutions
MySQL High Availibility SolutionsMySQL High Availibility Solutions
MySQL High Availibility SolutionsMark Swarbrick
 
AV/DF Advanced Security Option
AV/DF Advanced Security OptionAV/DF Advanced Security Option
AV/DF Advanced Security OptionDLT Solutions
 
MySQL Tech Tour 2015 - 5.7 Connector/J/Net
MySQL Tech Tour 2015 - 5.7 Connector/J/NetMySQL Tech Tour 2015 - 5.7 Connector/J/Net
MySQL Tech Tour 2015 - 5.7 Connector/J/NetMark Swarbrick
 
What's new in MySQL Cluster 7.4 webinar charts
What's new in MySQL Cluster 7.4 webinar chartsWhat's new in MySQL Cluster 7.4 webinar charts
What's new in MySQL Cluster 7.4 webinar chartsAndrew Morgan
 
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate CloudEngineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate CloudMarketingArrowECS_CZ
 
Pegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowPegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowSkycure
 
pegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdfpegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdf064ChetanWani
 
Solaris11 Desayunos Tecnicos Oracle (Solaris)
Solaris11 Desayunos Tecnicos Oracle (Solaris)Solaris11 Desayunos Tecnicos Oracle (Solaris)
Solaris11 Desayunos Tecnicos Oracle (Solaris)Fran Navarro
 

Similar to Hacking liferay (20)

Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
 
Best Practices for Building an Enterprise SOA Infrastructure on Oracle SOA Suite
Best Practices for Building an Enterprise SOA Infrastructure on Oracle SOA SuiteBest Practices for Building an Enterprise SOA Infrastructure on Oracle SOA Suite
Best Practices for Building an Enterprise SOA Infrastructure on Oracle SOA Suite
 
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsMySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
 
10 Razões para Usar MySQL em Startups
10 Razões para Usar MySQL em Startups10 Razões para Usar MySQL em Startups
10 Razões para Usar MySQL em Startups
 
High Performance Security With SPARC T4 Hardware Assisted Cryptography
High Performance Security With SPARC T4 Hardware Assisted CryptographyHigh Performance Security With SPARC T4 Hardware Assisted Cryptography
High Performance Security With SPARC T4 Hardware Assisted Cryptography
 
Eliz seminar
Eliz seminar Eliz seminar
Eliz seminar
 
5 razões estratégicas para usar MySQL
5 razões estratégicas para usar MySQL5 razões estratégicas para usar MySQL
5 razões estratégicas para usar MySQL
 
Troubleshooting Anypoint Platform
Troubleshooting Anypoint PlatformTroubleshooting Anypoint Platform
Troubleshooting Anypoint Platform
 
Mysql repos testing.odp
Mysql repos testing.odpMysql repos testing.odp
Mysql repos testing.odp
 
My sql fabric webinar v1.1
My sql fabric webinar v1.1My sql fabric webinar v1.1
My sql fabric webinar v1.1
 
Alta Disponibilidade no MySQL 5.7
Alta Disponibilidade no MySQL 5.7Alta Disponibilidade no MySQL 5.7
Alta Disponibilidade no MySQL 5.7
 
MySQL High Availibility Solutions
MySQL High Availibility SolutionsMySQL High Availibility Solutions
MySQL High Availibility Solutions
 
AV/DF Advanced Security Option
AV/DF Advanced Security OptionAV/DF Advanced Security Option
AV/DF Advanced Security Option
 
MySQL Tech Tour 2015 - 5.7 Connector/J/Net
MySQL Tech Tour 2015 - 5.7 Connector/J/NetMySQL Tech Tour 2015 - 5.7 Connector/J/Net
MySQL Tech Tour 2015 - 5.7 Connector/J/Net
 
What's new in MySQL Cluster 7.4 webinar charts
What's new in MySQL Cluster 7.4 webinar chartsWhat's new in MySQL Cluster 7.4 webinar charts
What's new in MySQL Cluster 7.4 webinar charts
 
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate CloudEngineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud
 
Pegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowPegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to Know
 
MySQL cluster 7.4
MySQL cluster 7.4 MySQL cluster 7.4
MySQL cluster 7.4
 
pegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdfpegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdf
 
Solaris11 Desayunos Tecnicos Oracle (Solaris)
Solaris11 Desayunos Tecnicos Oracle (Solaris)Solaris11 Desayunos Tecnicos Oracle (Solaris)
Solaris11 Desayunos Tecnicos Oracle (Solaris)
 

Hacking liferay

  • 1. SECURING AGAINST ONLINE THREATS By Armel Nene – Chief Software Architect
  • 2. • Armel Nene – Founder and Chief Software Architect • ETAPIX Global – Founded in 2006 • Key focus on Open Source Software implementation • Over 5 Liferay implementations in the last 3 years • Experienced from Banking, Digital Agencies, Recruitment and Telecom HACKING LIFERAY - ARMEL NENE 05/03/2013 2
  • 3. • Introduction • Operating System Hardening • Database Security • Tomcat / Liferay • Conclusion HACKING LIFERAY - ARMEL NENE 05/03/2013 3
  • 4. OS Database Tomcat / Hardening Security Liferay HACKING LIFERAY - ARMEL NENE 05/03/2013 4
  • 5. HACKING LIFERAY - ARMEL NENE 05/03/2013 5
  • 6. Here are 5 key points in securing your OS • Secure all network communication – do not use FTP, Telnet and Rlogin • Disable “ROOT” login – use SUDO to execute root level commands • Install a firewall and block unnecessary ports • Linux Kernel Hardening ( /etc/sysctl.conf) • Disabled unwanted services and uninstall unnecessary software HACKING LIFERAY - ARMEL NENE 05/03/2013 6
  • 7. HACKING LIFERAY - ARMEL NENE 05/03/2013 7
  • 8. Here are some basic MySQL Security best practices • Set a root password for MySQL • Remove all anonymous accounts • Disable non-local root access • Reload privilege tables to apply changes • Enable SSL connection, the default connection is unencrypted HACKING LIFERAY - ARMEL NENE 05/03/2013 8
  • 9. HACKING LIFERAY - ARMEL NENE 05/03/2013 9
  • 10. Tomcat has been the most popular application server for Liferay deployment, based on our projects. Here is some guidelines for securing Tomcat • Disable Tomcat shutdown port • HTTP connectors only to designate IP addresses • Disable non-local root access • Configure the “ciphers” attribute used for SSL connections • Serve all contents through HTTPS HACKING LIFERAY - ARMEL NENE 05/03/2013 10
  • 11. Liferay popularity is rising very fast and many companies are using it on the open web. On the web, Liferay is vulnerable as any other web sites. Here is some guidelines for securing Liferay • Override all the Admin portlet defaults such user / pass • Set the preferred protocol to HTTPS • Secure all tunnel servlet – JSON and Liferay Tunnel • Secure the Spring Remoting & WebDav Servlets - HTTPS • Choose a strong password encryption algorithm HACKING LIFERAY - ARMEL NENE 05/03/2013 11
  • 12. When deploying Liferay in production on the Open Web, attackers can try to gain access: - Operating System vunerabilities - SQL vunerabilities - Tomcat and Liferay ( Web Application) vulnerabilities Make sure to secure your system if you do not want to be a victim. HACKING LIFERAY - ARMEL NENE 05/03/2013 12
  • 13. HACKING LIFERAY - ARMEL NENE 05/03/2013 13