Alfresco Security Best Practices

martencrush, Internet and Web Applications

8 Dec 2013

Alfresco Security Best Practices

Toni de la Fuente

Alfresco Senior Solutions Engineer

Blog: blyx.com Twitter: @ToniBlyx

Who am I?

- Alfresco Senior Solutions Engineer
- Working with Alfresco for 5 years
- More than 2 years as part of the team
- Always involved with: operating systems, networks, security, open source
- Consultant & auditor: ethical hacking, penetration tests
- And writing about that at blyx.com since 2002

Agenda

- Intro
- Project life cycle and security
- Planning
- Installation
- Post-install configuration and hardening
- Maintenance
- Monitoring and auditing
- Other security-related tasks
- Demo: information leaks and metadata
- Conclusions
- Next steps

The Alfresco Platform

A robust, modern ECM platform focused on scalability & usability.

- Consumer-like UI: drag-and-drop with MS Office integration
- Business Process: rules and workflow that users can use
- Social features: content activity feeds & social feedback
- Metadata and Security: building rich context around content
- Ecosystem of Integrations: CIFS, WebDAV, SharePoint, Exchange, GoogleDocs, CMIS, SAP, Salesforce, Kofax, and thousands more.

[Diagram: Alfresco capabilities: Document Management, Team Collaboration, Rich Media Support, Web Content Services, Process Management, Image Management, Electronic Records Management]

Introduction

- In Alfresco we must take security seriously, because we care about content.
- If Alfresco stopping would be a problem for your business, then security is important to you.
- Security is a process, not a product.
- Think of protection, integrity and privacy.
- Maximize the MTBF (mean time between failures) and guarantee the lowest possible MTTR (mean time to recover).
- Take into account the organization's Security Plan, Contingency Plan and Disaster Recovery Plan.

Project Life Cycle and Security

Planning and previous review

What should I secure? It depends on...

- Project needs
- Interfaces
- Users, applications or both
- Customization
- Architecture, high availability and scalability

[Diagram: Document Management, Records Management, Collaboration, Web Content Management, Email Archive; Interfaces? Customization? Number of...?]

It depends on the network architecture.

[Diagram: two deployment layouts (A and B) showing the Share tier, the application server running Alfresco, and the Content Store, Index and Database back ends]

Installation

Best practices and tips 1/2

- Run Alfresco as a non-root user.
- Configure all ports above 1024:
  - authbind on Debian-like OS
  - iptables port redirect
- Avoid default passwords (admin, db, jmx).
- Change the default certificates and keys in SOLR:
  - Use keytool or your own certificates.
  - installRoot/alf_data/solr/CreateSSLKeystores.txt
- Set permissions for configuration files, content store, indexes and logs. Only the user running Alfresco should be able to access these folders:

      chown -R alfresco:alfresco installRoot/
      chmod -R go-rwx installRoot/

  (A blanket chmod -R 600 would also strip the execute bit from directories and from scripts such as alfresco.sh; removing group/other access while leaving the owner bits alone is the safe form.)
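The ownership and permission checks above as a script you can run from cron or a monitoring check. This is an added example, not code from the deck or from Alfresco; INSTALL_ROOT and ALF_USER are hypothetical names for your installRoot and the non-root account that runs Alfresco.

```sh
#!/bin/sh
# Added example, not part of the original deck: audit an Alfresco install
# tree for the two permission problems the slide warns about (paths readable
# by group/other, paths not owned by the service account) and harden it.
# INSTALL_ROOT and ALF_USER are hypothetical names for your installRoot and
# the non-root user that runs Alfresco.

# Print every path under $1 that has any group or other permission bit set.
find_world_readable() {
    find "$1" \( -perm -g+r -o -perm -g+w -o -perm -g+x \
               -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print
}

# Print every path under $1 that is not owned by user $2.
find_foreign_owner() {
    find "$1" ! -user "$2" -print
}

# List offending paths and return 1 if there are any, 0 if the tree is clean.
audit_tree() {
    bad=$(find_world_readable "$1"; find_foreign_owner "$1" "$2")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Fix the tree: the owner keeps its bits, group and other lose everything.
# Unlike `chmod -R 600`, this keeps the execute bit on directories and on
# scripts such as alfresco.sh, so the install still starts afterwards.
# chown needs root; it is not exercised by the self-test.
harden_tree() {
    chown -R "$2:$2" "$1"
    chmod -R go-rwx "$1"
}

# Example invocation (hypothetical paths), run as root after installation:
# INSTALL_ROOT=/opt/alfresco; ALF_USER=alfresco
# harden_tree "$INSTALL_ROOT" "$ALF_USER" && audit_tree "$INSTALL_ROOT" "$ALF_USER"
```

audit_tree prints nothing and exits 0 on a clean tree, so its exit status can feed a Nagios/Icinga check directly; anything it prints is a path that either leaks to other local accounts or is owned by someone other than the service user.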



Best practices and tips 2/2

- Before installing, run the Alfresco Environment Validation Tool to avoid conflicting services and ports.
- Keep SSL active when possible:
  - Do not use self-signed certificates in live environments.
  - Take care with SSL Strip: force the use of SSL (redirect HTTP to HTTPS and send an HSTS header) and teach your users!
  - Check your certificate strength on https://www.ssllabs.com/ssldb/analyze.html
- Use Apache (or another web server) to protect your application server and services.
- SELinux (review alfresco.sh).
- When possible, run the bundle installer to keep third-party binary files controlled and avoid rootkits.
- If third-party applications are installed from the OS rpm repository, verify them with rpm:

      rpm -Vf /path/to/binary
      rpm -V <rpm-name>

- Check third-party vulnerabilities often.




Post Installation Configuration

Which ports should I open? IN

"Activated" records whether the service is enabled in a default install; it does not mean the port must be reachable from the network (OpenOffice, for instance, is enabled but bound to localhost).

Protocol            | Port        | TCP/UDP | IN/OUT | Activated | Comments
--------------------+-------------+---------+--------+-----------+------------------------------------------------
HTTP                | 8080        | TCP     | IN     | Yes       | Including WebDAV
FTP                 | 21          | TCP     | IN     | Yes       | Passive mode
SMTP                | 25          | TCP     | IN     | No        |
CIFS                | 137,138     | UDP     | IN     | Yes       |
CIFS                | 139,445     | TCP     | IN     | Yes       |
IMAP                | 143         | TCP     | IN     | No        |
SharePoint Protocol | 7070        | TCP     | IN     | Yes       |
Tomcat Admin        | 8005        | TCP     | IN     | Yes       |
Tomcat AJP          | 8009        | TCP     | IN     | Yes       |
SOLR admin          | 8443        | TCP     | IN     | Yes       | Cert installation on the browser needed
NFS                 | 111,2049    | TCP/UDP | IN     | No        |
Lotus Quickr        | 6060        | TCP     | IN     | No        |
RMI                 | 50500-50507 | TCP     | IN     | Yes       | Used by EHCache for cluster and JMX management
JGroups             | 7800        | TCP     | IN     | No        | Cluster discovery
JGroups             | 7801-7802   | TCP     | IN     | No        | Ehcache RMI communication between cluster nodes
OpenOffice          | 8100        | TCP     | IN     | Yes       | Localhost only, no need to open it.

The Tomcat shutdown port (8005), the AJP connector (8009), the RMI/JMX range and the JGroups ports are management and cluster channels: keep them on localhost or on a private cluster network and never expose them on the client-facing interface. Only HTTP(S) and the file protocols you actually serve (CIFS, FTP, SharePoint) need to be reachable by users.


Which ports should I open and keep in mind? OUT

Protocol          | Port      | TCP/UDP | IN/OUT | Activated | Comments
------------------+-----------+---------+--------+-----------+------------------------------------------------------
SMTP              | 25        | TCP     | OUT    | No        | To your MTA.
DB - PostgreSQL   | 5432      | TCP     | OUT    | Yes*      | Depending on DB
DB - MySQL        | 3306      | TCP     | OUT    | Yes*      | Depending on DB
DB - MS SQL Server| 1433      | TCP     | OUT    | Yes*      | Depending on DB
DB - Oracle       | 1521      | TCP     | OUT    | Yes*      | Depending on DB
DB - DB2          | 50000     | TCP     | OUT    | Yes*      | Depending on DB
LDAP              | 389       | TCP     | OUT    | No        | For authentication/sync
LDAPS             | 636       | TCP     | OUT    | No        | For authentication/sync
docs.google.com   | 443       | TCP     | OUT    | No        |
OpenOffice        | 8100      | TCP     | OUT    | No        | Only for remote OpenOffice or Alfresco Transformation Server
JGroups           | 7800-7802 | TCP     | OUT    | No        | Between cluster nodes
NFS               | 111,2049  | TCP/UDP | OUT    | No        | Only if using remote NFS for the contentstore
Kerberos          | 88        | TCP/UDP | OUT    | No        | If Kerberos SSO is configured
DNS               | 53        | UDP     | OUT    | Yes       | Basic DNS service
NTP               | 123       | UDP     | OUT    | Yes       | Network time

* Also allow outbound traffic to Facebook, Twitter, LinkedIn, Slideshare, YouTube, Flickr and blogs if you use the Publishing Framework, and to the target servers for Replication or Cloud Sync.

Control and review

Control the processes and ports used by the system (Linux):

    # netstat -tulpn | grep -i java
    tcp 0 0 0.0.0.0:50500 0.0.0.0:* LISTEN 8591/java
    tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN 8591/java
    tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN 8591/java
    tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 8591/java
    tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 8591/java
    tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 8591/java
    tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 8591/java
    tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 8591/java
    tcp 0 0 0.0.0.0:7070 0.0.0.0:* LISTEN 8591/java
    udp 0 0 0.0.0.0:137 0.0.0.0:* 8591/java

Note that in this output only the Tomcat shutdown port (8005) is bound to 127.0.0.1; AJP (8009), the RMI/JMX port (50500) and the rest listen on all interfaces and are protected only by the host firewall.

On Windows:

    netstat -an | findstr <port #>
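The review above done mechanically: an added example (not from the deck or from Alfresco) that reads netstat -tulpn output and prints every socket bound to all interfaces whose port is not on an allowlist of ports meant to be reachable by clients. SAMPLE_NETSTAT is the listing from the slide, embedded as a constructed string so the check runs offline; the function and variable names are my own.

```sh
#!/bin/sh
# Added example, not part of the original deck: flag Alfresco listeners that
# are exposed on all interfaces. SAMPLE_NETSTAT reproduces the slide's
# `netstat -tulpn | grep -i java` output (constructed sample); in production
# pipe the live netstat output in instead.

SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:50500 0.0.0.0:* LISTEN 8591/java
tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN 8591/java
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN 8591/java
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 8591/java
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 8591/java
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 8591/java
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 8591/java
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 8591/java
tcp 0 0 0.0.0.0:7070 0.0.0.0:* LISTEN 8591/java
udp 0 0 0.0.0.0:137 0.0.0.0:* 8591/java'

# Read netstat -tulpn lines on stdin and print "proto port pid/program" for
# every socket bound to 0.0.0.0 or :: whose port is not in the space-separated
# allowlist $1. Sockets bound to 127.0.0.1 are skipped: they are already
# unreachable from the network, which is where 8005 belongs.
exposed_listeners() {
    awk -v allow=" $1 " '
        {
            n = split($4, a, ":")          # local address field -> addr, port
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr != "0.0.0.0" && addr != "::") next
            if (index(allow, " " port " ") > 0) next
            print $1, port, $NF
        }'
}

# Number of exposed listeners; usable as the value of a Nagios-style check.
count_exposed() {
    exposed_listeners "$1" | wc -l | tr -d ' '
}

# Usage: allow only the client-facing HTTP/HTTPS ports and list the rest.
# printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners "8080 8443"
# Live:  netstat -tulpn 2>/dev/null | grep -i java | exposed_listeners "8080 8443"
```

Run against the slide's listing with only 8080 and 8443 allowed, the filter reports seven sockets (RMI 50500, AJP 8009, CIFS 139/445/137, FTP 21 and SharePoint 7070); each one should either be firewalled, disabled in alfresco-global.properties, or consciously added to the allowlist.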



Activate SSL for all services required

- HTTP -> HTTPS
  - Appliance supporting SSL offloading
  - Activate HTTPS on a front-end web server (Apache, IIS, etc.)
  - Activate HTTPS on the application server
- FTP -> FTPS
  - Check the official documentation
- SharePoint (jetty) -> SSL
  - Avoids the workarounds otherwise needed for MS Office users
  - Check the official documentation
- SMTP -> SMTPS: IN and OUT
- IMAP -> IMAP-SSL
  - Greenmail (based), Perdition or stunnel
- JGroups
  - stunnel or a proxy


Post installation configuration - 1/5

- Redirect ports below 1024. E.g. for FTP with iptables:

      iptables -t nat -A PREROUTING -p tcp --dport 21 -j REDIRECT --to-ports 2121

  (PREROUTING only rewrites packets arriving from the network; connections made from the host itself go through the OUTPUT chain and are not redirected by this rule.)

  http://wiki.alfresco.com/wiki/File_Server_Configuration

- Change JMX credentials and roles:
  http://blyx.com/2011/12/20/persistencia-en-las-credenciales-jmx-de-alfresco/

- Make sure you have control of your logs:
  http://blyx.com/2011/06/02/consejos-sobre-los-logs-en-alfresco/




Post installation configuration - 2/5

- Are you going to use external authentication? Encrypt the communication between Alfresco and the LDAP/AD or SSO system (port 636 TCP for LDAPS).
- Disable unneeded services (alfresco-global.properties):

      ftp.enabled=false
      cifs.enabled=false
      imap.server.enabled=false
      nfs.enabled=false
      transferservice.receiver.enabled=false
      audit.enabled=false

  (Leave audit.enabled on if you rely on the audit log; see Monitoring and Auditing.)

  - WebDAV: disable it in tomcat/webapps/alfresco/WEB-INF/web.xml
  - SharePoint: do not install the VTI module if it is not needed.

Post installation configuration - 3/5

- Backup configuration and sequence:
  - Lucene backup at 2 AM: installRoot/alf_data/backup-lucene-indexes
  - SOLR backup at 2 AM for the Alfresco core and 4 AM for the Archive core:
    installRoot/workspace-SpacesStore
    installRoot/archive-SpacesStore
  - Backup SQL.
  - Backup contentStore, audit, etc.
- Consider using LVM snapshots for the contentstore and a snapshot-like backup for the DB.
- For small amounts of content you may use http://code.google.com/p/share-import-export/
- Test recovery often as a preventive measure.
- Add a tested Alfresco recovery procedure to your Contingency Plan.
- Consider using the Replication Service for the disaster recovery plan:
  replication.enabled=true and replication.transfer.readonly=false







Post installation configuration - 4/5

- Disable the guest user:
  - For NTLM / default:  alfresco.authentication.allowGuestLogin=false (default is true)
  - For pass-through:    passthru.authentication.guestAccess=false (default is false)
  - For LDAP/AD:         ldap.authentication.allowGuestLogin=false (default is true)
- Limit the number of users and the state of the repository:
  - server.maxusers=-1 (-1 means no limit)
  - server.allowedusers=admin,toni,bill (empty for all)
  - server.transaction.allow-writes=true (false turns the whole system into read-only mode)
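The service and guest-login settings from slides 2/5 and 4/5 as a baseline you can audit an alfresco-global.properties against. This is an added example, not from the deck or from Alfresco. The secure values are the ones the slides give; the shipped defaults come from the slides and the port table where they state one (FTP and CIFS on, IMAP and NFS off, the two allowGuestLogin keys true, passthru guestAccess false), and the default for transferservice.receiver.enabled is not stated on the page, so it is marked "?" and treated as something to verify. The properties file in the self-test is constructed.

```sh
#!/bin/sh
# Added example, not part of the original deck: audit alfresco-global.properties
# against the hardening baseline from the slides. Columns: key, secure value,
# shipped default ("?" = not stated on the page, assumption: verify by hand).
BASELINE='ftp.enabled false true
cifs.enabled false true
imap.server.enabled false false
nfs.enabled false false
transferservice.receiver.enabled false ?
alfresco.authentication.allowGuestLogin false true
passthru.authentication.guestAccess false false
ldap.authentication.allowGuestLogin false true'

# Print the effective value of key $2 in properties file $1 (empty if absent).
# Accepts "key=value" and "key = value", ignores # and ! comment lines, and
# honours Java's rule that the last occurrence of a key wins.
prop_value() {
    awk -v k="$2" -F= '
        /^[[:space:]]*[#!]/ { next }
        {
            key = $1; sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key)
            if (key == k) {
                val = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
                print val
            }
        }' "$1" | tail -n 1
}

# One line per finding: a key set to an insecure value, or a key missing while
# its shipped default is insecure or unknown. Prints nothing when clean.
audit_properties() {
    printf '%s\n' "$BASELINE" | while read -r key secure dflt; do
        cur=$(prop_value "$1" "$key")
        if [ -z "$cur" ]; then
            [ "$dflt" = "$secure" ] || echo "MISSING $key (default $dflt, want $secure)"
        elif [ "$cur" != "$secure" ]; then
            echo "BAD $key=$cur (want $secure)"
        fi
    done
}

# Number of findings, so a cron job can fail on anything other than zero.
count_findings() {
    audit_properties "$1" | wc -l | tr -d ' '
}

# Usage (hypothetical path):
# audit_properties /opt/alfresco/tomcat/shared/classes/alfresco-global.properties
```

A key that is absent is only reported when its default is insecure or unknown, which is the case that bites in practice: a freshly installed system never mentions allowGuestLogin, and guest access is on.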




Post installation configuration - 5/5

Disable the trashcan: create a file like *-context.xml with the following content:

    <bean id="storeArchiveMap" class="org.alfresco.repo.node.StoreArchiveMap">
        <property name="archiveMap">
            <map>
            </map>
        </property>
        <property name="tenantService">
            <ref bean="tenantService" />
        </property>
    </bean>

With an empty archiveMap, deleted nodes are removed outright instead of going to the archive store, so make sure your backups cover what users may delete by mistake.



Maintenance

- Daily review of logs and audit records (if enabled).
- Daily review of backups.
- Delete orphan files, rotate logs and clean temporary files.
- Use a crontab script; for further information:
  http://www.fegor.com/2011/08/mantenimiento-diario-de-alfresco.html


Monitoring and Auditing

- JMX: JConsole, VisualVM, Hyperic
  http://blyx.com/2009/11/19/monitoring-alfresco-nagiosicinga-hyperic-auditsurf-jmx-rocks/
- Nagios/Icinga
  http://blyx.com/2009/11/19/monitoring-alfresco-nagiosicinga-hyperic-auditsurf-jmx-rocks/
- JavaMelody
  http://blyx.com/2010/09/13/monitoring-alfresco-con-javamelody/
- Nagios/Icinga plugin: Nagios4Alfresco Plugin

Always monitoring!




Monitoring and Auditing

Failed-login auditing (alfresco-global.properties):

    audit.enabled=true
    audit.tagging.enabled=true
    audit.alfresco-access.enabled=true
    audit.alfresco-access.sub-events.enabled=true
    audit.cmischangelog.enabled=true

To know what is being audited:

    $ curl -u admin:admin http://localhost:8080/alfresco/service/api/audit/control

Rename tomcat/shared/classes/alfresco/extension/audit/alfresco-audit-example-login.xml.sample (drop the .sample suffix) to enable the login audit application, then query it:

    $ curl -u admin:admin "http://localhost:8080/alfresco/service/api/audit/query/AuditExampleLogin1/auditexamplelogin1/login/error/user?verbose=true"
    {
      "count":5,
      "entries":
      [ { "id":7,
          "application":"AuditExampleLogin1",
          "user":null,
          "time":"2012-03-05T19:20:48.994+01:00",
          "values":
          { "\/auditexamplelogin1\/login\/error\/user":"toni"
          } }

These calls send the admin password with HTTP Basic authentication; run them against localhost or over HTTPS only.
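Turning the audit query above into a brute-force check: an added example (not from the deck or from Alfresco) that extracts the failed-login usernames from the JSON shape shown on this slide, counts them per user and reports users over a threshold. SAMPLE_AUDIT is a constructed response with five entries in the same format as the slide's output; the function names are my own, and the curl line in the comment assumes the same query URL as above.

```sh
#!/bin/sh
# Added example, not part of the original deck: count failed logins per user
# from the audit query output. SAMPLE_AUDIT is a constructed response in the
# format the slide shows (five entries: toni x3, bill, admin).
SAMPLE_AUDIT='{
  "count":5,
  "entries":
  [ { "id":7, "application":"AuditExampleLogin1", "user":null,
      "time":"2012-03-05T19:20:48.994+01:00",
      "values": { "\/auditexamplelogin1\/login\/error\/user":"toni" } },
    { "id":8, "application":"AuditExampleLogin1", "user":null,
      "time":"2012-03-05T19:21:02.110+01:00",
      "values": { "\/auditexamplelogin1\/login\/error\/user":"bill" } },
    { "id":9, "application":"AuditExampleLogin1", "user":null,
      "time":"2012-03-05T19:21:15.421+01:00",
      "values": { "\/auditexamplelogin1\/login\/error\/user":"toni" } },
    { "id":10, "application":"AuditExampleLogin1", "user":null,
      "time":"2012-03-05T19:22:40.007+01:00",
      "values": { "\/auditexamplelogin1\/login\/error\/user":"admin" } },
    { "id":11, "application":"AuditExampleLogin1", "user":null,
      "time":"2012-03-05T19:22:41.333+01:00",
      "values": { "\/auditexamplelogin1\/login\/error\/user":"toni" } }
  ]
}'

# The "count" reported by the server, to cross-check against what we parsed.
audit_entry_count() {
    sed -n 's/.*"count":\([0-9]*\).*/\1/p' | head -n 1
}

# One username per line, one line per failed login. The key is matched with
# its JSON-escaped slashes exactly as the API returns it.
failed_login_users() {
    grep -o '"\\/auditexamplelogin1\\/login\\/error\\/user":"[^"]*"' \
      | sed 's/.*:"\([^"]*\)"$/\1/'
}

# "user count" lines, one per user.
failed_login_counts() {
    failed_login_users | sort | uniq -c | awk '{ print $2, $1 }'
}

# Users with at least $1 failed logins in the queried window.
users_over_threshold() {
    failed_login_counts | awk -v t="$1" '$2 >= t { print $1 }'
}

# Usage against a live repository (same query as the slide, HTTPS assumed):
# curl -s -u admin:... "https://alfresco.example/alfresco/service/api/audit/query/AuditExampleLogin1/auditexamplelogin1/login/error/user?verbose=true" \
#   | users_over_threshold 5
```

Because Alfresco itself does not lock accounts after repeated failures (the deck defers that to LDAP or a third party), a cron job that runs this over the last interval and alerts on the output is a cheap stand-in until such blocking is in place.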




Other security-related tasks - 1/2

- Avoid information leaks through metadata (demo): Alfresco stores content plus metadata in its DB, but the file itself also carries its own embedded metadata, which travels with the document wherever it is published.
- Consider using the new type "d:encrypted".
- Add a checksum to the content (third-party development).
- User blocking after a certain number of failed authentications (LDAP or third party).
- Change the WebDAV root visibility.
- Session timeout for Explorer and WebDAV.
- Session timeout for Share.
- Session timeout for CIFS.
- Set CIFS and FTP to read-only mode if required.




Other security-related tasks - 2/2

- Consider using a network scanner to avoid storing viruses and trojans, or an internal action like ALFVIRAL (Google Code).
- mod_security to limit file size or intercept content (for audit purposes).
- To filter which applications can access services or the remote API (Apache 2.2 syntax; on Apache 2.4 use Require ip / Require host instead of order/allow; hostnames in allow rules cost a reverse DNS lookup per request, so prefer IP addresses):

      <Location /alfresco/service/*>
          order allow,deny
          allow from localhost.localdomain
          # Add additional allowed hosts as needed
          # allow from .example.com
      </Location>

      <Location /share/service/*>
          order allow,deny
          allow from localhost.localdomain
          allow from 79.148.213.73
          # allow from .example.com
      </Location>




Demo: avoiding information leaks with Alfresco

Demo script

- Preparing an attack: gathering information
  - Google hacking & Shodan
  - FOCA (URL)
  - ExifTool & wget
- Publishing/Replication/Sync of contents with Alfresco (web sites, blog, social networks or just contents).
- Backdoors and metadata: yes, we can...
- Cleaning contents with Alfresco:
  - cmd-line-action-clean-metadata-1.0.1.amp
  - Configuration (script + alfresco-global.properties)
  - Add rule
  - Test





Tools, References and Links

Gathering info tools:
- FOCA - http://www.informatica64.com/foca.aspx
- ExifTool - http://owl.phy.queensu.ca/~phil/exiftool/
- Metagoofil - http://www.edge-security.com/metagoofil.php
- Libextractor - http://www.gnu.org/software/libextractor/
- Shodan - http://www.shodanhq.com/
- Alfresco Security Toolkit CMD LINE: cmd-line-action-clean-metadata-1.0.1.amp

Cleaners:
- ExifTool
- OOMetaExtractor - http://www.codeplex.org/oometaextractor
- MS Office 2003 & XP - http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=144e54ed-d43e-42ca-bc7b-5446d34e5360
- BatchPurifier - $19 (BatchPurifierCon.exe)

Explanation:
- http://blyx.com (theory)
- http://blyx.com (practice / POC)







Conclusions

Working on security could sometimes be a nightmare but...

[Picture from http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-alonso-palazon-tactical_fingerprinting.pdf]

Conclusions

- Trust no one, including users!
- Nobody cleans documents.
- Almost everything can reveal information.
- Currently we have tools and information available to secure Alfresco, but unfortunately they are not in a single place and some of them need improvement.
- Remember: security measures have to be applied constantly!
- Other security-related topics to be covered in the future:
  - Security in development
  - In-depth auditing
  - Users, roles and permissions
  - Creating authentication subsystems (webinar already given in Spanish)
  - SSO with CAS, SiteMinder, OpenSSO, JOSSO, ForgeRock, Oracle Identity Manager, etc.
  - PKI integration or best practices for digital signatures, content encryption, etc.





Next steps

- Let's use "Alfresco Security Toolkit" as the main project for collecting security-related docs and tools:
  http://code.google.com/p/alfresco-security-toolkit/
- "Hardening Alfresco Guide".
- "Bastille Alfresco": useful?
- Any idea?

Any questions?

    # while you=applause; do echo THANKS!; done

Toni de la Fuente
Alfresco Senior Solutions Engineer
Blog: blyx.com Twitter: @ToniBlyx