Alfresco Security Best Practices
Toni de la Fuente
Alfresco Senior Solutions Engineer
Blog: blyx.com Twitter: @ToniBlyx
Who am I?
• Alfresco Senior Solutions Engineer
• Working with Alfresco for 5 years
• More than 2 years as part of the team
• Always involved with:
  • Operating Systems
  • Networks
  • Security
  • Open Source
• Consultant & Auditor: ethical hacking, penetration tests.
• And writing about that at blyx.com since 2002
Agenda
• Intro
• Project life cycle and security
• Planning
• Installation
• Post-install configuration and hardening
• Maintenance
• Monitoring and auditing
• Other security-related tasks
• Demo: information leaks and metadata
• Conclusions
• Next steps
The Alfresco Platform
A robust, modern ECM platform focused on scalability & usability:
• Consumer-like UI
• Document Management: drag-and-drop with MS Office integration
• Business Process Management: rules and workflow that users can use
• Electronic Records Management
• Team Collaboration: social features, content activity feeds & social feedback
• Metadata and Security: building rich context around content
• Image Management and Rich Media Support
• Ecosystem of Integrations: CIFS, WebDAV, SharePoint, Exchange, GoogleDocs, CMIS, SAP, Salesforce, Kofax, and thousands more.
• Web Content Services
Introduction
• In Alfresco we must take security seriously, because we care about content.
• If Alfresco stops working and that poses a problem for your business, security is important.
• Security is a process, not a product.
• Think of protection, integrity and privacy.
• Reduce the MTBF as much as possible, to guarantee the minimum MTTR possible.
• Take into account the organization's Security Plan, Contingency Plan and Disaster Recovery Plan.
Project Life Cycle and Security
Planning and previous review
What should I secure? It depends on…
• Project needs
• Interfaces: users, applications or both
• Customization
• Architecture, high availability and scalability
[Diagram: project type (Document Management, Collaboration, Web Content Management, Records Management, Email Archive) against the questions Interfaces?, Number of…? and Customization?]
It depends on the network architecture
[Diagram: two deployment layouts, A and B, showing the Share and Alfresco web applications on the application server, the database, the index and the content store]
Installation
Best practices and tips 1/2
• Run Alfresco as a non-root user.
• Configure all ports above 1024:
  • authbind on Debian-like OS
  • iptables port redirect
• Avoid default passwords (admin, db, jmx).
• Change the default certificates and keys in SOLR:
  • Use keytool or your own certificates.
  • installRoot/alf_data/solr/CreateSSLKeystores.txt
• Set permissions for configuration files, content store, indexes and logs. Only the user running Alfresco must be able to access these folders:
  • chown -R alfresco:alfresco installRoot/
  • chmod -R 600 installRoot/
  • Note that directories and the start-up scripts also need the execute bit, so apply 600 to data and configuration files only and keep directories and scripts at 700.
Best practices and tips 2/2
• Before installing, run the Alfresco Environment Validation Tool to avoid conflicting services and ports.
• Keep SSL active when possible:
  • Do not use self-signed certificates in live environments.
  • Take care with SSL Strip: force the use of SSL and teach your users!
  • Check your certificate strength at https://www.ssllabs.com/ssldb/analyze.html
• Use Apache (or another web server) to protect your application server and services.
• SELinux (review alfresco.sh).
• When possible, use the bundle installer to keep third-party binary files under control and avoid rootkits:
  • If third-party applications are installed from the OS rpm repository, verify them with the rpm command:
    rpm -Vf /path/to/binary
    rpm -V <rpm-name>
  • Check third-party vulnerabilities often.
Post Installation Configuration
Which ports should I open? IN
Protocol             Port         TCP/UDP  IN/OUT  Activated  Comments
HTTP                 8080         TCP      IN      Yes        Including WebDAV
FTP                  21           TCP      IN      Yes        Passive mode
SMTP                 25           TCP      IN      No
CIFS                 137,138      UDP      IN      Yes
CIFS                 139,445      TCP      IN      Yes
IMAP                 143          TCP      IN      No
SharePoint Protocol  7070         TCP      IN      Yes        Cert installation on the browser needed
Tomcat Admin         8005         TCP      IN      Yes
Tomcat AJP           8009         TCP      IN      Yes
SOLR admin           8443         TCP      IN      Yes
NFS                  111,2049     TCP/UDP  IN      No
Lotus Quickr         6060         TCP      IN      No
RMI                  50500-50507  TCP      IN      Yes        Used by EHCache for cluster and JMX management
JGroups              7800         TCP      IN      No         Cluster discovery
JGroups              7801-7802    TCP      IN      No         Ehcache RMI communication between cluster nodes
OpenOffice           8100         TCP      IN      Yes        Localhost only, not needed to open.
Which ports should I open and keep in mind? OUT
Protocol            Port       TCP/UDP  IN/OUT  Activated  Comments
SMTP                25         TCP      OUT     No         To your MTA.
DB – PostgreSQL     5432       TCP      OUT     Yes*       Depending on DB
DB – MySQL          3306       TCP      OUT     Yes*       Depending on DB
DB – MS SQL Server  1433       TCP      OUT     Yes*       Depending on DB
DB – Oracle         1521       TCP      OUT     Yes*       Depending on DB
DB – DB2            50000      TCP      OUT     Yes*       Depending on DB
LDAP                396        TCP      OUT     No         For authentication/sync
LDAPS               636        TCP      OUT     No         For authentication/sync
docs.google.com     443        TCP      OUT     No
OpenOffice          8100       TCP      OUT     No         Only for remote OpenOffice or Alfresco Transformation Server
JGroups             7800-7802  TCP      OUT     No         Between cluster nodes
NFS                 111,2049   TCP/UDP  OUT     No         Only if using remote NFS for the contentstore
Kerberos            88         TCP/UDP  OUT     No         If Kerberos SSO is configured
DNS                 53         UDP      OUT     Yes        Basic DNS service
NTP                 123        UDP      OUT     Yes        Network Time
* Also allow outbound traffic to Facebook, Twitter, LinkedIn, Slideshare, YouTube, Flickr and blogs if you are going to use the Publishing Framework, Target Servers for Replication or Cloud Sync.
Control and review
• Check the processes and ports used by the system (Linux):
# netstat -tulpn | grep -i java
tcp        0      0 0.0.0.0:50500    0.0.0.0:*    LISTEN    8591/java
tcp        0      0 127.0.0.1:8005   0.0.0.0:*    LISTEN    8591/java
tcp        0      0 0.0.0.0:8009     0.0.0.0:*    LISTEN    8591/java
tcp        0      0 0.0.0.0:139      0.0.0.0:*    LISTEN    8591/java
tcp        0      0 0.0.0.0:8080     0.0.0.0:*    LISTEN    8591/java
tcp        0      0 0.0.0.0:21       0.0.0.0:*    LISTEN    8591/java
tcp        0      0 0.0.0.0:8443     0.0.0.0:*    LISTEN    8591/java
tcp        0      0 0.0.0.0:445      0.0.0.0:*    LISTEN    8591/java
tcp        0      0 0.0.0.0:7070     0.0.0.0:*    LISTEN    8591/java
udp        0      0 0.0.0.0:137      0.0.0.0:*              8591/java
• On Windows OS:
netstat -an | findstr <port #>
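The review the two port tables and the netstat check describe can be scripted so it is repeatable after every change. The following Python script is an added example, not code from the original deck or from Alfresco: it parses `netstat -tulpn` output (a constructed sample is embedded; real output can be piped on stdin), compares the listening ports with the inbound ports the table marks as activated, and flags services that should stay on the loopback interface when they are bound to all addresses. The allow-list is copied from the IN table; treating Tomcat's shutdown port 8005 as loopback-only (as the netstat sample above shows it) is an assumption of this example, and the list should be trimmed to the services a given deployment really uses.

```python
# Added example (not from the original deck): audit the listening sockets of an
# Alfresco host against the "Which ports should I open? IN" table.
import re
import sys

# Ports the deck marks as "Activated: Yes" for inbound traffic.
EXPECTED_OPEN = {8080, 21, 137, 138, 139, 445, 7070, 8005, 8009, 8443, 8100} | set(range(50500, 50508))
# Services that should only listen on the loopback interface
# (8100 per the table; 8005 is an assumption based on the netstat sample).
LOCALHOST_ONLY = {8005, 8100}

# Constructed sample in the shape of `netstat -tulpn | grep -i java` output.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:50500           0.0.0.0:*               LISTEN      8591/java
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN      8591/java
tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN      8591/java
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      8591/java
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      8591/java
tcp        0      0 0.0.0.0:8100            0.0.0.0:*               LISTEN      8591/java
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      8591/java
udp        0      0 0.0.0.0:137             0.0.0.0:*                           8591/java
"""

# proto, recv-q, send-q, local address:port
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_netstat(text):
    """Return a list of (proto, bind_address, port) for each socket line."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sockets.append((m.group(1), m.group(2), int(m.group(3))))
    return sockets


def audit_ports(text, expected=EXPECTED_OPEN, localhost_only=LOCALHOST_ONLY):
    """Compare listening sockets with the allow-list.

    Returns a dict with:
      'unexpected' - listening ports the table does not mark as activated
      'exposed'    - loopback-only services bound to a non-loopback address
      'missing'    - expected ports nothing is listening on
    """
    sockets = parse_netstat(text)
    listening = {port for _, _, port in sockets}
    unexpected = sorted(listening - expected)
    exposed = sorted(port for _, addr, port in sockets
                     if port in localhost_only and not addr.startswith("127."))
    missing = sorted(expected - listening)
    return {"unexpected": unexpected, "exposed": exposed, "missing": missing}


if __name__ == "__main__":
    # Read real netstat output from stdin when piped, otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for key, ports in audit_ports(data).items():
        print(f"{key}: {ports}")
```

On the sample the script reports port 143 (IMAP, which the table marks as not activated) as unexpected and 8100 as exposed because it is bound to 0.0.0.0 rather than 127.0.0.1.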
Activate SSL for all services required
• HTTP -> HTTPS
  • Appliance supporting SSL offloading
  • Activate HTTPS on a frontal web server (Apache, IIS, etc.)
  • Activate HTTPS on the application server
• FTP -> FTPS
  • Check the official documentation
• SharePoint (jetty) -> SSL
  • You will avoid the workarounds related to MS users
  • Check the official documentation
• SMTP -> SMTPS: IN and OUT
• IMAP -> IMAP-SSL
  • Greenmail (based) or Perdition or Stunnel
• JGroups
  • Stunnel or Proxy
Post installation configuration - 1/5
• Redirect ports below 1024:
  • E.g. for FTP with iptables (the FTP server then listens on 2121, set with ftp.port=2121):
    iptables -t nat -A PREROUTING -p tcp --dport 21 -j REDIRECT --to-ports 2121
  • http://wiki.alfresco.com/wiki/File_Server_Configuration
• Change JMX credentials and roles:
  • http://blyx.com/2011/12/20/persistencia-en-las-credencialesjmx-de-alfresco/
• Make sure you have control of your logs:
  • http://blyx.com/2011/06/02/consejos-sobre-los-logs-enalfresco/
Post installation configuration - 2/5
• Are you going to use external authentication?
  • Encrypt the communication between Alfresco and the LDAP/AD or SSO system (port 636 TCP for LDAPS).
• Disable unneeded services:
  • ftp.enabled=false
  • cifs.enabled=false
  • imap.server.enabled=false
  • nfs.enabled=false
  • transferservice.receiver.enabled=false
  • audit.enabled=false
  • WebDAV: disable it in tomcat/webapps/alfresco/WEB-INF/web.xml
  • SharePoint: do not install the VTI module if it is not needed.
Post installation configuration - 3/5
• Backup configuration and sequence:
  • Backup Lucene at 2 AM:
    • installRoot/alf_data/backup-lucene-indexes
  • Backup SOLR at 2 AM (Alfresco core) and 4 AM (Archive core):
    • installRoot/workspace-SpacesStore
    • installRoot/archive-SpacesStore
  • Backup SQL.
  • Backup contentStore, audit, etc.
  • Consider using LVM snapshots for the contentstore and a snapshot-like backup for the db.
  • For small amounts of content you may use:
    • http://code.google.com/p/share-import-export/
• Try recovery often as a preventive measure.
• Add a tested Alfresco recovery procedure to your Contingency Plan.
• Consider using the Replication Service for your disaster recovery plan:
  • replication.enabled=true and replication.transfer.readonly=false
Post installation configuration - 4/5
• Disable the guest user:
  • For NTLM-Default:
    • alfresco.authentication.allowGuestLogin=false (default is true)
  • For pass-through:
    • passthru.authentication.guestAccess=false (default is false)
  • For LDAP/AD:
    • ldap.authentication.allowGuestLogin=false (default is true)
• Limit the number of users and the state of the repository:
  • server.maxusers=-1 (-1 means no limit)
  • server.allowedusers=admin,toni,bill (empty for all)
  • server.transaction.allow-writes=true (false turns the whole system into read-only mode)
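The service flags from slide 2/5 and the guest-login and user settings from slide 4/5 are easy to forget when a properties file is copied between environments, so a small checker is worth keeping with the deployment. The following Python script is an added example, not code from the original deck or from Alfresco: it parses an alfresco-global.properties file (a constructed fragment is embedded), reports any of the listed service flags that is not explicitly set to false (unless the caller declares the service as in use), applies the guest-login defaults the deck states for each authentication subsystem, and notes when server.allowedusers is empty. Treating an unset service flag as a finding rather than assuming the product default is a design choice of this example.

```python
# Added example (not from the original deck): check alfresco-global.properties
# against the hardening settings on the "Post installation configuration" slides.

# Services the deck suggests disabling when they are not needed.
SERVICE_FLAGS = [
    "ftp.enabled",
    "cifs.enabled",
    "imap.server.enabled",
    "nfs.enabled",
    "transferservice.receiver.enabled",
]

# Guest-login flags with the defaults the deck gives for each authentication subsystem.
GUEST_FLAGS = {
    "alfresco.authentication.allowGuestLogin": "true",   # NTLM-default, default true
    "passthru.authentication.guestAccess": "false",      # pass-through, default false
    "ldap.authentication.allowGuestLogin": "true",       # LDAP/AD, default true
}

# Constructed sample fragment of alfresco-global.properties (not a real deployment).
SAMPLE_PROPERTIES = """\
# constructed sample
dir.root=/opt/alfresco/alf_data
db.name=alfresco
ftp.enabled=false
cifs.enabled=true
imap.server.enabled=false
nfs.enabled=false
transferservice.receiver.enabled=false
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
alfresco.authentication.allowGuestLogin=false
ldap.authentication.allowGuestLogin=true
server.maxusers=-1
server.allowedusers=
"""


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#' and '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_hardening(text, needed_services=()):
    """Return a list of findings (strings) for settings that leave exposure.

    needed_services: flags of services that are legitimately in use and may stay enabled.
    """
    props = parse_properties(text)
    findings = []
    for flag in SERVICE_FLAGS:
        if flag in needed_services:
            continue
        value = props.get(flag)
        if value is None:
            # Unset: the product default applies; make the decision explicit instead.
            findings.append(f"{flag} is not set; set it to false unless the service is in use")
        elif value.lower() != "false":
            findings.append(f"{flag}={value}: service enabled")
    for flag, default in GUEST_FLAGS.items():
        # Use the default from the deck when the property is absent.
        if props.get(flag, default).lower() != "false":
            findings.append(f"{flag} allows guest login")
    if props.get("server.allowedusers", "") == "":
        findings.append("server.allowedusers is empty, so every account may log in")
    return findings


if __name__ == "__main__":
    for finding in check_hardening(SAMPLE_PROPERTIES, needed_services=("cifs.enabled",)):
        print("finding:", finding)
```

Run against the sample with CIFS declared as needed, the checker reports the LDAP guest login and the empty allowed-users list; without that declaration it also reports cifs.enabled=true.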
Post installation configuration - 5/5
• Disable the trashcan:
  • Create a file like *-context.xml with the following content (with an empty archive map, deleted nodes are no longer moved to the archive store, so they cannot be recovered from the trashcan):
<bean id="storeArchiveMap" class="org.alfresco.repo.node.StoreArchiveMap">
  <property name="archiveMap">
    <map>
    </map>
  </property>
  <property name="tenantService">
    <ref bean="tenantService" />
  </property>
</bean>
Maintenance
• Daily review of logs and audit records (if enabled).
• Daily review of backups.
• Delete orphan files, rotate logs and clean temporary files.
  • Use a crontab script; for further information:
    • http://www.fegor.com/2011/08/mantenimiento-diario-dealfresco.html
Monitoring and Auditing
• JMX:
  • JConsole
  • VisualVM
  • Hyperic
    • http://blyx.com/2009/11/19/monitoring-alfresco-nagiosicingahyperic-auditsurf-jmx-rocks/
• Nagios/Icinga:
  • http://blyx.com/2009/11/19/monitoring-alfresco-nagiosicingahyperic-auditsurf-jmx-rocks/
• JavaMelody:
  • http://blyx.com/2010/09/13/monitoring-alfresco-conjavamelody/
• Nagios/Icinga plugin:
  • Nagios4Alfresco Plugin
• Always monitoring!
Monitoring and Auditing
• Failed logins auditing:
audit.enabled=true
audit.tagging.enabled=true
audit.alfresco-access.enabled=true
audit.alfresco-access.sub-events.enabled=true
audit.cmischangelog.enabled=true
• To know what is being audited:
$ curl -u admin:admin http://localhost:8080/alfresco/service/api/audit/control
• Rename (dropping the .sample suffix):
tomcat/shared/classes/alfresco/extension/audit/alfresco-auditexample-login.xml.sample
• Query the failed logins:
$ curl -u admin:admin "http://localhost:8080/alfresco/service/api/audit/query/AuditExampleLogin1/auditexamplelogin1/login/error/user?verbose=true"
{
  "count":5,
  "entries":
  [ { "id":7,
      "application":"AuditExampleLogin1",
      "user":null,
      "time":"2012-03-05T19:20:48.994+01:00",
      "values":
      { "\/auditexamplelogin1\/login\/error\/user":"toni"
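The audit query above returns one entry per failed login, which is more useful once it is summarised per user and per time window (the same data the later slide's "user blocking after a certain number of failed authentications" needs). The following Python script is an added example, not code from the original deck or from Alfresco: it parses a response in the shape shown above, counts failures per user and flags users with at least N failures inside a sliding window. The embedded response is constructed for the example; only its first entry mirrors the one the deck shows, and the audit key path is taken from the query URL above.

```python
# Added example (not from the original deck): summarise failed logins from the
# JSON returned by the audit query web script.
import json
from collections import Counter
from datetime import datetime, timedelta

# Value path used by the deck's example audit application.
KEY = "/auditexamplelogin1/login/error/user"

# Constructed response in the shape of the audit query output (the first entry
# mirrors the deck; the rest are made up for the example).
SAMPLE_RESPONSE = json.dumps({
    "count": 6,
    "entries": [
        {"id": 7, "application": "AuditExampleLogin1", "user": None,
         "time": "2012-03-05T19:20:48.994+01:00", "values": {KEY: "toni"}},
        {"id": 8, "application": "AuditExampleLogin1", "user": None,
         "time": "2012-03-05T19:21:02.110+01:00", "values": {KEY: "toni"}},
        {"id": 9, "application": "AuditExampleLogin1", "user": None,
         "time": "2012-03-05T19:22:00.000+01:00", "values": {KEY: "bill"}},
        {"id": 10, "application": "AuditExampleLogin1", "user": None,
         "time": "2012-03-05T19:21:30.500+01:00", "values": {KEY: "toni"}},
        {"id": 11, "application": "AuditExampleLogin1", "user": None,
         "time": "2012-03-05T19:25:10.000+01:00", "values": {KEY: "toni"}},
        # An entry for a different audit path is ignored by the functions below.
        {"id": 12, "application": "AuditExampleLogin1", "user": "admin",
         "time": "2012-03-05T19:26:00.000+01:00",
         "values": {"/auditexamplelogin1/login/no-error/user": "admin"}},
    ],
})


def failed_logins(response_text, key=KEY):
    """Return {user: [datetime, ...]} for every entry carrying the failed-login key."""
    data = json.loads(response_text)
    attempts = {}
    for entry in data.get("entries", []):
        user = entry.get("values", {}).get(key)
        if user is None:
            continue
        when = datetime.fromisoformat(entry["time"])  # keeps the +01:00 offset
        attempts.setdefault(user, []).append(when)
    return attempts


def failed_login_counts(response_text):
    """Total failed logins per user, most frequent first via Counter."""
    return Counter({u: len(t) for u, t in failed_logins(response_text).items()})


def users_over_threshold(response_text, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` failures inside any period of length `window`."""
    flagged = []
    for user, times in failed_logins(response_text).items():
        times.sort()
        # Sliding window: compare each attempt with the (threshold-1)th one after it.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print(failed_login_counts(SAMPLE_RESPONSE).most_common())
    print("over threshold:", users_over_threshold(SAMPLE_RESPONSE))
```

With a real deployment, feed the script the output of the curl command shown above; the threshold and window are the parameters a blocking policy would tune.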
Other security-related tasks - 1/2
• Avoid information leaks through metadata (demo):
  • content + metadata in the Alfresco DB
    vs.
    (content + metadata) + metadata in Alfresco
• Consider using the new type “d:encrypted”.
• Add a checksum to the content (third-party development).
• User blocking after a certain number of failed authentications (LDAP or third party).
• Change the WebDAV visibility root.
• Session timeout for Explorer and WebDAV.
• Session timeout for Share.
• Session timeout for CIFS.
• Set CIFS and FTP in read-only mode if required.
Other security-related tasks - 2/2
• Consider using a network scanner to avoid storing viruses and trojans, or an internal action like ALFVIRAL (Google Code).
• mod_security to limit file size or intercept content (for audit purposes).
• To filter which applications can access the services or the remote API (Apache 2.2 syntax; Apache 2.4 replaces order/allow with Require directives):
<Location /alfresco/service/*>
order allow,deny
allow from localhost.localdomain
# Add additional allowed hosts as needed
# allow from .example.com
</Location>
<Location /share/service/*>
order allow,deny
allow from localhost.localdomain
allow from 79.148.213.73
# allow from .example.com
</Location>
Demo: using Alfresco to avoid information leaks
Demo Script
• Preparing an attack: gathering information
  • Google Hacking & Shodan
  • FOCA (URL)
  • Exiftool & wget
• Publishing/Replication/Sync contents with Alfresco (web sites, blog, social networks or just contents.)
• Backdoors and metadata: yes, we can…
• Cleaning contents with Alfresco:
  • cmd-line-action-clean-metadata-1.0.1.amp
  • Configuration (script + alfresco-global.properties)
  • Add rule
  • Test
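The cleaning step above wraps an external tool in an Alfresco action; the underlying check is simple enough to show directly. The following Python script is an added example, not the code of the clean-metadata AMP or of any tool listed on this page: it treats an Office Open XML file (docx, xlsx, pptx are zip containers) as the document to inspect, reports the people-identifying core properties found in docProps/core.xml, and writes a copy with those properties emptied. The sample document is constructed in memory; the set of properties considered sensitive is a choice of this example and can be extended (the same idea applies to app.xml, comments and revision data, which this example does not touch).

```python
# Added example (not from the original deck or the clean-metadata AMP): inspect and
# strip author metadata from an Office Open XML file before it is published.
import io
import re
import zipfile

# Core properties that commonly identify people or internal systems (a choice
# of this example; extend as required).
SENSITIVE_TAGS = ("dc:creator", "cp:lastModifiedBy", "dc:description", "cp:keywords")

# Constructed minimal core.xml, in the shape an office suite writes into a .docx.
SAMPLE_CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Q3 report</dc:title>
<dc:creator>toni</dc:creator>
<cp:lastModifiedBy>DOMAIN\\bill</cp:lastModifiedBy>
<dcterms:created xsi:type="dcterms:W3CDTF">2012-03-05T18:20:48Z</dcterms:created>
</cp:coreProperties>
"""


def build_sample_docx():
    """Build an in-memory zip with the part layout of a .docx (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", SAMPLE_CORE_XML)
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def leaked_metadata(docx_bytes):
    """Return {tag: value} for sensitive, non-empty core properties in the file."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        core = z.read("docProps/core.xml").decode("utf-8")
    found = {}
    for tag in SENSITIVE_TAGS:
        m = re.search(rf"<{tag}[^>]*>(.*?)</{tag}>", core, re.S)
        if m and m.group(1).strip():
            found[tag] = m.group(1).strip()
    return found


def strip_metadata(docx_bytes):
    """Return a copy of the file with the sensitive core properties emptied."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                core = data.decode("utf-8")
                for tag in SENSITIVE_TAGS:
                    core = re.sub(rf"<{tag}[^>]*>.*?</{tag}>", f"<{tag}></{tag}>", core, flags=re.S)
                data = core.encode("utf-8")
            dst.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", leaked_metadata(original))
    print("after: ", leaked_metadata(strip_metadata(original)))
```

In a deployment this is the kind of check an Alfresco rule would run on content entering a site that publishes outside the organisation; the part of the work the script cannot do is deciding which properties are legitimately needed downstream.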
Tools, References and Links
• Gathering info tools:
  • FOCA http://www.informatica64.com/foca.aspx
  • Exiftool http://owl.phy.queensu.ca/~phil/exiftool/
  • Metagoofil http://www.edgesecurity.com/metagoofil.php
  • Libextractor http://www.gnu.org/software/libextractor/
  • Shodan http://www.shodanhq.com/
• Alfresco Security Toolkit CMD LINE:
  • cmd-line-action-clean-metadata-1.0.1.amp
• Cleaners:
  • Exiftool
  • OOMetaExtractor http://www.codeplex.org/oometaextractor
  • MS Office 2003 & XP http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=144e54edd43e-42cabc7b-5446d34e5360
  • BatchPurifier - $19 (BatchPurifierCon.exe)
• Explanation:
  • http://blyx.com – theory
  • http://blyx.com – practice / POC
Conclusions
• Working on security can sometimes be a nightmare but…
Picture from: http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-alonso-palazon-tactical_fingerprinting.pdf
• Trust no one, including users!
• Nobody cleans documents.
• Almost everything can reveal information.
• Currently we have tools and information available to secure Alfresco, but unfortunately they are not in a single place and we have to improve some of them.
• Remember: security measures have to be taken constantly!
• Other topics to be covered in the future related to security:
  • Security in development
  • In-depth auditing
  • Users, roles and permissions
  • Authentication subsystems creation (webinar already carried out in Spanish)
  • SSO with CAS, Siteminder, OpenSSO, JoSSO, ForgeRock, Oracle Identity Manager, etc.
  • PKI integration or best practices for digital signatures, content encryption, etc.
Next steps
• Let's use “Alfresco Security Toolkit” as the main project for collecting security-related docs and tools:
  • http://code.google.com/p/alfresco-security-toolkit/
  • “Hardening Alfresco Guide”.
  • “Bastille Alfresco” – useful?
  • Any idea?
Any questions?
# while you=applause; do echo THANKS!; done
Toni de la Fuente
Alfresco Senior Solutions Engineer
Blog: blyx.com Twitter: @ToniBlyx