Posted to users@tomcat.apache.org by OG <og...@yahoo.com> on 2006/02/14 08:47:17 UTC

Blocking AJP13 (port 8009) access

Hi,

I'm trying to block external access to port 8009 (AJP13), as only my local host really needs to be able to talk to it.
I'm wondering if there are any internal/mod_jk mechanisms for that, or if iptables is the best option.

I have tried iptables, which did block external requests, but it also got me in a situation where I had a few hundred httpd processes in a SYN_SENT state ( netstat | grep 8009 | grep -c SYN_SENT ) and returning 503s instead of 200s:

iptables -A INPUT \
     -p TCP --dport 8009 \
     -m state --state NEW \
     -j DROP
iptables -A INPUT \
     -p UDP --dport 8009 \
     -m state --state NEW \
     -j DROP

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT  -i lo -j ACCEPT


If anyone has iptables rules that work, I'd appreciate it if you could share them.

I'd also be curious to know whether people use some other mechanisms to prevent evil folks from connecting to your port 8009 from the outside and consuming your available connections.

Thanks,
Otis


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Blocking AJP13 (port 8009) access

Posted by Antony Riley <cy...@gmail.com>.
Try adding address="127.0.0.1" to the ajp13 <connector> tag in server.xml,
and configuring apache to connect to 127.0.0.1 if you haven't already.

This should stop the ajp13 port from being visible to other machines.

As far as iptables goes, you probably want -o lo -j ACCEPT at the top of the
ruleset, and I'm really not sure why you're using state flags to attempt to
block external access to port 8009. Mostly you don't want drop rules to
check the state table, though this might be some iptablism, I'm not too
familiar with it past basic NAT / port blocking.

-Antony

On 2/14/06, OG <og...@yahoo.com> wrote:
>
> Hi,
>
> I'm trying to block external access to port 8009 (AJP13), as only my local
> host really needs to be able to talk to it.
> I'm wondering if there are any internal/mod_jk mechanisms for that, or if
> iptables is the best option.
>
> I have tried iptables, which did block external requests, but it also got
> me in a situation where I had a few hundred httpd processes in a SYN_SENT
> state ( netstat | grep 8009 | grep -c SYN_SENT ) and returning 503s instead
> of 200s:
>
> iptables -A INPUT \
>      -p TCP --dport 8009 \
>      -m state --state NEW \
>      -j DROP
> iptables -A INPUT \
>      -p UDP --dport 8009 \
>      -m state --state NEW \
>      -j DROP
>
> iptables -A OUTPUT -o lo -j ACCEPT
> iptables -A INPUT  -i lo -j ACCEPT
>
>
> If anyone has iptables rules that work, I'd appreciate it if you could
> share them.
>
> I'd also be curious to know whether people use some other mechanisms to
> prevent evil folks from connecting to your port 8009 from the outside and
> consuming your available connections.
>
> Thanks,
> Otis
>
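The two controls Antony describes, written out as an added example (not code from anyone in the thread) so that the rule order is explicit: the loopback ACCEPT has to come before the DROP, otherwise httpd's own connections to 127.0.0.1:8009 are what gets dropped. It assumes Apache/mod_jk and Tomcat share one host and that mod_jk's worker is already pointed at 127.0.0.1; the Connector line is an illustrative server.xml entry, not one taken from the thread.

```shell
#!/bin/sh
# Added example: loopback-only AJP, firewall side and Tomcat side.
# Assumes httpd (mod_jk) and Tomcat run on the same host.

# Rules in the order they must be evaluated. In the original post the
# loopback ACCEPTs were appended *after* the DROP, so httpd's SYN to
# 127.0.0.1:8009 matched the DROP first, sat in SYN_SENT, and mod_jk
# answered 503. AJP is TCP only, so no UDP rule is needed.
ajp_rules() {
    cat <<'EOF'
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 8009 -j DROP
EOF
}

# Checks rule text on stdin (ajp_rules output, or `iptables -S INPUT` on a
# live box): returns 0 if the loopback ACCEPT precedes the 8009 DROP, else 1.
lo_before_drop() {
    awk '
        /-i lo -j ACCEPT/ && !lo          { lo = NR }
        /--dport 8009/ && /-j DROP/ && !drop { drop = NR }
        END { exit !(lo && drop && lo < drop) }'
}

# Tomcat side: bind the AJP connector to loopback so nothing is listening on
# port 8009 for remote hosts even if the firewall rules are ever flushed.
# Verify afterwards with: netstat -ltn | grep 8009  (expect 127.0.0.1:8009)
ajp_connector() {
    printf '%s\n' \
        '<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443" />'
}

# Apply only when explicitly requested as root; otherwise just print.
if [ "${APPLY_RULES:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    ajp_rules | sh
else
    ajp_rules
    ajp_connector
fi
```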

Re: Blocking AJP13 (port 8009) access

Posted by Mladen Turk <ml...@jboss.com>.
OG wrote:
> Hi,
> 
> I'm trying to block external access to port 8009 (AJP13), as only my local host really needs to be able to talk to it.
> I'm wondering if there are any internal/mod_jk mechanisms for that, or if iptables is the best option.
> 
> 
> If anyone has iptables rules that work, I'd appreciate it if you could share them.
>

Take a look at:
http://www.linuxguruz.com/iptables/

For example:
http://www.linuxguruz.com/iptables/scripts/rc.firewall.txt
will make a simple firewall allowing only
ports 21,22,80 and 133, etc...

Just adjust your network IPs.

Regards,
Mladen.
