Posted to users@activemq.apache.org by Eraos <re...@broemeling.org> on 2010/08/24 23:46:44 UTC

Bind only to localhost/private network

Hi, I'm a new ActiveMQ user (ActiveMQ 5.4.0 on Ubuntu Lucid Lynx) and have
been trying to lock-down/secure an ActiveMQ instance for this entire
afternoon without really getting anywhere appreciable.  I was hoping someone
here could help me.

Specifically, what I want is for ActiveMQ to:

1) Bind all administrative and miscellaneous sockets to localhost.
2) Bind only the STOMP transport to a private network.

I've achieved #2, but #1 really eludes me badly.  The bindings of my
ActiveMQ server currently look like this, according to netstat:

-----SNIP-----
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 10.179.68.234:61617     :::*                    LISTEN      5119/java
tcp6       0      0 :::33689                :::*                    LISTEN      5119/java
tcp6       0      0 :::11099                :::*                    LISTEN      5119/java
tcp6       0      0 :::11100                :::*                    LISTEN      5119/java
-----SNIP-----

As you can see, the transport binding (port 61617) is correctly on the
private network; but the other three are wildcard bindings that I really
want turned into localhost bindings, but I cannot for the life of me figure
out how to do it.

The command-line that ActiveMQ is currently executed as is:

-----SNIP-----
/usr/bin/java
  -Xms256M
  -Xmx256M
  -Dorg.apache.activemq.UseDedicatedTaskRunner=true
  -Djava.util.logging.config.file=logging.properties
  -Dcom.sun.management.jmxremote
  -Djava.rmi.server.hostname=127.0.0.1
  -Dactivemq.classpath=/opt/apache-activemq-5.4.0/conf;
  -Dactivemq.home=/opt/apache-activemq-5.4.0
  -Dactivemq.base=/opt/apache-activemq-5.4.0
  -jar /opt/apache-activemq-5.4.0/bin/run.jar
  xbean:file:/etc/activemq.xml
-----SNIP-----

... and my /etc/activemq.xml file looks like this (comments trimmed out):

-----SNIP-----
<beans
  xmlns="http://www.springframework.org/schema/beans"
  xmlns:amq="http://activemq.apache.org/schema/core"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
        http://activemq.apache.org/schema/core
        http://activemq.apache.org/schema/core/activemq-core.xsd">

    <bean
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="locations">
            <value>file:${activemq.base}/conf/credentials.properties</value>
        </property>
    </bean>
    <broker xmlns="http://activemq.apache.org/schema/core"
brokerName="localhost" dataDirectory="${activemq.base}/data"
persistent="false" useJmx="true">
        <destinationPolicy>
            <policyMap>
              <policyEntries>
                <policyEntry topic=">" producerFlowControl="false">
                  <pendingSubscriberPolicy>
                    <vmCursor />
                  </pendingSubscriberPolicy>
                </policyEntry>
                <policyEntry queue=">" producerFlowControl="false">
                </policyEntry>
              </policyEntries>
            </policyMap>
        </destinationPolicy>
        <managementContext>
            <managementContext connectorPort="11099"
jmxDomainName="org.apache.activemq" rmiServerPort="11100"/>
        </managementContext>
        <persistenceAdapter>
            <kahaDB directory="${activemq.base}/data/kahadb"/>
        </persistenceAdapter>
        <transportConnectors>
            <transportConnector name="stomp"
uri="stomp://10.179.68.234:61617?transport.closeAsync=false"/>
        </transportConnectors>
    </broker>
</beans>
-----SNIP-----

I am reasonably certain that the "extra" ports (i.e. ports 33689, 11099, and
11100 in the above netstat output) are due to jmx/rmi but I cannot for the
life of me figure out how to secure them by forcing them to bind localhost
instead of binding to the wildcard address.  Can anyone point me in the
right direction as to how to achieve this, please?

Thanks.
-- 
View this message in context: http://old.nabble.com/Bind-only-to-localhost-private-network-tp29526752p29526752.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.


Re: Bind only to localhost/private network

Posted by Gary Tully <ga...@gmail.com>.
You should be able to specify the complete URI from the
managementContext, have it create the jmx rmi server rather than using
the management services built into the jvm:

<managementContext>
  <!-- one element carries all three attributes; X and X+y are the ports you pick -->
  <managementContext createConnector="true" connectorPort="X" rmiServerPort="X+y"/>
</managementContext>

To see where these attributes are used peek at:
http://svn.apache.org/viewvc/activemq/trunk/activemq-core/src/main/java/org/apache/activemq/broker/jmx/ManagementContext.java?view=markup
createConnector method.

Also check out the details for jmx with a firewall:
http://blogs.sun.com/jmxetc/entry/connecting_through_firewall_using_jmx


On 24 August 2010 23:38, Eraos <re...@broemeling.org> wrote:
>
>
> Vjaceslavs Klimovs wrote:
>>
>> Hi,
>> Binding JMX to a specified address is unfortunately not trivial. For
>> details see this blog post:
>> http://vafer.org/blog/20061010091658
>>
>> You will probably be better off using firewall to whitelist only your
>> transport socket.
>>
>
> Ouch.  That's very unfortunate, particularly as one of the ports that
> ActiveMQ listens on (33689 in the above netstat output) bounces around.  If
> there is no way to lock those listens down to localhost (without editing the
> ActiveMQ source, anyway...), then is there any way to lock all of the ports
> down (so that they don't change), so that I can just firewall only those
> ports?
>
> I have nearly all of them locked down, only that 33689 one bounces around
> (it changes with every restart of ActiveMQ) -- can anyone tell me what it is
> and how I can force it to be predictable?
>
> Thanks.
> --
> View this message in context: http://old.nabble.com/Bind-only-to-localhost-private-network-tp29526752p29527128.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>
>



-- 
http://blog.garytully.com

Open Source Integration
http://fusesource.com
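Whether the fix is pinning the JMX/RMI ports as suggested above or binding them to loopback, the thing worth automating is the check the original poster did by hand: read the netstat listing and confirm that nothing except the STOMP transport is reachable from outside the host. The script below is an added example, not code from the thread or from the ActiveMQ project. The "before" listing is constructed from the netstat output quoted in the thread; the "after" listing is a hypothetical target state, and the policy mapping (only 61617 on 10.179.68.234, everything else on loopback) is the poster's stated goal.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in the format of the netstat listing quoted in the thread:
# the STOMP transport is on the private address, the three JMX/RMI ports are
# wildcard-bound, and 33689 is the high port that changed on every restart.
NETSTAT_BEFORE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 10.179.68.234:61617     :::*                    LISTEN      5119/java
tcp6       0      0 :::33689                :::*                    LISTEN      5119/java
tcp6       0      0 :::11099                :::*                    LISTEN      5119/java
tcp6       0      0 :::11100                :::*                    LISTEN      5119/java
"""

# Hypothetical target state (constructed, not observed): the same broker once
# the management ports are pinned and bound to loopback.
NETSTAT_AFTER = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 10.179.68.234:61617     :::*                    LISTEN      5119/java
tcp        0      0 127.0.0.1:11099         0.0.0.0:*               LISTEN      5119/java
tcp        0      0 127.0.0.1:11100         0.0.0.0:*               LISTEN      5119/java
"""

# The poster's policy: only the STOMP port may face the private network;
# every other listener must be on loopback.
POLICY = {61617: "10.179.68.234"}

# Linux's default ephemeral range starts here; a listener in it is a hint
# that the port was chosen at runtime rather than pinned in configuration.
EPHEMERAL_MIN = 32768


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    program: str


def parse_netstat(text):
    """Extract LISTEN sockets from `netstat -tlnp`-style output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Skip headers and anything that is not a TCP listener.
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        # Split on the last colon so IPv6 literals such as ":::33689" survive.
        host, _, port = fields[3].rpartition(":")
        program = fields[6] if len(fields) > 6 else "-"
        listeners.append(Listener(fields[0], host, int(port), program))
    return listeners


def classify(address):
    """Return 'wildcard', 'loopback', 'private' or 'public' for a bind address."""
    ip = ipaddress.ip_address(address)
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it wraps.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_unspecified:
        return "wildcard"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def audit(listeners, policy):
    """List every listener that violates the policy; an empty list means compliant."""
    findings = []
    for sock in listeners:
        kind = classify(sock.address)
        if sock.port in policy:
            expected = policy[sock.port]
            ok = sock.address == expected
        else:
            expected = "loopback"
            ok = kind == "loopback"
        if ok:
            continue
        note = f"port {sock.port} ({sock.program}) bound to {sock.address} ({kind}), expected {expected}"
        if sock.port >= EPHEMERAL_MIN:
            note += "; ephemeral-range port, probably not pinned in configuration"
        findings.append(note)
    return findings


if __name__ == "__main__":
    for label, text in (("before", NETSTAT_BEFORE), ("after", NETSTAT_AFTER)):
        problems = audit(parse_netstat(text), POLICY)
        print(f"{label}: {len(problems)} finding(s)")
        for p in problems:
            print("  " + p)
```

Against the "before" listing the audit reports the three wildcard JMX/RMI listeners and marks 33689 as an ephemeral-range port, which is the symptom of a connector whose RMI server port was never fixed in configuration; against the "after" listing it reports nothing. To run it on a live host, feed the output of `netstat -tlnp` to `parse_netstat` instead of the embedded sample; the same policy dictionary then serves as a regression check after every configuration change or restart.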

Re: Bind only to localhost/private network

Posted by Eraos <re...@broemeling.org>.

Vjaceslavs Klimovs wrote:
> 
> Hi,
> Binding JMX to a specified address is unfortunately not trivial. For
> details see this blog post:
> http://vafer.org/blog/20061010091658
> 
> You will probably be better off using firewall to whitelist only your
> transport socket.
> 

Ouch.  That's very unfortunate, particularly as one of the ports that
ActiveMQ listens on (33689 in the above netstat output) bounces around.  If
there is no way to lock those listens down to localhost (without editing the
ActiveMQ source, anyway...), then is there any way to lock all of the ports
down (so that they don't change), so that I can just firewall only those
ports?

I have nearly all of them locked down, only that 33689 one bounces around
(it changes with every restart of ActiveMQ) -- can anyone tell me what it is
and how I can force it to be predictable?

Thanks.
-- 
View this message in context: http://old.nabble.com/Bind-only-to-localhost-private-network-tp29526752p29527128.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.


Re: Bind only to localhost/private network

Posted by Vjaceslavs Klimovs <vk...@gmail.com>.
Hi,
Binding JMX to a specified address is unfortunately not trivial. For
details see this blog post:
http://vafer.org/blog/20061010091658

You will probably be better off using firewall to whitelist only your
transport socket.

On Tue, 24 Aug 2010 14:47:07 -0700 (PDT)
Eraos <re...@broemeling.org> wrote:

> 
> Hi, I'm a new ActiveMQ user (ActiveMQ 5.4.0 on Ubuntu Lucid Lynx) and
> have been trying to lock-down/secure an ActiveMQ instance for this
> entire afternoon without really getting anywhere appreciable.  I was
> hoping someone here could help me.
> 
> Specifically, what I want is for ActiveMQ to:
> 
> 1) Bind all administrative and miscellaneous sockets to localhost.
> 2) Bind only the STOMP transport to a private network.
> 
> I've achieved #2, but #1 really eludes me badly.  The bindings of my
> ActiveMQ server currently look like this, according to netstat:
> 
> -----SNIP-----
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp6       0      0 10.179.68.234:61617     :::*                    LISTEN      5119/java
> tcp6       0      0 :::33689                :::*                    LISTEN      5119/java
> tcp6       0      0 :::11099                :::*                    LISTEN      5119/java
> tcp6       0      0 :::11100                :::*                    LISTEN      5119/java
> -----SNIP-----
> 
> As you can see, the transport binding (port 61617) is correctly on the
> private network; but the other three are wildcard bindings that I
> really want turned into localhost bindings, but I cannot for the life
> of me figure out how to do it.
> 
> The command-line that ActiveMQ is currently executed as is:
> 
> -----SNIP-----
> /usr/bin/java
>   -Xms256M
>   -Xmx256M
>   -Dorg.apache.activemq.UseDedicatedTaskRunner=true
>   -Djava.util.logging.config.file=logging.properties
>   -Dcom.sun.management.jmxremote
>   -Djava.rmi.server.hostname=127.0.0.1
>   -Dactivemq.classpath=/opt/apache-activemq-5.4.0/conf;
>   -Dactivemq.home=/opt/apache-activemq-5.4.0
>   -Dactivemq.base=/opt/apache-activemq-5.4.0
>   -jar /opt/apache-activemq-5.4.0/bin/run.jar
>   xbean:file:/etc/activemq.xml
> -----SNIP-----
> 
> ... and my /etc/activemq.xml file looks like this (comments trimmed
> out):
> 
> -----SNIP-----
> <beans
>   xmlns="http://www.springframework.org/schema/beans"
>   xmlns:amq="http://activemq.apache.org/schema/core"
>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>   xsi:schemaLocation="
>         http://www.springframework.org/schema/beans
>         http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>         http://activemq.apache.org/schema/core
>         http://activemq.apache.org/schema/core/activemq-core.xsd">
> 
>     <bean
> class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
>         <property name="locations">
>             <value>file:${activemq.base}/conf/credentials.properties</value>
>         </property>
>     </bean>
>     <broker xmlns="http://activemq.apache.org/schema/core"
> brokerName="localhost" dataDirectory="${activemq.base}/data"
> persistent="false" useJmx="true">
>         <destinationPolicy>
>             <policyMap>
>               <policyEntries>
>                 <policyEntry topic=">" producerFlowControl="false">
>                   <pendingSubscriberPolicy>
>                     <vmCursor />
>                   </pendingSubscriberPolicy>
>                 </policyEntry>
>                 <policyEntry queue=">" producerFlowControl="false">
>                 </policyEntry>
>               </policyEntries>
>             </policyMap>
>         </destinationPolicy>
>         <managementContext>
>             <managementContext connectorPort="11099"
> jmxDomainName="org.apache.activemq" rmiServerPort="11100"/>
>         </managementContext>
>         <persistenceAdapter>
>             <kahaDB directory="${activemq.base}/data/kahadb"/>
>         </persistenceAdapter>
>         <transportConnectors>
>             <transportConnector name="stomp"
> uri="stomp://10.179.68.234:61617?transport.closeAsync=false"/>
>         </transportConnectors>
>     </broker>
> </beans>
> -----SNIP-----
> 
> I am reasonably certain that the "extra" ports (i.e. ports 33689,
> 11099, and 11100 in the above netstat output) are due to jmx/rmi but
> I cannot for the life of me figure out how to secure them by forcing
> them to bind localhost instead of binding to the wildcard address.
> Can anyone point me in the right direction as to how to achieve this,
> please?
> 
> Thanks.