Posted to users@tomcat.apache.org by John Freeborg <jf...@softswitch.com> on 2001/11/09 19:49:23 UTC

Hackers shutting down your Tomcat 4.x server?

As I was reading through the server.xml config documentation I noticed
that the shutdown attribute of the server element is described as:

      The command string that must be received via a
      TCP/IP connection to the specified port number
      in order to shut down Tomcat.

      <Server port="8005" shutdown="SHUTDOWN" debug="99">

Am I correct in assuming that this would be a great thing to change if
you have a server out in the wild? (and perhaps the port also)

Other than a firewall blocking traffic to this port, what would prevent
some random hacker from connecting to port 8005 and shutting down my
server?

Thanks,
 - John

--
To unsubscribe:   <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>


Re: Hackers shutting down your Tomcat 4.x server?

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Fri, 9 Nov 2001, John Freeborg wrote:

> Date: Fri, 9 Nov 2001 12:49:23 -0600
> From: John Freeborg <jf...@softswitch.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: Tomcat Users List <to...@jakarta.apache.org>
> Subject: Hackers shutting down your Tomcat 4.x server?
>
> As I was reading through the server.xml config documentation I noticed
> that the shutdown attribute of the server element is described as:
>
>       The command string that must be received via a
>       TCP/IP connection to the specified port number
>       in order to shut down Tomcat.
>
>       <Server port="8005" shutdown="SHUTDOWN" debug="99">
>
> Am I correct in assuming that this would be a great thing to change if
> you have a server out in the wild? (and perhaps the port also)
>

Yes.  Another smart thing to do is to make sure no one can read the Tomcat
configuration files.

> Other than a firewall blocking traffic to this port, what would prevent
> some random hacker from connecting to port 8005 and shutting down my
> server?
>

It only accepts connections from localhost, and the attacker must know the
password.

> Thanks,
>  - John
>

Craig




RE: Hackers shutting down your Tomcat 4.x server?

Posted by Brian Cochran <li...@bricom.com>.
As I understand it, the way the ServerSocket is constructed using the
InetAddress the server will only accept connections that are sent TO the
loopback port.

Here's a snippet from the javadoc.

public ServerSocket(int port,
                    int backlog,
                    InetAddress bindAddr)
             throws IOException

Create a server with the specified port, listen backlog, and local IP
address to bind to. The bindAddr argument can be used on a multi-homed host
for a ServerSocket that will only accept connect requests to one of its
addresses. If bindAddr is null, it will default accepting connections on
any/all local addresses. The port must be between 0 and 65535, inclusive.

So tomcat is probably setting up this server with something like

  // bind to the loopback address explicitly (getLocalHost() returns the
  // host's primary address, not 127.0.0.1)
  ServerSocket shutdownListener =
      new ServerSocket(port, backlog, InetAddress.getByName("127.0.0.1"));

One could probably spoof a return address of 127.0.0.1, but if the "to"
address is 127.0.0.1 there really isn't a way to route it to any box but
yourself (at least on a switched network). The only thing I could think of is
that on a non-switched network you are somewhat vulnerable to an internal
attack by faking a MAC address (although I may be wrong). However, I would
guess that nearly all production environments in which Tomcat is used are on
fully switched networks.

Hope this helps,
Brian




-----Original Message-----
From: pero [mailto:pero@antaramusic.de]
Sent: Friday, November 09, 2001 2:03 PM
To: Tomcat Users List
Subject: RE: Hackers shutting down your Tomcat 4.x server?


As far as I know the SHUTDOWN command can only be sent from localhost -> so
the hacker has to break into your system first. And if that happens you'll
experience other problems :-)
But I don't know if it is possible to do a "fake-localhost" connect as I am
not that familiar with the hacking stuff...

pero
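As an added example covering the two safeguards discussed above (Craig's point that the listener is localhost-only and needs the command string, and Brian's point about the bind address), not code from the thread or from Tomcat itself: a small Python audit that flags a <Server> element still using the documented defaults, generates a replacement command string, and checks netstat output for a shutdown listener bound to anything other than loopback. The server.xml and the `netstat -an` lines are constructed samples, and the Linux netstat column layout is assumed.

```python
import re
import secrets
import xml.etree.ElementTree as ET

DEFAULT_PORT = 8005           # the port the documentation quotes
DEFAULT_COMMAND = "SHUTDOWN"  # the command string the documentation quotes

# Constructed sample: the <Server> element quoted in the thread.
SAMPLE_SERVER_XML = '<Server port="8005" shutdown="SHUTDOWN" debug="99"></Server>'

# Constructed sample `netstat -an` lines (Linux layout assumed).
SAMPLE_NETSTAT = [
    "tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN",
    "tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN",
]

def audit_shutdown_config(xml_text: str) -> list[str]:
    """Flag shutdown settings an outsider could guess from the docs alone."""
    root = ET.fromstring(xml_text)
    port = int(root.get("port", DEFAULT_PORT))
    command = root.get("shutdown", DEFAULT_COMMAND)
    findings = []
    if port == DEFAULT_PORT:
        findings.append(f"shutdown port is the documented default {DEFAULT_PORT}")
    if command == DEFAULT_COMMAND:
        findings.append(f"shutdown command is the documented default {DEFAULT_COMMAND!r}")
    elif len(command) < 16:
        findings.append(f"shutdown command is only {len(command)} characters long")
    return findings

def generate_shutdown_command(nbytes: int = 24) -> str:
    """Random replacement for the shutdown attribute; URL-safe, so XML-safe too."""
    return secrets.token_urlsafe(nbytes)

# local-address:port of a listening socket, e.g. "127.0.0.1:8005"
_LISTEN_RE = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")

def exposed_listeners(netstat_lines: list[str], port: int) -> list[str]:
    """Local addresses other than loopback (127.0.0.0/8) on which `port` listens."""
    exposed = []
    for line in netstat_lines:
        m = _LISTEN_RE.match(line)
        if m and int(m.group(2)) == port and not m.group(1).startswith("127."):
            exposed.append(m.group(1))
    return exposed
```

Running `audit_shutdown_config` over a production server.xml and `exposed_listeners` over the host's own `netstat -an` output answers John's two questions from the defender's side: are the defaults still in place, and is the listener really reachable only via loopback.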





RE: Hackers shutting down your Tomcat 4.x server?

Posted by pero <pe...@antaramusic.de>.
As far as I know the SHUTDOWN command can only be sent from localhost -> so
the hacker has to break into your system first. And if that happens you'll
experience other problems :-)
But I don't know if it is possible to do a "fake-localhost" connect as I am
not that familiar with the hacking stuff...

pero


> -----Original Message-----
> From: John Freeborg [mailto:jfreeborg@softswitch.com]
> Sent: Friday, November 09, 2001 7:49 PM
> To: Tomcat Users List
> Subject: Hackers shutting down your Tomcat 4.x server?
>
>
> As I was reading through the server.xml config documentation I noticed
> that the shutdown attribute of the server element is described as:
>
>       The command string that must be received via a
>       TCP/IP connection to the specified port number
>       in order to shut down Tomcat.
>
>       <Server port="8005" shutdown="SHUTDOWN" debug="99">
>
> Am I correct in assuming that this would be a great thing to change if
> you have a server out in the wild? (and perhaps the port also)
>
> Other than a firewall blocking traffic to this port, what would prevent
> some random hacker from connecting to port 8005 and shutting down my
> server?
>
> Thanks,
>  - John
>

