You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by John Freeborg <jf...@softswitch.com> on 2001/11/09 19:49:23 UTC
Hackers shutting down your Tomcat 4.x server?
As I was reading through the server.xml config documentation I noticed
that the shutdown attribute of the server element is described as:
The command string that must be received via a
TCP/IP connection to the specified port number
in order to shut down Tomcat.
<Server port="8005" shutdown="SHUTDOWN" debug="99">
Am I correct in assuming that this would be a great thing to change if
you have a server out in the wild? (and perhaps the port also)
Other than a firewall blocking traffic to this port, what would prevent
some random hacker from connecting to port 8005 and shutting down my
server?
Thanks,
- John
--
To unsubscribe: <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>
Re: Hackers shutting down your Tomcat 4.x server?
Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Fri, 9 Nov 2001, John Freeborg wrote:
> Date: Fri, 9 Nov 2001 12:49:23 -0600
> From: John Freeborg <jf...@softswitch.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: Tomcat Users List <to...@jakarta.apache.org>
> Subject: Hackers shutting down your Tomcat 4.x server?
>
> As I was reading through the server.xml config documentation I noticed
> that the shutdown attribute of the server element is described as:
>
> The command string that must be received via a
> TCP/IP connection to the specified port number
> in order to shut down Tomcat.
>
> <Server port="8005" shutdown="SHUTDOWN" debug="99">
>
> Am I correct in assuming that this would be a great thing to change if
> you have a server out in the wild? (and perhaps the port also)
>
Yes. Another smart thing to do is to make sure no one can read the Tomcat
configuration files.
> Other than a firewall blocking traffic to this port, what would prevent
> some random hacker from connecting to port 8005 and shutting down my
> server?
>
It only accepts connections from localhost, and the attacker must know the
password.
> Thanks,
> - John
>
Craig
--
To unsubscribe: <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>
RE: Hackers shutting down your Tomcat 4.x server?
Posted by Brian Cochran <li...@bricom.com>.
As I understand it, the way the ServerSocket is constructed using the
InetAddress the server will only accept connections that are sent TO the
loopback port.
Here's a snippet from the javadoc.
public ServerSocket(int port,
int backlog,
InetAddress bindAddr)
throws IOException
Create a server with the specified port, listen backlog, and local IP
address to bind to. The bindAddr argument can be used on a multi-homed host
for a ServerSocket that will only accept connect requests to one of its
addresses. If bindAddr is null, it will default accepting connections on
any/all local addresses. The port must be between 0 and 65535, inclusive.
So tomcat is probably setting up this server with something like
ServerSocket shutdownListener =
new ServerSocket(port,backlog,InetAddress.getLocalHost());
One could probably spoof a return address of 127.0.0.1 but if the "to"
address is 127.0.0.1 there really isn't a way to route it to any box but
yourself (at least on a switched network). Only thing I could think of is on
a non-switched network you are somewhat vulnerable to an internal attack by
faking a mac address (although I may be wrong). However, I would guess that
nearly all production environments in which Tomcat is used are on fully
switched networks.
Hope this helps,
Brian
-----Original Message-----
From: pero [mailto:pero@antaramusic.de]
Sent: Friday, November 09, 2001 2:03 PM
To: Tomcat Users List
Subject: RE: Hackers shutting down your Tomcat 4.x server?
As far as I know the SHUTDOWN command can only be sent from localhost -> so
the hacker has to break into your system first. And if that happens you'll
experience other problems :-)
But I don't know if it is possible to do a "fake-localhost" connect as I am
not that familiar with the hacking stuff...
pero
--
To unsubscribe: <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>
RE: Hackers shutting down your Tomcat 4.x server?
Posted by pero <pe...@antaramusic.de>.
As far as I know the SHUTDOWN command can only be sent from localhost -> so
the hacker has to break into your system first. And if that happens you'll
experience other problems :-)
But I don't know if it is possible to do a "fake-localhost" connect as I am
not that familiar with the hacking stuff...
pero
> -----Original Message-----
> From: John Freeborg [mailto:jfreeborg@softswitch.com]
> Sent: Friday, November 09, 2001 7:49 PM
> To: Tomcat Users List
> Subject: Hackers shutting down your Tomcat 4.x server?
>
>
> As I was reading through the server.xml config documentation I noticed
> that the shutdown attribute of the server element is described as:
>
> The command string that must be received via a
> TCP/IP connection to the specified port number
> in order to shut down Tomcat.
>
> <Server port="8005" shutdown="SHUTDOWN" debug="99">
>
> Am I correct in assuming that this would be a great thing to change if
> you have a server out in the wild? (and perhaps the port also)
>
> Other than a firewall blocking traffic to this port, what would prevent
> some random hacker from connecting to port 8005 and shutting down my
> server?
>
> Thanks,
> - John
>
> --
> To unsubscribe: <ma...@jakarta.apache.org>
> For additional commands: <ma...@jakarta.apache.org>
> Troubles with the list: <ma...@jakarta.apache.org>
>
>
--
To unsubscribe: <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>