Posted to users@activemq.apache.org by edsn <ed...@gmail.com> on 2014/04/04 07:28:53 UTC

how to disable TRACE method on port 61614

Hi mates,

I got a problem with a security scan on a machine with apache-activemq-5.9.0
running.

The security dept asked me to disable the "TRACE method" on port 61614.

I saw that it's disabled by default on port 8161, where the webapps
(admin, hawtio, etc.) are.
(In org/eclipse/jetty/webapp/webdefault.xml for the Jetty web server there is a
<security-constraint>.)


Is it possible to disable it on port 61614 too?

Please could someone tell me how to do that...


The only conf that I found with this port was in conf/activemq.xml:

    <transportConnector name="ws"
        uri="ws://0.0.0.0:61614?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>


Below are the tests for the allowed methods.

edsn@edsn:~/apache-activemq-5.9.0$ telnet edsn 61614
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
OPTIONS / HTTP/1.1
host:edsn
.
HTTP/1.1 200 OK
Allow: GET, HEAD, TRACE, OPTIONS
Content-Length: 0
Server: Jetty(7.6.9.v20130131)


On port 8161 it's OK!

edsn@edsn:~/apache-activemq-5.9.0$ telnet edsn 8161
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
OPTIONS / HTTP/1.1
host:edsn
.
HTTP/1.1 404 Not Found
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 1267
Server: Jetty(7.6.9.v20130131)

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 404 Not Found</title>
</head>
<body>
<h2>HTTP ERROR: 404</h2>
<p>Problem accessing /. Reason:
<pre>    Not Found</pre></p>
<hr /><i><small>Powered by Jetty://</small></i>





--
View this message in context: http://activemq.2283324.n4.nabble.com/how-to-disable-TRACE-method-on-port-61614-tp4680056.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: how to disable TRACE method on port 61614

Posted by edsn <ed...@gmail.com>.
Hi Artnaseef,

Thanks for the reply. I read the post
<http://jetty.4.x6.nabble.com/Disable-HTTP-TRACE-in-Jetty-5-x-td12964.html>
at Jetty's forum before falling back on this forum. It seems that Jetty 4.x/5.x
needs you to put in the security constraint to disable TRACE, while in 6.x and
later it comes by default.

In my case, with apache-activemq-5.9.0, the Jetty version is
"7.6.9.v20130131".

Looking at conf/activemq.xml as reference, all the connectors (openwire,
amqp, stomp, mqtt) have TRACE disabled as expected, maybe because those
aren't even HTTP-based protocols.

The ' <import resource="jetty.xml"/> ' line is explicit in 'activemq.xml'.

But the "ws" (WebSocket) connector has a different behavior; it appears not
to import the constraint from the webdefault.xml file in Jetty.

The point is: why, except for the WebSocket port 61614, do all the other
protocols, including those over HTTP, have the TRACE method disabled
correctly? ... or at least they don't appear in vulnerability scans...

conf/activemq.xml:

        <transportConnectors>
            <!-- DOS protection, limit concurrent connections to 1000 and frame size to 100MB -->
            <transportConnector name="openwire"
                uri="tcp://0.0.0.0:61616?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>

            <transportConnector name="amqp"
                uri="amqp://0.0.0.0:5672?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>

            <transportConnector name="stomp"
                uri="stomp://0.0.0.0:61613?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>

            <transportConnector name="mqtt"
                uri="mqtt://0.0.0.0:1883?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>

            <transportConnector name="ws"
                uri="ws://0.0.0.0:61614?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
        </transportConnectors>

        <import resource="jetty.xml"/>


Remember that for the Security Area it doesn't matter what the real
purpose of this WebSocket port is. They only see the security issue and I
can't argue against it in an effective manner.



Here is what really happens in my tests for all ports opened by
apache-activemq:

---------------------------------------------------------------------------------------------
( Not OK )
-sh-4.1$ telnet localhost 61614
Trying ::1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.0
TEST
TEST

HTTP/1.1 200 OK
Content-Type: message/http
Content-Length: 26
Server: Jetty(7.6.9.v20130131)

TRACE / HTTP/1.0
TEST:
Connection closed by foreign host.
---------------------------------------------------------------------------------------------
( OK ! )
-sh-4.1$ telnet localhost 8161
Trying ::1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.0
TEST
TEST

HTTP/1.1 404 Not Found
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 1267
Server: Jetty(7.6.9.v20130131)

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 404 Not Found</title>
</head>
<body>
<h2>HTTP ERROR: 404</h2>
<p>Problem accessing /. Reason:
<pre>    Not Found</pre></p>
<hr /><i><small>Powered by Jetty://</small></i>

</body>
</html>
Connection closed by foreign host.

---------------------------------------------------------------------------------------------

( OK ! )
-sh-4.1$ telnet localhost 61616
Trying ::1...
Connected to localhost.
Escape character is '^]'.
(binary OpenWire WireFormatInfo frame; non-printable bytes omitted)
ActiveMQ ... MaxFrameSize CacheSize CacheEnabled SizePrefixDisabled
MaxInactivityDurationInitalDelay TcpNoDelayEnabled MaxInactivityDuration
TightEncodingEnabled StackTraceEnabled

Connection closed by foreign host.

---------------------------------------------------------------------------------------------
( OK ! but it locked my shell )
-sh-4.1$ telnet localhost 5672
Trying ::1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.0
host:localhost
.

TEST
TEST

.^C
---------------------------------------------------------------------------------------------
( OK ! but it locked my shell too )

-sh-4.1$ telnet localhost 61613
Trying ::1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.0
host:localhost
TEST
TEST
.
^X^C
---------------------------------------------------------------------------------------------
( OK ! but it locked my shell too )
-sh-4.1$ telnet localhost 1883
Trying ::1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.0
host:localhost
TEST
TEST


.

^C
---------------------------------------------------------------------------------------------

Best regards,

Edson M. Barbosa




On Sat, Apr 5, 2014 at 11:52 AM, artnaseef [via ActiveMQ] <
ml-node+s2283324n4680088h58@n4.nabble.com> wrote:

> Poking around the code, it looks like there is no way to configure this
> without a code change.
>
> Reading the following post,
> http://jetty.4.x6.nabble.com/Disable-HTTP-TRACE-in-Jetty-5-x-td12964.html,
> it seems it may not be necessary though. The TRACE method by default, while
> enabled, does not return content.
>
> Can you test and see if that satisfies the security issue?
>
> If disabling TRACE is needed, and my analysis of the need for a code
> change is correct, then a jira entry would be the next best step.
>




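As an added example (this is not code from the thread, from ActiveMQ or from Jetty), the script below does what the telnet sessions in the two posts above do by hand, for every listener in the default conf/activemq.xml. It sends OPTIONS and TRACE with a socket timeout, so the non-HTTP ports (61616, 5672, 61613, 1883) time out instead of locking the shell, and it reports a port as reflecting TRACE only when the reply is 200 with Content-Type message/http and echoes a header we sent, which is the condition a scanner's cross-site-tracing finding rests on. The host, the port list, the X-Probe marker header and the verdict strings are assumptions of the example; the sample replies are constructed, modeled on the telnet output in the thread, and only exercise the parsing offline.

```python
#!/usr/bin/env python3
"""Probe ActiveMQ listeners for HTTP TRACE (added example, not from the thread)."""
import socket
from typing import Dict, List, Optional

# Default ActiveMQ 5.9 listeners from conf/activemq.xml (assumed host/ports).
PORTS = {
    8161: "jetty web console",
    61614: "ws transport",
    61616: "openwire",
    5672: "amqp",
    61613: "stomp",
    1883: "mqtt",
}
MARKER = "X-Probe: trace-test"  # header we expect a reflected TRACE reply to echo

# Constructed sample replies, modeled on the telnet output in the thread.
SAMPLE_WS_OPTIONS = (
    b"HTTP/1.1 200 OK\r\nAllow: GET, HEAD, TRACE, OPTIONS\r\n"
    b"Content-Length: 0\r\nServer: Jetty(7.6.9.v20130131)\r\n\r\n"
)
SAMPLE_WS_TRACE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nContent-Length: 39\r\n"
    b"Server: Jetty(7.6.9.v20130131)\r\n\r\n"
    b"TRACE / HTTP/1.0\r\nX-Probe: trace-test\r\n"
)
SAMPLE_CONSOLE_TRACE = (
    b"HTTP/1.1 404 Not Found\r\nCache-Control: must-revalidate,no-cache,no-store\r\n"
    b"Content-Type: text/html;charset=ISO-8859-1\r\nContent-Length: 28\r\n"
    b"Server: Jetty(7.6.9.v20130131)\r\n\r\n<html>HTTP ERROR: 404</html>"
)
SAMPLE_OPENWIRE = b"\x00\x00\x00\x88\x01ActiveMQ\x00\x00\x00\x0c"  # binary, not HTTP


def build_request(method: str, host: str) -> bytes:
    """HTTP/1.0 so an HTTP server closes the connection after replying."""
    return f"{method} / HTTP/1.0\r\nHost: {host}\r\n{MARKER}\r\n\r\n".encode("ascii")


def parse_response(raw: bytes) -> Optional[Dict]:
    """Split a raw reply into status, lower-cased headers and body; None if not HTTP."""
    if not raw.startswith(b"HTTP/"):
        return None
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[1].isdigit():
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": int(parts[1]), "headers": headers, "body": body}


def allowed_methods(raw_options_reply: bytes) -> List[str]:
    """Methods advertised in the Allow header of an OPTIONS reply ([] if not HTTP)."""
    resp = parse_response(raw_options_reply)
    if resp is None:
        return []
    return [m.strip() for m in resp["headers"].get("allow", "").split(",") if m.strip()]


def classify_trace(raw_trace_reply: bytes) -> str:
    """'reflected' = 200 + message/http + our header echoed back (a scanner finding).
    Anything else is a refusal (status shown), a 200 without echo, or not HTTP."""
    resp = parse_response(raw_trace_reply)
    if resp is None:
        return "not-http"
    ctype = resp["headers"].get("content-type", "")
    if (resp["status"] == 200 and ctype.startswith("message/http")
            and MARKER.encode("ascii") in resp["body"]):
        return "reflected"
    if resp["status"] == 200:
        return "200-without-echo"
    return f"refused:{resp['status']}"


def probe(host: str, port: int, method: str, timeout: float = 3.0) -> bytes:
    """Send one request and read until the peer closes or the timeout fires.
    The timeout is what keeps the non-HTTP ports from hanging the probe."""
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_request(method, host))
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    except OSError:  # timeout, refused, reset: whatever arrived is still classified
        pass
    return b"".join(chunks)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for port, name in PORTS.items():
        methods = allowed_methods(probe(target, port, "OPTIONS"))
        verdict = classify_trace(probe(target, port, "TRACE"))
        print(f"{target}:{port:<6} {name:<18} allow={methods or '-'} trace={verdict}")
```

Run it as `python3 trace_probe.py broker-host` against a broker; on the 5.9.0 setup described in the thread the expected output is `trace=reflected` for 61614, `trace=refused:404` for 8161, and `trace=not-http` for the four non-HTTP transports. Keep the verdict strings in a ticket rather than the raw telnet pastes, since they state exactly which condition (echo of the request) was observed.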

Re: how to disable TRACE method on port 61614

Posted by artnaseef <ar...@artnaseef.com>.
Poking around the code, it looks like there is no way to configure this
without a code change.

Reading the following post,
http://jetty.4.x6.nabble.com/Disable-HTTP-TRACE-in-Jetty-5-x-td12964.html,
it seems it may not be necessary though. The TRACE method by default, while
enabled, does not return content.

Can you test and see if that satisfies the security issue?

If disabling TRACE is needed, and my analysis of the need for a code change
is correct, then a jira entry would be the next best step.


