Posted to user@karaf.apache.org by Graham Leggett <mi...@sharp.fm> on 2013/02/12 10:44:48 UTC

Karaf security hardening

Hi all,

I am currently trying to security harden the default version of karaf. When the default latest version of v2.3.0 is started up with a default configuration, it binds to and listens on the following ports:

[minfrin@localhost bin]$ lsof -p 11151 | grep LISTEN
java    11151 minfrin   15u  IPv6             357257      0t0    TCP *:59514 (LISTEN)
java    11151 minfrin   68u  IPv6             357493      0t0    TCP localhost:59113 (LISTEN)
java    11151 minfrin   87u  IPv6             357859      0t0    TCP *:rmiregistry (LISTEN)
java    11151 minfrin   88u  IPv6             357860      0t0    TCP *:44444 (LISTEN)
java    11151 minfrin   99u  IPv6             358277      0t0    TCP *:ldoms-migr (LISTEN)

Can anyone confirm what services these ports are exposing, and how they can be controlled, secured, or switched off?

Regards,
Graham
--


Re: Karaf security hardening

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi Graham,

RMI registry (1099) and RMI server (44444) are used by the JMX layer. 
You can configure it in etc/org.apache.karaf.management.cfg.

Another port by default is 8101 (used by the SSH layer) that you can 
configure in etc/org.apache.karaf.shell.cfg.

I did the same as you (using netstat):

netstat -nlp|grep -i 19801
tcp6       0      0 :::8101                 :::*                    LISTEN      19801/java
tcp6       0      0 :::1099                 :::*                    LISTEN      19801/java
tcp6       0      0 :::44444                :::*                    LISTEN      19801/java
tcp6       0      0 :::39170                :::*                    LISTEN      19801/java
tcp6       0      0 127.0.0.1:39875         :::*                    LISTEN      19801/java

The 39170/39875 are created at startup by Karaf (for the RMI JMX 
connector AFAIR).

Regards
JB

On 02/12/2013 10:44 AM, Graham Leggett wrote:

-- 
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com

Re: Karaf security hardening

Posted by Caspar MacRae <ea...@gmail.com>.
Yes completely agree with JB - I was just listing the output of an instance
of one of our customized Karafs, it's the same as maintaining features.xml
- a downstream concern.

IMO the security settings in Karaf are the right balance between
secure-by-default and a low adoption/experimentation barrier (what sold Karaf
to my boss was the SSH access to the shell; the response was "oooh
cool!").  The onus, as always, is with the developer/deployer to ensure
security.

cheers,
Caspar



On 14 February 2013 12:12, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:


Re: Karaf security hardening

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
I don't think that ActiveMQ or Derby makes sense in Karaf: it's not 
provided out of the box. As we cannot "control" all features, routes, 
etc deployed in Karaf, we should document the port number/security 
points for a Karaf "from scratch/out of the box".

My $0.02

Regards
JB

On 02/14/2013 12:40 PM, Achim Nierbeck wrote:

-- 
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com

Re: Karaf security hardening

Posted by Achim Nierbeck <bc...@googlemail.com>.
Filed a new issue for that :)

https://issues.apache.org/jira/browse/KARAF-2187


2013/2/14 Achim Nierbeck <bc...@googlemail.com>


-- 

Apache Karaf <http://karaf.apache.org/> Committer & PMC
OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
Project Lead
OPS4J Pax for Vaadin <http://team.ops4j.org/wiki/display/PAXVAADIN/Home>
Committer & Project Lead
blog <http://notizblog.nierbeck.de/>

Re: Karaf security hardening

Posted by Achim Nierbeck <bc...@googlemail.com>.
Very nice summary,
we should create documentation for this.

regards, Achim


2013/2/14 Caspar MacRae <ea...@gmail.com>


-- 

Apache Karaf <http://karaf.apache.org/> Committer & PMC
OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
Project Lead
OPS4J Pax for Vaadin <http://team.ops4j.org/wiki/display/PAXVAADIN/Home>
Committer & Project Lead
blog <http://notizblog.nierbeck.de/>

Re: Karaf security hardening

Posted by Caspar MacRae <ea...@gmail.com>.
Grep the config for the ports returned by lsof:

egrep -r '(5005|42862|36495|1099|44444|8181|1527|8101|61616)' ${KARAF_HOME}/etc
./activemq.xml:            <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
./jetty.xml:                    <Property name="jetty.port" default="8181"/>
./org.apache.activemq.webconsole.cfg:webconsole.jms.url=tcp://0.0.0.0:61616
./org.apache.karaf.management.cfg:rmiRegistryPort = 9901
./org.apache.karaf.management.cfg:rmiServerPort = 44444
./org.apache.karaf.shell.cfg:sshPort=8101

Or with Karaf shell, try:  config:list | grep -i port


Some common defaults:
5005 Karaf debug port
44444 and 1099 RMI server and registry
8181 default for PaxWeb
8101 SSH (shown as ldoms-migr in your listing)
61616 ActiveMQ
1527 Derby DB


${KARAF_HOME}/data/port contains a port number used to trigger shutdown by
service scripts.  In your lsof it looks like the shutdown port is on 59113
(that's why it's only open on localhost).

You can always try:  telnet localhost PORTNUM to see if the other side
displays any protocol info (enter, ^D or ^C to exit).


To make things more secure without disabling services etc, set the host to
localhost / 127.0.0.1 in various config files to ensure the ports are not
exposed to the network:  grep -i host ${KARAF_HOME}/etc


cheers,
Caspar



On 14 February 2013 07:00, Christian Schneider <ch...@die-schneider.net> wrote:

> When looking at the security please be aware that the ssh port allows
> access with a default private key that is publicly available.
> So make sure you remove the line karaf=... in etc/keys.properties and you
> should also change the password of the karaf user in user.properties.
>
> Christian
>
> Am 12.02.2013 10:44, schrieb Graham Leggett:
>
>> Hi all,
>>
>> I am currently trying to security harden the default version of karaf.
>> When the default latest version of v2.3.0 is started up with a default
>> configuration, it binds to and listens on the following ports:
>>
>> [minfrin@localhost bin]$ lsof -p 11151 | grep LISTEN
>> java    11151 minfrin   15u  IPv6             357257      0t0    TCP
>> *:59514 (LISTEN)
>> java    11151 minfrin   68u  IPv6             357493      0t0    TCP
>> localhost:59113 (LISTEN)
>> java    11151 minfrin   87u  IPv6             357859      0t0    TCP
>> *:rmiregistry (LISTEN)
>> java    11151 minfrin   88u  IPv6             357860      0t0    TCP
>> *:44444 (LISTEN)
>> java    11151 minfrin   99u  IPv6             358277      0t0    TCP
>> *:ldoms-migr (LISTEN)
>>
>> Can anyone confirm what services these ports are exposing, and how they
>> can be controlled, secured, or switched off?
>>
>> Regards,
>> Graham
>> --
>>
>>
>
> --
>  Christian Schneider
> http://www.liquid-reality.de
>
> Open Source Architect
> Talend Application Integration Division http://www.talend.com
>
>

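As an added example (not code from Caspar's message, the thread, or Karaf itself), this POSIX shell script classifies a Karaf JVM's LISTEN sockets from `lsof -p PID | grep LISTEN` output using the port/service mapping given above, and marks which ones are bound to all interfaces. The function names are mine; the sample input is the lsof listing from the first message, and the rmiregistry/ldoms-migr names are mapped back to 1099 and 8101 as JB and Caspar explained.

```shell
#!/bin/sh
# Added example (not code from the thread): classify the LISTEN sockets of a
# Karaf JVM from `lsof -p PID | grep LISTEN` output, using the port/service
# mapping Caspar gives above. lsof prints /etc/services names for well-known
# ports, so rmiregistry and ldoms-migr are mapped back to 1099 and 8101.

# Karaf service behind a port number, per the thread's list; "unknown" otherwise.
karaf_service_for_port() {
    case "$1" in
        1099)  echo "RMI registry for JMX (etc/org.apache.karaf.management.cfg)" ;;
        44444) echo "RMI server for JMX (etc/org.apache.karaf.management.cfg)" ;;
        8101)  echo "SSH console (etc/org.apache.karaf.shell.cfg)" ;;
        8181)  echo "Pax Web HTTP (etc/jetty.xml)" ;;
        5005)  echo "JVM debug port" ;;
        61616) echo "ActiveMQ openwire, only if that feature is installed" ;;
        1527)  echo "Derby DB, only if that feature is installed" ;;
        *)     echo "unknown" ;;
    esac
}

# Undo lsof's name resolution for the two names seen in the original listing.
port_number() {
    case "$1" in
        rmiregistry) echo 1099 ;;
        ldoms-migr)  echo 8101 ;;
        *)           echo "$1" ;;
    esac
}

# Read lsof lines on stdin, print "<EXPOSED|LOCAL> <port> <service>" per socket.
# The NAME column (addr:port) is the field just before "(LISTEN)".
classify_listeners() {
    awk '$NF == "(LISTEN)" { print $(NF-1) }' | while IFS= read -r name; do
        addr=${name%:*}
        port=$(port_number "${name##*:}")
        scope=LOCAL                    # loopback or a specific address
        case "$addr" in
            '*'|0.0.0.0|'[::]'|::) scope=EXPOSED ;;   # wildcard bind: reachable from the network
        esac
        printf '%s %s %s\n' "$scope" "$port" "$(karaf_service_for_port "$port")"
    done
}

# Constructed input: the lsof listing from the first message in this thread.
SAMPLE_LSOF='java    11151 minfrin   15u  IPv6             357257      0t0    TCP *:59514 (LISTEN)
java    11151 minfrin   68u  IPv6             357493      0t0    TCP localhost:59113 (LISTEN)
java    11151 minfrin   87u  IPv6             357859      0t0    TCP *:rmiregistry (LISTEN)
java    11151 minfrin   88u  IPv6             357860      0t0    TCP *:44444 (LISTEN)
java    11151 minfrin   99u  IPv6             358277      0t0    TCP *:ldoms-migr (LISTEN)'

# Number of wildcard-bound sockets; a non-zero result is what a hardening check would flag.
count_exposed() {
    printf '%s\n' "$SAMPLE_LSOF" | classify_listeners | grep -c '^EXPOSED ' || true
}

printf '%s\n' "$SAMPLE_LSOF" | classify_listeners
```

On a live host, replace the sample with `lsof -p "$(cat ${KARAF_HOME}/karaf.pid 2>/dev/null || pgrep -f karaf)" | classify_listeners`; the 59113 socket stays LOCAL because it is the shutdown port Caspar describes.
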
Re: Karaf security hardening

Posted by Christian Schneider <ch...@die-schneider.net>.
When looking at security, please be aware that the SSH port allows 
access with a default private key that is publicly available.
So make sure you remove the line karaf=... in etc/keys.properties, and 
you should also change the password of the karaf user in user.properties.

Christian

Am 12.02.2013 10:44, schrieb Graham Leggett:


-- 
  
Christian Schneider
http://www.liquid-reality.de

Open Source Architect
Talend Application Integration Division http://www.talend.com
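
As an added example that is not from this thread or from the Karaf project, the following POSIX shell audit checks a Karaf etc/ directory for the points raised by Caspar (bind the SSH and RMI listeners to 127.0.0.1) and by Christian (remove the shipped karaf= key, change the karaf password). It assumes the Karaf 2.3 keys sshHost in etc/org.apache.karaf.shell.cfg and rmiRegistryHost / rmiServerHost in etc/org.apache.karaf.management.cfg, assumes the stock password of the karaf user in etc/users.properties is karaf, and builds a constructed etc/ directory in a temp dir (with a placeholder key value) instead of touching a real installation.

```shell
#!/bin/sh
# Added example (not code from the thread or from Karaf): audit a Karaf etc/
# directory for the points raised above. Assumed Karaf 2.3 keys: sshHost in
# org.apache.karaf.shell.cfg, rmiRegistryHost and rmiServerHost in
# org.apache.karaf.management.cfg; assumed stock credential: user "karaf"
# with password "karaf" in users.properties. Nothing here edits a real install.

# Print the value of key $1 in file $2 ("key=value" or "key = value"), or nothing.
cfg_value() {
    [ -f "$2" ] || return 0
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# One finding per line for the etc/ directory in $1; silent when hardened.
audit_karaf_etc() {
    etc=$1
    for spec in "org.apache.karaf.shell.cfg:sshHost" \
                "org.apache.karaf.management.cfg:rmiRegistryHost" \
                "org.apache.karaf.management.cfg:rmiServerHost"; do
        file=${spec%%:*}; key=${spec##*:}
        host=$(cfg_value "$key" "$etc/$file")
        case "$host" in
            127.0.0.1|localhost|::1) ;;   # loopback only: not reachable from the network
            '')  echo "$file: $key not set, service binds to all interfaces" ;;
            *)   echo "$file: $key=$host exposes the service to the network" ;;
        esac
    done
    # The shipped karaf= entry is a public key anyone can download (Christian's point).
    if grep -q '^[[:space:]]*karaf[[:space:]]*=' "$etc/keys.properties" 2>/dev/null; then
        echo "keys.properties: default karaf= public key still enabled"
    fi
    # users.properties format is "user = password,role,...": flag the stock password.
    pw=$(cfg_value karaf "$etc/users.properties" | cut -d, -f1 | tr -d '[:space:]')
    [ "$pw" = "karaf" ] && echo "users.properties: karaf user still has the default password"
    return 0
}

# Constructed etc/ mirroring the 2.3 defaults (the key value is a placeholder).
make_default_etc() {
    d=$(mktemp -d)
    printf 'sshPort=8101\nsshHost=0.0.0.0\n' > "$d/org.apache.karaf.shell.cfg"
    printf 'rmiRegistryPort = 1099\nrmiRegistryHost = 0.0.0.0\nrmiServerPort = 44444\nrmiServerHost = 0.0.0.0\n' \
        > "$d/org.apache.karaf.management.cfg"
    printf 'karaf=PLACEHOLDER_DEFAULT_KEY,admin\n' > "$d/keys.properties"
    printf 'karaf = karaf,admin\n' > "$d/users.properties"
    echo "$d"
}

# The same directory after applying the thread's advice.
make_hardened_etc() {
    d=$(make_default_etc)
    sed -i.bak 's/^sshHost=.*/sshHost=127.0.0.1/' "$d/org.apache.karaf.shell.cfg"
    sed -i.bak 's/^\(rmi[A-Za-z]*Host\) = .*/\1 = 127.0.0.1/' "$d/org.apache.karaf.management.cfg"
    sed -i.bak '/^karaf=/d' "$d/keys.properties"           # drop the public default key
    printf 'karaf = PLACEHOLDER_NEW_PASSWORD,admin\n' > "$d/users.properties"
    echo "$d"
}

# Number of findings, for use as a pass/fail gate in a build or deploy script.
finding_count() {
    audit_karaf_etc "$1" | wc -l | tr -d ' '
}

audit_karaf_etc "$(make_default_etc)"
```

Run `audit_karaf_etc ${KARAF_HOME}/etc` against a real installation to get the same five findings on a stock 2.3.0 and none once the hosts are bound to loopback and the default credentials are gone.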