Posted to dev@tomcat.apache.org by Andrey Kartashov <an...@sonatainc.com> on 2001/05/05 17:13:57 UTC

Re: Tomcat 3.2.2 beta 4 (insecure default settings)

On Fri, May 04, 2001 at 07:58:17PM -0400, Andrey Kartashov wrote:
[skpd]
> > Let's be prudent here. The standard configuration must avoid 
> > security hole. Many users will have tomcat in front and we
> > must avoid someone outside shutdown their TC boxes. 
> 
> Let me clarify this:) I don't ask you guys to change default configuration.
> I ask you to change shutdown code so that if I do change configuration from
> default to something else - the code'll still work.
> 
> Also if I'm not mistaken - Tomcat binds to all interfaces by default as I don't
> see inet="" option set to 127.0.0.1 in default server.xml file for Ajp
> connectors.  I'll double check that:)

I just did (I mean double checked).
I know it's stupid to reply to my own Email but here it goes:)
I used a fresh, untarred binary distribution (no modifications at all) of
jakarta-tomcat-3.2.2b4.

Here is a fragment of server.xml:
<Connector className="org.apache.tomcat.service.PoolTcpConnector">
	<Parameter name="handler"
	value="org.apache.tomcat.service.connector.Ajp12ConnectionHandler"/>
	<Parameter name="port" value="8007"/>
</Connector>

Here is the output of netstat:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:8007            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      
tcp        0    104 199.95.200.19:22        64.24.41.37:1021        ESTABLISHED 
tcp        0      0 199.95.200.19:22        64.24.41.37:1022        ESTABLISHED 
tcp        0      0 199.95.200.19:22        64.24.41.37:1023        ESTABLISHED 

The line containing 8007 is the Ajp connector listening on _ALL_ interfaces.

Here is the same test but with slightly modified server.xml:
<Connector className="org.apache.tomcat.service.PoolTcpConnector">
	<Parameter name="handler"
	value="org.apache.tomcat.service.connector.Ajp12ConnectionHandler"/>
	<Parameter name="port" value="8007"/>
	<Parameter name="inet" value="127.0.0.1"/>
</Connector>

Please note the presence of "inet" parameter here!

Here is the output of netstat:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      
tcp        0      0 127.0.0.1:8007          0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      
tcp        0     68 199.95.200.19:22        64.24.41.37:1021        ESTABLISHED 
tcp        0      0 199.95.200.19:22        64.24.41.37:1022        ESTABLISHED 
tcp        0      0 199.95.200.19:22        64.24.41.37:1023        ESTABLISHED 

Please note that port 8007 is bound to the 127.0.0.1 interface _ONLY_.

So if the security of the default settings is of any concern, I'd suggest you guys
modify the default server.xml file the way described above.

Hope this helps :)


-- 
oo Andrey
oo
oOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOo
"All mail clients suck. This one just sucks less."
           -- http://www.mutt.org/  Jeremy Blosser
oOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOo
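The check Andrey performed by hand above (run netstat, look for the AJP port, confirm it is bound to 127.0.0.1 rather than 0.0.0.0) can be scripted so it runs after every configuration change. The following is an added example written for this archive page; it is not code from the mail or from Tomcat. It parses Linux netstat output in the same column layout shown in the mail, and reports any listener on a port that is expected to be loopback-only but is bound to some other address. The two listings are copied from the mail as sample input; the set of loopback-only ports (8007, the Ajp12 connector) and the loopback address set are assumptions for the example.

```python
"""Audit a netstat listing for services that should only listen on loopback.

Added example for the dev@tomcat 'insecure default settings' thread; not code
from the mail or from Tomcat. Sample listings are copied from the mail.
"""
from typing import List, Set, Tuple

# Sample input copied from the mail: listing with the default server.xml.
NETSTAT_BEFORE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8007            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0    104 199.95.200.19:22        64.24.41.37:1021        ESTABLISHED
"""

# Sample input copied from the mail: listing after adding inet="127.0.0.1".
NETSTAT_AFTER = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8007          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0     68 199.95.200.19:22        64.24.41.37:1021        ESTABLISHED
"""

# Assumption: addresses that count as "local only" (IPv4 and IPv6 loopback).
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}

# Assumption: ports that should never be reachable from another host.
# 8007 is the Ajp12 connector discussed in the thread.
LOOPBACK_ONLY_PORTS: Set[int] = {8007}

Listener = Tuple[str, str, int]  # (protocol, bound address, port)


def split_local_address(addr: str) -> Tuple[str, int]:
    """Split netstat's 'host:port' column; rpartition handles ':::8007' too."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_listeners(netstat_text: str) -> List[Listener]:
    """Return every LISTEN socket in a netstat listing as (proto, host, port).

    Header lines and established connections are skipped; the column layout
    is the one netstat prints on Linux (Proto Recv-Q Send-Q Local Foreign State).
    """
    listeners: List[Listener] = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto, local, state = parts[0], parts[3], parts[5]
        if state != "LISTEN":
            continue
        host, port = split_local_address(local)
        listeners.append((proto, host, port))
    return listeners


def find_exposed(netstat_text: str, loopback_only_ports: Set[int]) -> List[Listener]:
    """Listeners on a loopback-only port that are bound to a non-loopback address.

    A wildcard bind (0.0.0.0 or ::) is flagged, but so is a bind to a specific
    external interface address, since both are reachable from other hosts.
    """
    return [
        (proto, host, port)
        for proto, host, port in parse_listeners(netstat_text)
        if port in loopback_only_ports and host not in LOOPBACK_ADDRS
    ]


if __name__ == "__main__":
    for label, listing in (("default server.xml", NETSTAT_BEFORE),
                           ("with inet=127.0.0.1", NETSTAT_AFTER)):
        exposed = find_exposed(listing, LOOPBACK_ONLY_PORTS)
        if exposed:
            for proto, host, port in exposed:
                print(f"{label}: {proto} port {port} bound to {host}, exposed to other hosts")
        else:
            print(f"{label}: all loopback-only ports are bound to loopback")
```

On a live box the same functions can be fed the output of `netstat -tln` read from a pipe; the point of the check is that it fails loudly if someone later drops the inet parameter from the connector and the AJP port silently returns to 0.0.0.0.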