Posted to dev@tomcat.apache.org by Andrey Kartashov <an...@sonatainc.com> on 2001/05/05 17:13:57 UTC
Re: Tomcat 3.2.2 beta 4 (insecure default settings)
On Fri, May 04, 2001 at 07:58:17PM -0400, Andrey Kartashov wrote:
[skpd]
> > Let's be prudent here. The standard configuration must avoid
> > security hole. Many users will have tomcat in front and we
> > must avoid someone outside shutdown their TC boxes.
>
> Let me clarify this:) I don't ask you guys to change default configuration.
> I ask you to change shutdown code so that if I do change configuration from
> default to something else - the code'll still work.
>
> Also if I'm not mistaken - Tomcat binds to all interfaces by default as I don't
> see inet="" option set to 127.0.0.1 in default server.xml file for Ajp
> connectors. I'll double check that:)
I just did (I mean double checked).
I know it's stupid to reply to my own Email but here it goes:)
I used fresh untarred binary distribution (no modifications at all) of
jakarta-tomcat-3.2.2b4.
Here is a fragment of server.xml:
<Connector className="org.apache.tomcat.service.PoolTcpConnector">
    <Parameter name="handler"
        value="org.apache.tomcat.service.connector.Ajp12ConnectionHandler"/>
    <Parameter name="port" value="8007"/>
</Connector>
Here is the output of netstat:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8007 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 104 199.95.200.19:22 64.24.41.37:1021 ESTABLISHED
tcp 0 0 199.95.200.19:22 64.24.41.37:1022 ESTABLISHED
tcp 0 0 199.95.200.19:22 64.24.41.37:1023 ESTABLISHED
The line containing 8007 is Ajp connector listening on _ALL_ interfaces.
Here is the same test but with slightly modified server.xml:
<Connector className="org.apache.tomcat.service.PoolTcpConnector">
    <Parameter name="handler"
        value="org.apache.tomcat.service.connector.Ajp12ConnectionHandler"/>
    <Parameter name="port" value="8007"/>
    <Parameter name="inet" value="127.0.0.1"/>
</Connector>
Please note the presence of "inet" parameter here!
Here is the output of netstat:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8007 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 68 199.95.200.19:22 64.24.41.37:1021 ESTABLISHED
tcp 0 0 199.95.200.19:22 64.24.41.37:1022 ESTABLISHED
tcp 0 0 199.95.200.19:22 64.24.41.37:1023 ESTABLISHED
Please note that port 8007 is bound to 127.0.0.1 interface _ONLY_.
So if the security of the default settings is of any concern, I'd suggest you guys
modify the default server.xml file in the way described above.
Hope this helps :)
--
oo Andrey
oo
oOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOo
"All mail clients suck. This one just sucks less."
-- http://www.mutt.org/ Jeremy Blosser
oOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOo
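The check below is an added example, not part of the mail above and not Tomcat's own code: it parses a server.xml fragment modelled on the one in the mail, reports Ajp connectors that have no loopback "inet" parameter (and will therefore bind 0.0.0.0), and cross-checks the result against netstat output in the same layout as shown above. The server.xml and netstat samples are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the server.xml fragment quoted in the mail,
# not the real distribution file: the first Ajp12 connector has no "inet"
# parameter (binds all interfaces), the second is pinned to loopback.
SAMPLE_SERVER_XML = """<Server><ContextManager>
  <Connector className="org.apache.tomcat.service.PoolTcpConnector">
    <Parameter name="handler"
      value="org.apache.tomcat.service.connector.Ajp12ConnectionHandler"/>
    <Parameter name="port" value="8007"/>
  </Connector>
  <Connector className="org.apache.tomcat.service.PoolTcpConnector">
    <Parameter name="handler"
      value="org.apache.tomcat.service.connector.Ajp12ConnectionHandler"/>
    <Parameter name="port" value="8009"/>
    <Parameter name="inet" value="127.0.0.1"/>
  </Connector>
</ContextManager></Server>"""

# Constructed netstat lines in the same layout as the ones in the mail.
SAMPLE_NETSTAT = """Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:8007 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8009 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN"""

LOOPBACK = ("127.0.0.1", "localhost", "::1")

def connector_bindings(xml_text):
    """Return [(handler, port, inet)] for each Connector; inet is None when absent."""
    root = ET.fromstring(xml_text)
    out = []
    for conn in root.iter("Connector"):
        params = {p.get("name"): p.get("value") for p in conn.findall("Parameter")}
        out.append((params.get("handler", ""), params.get("port"), params.get("inet")))
    return out

def exposed_ajp_ports(xml_text):
    """Ports of Ajp connectors that will bind every interface (no loopback inet)."""
    return [port for handler, port, inet in connector_bindings(xml_text)
            if "Ajp" in handler and inet not in LOOPBACK]

def listens_on_all_interfaces(netstat_text, port):
    """True if a LISTEN socket for `port` is bound to the wildcard address."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] == "tcp" and f[-1] == "LISTEN":
            addr, _, lport = f[3].rpartition(":")
            if lport == str(port) and addr in ("0.0.0.0", "::"):
                return True
    return False
```

Run exposed_ajp_ports over the real server.xml and confirm each reported port with listens_on_all_interfaces on the live netstat output; a port that appears in both is reachable from every interface exactly as the mail describes.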