Posted to dev@tomcat.apache.org by Glenn Nielsen <gl...@voyager.apg.more.net> on 2001/03/05 02:26:58 UTC

Restricting Access to Tomcat 3.x and Tomcat 4.0 Connectors

I have a general question about restricting access from remote hosts
to common connectors used by Tomcat 3.x and Tomcat 4.0.

Tomcat 3.x will use port 8007 for its Apache ajp12 connector, is there any way
to configure Tomcat 3.x so it will only accept connections on that port
from localhost or a single remote host?  What about shutdown, does the
port only accept requests from localhost?

Tomcat 4.0 will use port 8005 as its shutdown port, will this only accept
connections from localhost?  Is this configurable? 

Tomcat 4.0 will use port 8008 for its Warp Connector.  Can this be filtered
using the Request Filter Valve?  The docs for the Request Filter refer to
denying HTTP requests.

Regards,

Glenn
 
----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------

Re: Restricting Access to Tomcat 3.x and Tomcat 4.0 Connectors

Posted by "Pier P. Fumagalli" <pi...@betaversion.org>.
Dan Milstein <da...@shore.net> wrote:
> 
> The spec for the Ajp2.1 (which was not, AFAIK, ever implemented) has an
> excellent section discussing "Security Hazards".  Anyone interested can
> check that out at:
> 
> http://java.apache.org/jserv/protocol/AJPv21.html

Hehehe :) I was one of the co-authors of that spec :) (Nice to see when
someone pulls out a work from the past and says it contains "excellent"
pointers)....

To deny DOS attacks, I suggest using kernel-level IP filtering packages
(such as the IPF package for Solaris/*BSD or IPCHAINS for Linux - or
whatever its name is today). They work pretty well, try to connect to port
8080 on kali.betaversion.org :) :) :) (Tomcat is running with the default
HTTP connector, but its access is restricted to only 127.0.0.1 and
192.168.1.* if it comes from the right Ethernet interface :)

    Pier

-- 
----------------------------------------------------------------------------
Pier Fumagalli  <http://www.betaversion.org/>  <ma...@betaversion.org>


Re: Restricting Access to Tomcat 3.x and Tomcat 4.0 Connectors

Posted by Dan Milstein <da...@shore.net>.
In 3.x, the Ajp12 and Ajp13 Connectors currently accept connections from
anywhere.  People have proposed adding the ability to have an accept/deny
list in the configs, but it hasn't been done (the Java code for this would
be pretty easy, actually), and it would be backward compatible with the
mod_jk C code (which wouldn't need to know about it at all, actually).

As a minimal form of security, both connectors will only accept a shutdown
if it is issued from the same host as TC is running on (e.g. if
socket.getLocalAddress and socket.getInetAddress are the same).  Costin
recently added an optional 'secret' -- either user-set or randomly generated
by TC.  If user-set, it can be added to worker.properties (I think), or if
randomly generated, it can be read from a specific file in the config dir
(the same way that httpd.pid can be read by apachectl).  If useSecret is
set, then the shutdown request is only acted on if it is followed by the
secret.

I don't know if Costin has documented this or not -- I haven't looked.

With ajp13, the server is basically proxying requests, so some security
issues don't arise.  The biggest gotcha I'm aware of is that TC trusts the
web server to establish the remote_user property (which the user might need
to authenticate to prove).  So someone could manufacture an ajp13 connection
which would allow them to access servlets that they should be denied.  I
haven't actually created this exploit, but I believe the vulnerability is
there.

The spec for the Ajp2.1 (which was not, AFAIK, ever implemented) has an
excellent section discussing "Security Hazards".  Anyone interested can
check that out at:

http://java.apache.org/jserv/protocol/AJPv21.html

-Dan

Glenn Nielsen wrote:
> 
> I have a general question about restricting access from remote hosts
> to common connectors used by Tomcat 3.x and Tomcat 4.0.
> 
> Tomcat 3.x will use port 8007 for its Apache ajp12 connector, is there any way
> to configure Tomcat 3.x so it will only accept connections on that port
> from localhost or a single remote host?  What about shutdown, does the
> port only accept requests from localhost?
> 
> Tomcat 4.0 will use port 8005 as its shutdown port, will this only accept
> connections from localhost?  Is this configurable?
> 
> Tomcat 4.0 will use port 8008 for its Warp Connector.  Can this be filtered
> using the Request Filter Valve?  The docs for the Request Filter refer to
> denying HTTP requests.
> 
> Regards,
> 
> Glenn
> 
> ----------------------------------------------------------------------
> Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
> MOREnet System Programming               |  * if iz ina coment.      |
> Missouri Research and Education Network  |  */                       |
> ----------------------------------------------------------------------

-- 

Dan Milstein // danmil@shore.net

Re: Restricting Access to Tomcat 3.x and Tomcat 4.0 Connectors

Posted by "Pier P. Fumagalli" <pi...@betaversion.org>.
Glenn Nielsen <gl...@voyager.apg.more.net> wrote:

> Ok, so if you want to restrict network access from remote Apache servers
> using the mod_jserv, mod_jk, or mod_webapp connectors to Tomcat; you can't
> do it with either Tomcat 3.2 or Tomcat 4.0, correct?
> 
> Sure would be nice if network access allow/deny for Connectors could be
> configured for those who don't put Tomcat behind a firewall.

I don't know about mod_jserv/mod_jk (in mod_jserv it was possible with
Jserv, but I don't know about the Tomcat implementation of AJP).

With mod_webapp, or better, the WARP connector for Tomcat 4.0 (we're not
dealing with the Apache side of things, but with its counterpart in the
Java Virtual Machine) is not implemented, but it's feasible. Maybe in the
next release? Who knows... :) :) :)

    Pier

-- 
----------------------------------------------------------------------------
Pier Fumagalli  <http://www.betaversion.org/>  <ma...@betaversion.org>


Re: Restricting Access to Tomcat 3.x and Tomcat 4.0 Connectors

Posted by Glenn Nielsen <gl...@voyager.apg.more.net>.
Ok, so if you want to restrict network access from remote Apache servers
using the mod_jserv, mod_jk, or mod_webapp connectors to Tomcat; you can't 
do it with either Tomcat 3.2 or Tomcat 4.0, correct? 

Sure would be nice if network access allow/deny for Connectors could be
configured for those who don't put Tomcat behind a firewall.

Regards,

Glenn

"Pier P. Fumagalli" wrote:
> 
> Craig R. McClanahan <Cr...@eng.sun.com> wrote:
> >>
> >> Tomcat 4.0 will use port 8005 as its shutdown port, will this only accept
> >> connections from localhost?
> >
> > Yes, in effect.  The connection is accepted no matter where it comes from, but
> > attempts to shut down Tomcat are refused unless they are from localhost.
> >
> > AFAIK, there is no way through standard Java I/O to restrict where the
> > connection comes from at the socket accept level.
> 
> BARF, Craig :) :) :) Bind your serversocket to the 127.0.0.1 address only,
> and the trick is done... (if it doesn't work, it's a JVM/OS problem)
> 
> >>  Is this configurable?
> >
> > Not currently, although this would be relatively easy to add.
> 
> I wouldn't bother, but rather wait for the outcomes of JSR-096 (Java
> Daemons)... Even if maybe it will not make it for our final release, we can
> always incorporate their code (should come out with a BSD license), change
> the packages from javax.daemon to org.apache and keep the two in sync. When
> it finally comes out, we can simply incorporate it and change back to
> javax.daemon.
> 
> >> Tomcat 4.0 will use port 8008 for its Warp Connector.  Can this be filtered
> >> using the Request Filter Valve?  The docs for the Request Filter refer to
> >> denying HTTP requests.
> >
> > As long as the Warp connector properly identifies where the request originated
> > (which I am pretty sure it does), you can indeed use request filters to accept
> > only requests from matching clients.  However, this cannot be used to control
> > where the connection from Apache comes from -- that would require code in the
> > connector itself.
> 
> Actually, that's all the way around... GetRemoteHost() and addr() return the
> Apache client, not the WARP client... Filtering at WARP level is a feature
> that can be integrated in the connector...
> 
>     Pier
> 
> --
> ----------------------------------------------------------------------------
> Pier Fumagalli  <http://www.betaversion.org/>  <ma...@betaversion.org>

-- 
----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------

Re: Restricting Access to Tomcat 3.x and Tomcat 4.0 Connectors

Posted by "Pier P. Fumagalli" <pi...@betaversion.org>.
Craig R. McClanahan <Cr...@eng.sun.com> wrote:
>> 
>> BARF, Craig :) :) :) Bind your serversocket to the 127.0.0.1 address only,
>> and the trick is done... (if it doesn't work, it's a JVM/OS problem)
> 
> That controls where the *destination* of the client connection can go,
> but not the *origin*.  Look again and find me the appropriate JDK
> methods to call to say "only accept connections from IP address
> a.b.c.d", which was the original question.

But if your concern is to have connections coming ONLY from the localhost
interface (127.0.0.1), that by definition of any TCP/IP stack I've seen so
far can accept connections only from itself... I know, if you want to accept
or reject connections from IPs different from 127.0.0.1, you always have to
open the socket, but if you bind only to 127.0.0.1 you're guaranteed that
all connections can only come from the same interface...
(AFAIK!) :) :) :)

    Pier

-- 
----------------------------------------------------------------------------
Pier Fumagalli  <http://www.betaversion.org/>  <ma...@betaversion.org>
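The mechanisms discussed across this thread, pulled together in one added example (hypothetical code, not Tomcat's or any connector's own): Dan's accept-time allow list and same-host shutdown check with an optional secret, and the bind-to-127.0.0.1 versus origin-filtering point debated by Pier and Craig. The class name, the single-line shutdown wire format and the allow-list representation are assumptions.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.Set;

public class FilteredListener {            // hypothetical listener, not Tomcat code
    private final Set<InetAddress> allowed;   // empty set = accept from anywhere
    private final String secret;              // null = no secret required (cf. useSecret in the thread)

    FilteredListener(Set<InetAddress> allowed, String secret) {
        this.allowed = allowed;
        this.secret = secret;
    }

    /** The JDK has no pre-accept origin filter, so the peer address is checked right after accept(). */
    boolean permits(Socket s) {
        return allowed.isEmpty() || allowed.contains(s.getInetAddress());
    }

    /** Shutdown rule from Dan's post: peer must be this host, and must present the secret if one is set. */
    boolean shutdownAllowed(Socket s, String presented) {
        boolean sameHost = s.getInetAddress().equals(s.getLocalAddress());
        return sameHost && (secret == null || secret.equals(presented));
    }

    /** bindAddr "127.0.0.1" leaves the port unreachable from other interfaces (Pier's trick);
     *  null binds every interface and relies on permits() for origin control (Craig's point). */
    void serve(int port, String bindAddr) throws IOException {
        InetAddress bind = (bindAddr == null) ? null : InetAddress.getByName(bindAddr);
        try (ServerSocket ss = new ServerSocket(port, 50, bind)) {
            while (true) {
                Socket s = ss.accept();
                if (!permits(s)) { s.close(); continue; }      // drop peers not on the allow list
                handle(s);
            }
        }
    }

    /** Assumed wire format: a single line, "SHUTDOWN" or "SHUTDOWN <secret>". */
    private void handle(Socket s) throws IOException {
        try (Socket c = s; BufferedReader in = new BufferedReader(new InputStreamReader(c.getInputStream()))) {
            String line = in.readLine();
            if (line == null || !line.startsWith("SHUTDOWN")) return;
            if (shutdownAllowed(c, line.length() > 9 ? line.substring(9) : null)) System.exit(0);
        }
    }
}
```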


Re: Restricting Access to Tomcat 3.x and Tomcat 4.0 Connectors

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
"Pier P. Fumagalli" wrote:

> Craig R. McClanahan <Cr...@eng.sun.com> wrote:
> >>
> >> Tomcat 4.0 will use port 8005 as its shutdown port, will this only accept
> >> connections from localhost?
> >
> > Yes, in effect.  The connection is accepted no matter where it comes from, but
> > attempts to shut down Tomcat are refused unless they are from localhost.
> >
> > AFAIK, there is no way through standard Java I/O to restrict where the
> > connection comes from at the socket accept level.
>
> BARF, Craig :) :) :) Bind your serversocket to the 127.0.0.1 address only,
> and the trick is done... (if it doesn't work, it's a JVM/OS problem)
>

That controls where the *destination* of the client connection can go,
but not the *origin*.  Look again and find me the appropriate JDK
methods to call to say "only accept connections from IP address
a.b.c.d", which was the original question.

>
> >>  Is this configurable?
> >
> > Not currently, although this would be relatively easy to add.
>
> I wouldn't bother, but rather wait for the outcomes of JSR-096 (Java
> Daemons)... Even if maybe it will not make it for our final release, we can
> always incorporate their code (should come out with a BSD license), change
> the packages from javax.daemon to org.apache and keep the two in sync. When
> it finally comes out, we can simply incorporate it and change back to
> javax.daemon.
>
> >> Tomcat 4.0 will use port 8008 for its Warp Connector.  Can this be filtered
> >> using the Request Filter Valve?  The docs for the Request Filter refer to
> >> denying HTTP requests.
> >
> > As long as the Warp connector properly identifies where the request originated
> > (which I am pretty sure it does), you can indeed use request filters to accept
> > only requests from matching clients.  However, this cannot be used to control
> > where the connection from Apache comes from -- that would require code in the
> > connector itself.
>
> Actually, that's all the way around... GetRemoteHost() and addr() return the
> Apache client, not the WARP client... Filtering at WARP level is a feature
> that can be integrated in the connector...
>
>     Pier
>

Craig

Re: Restricting Access to Tomcat 3.x and Tomcat 4.0 Connectors

Posted by "Pier P. Fumagalli" <pi...@betaversion.org>.
Craig R. McClanahan <Cr...@eng.sun.com> wrote:
>> 
>> Tomcat 4.0 will use port 8005 as its shutdown port, will this only accept
>> connections from localhost?
> 
> Yes, in effect.  The connection is accepted no matter where it comes from, but
> attempts to shut down Tomcat are refused unless they are from localhost.
> 
> AFAIK, there is no way through standard Java I/O to restrict where the
> connection comes from at the socket accept level.

BARF, Craig :) :) :) Bind your serversocket to the 127.0.0.1 address only,
and the trick is done... (if it doesn't work, it's a JVM/OS problem)

>>  Is this configurable?
> 
> Not currently, although this would be relatively easy to add.

I wouldn't bother, but rather wait for the outcomes of JSR-096 (Java
Daemons)... Even if maybe it will not make it for our final release, we can
always incorporate their code (should come out with a BSD license), change
the packages from javax.daemon to org.apache and keep the two in sync. When
it finally comes out, we can simply incorporate it and change back to
javax.daemon.

>> Tomcat 4.0 will use port 8008 for its Warp Connector.  Can this be filtered
>> using the Request Filter Valve?  The docs for the Request Filter refer to
>> denying HTTP requests.
> 
> As long as the Warp connector properly identifies where the request originated
> (which I am pretty sure it does), you can indeed use request filters to accept
> only requests from matching clients.  However, this cannot be used to control
> where the connection from Apache comes from -- that would require code in the
> connector itself.

Actually, that's all the way around... GetRemoteHost() and addr() return the
Apache client, not the WARP client... Filtering at WARP level is a feature
that can be integrated in the connector...

    Pier

-- 
----------------------------------------------------------------------------
Pier Fumagalli  <http://www.betaversion.org/>  <ma...@betaversion.org>


Re: Restricting Access to Tomcat 3.x and Tomcat 4.0 Connectors

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Glenn Nielsen wrote:

> I have a general question about restricting access from remote hosts
> to common connectors used by Tomcat 3.x and Tomcat 4.0.
>
> Tomcat 3.x will use port 8007 for its Apache ajp12 connector, is there any way
> to configure Tomcat 3.x so it will only accept connections on that port
> from localhost or a single remote host?  What about shutdown, does the
> port only accept requests from localhost?
>
> Tomcat 4.0 will use port 8005 as its shutdown port, will this only accept
> connections from localhost?

Yes, in effect.  The connection is accepted no matter where it comes from, but
attempts to shut down Tomcat are refused unless they are from localhost.

AFAIK, there is no way through standard Java I/O to restrict where the connection
comes from at the socket accept level.

>  Is this configurable?
>

Not currently, although this would be relatively easy to add.

>
> Tomcat 4.0 will use port 8008 for its Warp Connector.  Can this be filtered
> using the Request Filter Valve?  The docs for the Request Filter refer to
> denying HTTP requests.
>

As long as the Warp connector properly identifies where the request originated
(which I am pretty sure it does), you can indeed use request filters to accept
only requests from matching clients.  However, this cannot be used to control
where the connection from Apache comes from -- that would require code in the
connector itself.

>
> Regards,
>
> Glenn
>

Craig