Bug 966160

Summary: Server should only listen to external/public bind addresses when absolutely necessary
Product: [JBoss] JBoss Operations Network
Reporter: Marc Shirley <mshirley>
Component: Core Server
Assignee: John Mazzitelli <mazz>
Status: CLOSED CURRENTRELEASE
QA Contact: Mike Foley <mfoley>
Severity: high
Priority: high
Version: JON 3.1.2
CC: ahovsepy, loleary
Target Milestone: ER01
Target Release: JON 3.2.0
Hardware: All
OS: All
Doc Type: Bug Fix
Last Closed: 2014-01-02 20:36:07 UTC
Type: Bug
Attachments:
eap5.1.2.log (flags: none)
publicBindAddress (flags: none)

Description Marc Shirley 2013-05-22 16:35:31 UTC
Description of problem:
The server listens to all ports on the bind address supplied (default 0.0.0.0) even though this results in security risks.  Instead, the server should only bind to an external public facing interface when needed (such as the port 7080/7443 ports for client/agent connectivity).

Version-Release number of selected component (if applicable):
JBoss ON 3.1.2

How reproducible:
Very

Steps to Reproduce:
1. Install server
2. Start server
3. Review netstat data to see that all ports are listening on all interfaces.

Actual results:
By default the server opens all ports on all interfaces.

Expected results:
The server should be configured to listen only on necessary ports externally (i.e., 7080/7443), and the rest should be disabled or configured to the localhost/127.0.0.1 address so that they are not externally accessible.

Additional info:
Reconfigured and tested with only the 7080/7443 ports listening on a public interface by modifying the jboss-server.xml file and did not see any obvious issues with the server functions, so this could possibly be resolved by adding an additional configuration option for an internal service bind address defaulting to 127.0.0.1.

Comment 1 John Mazzitelli 2013-05-28 15:10:32 UTC
The management interfaces in AS7.1.1.Final and EAP 6.1.x are now, by default, only bound to the local loopback IP (127.0.0.1) so this means they are not available to any remote machine. You can only access it from the local machine.

You can see this in RHQ Server's standalone-full.xml:

    <management>
...
        <management-interfaces>
            <native-interface security-realm="ManagementRealm">
                <socket-binding native="management-native"/>
            </native-interface>
            <http-interface security-realm="ManagementRealm">
                <socket-binding http="management-http"/>
            </http-interface>
        </management-interfaces>
    </management>
...
    <interfaces>
        <interface name="management">
            <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
        </interface>

...
    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
        <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:6999}"/>
        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:6990}"/>
        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:6443}"/>

Comment 2 Larry O'Leary 2013-05-28 17:36:11 UTC
But what about the other miscellaneous ports? In AS 4 we had web services, JMX, JNP, RMI, and XA. Essentially, what this comes down to is what does netstat return:


    netstat -anp | grep LISTEN | grep "<RHQ JVM PID>/java"

All required public services (that need to be reachable outside of localhost) should be 0.0.0.0:<port> and all required private services (that only need to be reachable from localhost) should be 127.0.0.1:<port>. And no services should be listening that are not required. Furthermore, we should know what all services relate to and their purpose.

Comment 3 John Mazzitelli 2013-05-31 16:42:59 UTC
This is what I see (host:port from netstat) from my latest master build:

127.0.0.1:2528 (jacorb port - i think we can get rid of this service)
127.0.0.1:6990 (http/rest admin port)
127.0.0.1:6999 (native admin port)
0.0.0.0:4445 (messaging - hornetq netty connector - can probably bind this to 127)
0.0.0.0:4455 (messaging-throughput - hornetq netty connector - can probably bind this to 127)
0.0.0.0:7080 (our public HTTP/non-secure web port)
0.0.0.0:7443 (our public HTTPS/secure web port)
0.0.0.0:3447 (remoting connector - looks used by ejb3 for remote clients AND remote JMX - can probably bind this to 127 since we may need the jmx connector for the plugin)

Comment 4 John Mazzitelli 2013-05-31 16:54:38 UTC
not sure how easy it will be to remove jacorb - see https://issues.jboss.org/browse/WFLY-1034 and its associated forum thread https://community.jboss.org/message/754423#754423

maybe we just bind it to 127.0.0.1

Comment 5 John Mazzitelli 2013-05-31 17:15:30 UTC
according to brian s., jacorb is also used by JTS - since we need transactioning, I don't want to risk blowing up by removing jacorb entirely. Will bind it to 127.0.0.1 instead

Comment 6 John Mazzitelli 2013-05-31 19:20:26 UTC
with changes that I will commit soon, this is now the bindings - notice that only two are now bound to 0.0.0.0 by default - the http and https web endpoints.

tcp        0      0 127.0.0.1:4445              0.0.0.0:*                   LISTEN      28958/java          
tcp        0      0 127.0.0.1:2528              0.0.0.0:*                   LISTEN      28958/java          
tcp        0      0 127.0.0.1:4455              0.0.0.0:*                   LISTEN      28958/java          
tcp        0      0 0.0.0.0:7080                0.0.0.0:*                   LISTEN      28958/java          
tcp        0      0 127.0.0.1:6990              0.0.0.0:*                   LISTEN      28958/java          
tcp        0      0 0.0.0.0:7443                0.0.0.0:*                   LISTEN      28958/java          
tcp        0      0 127.0.0.1:3447              0.0.0.0:*                   LISTEN      28958/java          
tcp        0      0 127.0.0.1:6999              0.0.0.0:*                   LISTEN      28958/java     

all these services cannot be removed (jacorb required by JTS, messaging needed for JMS/hornetq and remoting needed for managing the server itself via rhq plugins and JMX)

but now all these services are bound to the local loopback so they are not remotely accessible.

will continue to test to make sure this doesn't break anything and will commit when things look good.
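A check for the rule Larry states in comment 2, run against the listing John posts in comment 6, as an added Python example that is not part of this bug or of the JBoss ON code. The port sets and the constructed netstat samples are assumptions taken from this thread; `audit` reports any required service that faces outward, any unknown listener owned by the server JVM, and any public web port that is not listening.

```python
import re

# Ports JBoss ON must expose to agents and clients: the HTTP/HTTPS web endpoints.
PUBLIC_PORTS = {7080, 7443}
# Required but loopback-only after the fix (jacorb/JTS, HornetQ, remoting/JMX, management).
LOOPBACK_PORTS = {2528, 4445, 4455, 3447, 6990, 6999}
# One LISTEN row of `netstat -anp`: proto, queues, local addr:port, foreign, state, pid/prog.
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+)/\S+")

def parse_listeners(netstat_text, pid):
    """Yield (local_addr, port) for every LISTEN socket owned by `pid`."""
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(3)) == pid:
            yield m.group(1), int(m.group(2))

def is_loopback(addr):
    return addr.startswith("127.") or addr == "::1"  # 127/8 or the IPv6 loopback

def audit(netstat_text, pid, port_offset=0):
    """Return sorted findings; [] means only the public web ports face outward,
    every other required service is loopback-only and nothing else listens.
    `port_offset` mirrors jboss.socket.binding.port-offset for offset installs."""
    findings, seen = [], set()
    for addr, port in parse_listeners(netstat_text, pid):
        base = port - port_offset
        seen.add(base)
        if base in PUBLIC_PORTS:
            continue
        if base in LOOPBACK_PORTS:
            if not is_loopback(addr):
                findings.append(f"{addr}:{port} should be loopback-only")
        else:
            findings.append(f"{addr}:{port} is not a known required service")
    for base in sorted(PUBLIC_PORTS - seen):
        findings.append(f"public port {base + port_offset} is not listening")
    return sorted(findings)

# Constructed sample: rows from the post-fix listing in comment 6 plus one unrelated process.
NETSTAT_AFTER_FIX = """\
tcp        0      0 127.0.0.1:4445              0.0.0.0:*                   LISTEN      28958/java
tcp        0      0 0.0.0.0:7080                0.0.0.0:*                   LISTEN      28958/java
tcp        0      0 0.0.0.0:7443                0.0.0.0:*                   LISTEN      28958/java
tcp        0      0 127.0.0.1:3447              0.0.0.0:*                   LISTEN      28958/java
tcp        0      0 0.0.0.0:5432                0.0.0.0:*                   LISTEN      1234/postgres
"""
# Constructed pre-fix state as comment 3 describes it: messaging and remoting bound to 0.0.0.0.
NETSTAT_BEFORE_FIX = NETSTAT_AFTER_FIX.replace("127.0.0.1:4445", "0.0.0.0:4445").replace("127.0.0.1:3447", "0.0.0.0:3447")
```

Feed it the real `netstat -anp` output and the server JVM's PID; an empty result is the state comment 6 describes.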

Comment 7 John Mazzitelli 2013-05-31 21:05:23 UTC
git commit to master: cf58fce

Comment 8 Larry O'Leary 2013-09-06 14:32:55 UTC
As this is MODIFIED or ON_QA, setting milestone to ER1.

Comment 9 Armine Hovsepyan 2013-09-30 14:40:27 UTC
reassigning

port 4455 is required for EAP5.1.2 - start of eap5.1.2 with offset (-Djboss.socket.binding.port-offset=100) doesn't help.

Please see the attached log.

Comment 10 Armine Hovsepyan 2013-09-30 14:41:12 UTC
Created attachment 805241 [details]
eap5.1.2.log

Comment 11 Armine Hovsepyan 2013-09-30 14:42:51 UTC
checked version: JON 3.2 ER1
OS: Linux x86_64

Comment 12 Armine Hovsepyan 2013-10-08 14:48:45 UTC
Created attachment 809334 [details]
publicBindAddress

Comment 13 Armine Hovsepyan 2013-10-08 14:49:40 UTC
bz #1016703 filed for comment #9

bind addresses verified
screenshot attached