Description of problem:
The server listens to all ports on the bind address supplied (default 0.0.0.0) even though this results in security risks. Instead, the server should only bind to an external public facing interface when needed (such as the 7080/7443 ports for client/agent connectivity).

Version-Release number of selected component (if applicable):
JBoss ON 3.1.2

How reproducible:
Very

Steps to Reproduce:
1. Install server
2. Start server
3. Review netstat data to see that all ports are listening on all interfaces.

Actual results:
By default the server opens all ports on all interfaces.

Expected results:
The server should be configured to listen only on necessary ports externally (i.e., 7080/7443), and the rest should be disabled or configured to the localhost/127.0.0.1 address so that they are not externally accessible.

Additional info:
Reconfigured and tested with only the 7080/7443 ports listening on a public interface by modifying the jboss-server.xml file and did not see any obvious issues with the server functions, so this could possibly be resolved by adding an additional configuration option for an internal service bind address defaulting to 127.0.0.1.
The management interfaces in AS7.1.1.Final and EAP 6.1.x are now, by default, only bound to the local loopback IP (127.0.0.1), so this means they are not available to any remote machine. You can only access them from the local machine. You can see this in RHQ Server's standalone-full.xml:

<management>
  ...
  <management-interfaces>
    <native-interface security-realm="ManagementRealm">
      <socket-binding native="management-native"/>
    </native-interface>
    <http-interface security-realm="ManagementRealm">
      <socket-binding http="management-http"/>
    </http-interface>
  </management-interfaces>
</management>
...
<interfaces>
  <interface name="management">
    <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
  </interface>
...
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
  <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:6999}"/>
  <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:6990}"/>
  <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:6443}"/>
But what about the other miscellaneous ports? In AS 4 we had web services, JMX, JNP, RMI, and XA. Essentially, what this comes down to is what netstat returns:

netstat -anp | grep LISTEN | grep "<RHQ JVM PID>/java"

All required public services (that need to be reachable outside of localhost) should be 0.0.0.0:<port> and all required private services (that only need to be reachable from localhost) should be 127.0.0.1:<port>. And no services should be listening that are not required. Furthermore, we should know what all services relate to and their purpose.
This is what I see (host:port from netstat) from my latest master build:

127.0.0.1:2528 (jacorb port - I think we can get rid of this service)
127.0.0.1:6990 (http/rest admin port)
127.0.0.1:6999 (native admin port)
0.0.0.0:4445 (messaging - hornetq netty connector - can probably bind this to 127)
0.0.0.0:4455 (messaging-throughput - hornetq netty connector - can probably bind this to 127)
0.0.0.0:7080 (our public HTTP/non-secure web port)
0.0.0.0:7443 (our public HTTPS/secure web port)
0.0.0.0:3447 (remoting connector - looks used by ejb3 for remote clients AND remote JMX - can probably bind this to 127 since we may need the jmx connector for the plugin)
Not sure how easy it will be to remove jacorb - see https://issues.jboss.org/browse/WFLY-1034 and its associated forum thread https://community.jboss.org/message/754423#754423. Maybe we just bind it to 127.0.0.1.
According to brian s., jacorb is also used by JTS - since we need transactioning, I don't want to risk blowing up by removing jacorb entirely. Will bind it to 127.0.0.1 instead.
With changes that I will commit soon, these are now the bindings - notice that only two are now bound to 0.0.0.0 by default - the http and https web endpoints.

tcp 0 0 127.0.0.1:4445 0.0.0.0:* LISTEN 28958/java
tcp 0 0 127.0.0.1:2528 0.0.0.0:* LISTEN 28958/java
tcp 0 0 127.0.0.1:4455 0.0.0.0:* LISTEN 28958/java
tcp 0 0 0.0.0.0:7080 0.0.0.0:* LISTEN 28958/java
tcp 0 0 127.0.0.1:6990 0.0.0.0:* LISTEN 28958/java
tcp 0 0 0.0.0.0:7443 0.0.0.0:* LISTEN 28958/java
tcp 0 0 127.0.0.1:3447 0.0.0.0:* LISTEN 28958/java
tcp 0 0 127.0.0.1:6999 0.0.0.0:* LISTEN 28958/java

All these services cannot be removed (jacorb required by JTS, messaging needed for JMS/hornetq and remoting needed for managing the server itself via rhq plugins and JMX), but now all these services are bound to the local loopback so they are not remotely accessible. Will continue to test to make sure this doesn't break anything and will commit when things look good.
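An added shell check, not part of the bug report, that applies the rule stated in the comments above: every 0.0.0.0 listener belonging to the server JVM must be one of the public web ports (7080/7443), everything else must sit on 127.0.0.1. The netstat sample lines are constructed from the listings in this thread, and the PUBLIC_PORTS list is an assumption taken from the expected result in the description.

```shell
#!/bin/sh
# Added example, not from the bug report: audit the JBoss ON server JVM's
# listening sockets and flag any port bound to all interfaces (0.0.0.0)
# that is not one of the intended public ports (7080/7443).
PUBLIC_PORTS="7080 7443"   # assumption: everything else should be loopback-only

# Constructed samples of `netstat -anp | grep LISTEN` output, modelled on the
# comments above; PID 28958 is the value from the report, sshd is a bystander.
SAMPLE_BEFORE='tcp 0 0 127.0.0.1:4445 0.0.0.0:* LISTEN 28958/java
tcp 0 0 0.0.0.0:7080 0.0.0.0:* LISTEN 28958/java
tcp 0 0 0.0.0.0:3447 0.0.0.0:* LISTEN 28958/java
tcp 0 0 127.0.0.1:6999 0.0.0.0:* LISTEN 28958/java
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1234/sshd'
SAMPLE_AFTER='tcp 0 0 127.0.0.1:4445 0.0.0.0:* LISTEN 28958/java
tcp 0 0 0.0.0.0:7080 0.0.0.0:* LISTEN 28958/java
tcp 0 0 127.0.0.1:3447 0.0.0.0:* LISTEN 28958/java
tcp 0 0 0.0.0.0:7443 0.0.0.0:* LISTEN 28958/java
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1234/sshd'

# audit_bindings PID  (netstat lines on stdin)
# Keeps only the given PID's java sockets in LISTEN state and reports every
# port exposed on 0.0.0.0 that is not in PUBLIC_PORTS.
# Returns 0 when nothing unexpected is exposed, 1 otherwise.
audit_bindings() {
    pid="$1"
    unexpected=""
    while read -r proto recvq sendq laddr raddr state prog; do
        [ "$state" = "LISTEN" ] || continue
        [ "$prog" = "${pid}/java" ] || continue     # ignore other processes
        addr="${laddr%:*}"
        port="${laddr##*:}"
        [ "$addr" = "0.0.0.0" ] || continue          # loopback-bound is fine
        case " $PUBLIC_PORTS " in
            *" $port "*) ;;                          # expected public port
            *) unexpected="$unexpected $port" ;;
        esac
    done
    if [ -n "$unexpected" ]; then
        echo "unexpected public ports:$unexpected"
        return 1
    fi
    echo "only expected public ports are exposed"
    return 0
}

# Stand-alone run against the constructed samples; on a live server pipe the
# real `netstat -anp` output in and pass the RHQ server JVM's PID instead.
echo "$SAMPLE_BEFORE" | audit_bindings 28958
echo "$SAMPLE_AFTER"  | audit_bindings 28958
```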
git commit to master: cf58fce
As this is MODIFIED or ON_QA, setting milestone to ER1.
Reassigning port 4455 is required for EAP5.1.2 - starting eap5.1.2 with an offset (-Djboss.socket.binding.port-offset=100) doesn't help. Please see the attached log.
Created attachment 805241: eap5.1.2.log
Checked version: JON 3.2 ER1
OS: Linux x86_64
Created attachment 809334: publicBindAddress
bz #1016703 filed for comment #9. Bind addresses verified, find screenshot attached.