Firewall Wizards mailing list archives

Re: Jboss in a DMZ?


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Mon, 6 Oct 2003 14:42:12 -0400 (EDT)

bugtraq'ed today:

================================
Illegalaccess.org Security Alert
================================

Date        : 10/04/2003
Application : JBoss, java server for running J2EE enterprise
              applications
Version     : 3.2.1
Website     : http://www.jboss.org
Problems    : Denial-Of-Service,
              Log Manipulation,
              Manipulation of Process variables,
              Arbitrary Command Injection



Might take a lot of lockdown work!


Thanks,


Ron DuFresne


On Tue, 30 Sep 2003, Adam Shostack wrote:

I'm looking to deploy jboss in a security sensitive (dmz-like)
situation.  Jboss wants to listen on a lot of ports, and my attempts
to firewall it (using ipfilter) aren't going well.

Has anyone done this?  Are you willing to share the firewalling rules
you used?  Allowing all localhost->localhost didn't work.  Will jboss
respect tcp wrappers?  Is there a way to specify listen on localhost
only in the attributes?

Naively throwing localhost:8083 in here (service.xml) didn't work:


  <mbean code="org.jboss.web.WebService"
         name="jboss:service=Webserver">
    <attribute name="Port">8083</attribute>


Adam



-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

