Open Ports in Karaf


What are these open ports for? Security assessment? Do they need to listen on more than localhost?


Basil Brunner
September 24, 2015, 4:27 PM

I've disabled the JMX management tools (commit 1a945ac0dd4ff22c4700009db011acec60d69497) and changed the config of the SSH console to bind to localhost only (b3d24a8a1070dc17fc5c9047ef053e4a65c5fe22).

Lars Kiesow
September 24, 2015, 1:47 PM

We do not have any such docs atm. Also Opencast does not use port 80.
By default, only 8080 is required to be open at all.

ElasticSearch does not require external connections and is only listening to localhost. See netstat output.

Other systems like the database and ActiveMQ may require additional ports in multi-server set-ups. But that is not Opencast.

Basil Brunner
September 24, 2015, 2:06 AM

I agree, the default should be as secure as possible which probably means that we should disable things like SSH, JMX and these folks.

What I was referring to is documentation where we list all ports that an Opencast installation might listen on. That's obviously HTTP (80), which I would assume to be opened to the world. But there are other things like Elasticsearch or ActiveMQ which we definitely need, but still should be protected by the firewall settings.

Lars Kiesow
September 23, 2015, 10:59 PM

What I meant is that I annotated the netstat output at the top of this ticket. As you can see it is Jetty (8080) and ElasticSearch. All other ports are new. I know what the SSH port is for and I know that it is dangerous. My guess is that other ports are for things like the Java Management Extensions, … which are dangerous as well. At least as long as they are unconfigured by the users. In fact, I would bet that 1099 is JMX. I vaguely remember writing the security patch for that problem…

One addition to firewalls: Firewalls help to avoid security problems. But our first priority should be to have a sensible default configuration that does not have these security problems in the first place.
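The check Lars describes above, reading the listener list and separating loopback-only binds from everything else, as an added shell example. It is not code from the ticket or from Opencast, and the netstat and ss samples are constructed (the port numbers are the usual defaults for Jetty, Elasticsearch, the Karaf SSH console, the JMX RMI registry and server, ActiveMQ and MySQL, assumed here, not taken from the ticket's netstat dump). The allowlist is an assumption too: only 8080 is treated as intentionally public, matching the single-server case.

```shell
#!/bin/sh
# Added example: audit listening TCP sockets and flag anything bound to a
# non-loopback address that is not on an explicit allowlist.
# Handles both `netstat -tln` and `ss -ltn` output: both put the local
# address:port in column 4 and the word LISTEN in the last or first column.

# Constructed sample in `netstat -tln` format (NOT the ticket's netstat dump).
# Ports assumed: Jetty 8080, Elasticsearch 9200, Karaf SSH 8101,
# JMX RMI registry 1099 and RMI server 44444, ActiveMQ 61616, MySQL 3306.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9200          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8101            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1099            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:44444           0.0.0.0:*               LISTEN
tcp6       0      0 :::61616                :::*                    LISTEN
tcp6       0      0 ::1:3306                :::*                    LISTEN'

# Constructed sample in `ss -ltn` format: IPv6 in brackets, "*" for wildcard.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    [::]:8101           [::]:*
LISTEN 0      128    127.0.0.1:9200      0.0.0.0:*
LISTEN 0      128    *:1099              *:*'

# Ports meant to be reachable from other hosts. For a single-server Opencast
# that is only the HTTP port; multi-server set-ups extend this deliberately.
ALLOWED_PORTS="${ALLOWED_PORTS:-8080}"

# Succeeds when the address is loopback: IPv4 127/8 or IPv6 ::1.
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# Reads a socket listing on stdin and prints "<port> <address>" for every
# listener bound to a non-loopback address whose port is not allowed.
find_exposed_ports() {
    awk '$1 == "LISTEN" || $NF == "LISTEN" { print $4 }' |
    while IFS= read -r local; do
        port="${local##*:}"
        addr="${local%:*}"
        # ss prints IPv6 addresses in brackets, e.g. [::]:8101
        addr="${addr#\[}"; addr="${addr%\]}"
        # loopback binds are only reachable from this host: not a finding
        if is_loopback "$addr"; then continue; fi
        # ports we expose on purpose: not a finding either
        case " $ALLOWED_PORTS " in
            *" $port "*) continue ;;
        esac
        printf '%s %s\n' "$port" "$addr"
    done
}

# Runs the audit against the live host, preferring ss over netstat.
audit_live() {
    { ss -ltn 2>/dev/null || netstat -tln; } | find_exposed_ports
}

# Usage: sh audit-ports.sh          (runs on the constructed sample)
#        sh audit-ports.sh --live   (runs on this host)
case "${1:-}" in
    --live) audit_live ;;
    *)      printf '%s\n' "$SAMPLE_NETSTAT" | find_exposed_ports ;;
esac
```

On the sample this reports 8101, 1099, 44444 and 61616 as exposed and stays silent about 9200 and 3306, which is exactly the distinction the thread is after: a bind to 0.0.0.0 or :: is a default-configuration problem the firewall merely papers over, a bind to 127.0.0.1 is not. An empty result is the state a default install should ship in.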

Basil Brunner
September 23, 2015, 4:16 PM

So where can I find the documentation for the other open ports?

