Open Ports in Karaf
What are these open ports for? Security assessment? Do they need to listen to more than localhost?
I've disabled the JMX management tools (commit 1a945ac0dd4ff22c4700009db011acec60d69497) and changed the config of the SSH console to bind to localhost only (b3d24a8a1070dc17fc5c9047ef053e4a65c5fe22).
We do not have any such docs atm. Also Opencast does not use port 80.
By default, only 8080 is required to be open at all.
ElasticSearch does not require external connections and is only listening to localhost. See netstat output.
Other systems like the database and ActiveMQ may require additional ports in multi-server set-ups. But that is not Opencast.
I agree, the default should be as secure as possible which probably means that we should disable things like SSH, JMX and these folks.
What I was referring to is documentation where we list all ports that an Opencast installation might listens on. That's obviously HTTP (80), which I would assume to be opened to the world. But there are other things like Elasticsearch or ActiveMQ which we definitely need, but still should be protected by the firewall settings.
What I meant is that I annotated the netstat output at the top of this ticket. As you can see it is Jetty (8080) and ElasticSearch. All other ports are new. I know what the SSH port is for and I know that it is dangerous. My guess is that other ports are for things like the Java Management Extensions, … which are dangerous as well. At least as long as they are unconfigured by the users. In fact, I would bet that 1099 is JXM. I vaguely remember writing th security patch for that problem…
One addition to firewalls: Firewalls help to avoid security problems. But our first priority should be to have a sensible default configuration that does not have these security problems in the firt place.
So where can I find the documentation for the other open ports?