下午上班时,发现服务器竟然无法访问,没有停电呀。输入密码,解开x-window的锁定状态,发现jboss确实关闭了,时间是13:23分,发现时间是15:33分。
这是以前没有从未出现过的,查服务器访问日志,原来是有人通过jmx-console远程关闭了服务器,我还从使用过这个功能,倒让人先用了!
我知道,jboss安装默认情况下,jmx-console/web-console不用密码,就可以访问的,但我一直还以为,只能通过
localhost使用这个功能呢,所以就没有想道会有安全问题。我想,Jboss这么专业,这么成熟,这种小问题,自然不用操心,但我错了!
重新启动服务器后,我自己模拟了一下,果然,不到一分钟时间,就找到了jmx-
console/HtmlAdaptor?action=inspectMBean&
name=jboss.system:type=Server这个页面,其中有一个"shutdown",选择右边的invoke,果然服务器就关闭了。
根据日志分析,一个ip地址为218.79.105.121的朋友,在6月20访问过本站,今天上午10点多,通过baidu读了一篇我的关于Jboss的文章,之后访问试验本站完全开放的jmx-console,试验了3个小时,终于找到了远程关闭服务器的方法。
于是,他在上海徐汇的家中(Adsl,应该是家中吧),远程地关闭了我在架北京郊区自己办公室的服务器。
这么大的漏洞被忽视了,真是汗颜。赶紧补课吧。
SecureTheJmxConsole,这可是Jboss官方文档.上面提示的做法,应当可行。但没有必要那么麻烦。
只要进入jmx-console.war/web-console.war这2个包的WEB-INF,编辑jboss-web.xml,
web.xml就可以了。我只是在uncomment相应的部分之后,将jaas
domain替换我用的zhuoda.org,并且将security
role替换为我用的zduAdmin就都搞定了,不需要理会user.properties, roles-properties二个文件。
转:http://www.zhuoda.org/hofman/21129.html
以下的内容来自
SecureTheJmxConsole的链接
Securing the JMX Console and Web Console
Both the jmx-console and web-console are standard servlet 2.3 deployments and can
be secured using J2EE role based security. Both also have a skeleton setup to allow
one to easily enable security using username/password/role mappings found in the
jmx-console.war and web-console.war deployments in the corresponding WEB-INF/classes
users.properties and roles.properties files.
The security setup is based on two pieces, the standard WEB-INF/web.xml servlet URI
to role specification, and the WEB-INF/jboss-web.xml specification of the JAAS configuration which defines how authentication and role mapping is performed.
To secure the JMX Console using a username/password file -
-
Locate the jmx-console.war directory. This will normally be in server/default/deploy in your JBOSS_HOME directory.
-
edit WEB-INF/web.xml and uncomment the security-constraint block
-
edit WEB-INF/classes/jmx-console-users.properties or server/default/conf/props/jmx-console-users.properties (version >=4.0.2) and WEB-INF/classes/jmx-console-roles.properties or server/default/conf/props/jmx-console-roles.properties
(version >=4.0.2) and change the users and passwords to what you
desire. They will need the JBossAdmin role specified in the web.xml
file to run the JMX Console.
-
edit WEB-INF/jboss-web.xml
and uncomment the security-domain block. The security-domain value of
jmx-console maps is declared in the login-config.xml JAAS configuration
file which defines how authentication and authorization is done.
To secure the JMX Console using your own JAAS domain -
-
edit WEB-INF/web.xml
as above, uncommenting the security-constraint block. Change the
role-name value to be the role in your domain that can access the
console
-
edit WEB-INF/jboss-web.xml as above, setting the security domain to be the name of your security domain. For example, if your login-config.xml has an application-policy whose name is MyDomain then your JAAS domain java:/jaas/MyDomain
-
after making all the changes, redeploy the application. The application can be redeployed by touching the web.xml file or by restarting the server
The process to secure the web console is similar. In the deploy directory, locate management/web-console.war and make the same changes as above to to WEB-INF/web.xml,
WEB-INF/jboss-web.xml and the users/groups properties file. The default JAAS domain used by the web-console is java:/jaas/web-console and is defined in login-config.xml
in the conf directory. You can use a custom JAAS domain or custimize
the existing domain in the same way as with the JMX console. Typically
you would just use the same domain (java:/jaas/jmx-console) as the
jmx-console so that you have a single user/role mapping to configurue.
If
you find as I did with 3.2.5 that I couldn't log in, another
users.properties is most likely being picked up. Change the web-console
login-config.xml entry so that that properties files are uniquely named
to avoid ambiguity with which resource is picked up. You also would
need to rename the web-console properties files. (see http://www.jboss.org/index.html?module=bb&op=viewtopic&t=53346 )
As an extra level of security you may also want to LimitAccessToCertainClients in a particular IP address range.
-
Update for 4.0.2
The jmx-console-roles.properties and jmx-console-users.properties files have been moved to server"default"conf"props.
This is because of the change to use the servlet 2.3 class loading
model and these properties files would not be visible to the other
deployments using the jmx-console security domain. You can move the
files from conf"props to WEB-INF"classes, or leave them in place and edit the password for admin.
Similarly for the web console, please note that the web console is unpacked already in the default server configuration as deploy/management/console-mgr.sar/web-console.war. Proceed to edit the WEB-INF/web.xml and jboss-web.xml files as per securing the JMX console, and either edit the WEB-INF/classes/web-console-roles.properties and web-console-users.properties, or move those files to server"default"conf"props and edit them there.
For the impatient
vi $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml
uncomment the security-constraint block
and add a <login-config> block after the end of the <security-constraint> block:
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>JMXConsole</realm-name>
</login-config>
vi $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml
Uncomment the security-domain block. Make sure the JNDI name maps to the realm name (i.e. JMXConsole)
vi $JBOSS_HOME/server/default/conf/props/jmx-console-users.properties
change the password for admin
vi $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml
uncomment the security-constraint block
and add a <login-config> block after the end of the <security-constraint> block:
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>JMXConsole</realm-name>
</login-config>
vi $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml
Uncomment the security-domain block. Make sure the JNDI name maps to the realm name (e.g. JMXConsole)
vi $JBOSS_HOME/server/default/conf/login-config.xml
Change
the path to the web-console-users.properties and the
web-console-roles.properties as follows (add props/ to the front of the
path)
<module-option name="usersProperties">props/web-console-users.properties</module-option>
<module-option name="rolesProperties">props/web-console-roles.properties</module-option>
cp
$JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-.properties
$JBOSS_HOME/server/default/conf/props
edit as needed
cp
$JBOSS_HOME/server/default/conf/props/jmx-console-roles.properties
$JBOSS_HOME/server/default/conf/props/web-console-roles.properties
edit as needed
edit
$JBOSS_HOME/server/default/conf/login-config.xml, find the jmx-console
and web-console applicaiton-policy, and set the name to jmx-console and
web-console, respectively. That is make sure that the application
policy name maps to the realm name (i.e. JMXConsole)
restart jboss
Additional to secure jmx-console and web-console authentication via SSL
the following steps below will redirect jboss admin pages to https://localhost:8443
<security-constraint>
...
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
(@see creating SSL keystore using the java keytool - http://www.informit.com/articles/article.asp?p=407886)
or quick setup and verify via
$ keytool -genkey -keystore /data01/jboss/server/xxx/conf/keystore -alias jbossAdmin
$ keytool -list -keystore /data01/jboss/server/xxx/conf/keystore
$vi /data01/jboss/server/xxx/deploy/jbossweb-tomcat50.sar/server.xml
-
secure file permission via chmod 600 server.xml
-
uncomment section "SSL/TLS Connector" to enable Connector port="8443"
-
replace keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
with keystoreFile="${jboss.server.home.dir}/conf/keystore"
with keystorePass="