6 Replies Latest reply on May 17, 2002 4:39 PM by ubellur

    What ports need to be open?

    shayman

      Hi All,

      I want to close all unnecessary ports on my server machines, for improved security. What ports must stay open?
      I am using Tomcat+IIS+JBoss. For tomcat and IIS I opened 80,8007 (ajp12), and 8080 (I guess I can close this one).
      For RMI I opened 1099, and 4444,4443 as I saw that my beans are deployed on these ports.

      But after all this, I keep on getting this exception:
      Can't execute method: getApiNames, Got the following Exception:
      javax.naming.CommunicationException. Root exception is java.rmi.ConnectException: Connection refused to host: 199.203.139.182; nested exception is:
      java.net.ConnectException: Connection refused: no further information
      java.net.ConnectException: Connection refused: no further information
      at java.net.PlainSocketImpl.socketConnect(Native Method)
      at java.net.PlainSocketImpl.doConnect(Unknown Source)
      at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
      at java.net.PlainSocketImpl.connect(Unknown Source)
      at java.net.Socket.<init>(Unknown Source)
      at java.net.Socket.<init>(Unknown Source)
      at sun.rmi.transport.proxy.RMIDirectSocketFactory.createSocket(Unknown Source)
      at sun.rmi.transport.proxy.RMIMasterSocketFactory.createSocket(Unknown Source)
      at sun.rmi.transport.tcp.TCPEndpoint.newSocket(Unknown Source)
      at sun.rmi.transport.tcp.TCPChannel.createConnection(Unknown Source)
      at sun.rmi.transport.tcp.TCPChannel.newConnection(Unknown Source)
      at sun.rmi.server.UnicastRef.invoke(Unknown Source)
      at org.jnp.server.NamingServer_Stub.lookup(Unknown Source)
      at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:295)
      at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:279)
      at javax.naming.InitialContext.lookup(Unknown Source)

      What am I missing? Does RMI use random ports? Is there a way to restrict it to use only a fixed set of ports?

      TIA.

      Shay.

        • 1. Re: What ports need to be open?

          > What am I missing? does RMI uses random port? is
          > there a way to restrict it to use only a fixed set of
          > ports?

          conf//jnp.properties:

          # The port the RMI NamingServer is exported on,
          # 0 = bind any available port
          jnp.rmiPort=0

          Check that.

          -- Juha

          • 2. Re: What ports need to be open?
            starksm64

            Use the RmiPort mbean attribute rather than jnp.properties.


             <mbean code="org.jboss.naming.NamingService" name="DefaultDomain:service=Naming">
             <attribute name="Port">1099</attribute>
             <attribute name="RmiPort">10990</attribute>
             </mbean>
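            As an added illustration (not code from this thread or from JBoss), this standalone Java program exports the same trivial remote object first on port 0 and then on a fixed port (10990, the RmiPort value shown above) and prints the endpoint each stub carries. With 0 the port differs on every run and is unknown to the firewall; with a fixed port it stays predictable, and several objects can share it, which also bears on the later question about one port for many beans. Names such as Echo and FIXED_PORT are this example's own.

            ```java
            import java.rmi.Remote;
            import java.rmi.RemoteException;
            import java.rmi.server.UnicastRemoteObject;

            public class RmiPortDemo {

                // Minimal remote interface standing in for a bean's remote view (hypothetical).
                public interface Echo extends Remote {
                    String echo(String msg) throws RemoteException;
                }

                static class EchoImpl implements Echo {
                    public String echo(String msg) { return msg; }
                }

                // Fixed port chosen for this demo; the same value as RmiPort above.
                static final int FIXED_PORT = 10990;

                public static void main(String[] args) throws Exception {
                    EchoImpl anyImpl = new EchoImpl();
                    EchoImpl impl1 = new EchoImpl();
                    EchoImpl impl2 = new EchoImpl();

                    // Port 0 = "bind any available port": the JVM picks an ephemeral port at export
                    // time and the stub returned to clients embeds it, so a firewall that only
                    // allows 1099 (the JNDI lookup) still refuses the actual method call.
                    Remote anyPort = UnicastRemoteObject.exportObject(anyImpl, 0);
                    System.out.println("exported on port 0 -> " + anyPort);

                    // Fixed port: RMI reuses the listening socket already bound to that port in
                    // this JVM, so many objects can be exported on one predictable port.
                    Remote fixed1 = UnicastRemoteObject.exportObject(impl1, FIXED_PORT);
                    Remote fixed2 = UnicastRemoteObject.exportObject(impl2, FIXED_PORT);
                    System.out.println("object 1 -> " + fixed1);
                    System.out.println("object 2 -> " + fixed2);

                    // Both stubs are dynamic proxies implementing Echo; calls go through the shared port.
                    System.out.println(((Echo) fixed1).echo("one") + " " + ((Echo) fixed2).echo("two"));

                    // Unexport so the RMI runtime's non-daemon threads let the JVM exit.
                    UnicastRemoteObject.unexportObject(anyImpl, true);
                    UnicastRemoteObject.unexportObject(impl1, true);
                    UnicastRemoteObject.unexportObject(impl2, true);
                }
            }
            ```

            Each printed stub contains an "endpoint:[host:port]" fragment; run it twice and compare the port-0 line with the fixed-port lines.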
            
            


            • 3. Re: What ports need to be open?
              shayman

              Thanks for the answers.
              Is one port enough for all the communication? can I declare more than one?

              Shay.

              • 4. Re: What ports need to be open?
                jwkaltz

                It seems to me what you really want for security, is that only the webserver port(s) are accessible from other machines. So,
                - either you can specify in JBoss that connections to its naming service etc. are only allowed from a specific IP address (in your case, localhost)
                - or you have a firewall which allows only calls to port 80 & 443 to your machine

                I have no idea whether in JBoss you can restrict from which IP address calls are allowed. But it would be nice if you could; you can do this in many Internet services like ftp, postgresql database, ...

                • 5. Re: What ports need to be open?
                  shayman

                  My question is regarding both security and performance. If I want to close all unnecessary ports, I want to know what ports need to be open. So I restricted the RMI Port to be 10990. Now I get to the other side, which is performance. If I open only one port, and use around 30 beans, will this affect the performance of the system, e.g. will the single port become a bottleneck in the system?
                  If so, can I declare more than one RMI Port?

                  TIA,

                  Shay.

                  • 6. 3851441
                    ubellur

                    I'm unable to get a final answer to the question of fixing the RMI port in order to be able to get through a firewall:

                    a. Does JBOSS use transient ports for every RMI object or is it on a per client basis? What kind of multiplexing is done, if any? If it does use transient ports, what is the limit on the number of objects that can exist in a single VM?

                    b. How do I fix this? I don't see a file called jnp.properties. Should I fix one port for the JNDI service and one for the rest of the objects?

                    c. What are the performance implications of fixing the RMI port?