Securing JBoss Mail Server and Sub App. Components
gohip May 4, 2006 6:22 PM

Hey guys,

Trying to lock down and secure JBoss Mail Server.

On the Mail Server main page, it states there are only two steps to securing JBoss Mail Server, i.e.

SecureTheJmxConsole
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole

and

HowToRunJBossMailServerWithoutSuperuserAccess
http://wiki.jboss.org/wiki/Wiki.jsp?page=HowToRunJBossMailServerWithoutSuperuserAccess

Is this really all that is involved?

I noted, or it seems, that JBoss Mail Server is also using these applications:
Apache
Tomcat
Jakarta

Should we not also focus on locking these down?

I am creating a list of components, and links to examples of locking the sub-components (i.e. Apache, Tomcat, and Jakarta) down.

Does anyone have anything else to add, recommendations, or better links?

Apache:
Securing Apache
http://www.securityfocus.com/infocus/1694
http://www.faqs.org/docs/securing/chap29sec251.html

Jakarta:
http://tomcat.apache.org/tomcat-5.0-doc/realm-howto.html

Tomcat:
Sources:
http://tomcat.apache.org/faq/security.html

Use latest version
http://tomcat.apache.org/whichversion.html
Get rid of root user/admin for instance of Apache
http://marc.theaimsgroup.com/?t=104516038700003&r=1&w=2
Force pages to use SSL:
http://marc.theaimsgroup.com/?t=104516038700003&r=1&w=2
How do I restrict access by IP address or remote host?
By using the RemoteHostValve or RemoteAddrValve. Warning, these valves rely on accurate incoming IP addresses or hostnames. So they can fall victim to spoofing! Valve Reference Link
How do I use jsvc/procrun to run Tomcat on port 80 securely?
Fairly easily. See the Setup page in the docs for your Tomcat release, and read this mailing list post http://marc.theaimsgroup.com/?l=tomcat-user&m=108566020231438&w=2 for a complete setup example with permissions etc.
http://www.junlu.com/msg/149308.html

JBoss AS:
http://sourceforge.net/docman/display_doc.php?docid=20143&group_id=22866
SecureJBoss
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss
SecureTheJmxConsole
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole

JBoss MailServer:
HowToRunJBossMailServerWithoutSuperuserAccess
http://wiki.jboss.org/wiki/Wiki.jsp?page=HowToRunJBossMailServerWithoutSuperuserAccess