7 Replies Latest reply on May 8, 2006 12:24 PM by gohip

    Securing JBoss Mail Server and Sub App. Components

    gohip

      Hey guys,

      Trying to lock down / secure JBoss Mail Server.

      On the Mail Server main page, it states there are only two steps to securing JBoss Mail Server, i.e.

      SecureTheJmxConsole
      http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole

      and

      HowToRunJBossMailServerWithoutSuperuserAccess
      http://wiki.jboss.org/wiki/Wiki.jsp?page=HowToRunJBossMailServerWithoutSuperuserAccess

      Is this really all that is involved?

      I noted, or it seems, JBoss Mail Server is using these applications also:
      * Apache
      * Tomcat
      * Jakarta

      Should we not also focus on locking these down?

      I am creating a list of components, and links to examples of locking the sub-components (i.e. Apache, Tomcat, and Jakarta) down.

      Does anyone have anything else to add, recommendations, or better links?



      Apache:
      Securing Apache
      http://www.securityfocus.com/infocus/1694
      http://www.faqs.org/docs/securing/chap29sec251.html

      Jakarta:
      http://tomcat.apache.org/tomcat-5.0-doc/realm-howto.html

      Tomcat:
      Sources:
      http://tomcat.apache.org/faq/security.html

      Use latest version
      http://tomcat.apache.org/whichversion.html
      Get rid of root user/admin for instance of Apache
      http://marc.theaimsgroup.com/?t=104516038700003&r=1&w=2
      Force pages to use SSL:
      http://marc.theaimsgroup.com/?t=104516038700003&r=1&w=2
      How do I restrict access by IP address or remote host?
      By using the RemoteHostValve or RemoteAddrValve. Warning: these valves rely on accurate incoming IP addresses or hostnames, so they can fall victim to spoofing! Valve Reference Link
      How do I use jsvc/procrun to run Tomcat on port 80 securely?
      Fairly easily. See the Setup page in the docs for your Tomcat release, and read this mailing list post for a complete setup example with permissions etc.:
      http://marc.theaimsgroup.com/?l=tomcat-user&m=108566020231438&w=2
      http://www.junlu.com/msg/149308.html

      JBoss AS:
      http://sourceforge.net/docman/display_doc.php?docid=20143&group_id=22866
      SecureJBoss
      http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss
      SecureTheJmxConsole
      http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole

      JBoss MailServer:
      HowToRunJBossMailServerWithoutSuperuserAccess
      http://wiki.jboss.org/wiki/Wiki.jsp?page=HowToRunJBossMailServerWithoutSuperuserAccess

        • 1. Re: Securing JBoss Mail Server and Sub App. Components
          acoliver

          Also: get your own certificate (not the one that we generate, a real one from Thawte or similar). Use TLS and require TLS for authentication. Don't run JBMS as root, run it as its own chrooted user and set up port forwarding. I do not recommend front-ending Tomcat with Apache.
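The "require TLS for authentication" rule from the reply above, as an added example (Python) that is not part of this thread or of JBoss Mail Server's own code: a minimal SMTP command policy that refuses AUTH until STARTTLS has completed and, just as importantly, does not advertise AUTH in the EHLO response until the channel is protected, so a well-behaved client never sends credentials in the clear. The hostnames, the alice/s3cret credential store and the client transcript are constructed for the example; the JBMS configuration that enables this behaviour is not shown because the thread does not name it.

```python
import base64
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed credential store for the example; a real server backs this
# with its user database.
USERS: Dict[str, str] = {"alice": "s3cret"}


@dataclass
class SmtpSession:
    """Per-connection state the policy decisions depend on."""
    require_tls_for_auth: bool = True
    tls_active: bool = False
    authenticated_as: str = ""

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return self._ehlo()
        if verb == "STARTTLS":
            return self._starttls()
        if verb == "AUTH":
            return self._auth(arg)
        if verb == "QUIT":
            return "221 Bye"
        return "502 Command not implemented"

    def _ehlo(self) -> str:
        lines = ["250-mail.example.test"]
        if not self.tls_active:
            lines.append("250-STARTTLS")
        # Advertise AUTH only when it would be accepted: a client that honours
        # the EHLO response will not try to send credentials over cleartext.
        if self.tls_active or not self.require_tls_for_auth:
            lines.append("250-AUTH PLAIN")
        lines.append("250 OK")
        return "\r\n".join(lines)

    def _starttls(self) -> str:
        if self.tls_active:
            return "503 TLS already active"
        self.tls_active = True        # the TLS handshake would run here
        self.authenticated_as = ""    # RFC 3207: SMTP state is reset after STARTTLS
        return "220 Ready to start TLS"

    def _auth(self, arg: str) -> str:
        if self.require_tls_for_auth and not self.tls_active:
            # Reject before looking at any credential material at all.
            return "538 Encryption required for requested authentication mechanism"
        mech, _, initial = arg.partition(" ")
        if mech.upper() != "PLAIN" or not initial:
            return "504 Unrecognized authentication type"
        try:
            _authzid, authcid, passwd = base64.b64decode(initial).decode().split("\0")
        except (ValueError, UnicodeDecodeError):
            return "501 Malformed AUTH PLAIN initial response"
        if USERS.get(authcid) == passwd:
            self.authenticated_as = authcid
            return "235 Authentication successful"
        return "535 Authentication credentials invalid"


def plain_credential(user: str, password: str) -> str:
    """Encode an AUTH PLAIN initial response (authzid left empty)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def run_transcript(commands: List[str], require_tls: bool = True) -> List[Tuple[str, str]]:
    """Feed a client command sequence to one session; returns (command, reply) pairs."""
    session = SmtpSession(require_tls_for_auth=require_tls)
    return [(cmd, session.handle(cmd)) for cmd in commands]


# Constructed client transcript: a client that tries to authenticate before
# STARTTLS (and is refused), then does it properly after STARTTLS.
EXAMPLE_TRANSCRIPT = [
    "EHLO client.example.test",
    "AUTH PLAIN " + plain_credential("alice", "s3cret"),
    "STARTTLS",
    "EHLO client.example.test",
    "AUTH PLAIN " + plain_credential("alice", "s3cret"),
    "QUIT",
]

if __name__ == "__main__":
    for cmd, reply in run_transcript(EXAMPLE_TRANSCRIPT):
        print("C:", cmd)
        print("S:", reply)
```

Setting `require_tls_for_auth=False` reproduces the weak configuration: the same transcript then succeeds at the first AUTH, before any TLS, which is exactly the exchange the recommendation above is meant to rule out.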

          • 2. Re: Securing JBoss Mail Server and Sub App. Components
            gohip

            Damn, so it does seem like I have to go through all that... thanks for the insight!

            With regards to "don't recommend fronting Tomcat with Apache":

            What do you mean, Andrew?

            As I said, I am a little new, i.e. I am an MS IIS brat, but do you mean you just don't want to allow outside access to Tomcat from Apache through the public web (which I don't think I was planning on), or something different? I am not planning on having anyone administer JBoss MS from the web, if that's what you meant, but as stated, I am a little new and inadept at the whole Apache/Tomcat/Jakarta side, so don't mind the feedback!

            We technically do use all of those sub-component apps, don't we, in JBoss MS, or is it just Tomcat and Jakarta?



            • 3. Re: Securing JBoss Mail Server and Sub App. Components
              acoliver

              Meaning the only thing you need Tomcat for is administration or our new webmail. Regardless, Tomcat is secure "enough" and fast "enough" that you don't need "Apache" at all. Fronting with Apache is based largely on myth. However, if this isn't about JBCS or Tomcat as it applies to JBCS then we're leaving the scope of this forum and getting into boring things :-)

              • 4. Re: Securing JBoss Mail Server and Sub App. Components
                sappenin

                Here's a semi-decent discussion about the differences between the two (Apache/Tomcat).

                http://saloon.javaranch.com/cgi-bin/ubb/ultimatebb.cgi?ubb=get_topic&f=56&t=004273

                I only post this because it seems that Apache is necessary to front multiple instances of Tomcat (i.e., in a clustered situation), although, admittedly, that's in a pure Apache+Tomcat environment (no Jboss).

                I don't know enough about JBAS clustering, and how that would apply to clustering JBMS, but it seems like if we were running a cluster of JBMS servers, we could either purchase a hardware IP-based load balancer that round-robins requests to various Tomcat+JBoss JBMS servers (that all, incidentally, share the same clustered database), or use Apache as the load balancer with Tomcat+JBMS+clustered database.

                Does that cluster scenario sound right?

                David

                • 5. Re: Securing JBoss Mail Server and Sub App. Components
                  pilhuhn

                  You (nearly) never want to round-robin requests. Only do this for new sessions. If you don't know why, come to a cluster training (or invite me to give it to you :-)

                  • 6. Re: Securing JBoss Mail Server and Sub App. Components
                    acoliver

                    Hardware load balancing is good. Software load balancing is bad. Sticky sessions are good. Round-robin is bad.

                    -Andy
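Why the two replies above insist on sticky sessions, with round-robin only for new sessions, as an added example (Python) that is not code from this thread, from JBoss or from Tomcat: a toy balancer in front of nodes that keep session state locally (no replication). When the cookie is routed back to the node that created it, a session's hit counter climbs across requests; when every request is round-robined, each node sees a cookie it never issued and starts a fresh session, so the user is effectively logged out on every other request. The `<id>.<jvmRoute>` cookie suffix follows Tomcat's jvmRoute convention; the node names, the counter-as-session-state and the client simulation are assumptions made for the example.

```python
import itertools
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    """One Tomcat/JBoss instance. Session state lives only here (no replication)."""
    name: str                                    # doubles as the jvmRoute suffix
    healthy: bool = True
    sessions: Dict[str, int] = field(default_factory=dict)
    created: int = 0

    def handle(self, session_id: Optional[str]) -> Tuple[str, int]:
        """Serve one request: bump the session's hit counter, creating it if unknown."""
        if session_id is not None and session_id in self.sessions:
            self.sessions[session_id] += 1
            return session_id, self.sessions[session_id]
        # Unknown cookie (new client, or a session created on another node): start over.
        self.created += 1
        new_id = f"S{self.created}.{self.name}"   # Tomcat-style "<id>.<jvmRoute>"
        self.sessions[new_id] = 1
        return new_id, 1


class Balancer:
    """Round-robin for new sessions; existing sessions go back to their owner."""

    def __init__(self, nodes: List[Node], sticky: bool = True) -> None:
        self.nodes = {n.name: n for n in nodes}
        self.sticky = sticky
        self._rr = itertools.cycle(list(self.nodes))

    def _next_healthy(self) -> Node:
        for _ in range(len(self.nodes)):
            node = self.nodes[next(self._rr)]
            if node.healthy:
                return node
        raise RuntimeError("no healthy nodes")

    def route(self, session_id: Optional[str]) -> Node:
        if self.sticky and session_id and "." in session_id:
            owner = self.nodes.get(session_id.rsplit(".", 1)[1])
            if owner is not None and owner.healthy:
                return owner
            # Owner is gone: fail over via round-robin. The session state is lost
            # unless the cluster replicates it, which this toy does not.
        return self._next_healthy()


def simulate_client(balancer: Balancer, requests: int) -> List[int]:
    """One browser making `requests` calls, echoing back the last cookie it received."""
    cookie: Optional[str] = None
    hits: List[int] = []
    for _ in range(requests):
        cookie, count = balancer.route(cookie).handle(cookie)
        hits.append(count)
    return hits


if __name__ == "__main__":
    # Constructed two-node cluster, same client behaviour under both policies.
    print("sticky     :", simulate_client(Balancer([Node("node1"), Node("node2")], sticky=True), 4))
    print("round-robin:", simulate_client(Balancer([Node("node1"), Node("node2")], sticky=False), 4))
```

The failover branch is where session replication earns its keep: without it, a node going down still costs its users their sessions even with sticky routing, which is the state-sharing question the clustering reply above is really about.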

                    • 7. Re: Securing JBoss Mail Server and Sub App. Components
                      gohip

                      Thank you all much for the information, it was very beneficial!