1. Re: Securing JBoss JTA ports
jhalliday Apr 17, 2008 11:12 AM (in response to millerm1)
In no particular order, see these JIRA issues and the forum discussions linked from them:
http://jira.jboss.com/jira/browse/JBTM-253
http://jira.jboss.com/jira/browse/JBTM-324
http://jira.jboss.com/jira/browse/JBTM-348
Basically the JTA version of JBossTS uses the ports to talk to itself. You can safely firewall them (e.g. with iptables) from remote access; it only needs loopback on localhost.
2. Re: Securing JBoss JTA ports
millerm1 Apr 17, 2008 11:29 AM (in response to millerm1)
How can I configure iptables if the port numbers change every time it is started? Is there somewhere I can query the port numbers in order to configure iptables, or can I fix all of the ports to specific values? Alternatively, we are running a complete standalone app server with no remote operations, but we are using EJBs internally, so I could not just remove the transaction manager. Is there a simpler transaction manager I could use, since I do not need all of the recovery or remote capabilities?
Thanks for your assistance,
Mark
3. Re: Securing JBoss JTA ports
jhalliday Apr 18, 2008 8:24 AM (in response to millerm1)
> How can I configure iptables if the port numbers change every time it is started?
You are approaching the problem the wrong way around. As any sufficiently paranoid security administrator will tell you, you start by closing everything, then selectively open the minimum possible set of ports to make things work.
4. Re: Securing JBoss JTA ports
millerm1 Apr 18, 2008 4:09 PM (in response to millerm1)
You are right if this was for a server we are running, but we are bundling this into an appliance where the user can configure additional ports to be open, so if we closed all ports by default we would have to change the iptables each time the list of ports was configured, instead of just starting and stopping the listening on those ports. We also need to know the ports that might be opened by JBoss in order to not allow the user to configure those ports for their use.
5. Re: Securing JBoss JTA ports
jhalliday Apr 21, 2008 5:04 AM (in response to millerm1)
> we are bundling this into an appliance
Hmm, sounds to me like you need a support contract then :-)
https://www.redhat.com/apps/store/jboss/
6. Re: Securing JBoss JTA ports
milce.george Apr 9, 2012 7:44 PM (in response to jhalliday)
I know that it's an old thread, but I too am facing the exact same problem. When I start up our JBoss AS (version 4.2.3) there are three ports that are opened up in the 30000+ range.
The problem is that when the open ports are scanned on the machine, a lot of TCP CLOSE_WAITs are left behind on one of the JTA ports. Is there a way to fix these ports from random to a particular range so that I can create an exception for these ports or make them unavailable remotely?
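
Added example, not part of any post above and not JBoss code: one way to query which high ports are listening on a non-loopback address after startup and generate iptables rules that leave them reachable only over loopback, as the first reply suggests. The sample table is constructed, the 30000 threshold comes from the last post, and the parser assumes IPv4 entries in Linux `/proc/net/tcp` format on a little-endian host.

```python
"""Added example: find non-loopback TCP listeners and emit loopback-only rules."""
import socket
import struct

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 1001 1
   1: 00000000:7F2C 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 1002 1
   2: 0100007F:80E8 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 1003 1
   3: 00000000:8235 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 1004 1
   4: 0A00000A:8235 0B00000A:D431 08 00000000:00000000 00:00000000 00000000   500        0 1005 1
"""


def parse_listeners(text):
    """Return sorted (ip, port) pairs for sockets in LISTEN state (st == 0A)."""
    found = set()
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue  # e.g. 08 is CLOSE_WAIT, not a listener
        hex_ip, hex_port = fields[1].split(":")
        # The address is a host-order 32-bit value; little-endian assumed here.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        found.add((ip, int(hex_port, 16)))
    return sorted(found)


def exposed_ports(listeners, low=30000):
    """Ports at or above `low` that listen on a non-loopback address."""
    return sorted({p for ip, p in listeners
                   if p >= low and not ip.startswith("127.")})


def loopback_only_rules(ports):
    """iptables rules that drop traffic to `ports` unless it arrives on lo."""
    return [f"iptables -A INPUT -p tcp --dport {p} ! -i lo -j DROP"
            for p in ports]


if __name__ == "__main__":
    # On a live host, pass open("/proc/net/tcp").read() instead of SAMPLE.
    for rule in loopback_only_rules(exposed_ports(parse_listeners(SAMPLE))):
        print(rule)
```

Because the ports change on every start, the rules have to be regenerated after each start of the server. Listeners bound to IPv6 appear in `/proc/net/tcp6`, which this example does not read.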