3 Replies Latest reply on Dec 23, 2005 11:15 AM by anguyen

    Limit AJP to only select webservers

    dmazzella

      We have a Jboss/Tomcat server behind a firewall, with an Apache box in a DMZ.

      Our security group is concerned about an attacker gaining access to another box behind the firewall, and attaching directly to the ajp port from a compromised box.

      Is there a way to limit access to the ajp port to only a specific IP address? (AJP/8009 only responds to requests from IP X)

        • 1. Re: Limit AJP to only select webservers

          How about running a firewall on the JBoss/Tomcat server machine? That would be the most secure way to handle it, IMO.

          • 2. Re: Limit AJP to only select webservers
            dmazzella


            "anguyen" wrote:
            How about running a firewall on the JBoss/Tomcat server machine? That would be the most secure way to handle it, IMO.


            That is already in place, but security is still concerned about someone attempting to attach to ajp from within the firewall. (It is a government agency with fairly strict security)

            • 3. Re: Limit AJP to only select webservers

              It's not clear from your post whether the firewall you have in front of JBoss/Tomcat is a separate piece of hardware or is a software firewall running as part of the OS on the same machine.

              My suggestion was to use a software firewall that is part of the OS. There is no way to attach to AJP from "within" a software firewall. Any connections destined for JBoss/Tomcat must go through the OS's NIC driver and TCP/IP stack before getting to the socket in JBoss/Tomcat. The software firewall sits somewhere between the OS's NIC driver and the application's socket, checking each packet that comes into the machine.
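A concrete rule set for the host firewall discussed in this thread, written as an added example (it is not from any of the posters). It assumes Linux iptables on the JBoss/Tomcat box, an Apache box at 192.0.2.10 and an internal Tomcat interface at 10.0.0.5 (both addresses are placeholders). The rule generator is kept separate from applying it so the rules can be reviewed without root. A second function prints the matching Tomcat-side settings (bind the AJP connector to one interface and add a RemoteAddrValve) as defence in depth, so that a rule accidentally flushed on the host does not silently open AJP to every internal machine:

```sh
#!/bin/sh
# Added example: restrict AJP/8009 on the Tomcat host to the Apache DMZ box.
# All addresses below are assumed placeholders; replace them for your network.
set -eu

APACHE_IP="${APACHE_IP:-192.0.2.10}"    # assumed: Apache box in the DMZ
TOMCAT_IP="${TOMCAT_IP:-10.0.0.5}"      # assumed: internal interface of the JBoss/Tomcat box
AJP_PORT="${AJP_PORT:-8009}"

# Print the iptables commands for the host firewall. Every packet arriving on
# the NIC for tcp/8009 passes through the AJP chain, whether it came from the
# DMZ, from another internal host, or from a compromised box: only packets whose
# source address is the Apache box are accepted, the rest are logged and dropped.
ajp_rules() {
    printf '%s\n' \
      "iptables -N AJP" \
      "iptables -A INPUT -p tcp --dport $AJP_PORT -j AJP" \
      "iptables -A AJP -p tcp --dport $AJP_PORT -s $APACHE_IP -j ACCEPT" \
      "iptables -A AJP -j LOG --log-prefix \"AJP-REJECT \"" \
      "iptables -A AJP -j DROP"
}

# Apply the rules; run as root on the Tomcat host.
apply_ajp_rules() {
    ajp_rules | sh
}

# Tomcat-side belt and braces (fragment for server.xml):
#  - 'address' binds the AJP connector to the internal interface only, so it
#    never listens on an address reachable from a network it should not serve;
#  - RemoteAddrValve on the Engine rejects requests from any client address that
#    does not match the regex, for every connector under that Engine.
tomcat_snippet() {
    cat <<EOF
<Connector port="$AJP_PORT" protocol="AJP/1.3" address="$TOMCAT_IP" />
<Engine name="Catalina" defaultHost="localhost">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="$(printf '%s' "$APACHE_IP" | sed 's/\./\\./g')" />
</Engine>
EOF
}

# Quick check from another internal box after applying (assumed tool: nc):
#   nc -z -w 3 $TOMCAT_IP $AJP_PORT && echo "AJP still reachable" || echo "AJP blocked"
```

Run the check from both the Apache box (should connect) and an unrelated internal host (should time out), and look for the AJP-REJECT prefix in the kernel log to confirm that blocked attempts are visible to the security group.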