3 Replies Latest reply on Dec 23, 2005 11:15 AM by Andy Nguyen

    Limit AJP to only select webservers

    Dan Mazzella Newbie

      We have a Jboss/Tomcat server behind a firewall, with an Apache box in a DMZ.

      Our security group is concerned about an attacker gaining access to another box behind the firewall, and attaching directly to the ajp port from a comprimised box.

      Is there a way to limit access to the ajp port to only a specific IP address? (AJP/8009 only responds to requests from IP X)

        • 1. Re: Limit AJP to only select webservers
          Andy Nguyen Newbie

          How about running a firewall on the JBoss/Tomcat server machine? That would be the most secure way to handle it, IMO.

          • 2. Re: Limit AJP to only select webservers
            Dan Mazzella Newbie

             

            "anguyen" wrote:
            How about running a firewall on the JBoss/Tomcat server machine? That would be the most secure way to handle it, IMO.


            That is already in place, but security is still concerned about someone attempting to attach to ajp from within the firewall. (It is a government agency with fairly strict security)

            • 3. Re: Limit AJP to only select webservers
              Andy Nguyen Newbie

              It's not clear from your post whether the firewall you have in fron of JBoss/Tomcat is a separate piece of hardware or is a software firewall running as part of the OS on the same machine.

              My suggestion was to use a software firewall that is part of the OS. There is no way to attach to AJP from "within" a software firewall. Any connections destined for JBoss/Tomcat must go through the OS's NIC driver and TCP/IP stack before getting to the socket in JBoss/Tomcat. The software firewall sits somewhere between the OS's NIC driver and the application's socket, checking each packet that comes into the machine.