7 Replies Latest reply on May 8, 2006 12:24 PM by Jay Glass

    Securing JBoss Mail Server and Sub App. Components

    Jay Glass Novice

      Hey guys,

      Trying to lock down and secure JBoss Mail Server.

      On the Mail Server main page, it states there are only two steps to securing JBoss Mail Server, i.e.

      SecureTheJmxConsole
      http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole

      and

      HowToRunJBossMailServerWithoutSuperuserAccess
      http://wiki.jboss.org/wiki/Wiki.jsp?page=HowToRunJBossMailServerWithoutSuperuserAccess

      Is this really all that is involved?

      I noted, or it seems, JBoss Mail Server is also using these applications:
      Apache
      Tomcat
      Jakarta

      Should we not also focus on locking these down?

      I am creating a list of components, and links to examples of locking the subcomponents (i.e. Apache, Tomcat, and Jakarta) down.

      Does anyone have anything else to add, recommendations, or better links?



      Apache:
      Securing Apache
      http://www.securityfocus.com/infocus/1694
      http://www.faqs.org/docs/securing/chap29sec251.html

      Jakarta:
      http://tomcat.apache.org/tomcat-5.0-doc/realm-howto.html

      Tomcat:
      Sources:
      http://tomcat.apache.org/faq/security.html

      Use latest version
      http://tomcat.apache.org/whichversion.html
      Get rid of root user/admin for instance of Apache
      http://marc.theaimsgroup.com/?t=104516038700003&r=1&w=2
      Force pages to use SSL:
      http://marc.theaimsgroup.com/?t=104516038700003&r=1&w=2
      How do I restrict access by IP address or remote host?
      By using the RemoteHostValve or RemoteAddrValve. Warning, these valves rely on accurate incoming IP addresses or hostnames. So they can fall victim to spoofing! Valve Reference Link
      How do I use jsvc/procrun to run Tomcat on port 80 securely?
      Fairly easily. See the Setup page in the docs for your Tomcat release, and read this mailing list post http://marc.theaimsgroup.com/?l=tomcat-user&m=108566020231438&w=2 for a complete setup example with permissions etc.
      http://www.junlu.com/msg/149308.html


      JBoss AS:
      http://sourceforge.net/docman/display_doc.php?docid=20143&group_id=22866
      SecureJBoss
      http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss
      SecureTheJmxConsole
      http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole

      JBoss MailServer:
      HowToRunJBossMailServerWithoutSuperuserAccess
      http://wiki.jboss.org/wiki/Wiki.jsp?page=HowToRunJBossMailServerWithoutSuperuserAccess