
    Patching up JBoss's remote console

    Posted on 2009-04-10 16:30 ZhouFeng  Views (1555)  Comments (0)  Categories: Reposts, Web servers
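    When I got to work this afternoon, I found that the server could not be reached, and there had been no power outage. I typed my password to unlock the X Window session and found that JBoss had indeed been shut down, at 13:23; I noticed it at 15:33.
    This had never happened before. I checked the server access log: someone had shut the server down remotely through jmx-console. I had never even used this feature myself, and someone else got to use it first!
    I knew that in a default JBoss installation jmx-console/web-console can be accessed without a password, but I had always assumed the feature could only be used from localhost, so it never occurred to me that there could be a security problem. I thought that with JBoss being so professional and so mature, a small matter like this needed no attention from me. I was wrong!
    After restarting the server I reproduced it myself, and sure enough, in less than a minute I found the page jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=Server, which has a "shutdown" entry; I chose invoke on its right, and sure enough the server shut down.
    According to the log analysis, a friend with the IP address 218.79.105.121 had visited this site on June 20; a little after 10 this morning he read one of my articles about JBoss via Baidu, then visited and experimented with this site's completely open jmx-console, and after three hours of experimenting finally found the way to shut the server down remotely.
    So, from his home in Xuhui, Shanghai (ADSL, so presumably his home), he remotely shut down the server in my own office in the suburbs of Beijing.
    Having overlooked such a big hole is truly embarrassing. Time to catch up on the homework.
    SecureTheJmxConsole is the procedure given in the official JBoss documentation and should work, but there is no need to go to that much trouble.
    It is enough to go into WEB-INF of the two packages jmx-console.war and web-console.war and edit jboss-web.xml and web.xml. After uncommenting the relevant parts, I only replaced the JAAS domain with the one I use, zhuoda.org, and the security role with the one I use, zduAdmin, and that was all; there is no need to bother with the two files user.properties and roles-properties.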

    Reposted from: http://www.zhuoda.org/hofman/21129.html
    The content below comes from the SecureTheJmxConsole link

    Securing the JMX Console and Web Console

    Both the jmx-console and web-console are standard servlet 2.3 deployments and can be secured using J2EE role based security. Both also have a skeleton setup to allow one to easily enable security using username/password/role mappings found in the jmx-console.war and web-console.war deployments in the corresponding WEB-INF/classes users.properties and roles.properties files.

    The security setup is based on two pieces, the standard WEB-INF/web.xml servlet URI to role specification, and the WEB-INF/jboss-web.xml specification of the JAAS configuration which defines how authentication and role mapping is performed.

    To secure the JMX Console using a username/password file -

    • Locate the jmx-console.war directory.  This will normally be in server/default/deploy in your JBOSS_HOME directory.

    • edit WEB-INF/web.xml and uncomment the security-constraint block

    • edit WEB-INF/classes/jmx-console-users.properties or server/default/conf/props/jmx-console-users.properties (version >=4.0.2) and WEB-INF/classes/jmx-console-roles.properties or server/default/conf/props/jmx-console-roles.properties (version >=4.0.2) and change the users and passwords to what you desire.  They will need the JBossAdmin role specified in the web.xml file to run the JMX Console.

    • edit WEB-INF/jboss-web.xml and uncomment the security-domain block. The security-domain value of jmx-console maps to an entry declared in the login-config.xml JAAS configuration file, which defines how authentication and authorization is done.

    To secure the JMX Console using your own JAAS domain -

    • edit WEB-INF/web.xml as above, uncommenting the security-constraint block.  Change the role-name value to be the role in your domain that can access the console

    • edit WEB-INF/jboss-web.xml as above, setting the security domain to be the name of your security domain.  For example, if your login-config.xml has an application-policy whose name is MyDomain then your JAAS domain is java:/jaas/MyDomain

    • after making all the changes, redeploy the application.  The application can be redeployed by touching the web.xml file or by restarting the server

    The process to secure the web console is similar.  In the deploy directory, locate management/web-console.war and make the same changes as above to WEB-INF/web.xml, WEB-INF/jboss-web.xml and the users/groups properties file.  The default JAAS domain used by the web-console is java:/jaas/web-console and is defined in login-config.xml in the conf directory.  You can use a custom JAAS domain or customize the existing domain in the same way as with the JMX console. Typically you would just use the same domain (java:/jaas/jmx-console) as the jmx-console so that you have a single user/role mapping to configure.

    If you find as I did with 3.2.5 that I couldn't log in, another users.properties is most likely being picked up. Change the web-console login-config.xml entry so that the properties files are uniquely named to avoid ambiguity with which resource is picked up. You also would need to rename the web-console properties files. (see http://www.jboss.org/index.html?module=bb&op=viewtopic&t=53346 )

    As an extra level of security you may also want to LimitAccessToCertainClients in a particular IP address range.



    Update for 4.0.2

    The jmx-console-roles.properties and jmx-console-users.properties files have been moved to server/default/conf/props. This is because of the change to use the servlet 2.3 class loading model and these properties files would not be visible to the other deployments using the jmx-console security domain. You can move the files from conf/props to WEB-INF/classes, or leave them in place and edit the password for admin.

    Similarly for the web console, please note that the web console is unpacked already in the default server configuration as deploy/management/console-mgr.sar/web-console.war. Proceed to edit the WEB-INF/web.xml and jboss-web.xml files as per securing the JMX console, and either edit the WEB-INF/classes/web-console-roles.properties and web-console-users.properties, or move those files to server/default/conf/props and edit them there.

    For the impatient

    vi $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml

    uncomment the security-constraint block

    and add a <login-config> block after the end of the <security-constraint> block:

       <login-config> <auth-method>BASIC</auth-method> <realm-name>JMXConsole</realm-name> </login-config>

    vi $JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml

    Uncomment the security-domain block. Make sure the JNDI name maps to the realm name (i.e. JMXConsole)

    vi $JBOSS_HOME/server/default/conf/props/jmx-console-users.properties

    change the password for admin

    vi $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml

    uncomment the security-constraint block

    and add a <login-config> block after the end of the <security-constraint> block:

       <login-config> <auth-method>BASIC</auth-method> <realm-name>JMXConsole</realm-name> </login-config>

    vi $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml

    Uncomment the security-domain block. Make sure the JNDI name maps to the realm name (e.g. JMXConsole)

    vi $JBOSS_HOME/server/default/conf/login-config.xml

    Change the path to the web-console-users.properties and the web-console-roles.properties as follows (add props/ to the front of the path)

                 <module-option name="usersProperties">props/web-console-users.properties</module-option>

                 <module-option name="rolesProperties">props/web-console-roles.properties</module-option>

    cp $JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-*.properties $JBOSS_HOME/server/default/conf/props

    edit as needed

    cp $JBOSS_HOME/server/default/conf/props/jmx-console-roles.properties $JBOSS_HOME/server/default/conf/props/web-console-roles.properties

    edit as needed

    edit $JBOSS_HOME/server/default/conf/login-config.xml, find the jmx-console and web-console application-policy, and set the name to jmx-console and web-console, respectively. That is, make sure that the application policy name maps to the realm name (i.e. JMXConsole)

    restart jboss
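
The state these steps should leave behind can be checked mechanically. The following is an added example, not part of the original page or the JBoss documentation: a Python audit that parses a console WAR's web.xml and jboss-web.xml and reports whether the security-constraint, login-config and security-domain are active, and whether the CONFIDENTIAL transport guarantee from the SSL section of this page is present. The function name audit_console and the sample descriptors are constructed for illustration; it also flags http-method elements, because a constraint that lists methods applies only to those methods.

```python
import xml.etree.ElementTree as ET

def _find(root, name):
    # Compare local names so namespaced descriptors also match.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _texts(root, name):
    return [(e.text or "").strip() for e in _find(root, name)]

def audit_console(web_xml, jboss_web_xml):
    """Return findings for one console WAR; an empty list means every check passed."""
    web, jweb = ET.fromstring(web_xml), ET.fromstring(jboss_web_xml)
    findings = []
    # The parser discards XML comments, so a still-commented block is simply absent.
    constraints = _find(web, "security-constraint")
    if not constraints:
        findings.append("web.xml: security-constraint missing or commented out")
    for c in constraints:
        if "/*" not in _texts(c, "url-pattern"):
            findings.append("web.xml: constraint does not cover /*")
        if not any(_texts(c, "role-name")):
            findings.append("web.xml: constraint names no role")
        if _texts(c, "http-method"):
            findings.append("web.xml: constraint limited to listed http-method values")
        if "CONFIDENTIAL" not in _texts(c, "transport-guarantee"):
            findings.append("web.xml: no CONFIDENTIAL transport-guarantee")
    if not any(_texts(web, "auth-method")):
        findings.append("web.xml: no login-config auth-method")
    if not any(_texts(jweb, "security-domain")):
        findings.append("jboss-web.xml: security-domain missing or commented out")
    return findings

# Constructed sample descriptors, trimmed to the elements the checks read.
DEFAULT_WEB = """<web-app><!-- <security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
</security-constraint> --></web-app>"""
DEFAULT_JBOSS_WEB = "<jboss-web><!-- <security-domain>java:/jaas/jmx-console</security-domain> --></jboss-web>"
SECURED_WEB = """<web-app><security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint>
<login-config><auth-method>BASIC</auth-method><realm-name>JMXConsole</realm-name></login-config></web-app>"""
SECURED_JBOSS_WEB = "<jboss-web><security-domain>java:/jaas/jmx-console</security-domain></jboss-web>"

if __name__ == "__main__":
    print("default:", audit_console(DEFAULT_WEB, DEFAULT_JBOSS_WEB))
    print("secured:", audit_console(SECURED_WEB, SECURED_JBOSS_WEB))
```

To audit an installation, read web.xml and jboss-web.xml from the WEB-INF directory of jmx-console.war and of web-console.war and pass their contents to audit_console.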


    Additionally, to secure jmx-console and web-console authentication via SSL

    • you must perform the above steps to enable HTTP authentication ...

       the following steps below will redirect jboss admin pages to https://localhost:8443

    • edit both web.xml files to include the following just before the closing security-constraint tag

       <security-constraint>
         ...
         <user-data-constraint>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
       </security-constraint>

    • generate /data01/jboss/server/xxxx/conf/keystore and select your own new secure password

    (@see creating SSL keystore using the java keytool - http://www.informit.com/articles/article.asp?p=407886)

    or quick setup and verify via

    $ keytool -genkey -keystore /data01/jboss/server/xxx/conf/keystore -alias jbossAdmin
    $ keytool -list -keystore /data01/jboss/server/xxx/conf/keystore

    $ vi /data01/jboss/server/xxx/deploy/jbossweb-tomcat50.sar/server.xml

    • secure file permission via chmod 600 server.xml

    • uncomment section "SSL/TLS Connector" to enable Connector port="8443"

    • replace keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"

      with    keystoreFile="${jboss.server.home.dir}/conf/keystore"

    • replace keystorePass="rmi+ssl" sslProtocol = "TLS" />

      with    keystorePass="

