Thursday, 1 November 2018

Securing Glassfish

In my previous blog post I mentioned securing Glassfish.

Here are the steps I took. I plan to add more steps if I find any.

Change the default passwords

A no-brainer, I think.

Do not run glassfish as root

I already did that, but I mention it here anyway. If you need it to listen on port 80, there are plenty of ways to do that without running glassfish as root.

Make sure the user running glassfish has /sbin/nologin as its login shell

So nobody can get shell access, unless you use another account [1].

It also means that if we need to access the account ourselves, we can run:

sudo -u glassfish /bin/bash
Turn off admin console access from outside the server

Go to Configuration -> server-config -> Network Config -> Network Listeners -> admin-listener.

Under the General tab, in the Address: field, replace 0.0.0.0 with 127.0.0.1.

Restart the server.

You can then access the admin console through an ssh tunnel [6]:

[user@localhost ~]$ ssh user@mysite.com -L 4848:localhost:4848 -N

The first 4848 is the port on your home PC; the second 4848 is the remote port. Then point your browser at localhost:4848.

Make sure only the essentials are accessible from outside the server

An application server has a very high number of open ports, and many of them are only needed for local access. You can verify this with the following command:

[root ~]# netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:7676            0.0.0.0:*               LISTEN      1002       8518781    14140/java
tcp        0      0 0.0.0.0:42853           0.0.0.0:*               LISTEN      1002       9560152    14140/java
tcp        0      0 0.0.0.0:44425           0.0.0.0:*               LISTEN      1002       9560153    14140/java
tcp        0      0 0.0.0.0:45613           0.0.0.0:*               LISTEN      1002       9560151    14140/java
tcp        0      0 0.0.0.0:8686            0.0.0.0:*               LISTEN      1002       8518047    14140/java
tcp        0      0 0.0.0.0:4848            0.0.0.0:*               LISTEN      1002       8517513    14140/java
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1002       8516146    14140/java
tcp        0      0 0.0.0.0:3700            0.0.0.0:*               LISTEN      1002       8516151    14140/java
tcp        0      0 0.0.0.0:8181            0.0.0.0:*               LISTEN      1002       8516148    14140/java
tcp        0      0 0.0.0.0:41593           0.0.0.0:*               LISTEN      1002       8517967    14140/java
port    type                            comments
7676    Message Queue Port
42853
44425
45613
8686    Pure JMX Clients Port
4848    the administration console      set it to localhost, and connect using an ssh tunnel
8080    the normal http listener        this should be accessible from outside the server
3700    IIOP Port ("ORB listener 1")
8181    the normal https listener       this should be accessible from outside the server
41593

This can be done by changing the IP address in the configuration of the glassfish server from 0.0.0.0 to 127.0.0.1.

But it can also be done by adding firewall rules that disallow incoming traffic to ports you have not approved.

However, why not do both?
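As an added example that is not part of the original post: a small POSIX shell audit that reads a netstat -tulpen listing and reports every TCP listener bound to 0.0.0.0 (all interfaces) whose port is not on an allowlist of ports meant to be reachable from outside, here 8080 and 8181 as in the table above. The sample listing is constructed to mirror the one above, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): flag listeners exposed on all
# interfaces that are not on the approved list. On a live server run:
#   netstat -tulpen | flag_exposed_ports "8080 8181"

# Ports allowed to be reachable from outside the server (assumption: only http/https).
ALLOWED_PORTS="8080 8181"

# Reads a netstat listing on stdin; prints "port program" for every TCP
# listener bound to 0.0.0.0 whose port is not in $1 (space-separated allowlist).
flag_exposed_ports() {
    allowed=" $1 "
    awk -v allowed="$allowed" '
        $1 == "tcp" && $6 == "LISTEN" && $4 ~ /^0\.0\.0\.0:/ {
            split($4, a, ":"); port = a[2]
            if (index(allowed, " " port " ") == 0) print port, $NF
        }'
}

# Constructed sample: 4848 already moved to localhost, 7676 still wide open.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:7676            0.0.0.0:*               LISTEN      1002       8518781    14140/java
tcp        0      0 127.0.0.1:4848          0.0.0.0:*               LISTEN      1002       8517513    14140/java
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1002       8516146    14140/java
tcp        0      0 0.0.0.0:8181            0.0.0.0:*               LISTEN      1002       8516148    14140/java
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          12345      999/dhclient'

# Number of exposed, unapproved listeners in the sample (1: port 7676).
exposed_count() {
    printf '%s\n' "$SAMPLE" | flag_exposed_ports "$ALLOWED_PORTS" | wc -l | tr -d ' '
}

# Usage: print the offenders, fail the check if there are any.
printf '%s\n' "$SAMPLE" | flag_exposed_ports "$ALLOWED_PORTS"
[ "$(exposed_count)" = "0" ] || echo "exposed listeners found"
```

Once a port is bound to 127.0.0.1 (or blocked by the firewall) it drops out of the report, so re-running the check after each configuration change confirms the step took effect.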

Turn off autodeployment [2]

asadmin set server.admin-service.das-config.autodeploy-enabled=false

dynamic-reload-enabled [2] is another useful one to turn on and off in this manner:

asadmin set server.admin-service.das-config.dynamic-reload-enabled=false

Hide your identity

Glassfish response headers contain information about what server you are running, what version, what frameworks, etc. You can turn this off by following the instructions in reference [3], which has some other excellent advice as well.

Make sure any database access used by glassfish is as restricted as possible

Usually it is enough to create a database user that only has access to one specific database [4][5].

Add a second admin user account for accessing the glassfish admin console

Just in case of problems.

Make sure the files of the user running glassfish have permissions as restricted as possible

There is no reason for "other" and "group" to have any access.

References

[1] StackExchange - Unix&Linux - Does /usr/sbin/nologin as a login shell serve a security purpose?
https://unix.stackexchange.com/questions/155139/does-usr-sbin-nologin-as-a-login-shell-serve-a-security-purpose
[2] GlassFish Server Open Source Edition - Application Deployment Guide - Release 5.0
https://javaee.github.io/glassfish/doc/5.0/application-deployment-guide.pdf
[3] Securing your GlassFish. Hardening Guide
http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html
[4] How to create a user in MySQL/MariaDB and grant permissions on a specific database
http://www.daniloaz.com/en/how-to-create-a-user-in-mysql-mariadb-and-grant-permissions-on-a-specific-database/
[5] MariaDB - SET PASSWORD
https://mariadb.com/kb/en/library/set-password/
[6] Frank Wiles - Quick-Tip: SSH Tunneling Made Easy
https://www.revsys.com/writings/quicktips/ssh-tunnel.html
Fine Tuning Payara Server in Production
https://blog.payara.fish/fine-tuning-payara-server-in-production
Bug 1530511 - rocksdb appears under "show databases"
https://bugzilla.redhat.com/show_bug.cgi?id=1530511
