Very nice summary, we should create documentation for this.

regards, Achim
2013/2/14 Caspar MacRae <[email protected]>
>
> Grep the config for the ports returned by lsof:
>
> egrep '(5005|42862|36495|1099|44444|8181|1527|8101|61616)' ${KARAF_HOME}/etc
> ./activemq.xml: <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
> ./jetty.xml: <Property name="jetty.port" default="8181"/>
> ./org.apache.activemq.webconsole.cfg:webconsole.jms.url=tcp://0.0.0.0:61616
> ./org.apache.karaf.management.cfg:rmiRegistryPort = 9901
> ./org.apache.karaf.management.cfg:rmiServerPort = 44444
> ./org.apache.karaf.shell.cfg:sshPort=8101
>
> Or with Karaf shell, try: config:list | grep -i port
>
> Some common defaults:
> 5005 Karaf debug port
> 44444 and 1099 RMI server and registry
> 8181 default for PaxWeb
> 8101 SSH (shown as ldoms-migr in your listing)
> 61616 ActiveMQ
> 1527 Derby DB
>
> ${KARAF_HOME}/data/port contains a port number used to trigger shutdown by
> service scripts. In your lsof it looks like the shutdown port is on 59113
> (that's why it's only open on localhost).
>
> You can always try: telnet localhost PORTNUM to see if the other side
> displays any protocol info (enter, ^D or ^C to exit).
>
> To make things more secure without disabling services etc, set the host to
> localhost / 127.0.0.1 in various config files to ensure the ports are not
> exposed to the network: grep -i host ${KARAF_HOME}/etc
>
> cheers,
> Caspar
>
> On 14 February 2013 07:00, Christian Schneider <[email protected]> wrote:
>
>> When looking at the security please be aware that the ssh port allows
>> access with a default private key that is publicly available.
>> So make sure you remove the line karaf=... in etc/keys.properties and you
>> should also change the password of the karaf user in user.properties.
>>
>> Christian
>>
>> On 12.02.2013 10:44, Graham Leggett wrote:
>>
>>> Hi all,
>>>
>>> I am currently trying to security harden the default version of karaf.
>>> When the default latest version of v2.3.0 is started up with a default
>>> configuration, it binds to and listens on the following ports:
>>>
>>> [minfrin@localhost bin]$ lsof -p 11151 | grep LISTEN
>>> java 11151 minfrin 15u IPv6 357257 0t0 TCP *:59514 (LISTEN)
>>> java 11151 minfrin 68u IPv6 357493 0t0 TCP localhost:59113 (LISTEN)
>>> java 11151 minfrin 87u IPv6 357859 0t0 TCP *:rmiregistry (LISTEN)
>>> java 11151 minfrin 88u IPv6 357860 0t0 TCP *:44444 (LISTEN)
>>> java 11151 minfrin 99u IPv6 358277 0t0 TCP *:ldoms-migr (LISTEN)
>>>
>>> Can anyone confirm what services these ports are exposing, and how they
>>> can be controlled, secured, or switched off?
>>>
>>> Regards,
>>> Graham
>>> --
>>>
>>
>> --
>> Christian Schneider
>> http://www.liquid-reality.de
>>
>> Open Source Architect
>> Talend Application Integration Division http://www.talend.com
>>
>

--
Apache Karaf <http://karaf.apache.org/> Committer & PMC
OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer & Project Lead
OPS4J Pax for Vaadin <http://team.ops4j.org/wiki/display/PAXVAADIN/Home> Committer & Project Lead
blog <http://notizblog.nierbeck.de/>
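An added example, not code from this thread or from the Karaf project, that turns Caspar's grep and Christian's keys.properties advice into a repeatable check: it builds a constructed etc/ tree, reports every 0.0.0.0 bind and an active karaf= key entry, then applies the localhost rebind and comments the key out. The host key names (rmiRegistryHost, rmiServerHost, sshHost) are assumed to match Karaf 2.3, and the key material is a placeholder.

```shell
#!/bin/sh
# Added example for this thread, not Karaf project code: audit a Karaf etc/
# directory for listeners bound to all interfaces and for the shipped default
# SSH key, then apply the localhost / remove-key fixes the replies recommend.
# Assumed: host keys rmiRegistryHost, rmiServerHost, sshHost as in Karaf 2.3;
# the key material and port values below are constructed samples.
# Build a constructed etc/ tree mirroring the files named in the thread.
make_sample_etc() {
  d=$(mktemp -d)
  printf 'rmiRegistryPort = 1099\nrmiRegistryHost = 0.0.0.0\n' > "$d/org.apache.karaf.management.cfg"
  printf 'rmiServerPort = 44444\nrmiServerHost = 0.0.0.0\n' >> "$d/org.apache.karaf.management.cfg"
  printf 'sshPort=8101\nsshHost=127.0.0.1\n' > "$d/org.apache.karaf.shell.cfg"
  printf '<transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>\n' > "$d/activemq.xml"
  printf 'karaf=PLACEHOLDER_PUBLIC_KEY,_g_:admingroup\n' > "$d/keys.properties"
  echo "$d"
}

# Which etc/ file sets a given port (Caspar's egrep, one port at a time).
find_port_owner() {
  grep -l -- "$2" "$1"/* | sed 's#.*/##'
}

# One line per finding: an uncommented 0.0.0.0 bind in any file, or an
# active karaf= entry in keys.properties (the publicly known default key).
audit_karaf_etc() {
  for f in "$1"/*; do
    while IFS= read -r line; do
      case $line in
        \#*) ;;
        *0.0.0.0*) echo "EXPOSED ${f##*/}: $line" ;;
      esac
    done < "$f"
  done
  if grep -Eq '^[[:space:]]*karaf[[:space:]]*=' "$1/keys.properties" 2>/dev/null; then
    echo "DEFAULT-KEY keys.properties: karaf= entry still active"
  fi
}

# Rebind every 0.0.0.0 to 127.0.0.1 and comment out the default key entry.
harden_karaf_etc() {
  for f in "$1"/*; do
    sed -e 's/0\.0\.0\.0/127.0.0.1/g' \
        -e 's/^\([[:space:]]*karaf[[:space:]]*=\)/#\1/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
}

etc=$(make_sample_etc)
echo "port 44444 is set in: $(find_port_owner "$etc" 44444)"
audit_karaf_etc "$etc"
harden_karaf_etc "$etc"
echo "findings after hardening: $(audit_karaf_etc "$etc" | wc -l | tr -d ' ')"
```

Point the functions at a real ${KARAF_HOME}/etc instead of the sample tree to audit an installation; the sshHost line shows what a correctly restricted entry looks like and is not flagged.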
