Filed a new issue for that :) https://issues.apache.org/jira/browse/KARAF-2187
2013/2/14 Achim Nierbeck <[email protected]>
> Very nice summary,
> we should create a documentation for this.
>
> regards, Achim
>
>
> 2013/2/14 Caspar MacRae <[email protected]>
>
>> Grep the config for the ports returned by lsof:
>>
>> egrep '(5005|42862|36495|1099|44444|8181|1527|8101|61616)' ${KARAF_HOME}/etc
>> ./activemq.xml: <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
>> ./jetty.xml: <Property name="jetty.port" default="8181"/>
>> ./org.apache.activemq.webconsole.cfg:webconsole.jms.url=tcp://0.0.0.0:61616
>> ./org.apache.karaf.management.cfg:rmiRegistryPort = 9901
>> ./org.apache.karaf.management.cfg:rmiServerPort = 44444
>> ./org.apache.karaf.shell.cfg:sshPort=8101
>>
>> Or with Karaf shell, try: config:list | grep -i port
>>
>>
>> Some common defaults:
>> 5005 Karaf debug port
>> 44444 and 1099 RMI server and registry
>> 8181 default for PaxWeb
>> 8101 SSH (shown as ldoms-migr in your listing)
>> 61616 ActiveMq
>> 1527 Derby dB
>>
>>
>> ${KARAF_HOME}/data/port contains a port number used to trigger shutdown
>> by service scripts. In your lsof it looks like the shutdown port is on
>> 59113 (that's why it's only open on localhost).
>>
>> You can always try: telnet localhost PORTNUM to see if the other side
>> displays any protocol info (enter, ^D or ^C to exit).
>>
>>
>> To make things more secure without disabling services etc, set the host
>> to localhost / 127.0.0.1 in various config files to ensure the ports are
>> not exposed to the network: grep -i host ${KARAF_HOME}/etc
>>
>>
>> cheers,
>> Caspar
>>
>>
>> On 14 February 2013 07:00, Christian Schneider <[email protected]> wrote:
>>
>>> When looking at the security please be aware that the ssh port allows
>>> access with a default private key that is publicly available.
>>> So make sure you remove the line karaf=... in etc/keys.properties and
>>> you should also change the password of the karaf user in user.properties.
>>>
>>> Christian
>>>
>>> On 12.02.2013 10:44, Graham Leggett wrote:
>>>
>>>> Hi all,
>>>>
>>>> I am currently trying to security harden the default version of karaf.
>>>> When the default latest version of v2.3.0 is started up with a default
>>>> configuration, it binds to and listens on the following ports:
>>>>
>>>> [minfrin@localhost bin]$ lsof -p 11151 | grep LISTEN
>>>> java 11151 minfrin 15u IPv6 357257 0t0 TCP *:59514 (LISTEN)
>>>> java 11151 minfrin 68u IPv6 357493 0t0 TCP localhost:59113 (LISTEN)
>>>> java 11151 minfrin 87u IPv6 357859 0t0 TCP *:rmiregistry (LISTEN)
>>>> java 11151 minfrin 88u IPv6 357860 0t0 TCP *:44444 (LISTEN)
>>>> java 11151 minfrin 99u IPv6 358277 0t0 TCP *:ldoms-migr (LISTEN)
>>>>
>>>> Can anyone confirm what services these ports are exposing, and how they
>>>> can be controlled, secured, or switched off?
>>>>
>>>> Regards,
>>>> Graham
>>>> --
>>>>
>>>>
>>> --
>>> Christian Schneider
>>> http://www.liquid-reality.de
>>>
>>> Open Source Architect
>>> Talend Application Integration Division http://www.talend.com
>>>
>>>
>>
>
>
> --
>
> Apache Karaf <http://karaf.apache.org/> Committer & PMC
> OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer & Project Lead
> OPS4J Pax for Vaadin <http://team.ops4j.org/wiki/display/PAXVAADIN/Home> Committer & Project Lead
> blog <http://notizblog.nierbeck.de/>
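The checks Caspar and Christian describe above, put together as one audit script. This is an added example, not code from any poster or from the Karaf project; it runs against a constructed sample etc/ directory, and it assumes sshHost, rmiRegistryHost and rmiServerHost are the host settings of the shell and management cfg files.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a Karaf etc/ directory for
# the exposures discussed above (listeners bound to 0.0.0.0, the shipped
# default SSH key in keys.properties, the default karaf password) and then
# bind the listeners to loopback. sshHost, rmiRegistryHost and rmiServerHost
# are assumed to be the host settings of the shell and management cfg files.

# Constructed sample etc/ mirroring the defaults seen in the thread.
make_sample_etc() {
  dir=$(mktemp -d)
  printf 'sshPort=8101\nsshHost=0.0.0.0\n' > "$dir/org.apache.karaf.shell.cfg"
  printf 'rmiRegistryPort = 1099\nrmiServerPort = 44444\nrmiRegistryHost = 0.0.0.0\nrmiServerHost = 0.0.0.0\n' \
    > "$dir/org.apache.karaf.management.cfg"
  # PLACEHOLDER stands in for the well-known public key Karaf ships with.
  printf 'karaf=PLACEHOLDER_DEFAULT_KEY,_g_:admingroup\n' > "$dir/keys.properties"
  printf 'karaf = karaf,admin,manager,viewer\n' > "$dir/users.properties"
  echo "$dir"
}

# Same idea as the thread's "grep -i port": every port setting under etc/.
list_ports() { grep -i 'port' "$1"/*.cfg; }

# Print one FINDING line per exposure.
audit_karaf_etc() {
  # Any *Host key set to 0.0.0.0 exposes that service to the whole network.
  cat "$1"/*.cfg | grep -iE '^[a-z]*host *= *0\.0\.0\.0' | tr -d ' ' |
    while read -r line; do echo "FINDING listener bound to all interfaces: $line"; done
  # An uncommented karaf= line means the publicly known default key still logs in.
  if grep -q '^karaf=' "$1/keys.properties" 2>/dev/null; then
    echo "FINDING default SSH key still enabled in keys.properties"
  fi
  # Default credential karaf/karaf in users.properties.
  if grep -qE '^karaf *= *karaf(,|$)' "$1/users.properties" 2>/dev/null; then
    echo "FINDING default karaf password in users.properties"
  fi
}

# Number of findings; "|| true" keeps grep -c's exit 1 on zero matches harmless.
finding_count() { audit_karaf_etc "$1" | grep -c '^FINDING' || true; }

# Rewrite 0.0.0.0 host bindings to 127.0.0.1 and comment out the default key.
bind_to_localhost() {
  for f in "$1"/*.cfg; do
    sed -E 's/^([A-Za-z]*[Hh]ost *= *)0\.0\.0\.0/\1127.0.0.1/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
  sed 's/^karaf=/#karaf=/' "$1/keys.properties" > "$1/keys.tmp" && mv "$1/keys.tmp" "$1/keys.properties"
}

# Demo on the constructed sample; point at "$KARAF_HOME/etc" for a real install.
demo=$(make_sample_etc); audit_karaf_etc "$demo"; bind_to_localhost "$demo"; audit_karaf_etc "$demo"; rm -rf "$demo"
```

The password finding is reported but not fixed, since a new password for the karaf user has to be chosen by the operator.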
