I don't think that ActiveMQ or Derby makes sense in Karaf: it's not
provided out of the box. As we cannot "control" all features, routes,
etc deployed in Karaf, we should document the port number/security
points for a Karaf "from scratch/out of the box".
My $0.02
Regards
JB
On 02/14/2013 12:40 PM, Achim Nierbeck wrote:
Very nice summary,
we should create a documentation for this.
regards, Achim
2013/2/14 Caspar MacRae <[email protected]>
Grep the config for the ports returned by lsof:
egrep -r '(5005|42862|36495|1099|44444|8181|1527|8101|61616)' ${KARAF_HOME}/etc
./activemq.xml: <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
./jetty.xml: <Property name="jetty.port" default="8181"/>
./org.apache.activemq.webconsole.cfg:webconsole.jms.url=tcp://0.0.0.0:61616
./org.apache.karaf.management.cfg:rmiRegistryPort = 9901
./org.apache.karaf.management.cfg:rmiServerPort = 44444
./org.apache.karaf.shell.cfg:sshPort=8101
Or with Karaf shell, try: config:list | grep -i port
Some common defaults:
5005 Karaf debug port
44444 and 1099 RMI server and registry
8181 default for PaxWeb
8101 SSH (shown as ldoms-migr in your listing)
61616 ActiveMQ
1527 Derby DB
${KARAF_HOME}/data/port contains a port number used to trigger
shutdown by service scripts. In your lsof it looks like the
shutdown port is on 59113 (that's why it's only open on localhost).
You can always try: telnet localhost PORTNUM to see if the other
side displays any protocol info (enter, ^D or ^C to exit).
To make things more secure without disabling services etc, set the
host to localhost / 127.0.0.1 in various config files to ensure the
ports are not exposed to the network: grep -i host ${KARAF_HOME}/etc
cheers,
Caspar
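As an added illustration of the port-classification step in Caspar's reply (an example script written for this thread, not code from the Karaf project or from any poster): it takes an `lsof -p PID | grep LISTEN` listing, constructed here to mirror Graham's, maps each port or lsof service name to the Karaf component from the "common defaults" list above, marks a socket as network-exposed when its bind address is a wildcard, and, given the number read from ${KARAF_HOME}/data/port, labels the shutdown port. The sample listing, the role descriptions and the port-to-role table are assumptions built from the thread, not from a live install.

```sh
#!/bin/sh
# Classify the LISTEN sockets of a Karaf JVM (the output of `lsof -p PID | grep LISTEN`)
# against the default port list given in the thread, and flag every socket
# bound to all interfaces ("*") rather than to localhost.
# SAMPLE_LSOF is constructed to mirror the listing in the thread; the second,
# optional argument of the functions is the number read from ${KARAF_HOME}/data/port.

SAMPLE_LSOF='java 11151 minfrin 15u IPv6 357257 0t0 TCP *:59514 (LISTEN)
java 11151 minfrin 68u IPv6 357493 0t0 TCP localhost:59113 (LISTEN)
java 11151 minfrin 87u IPv6 357859 0t0 TCP *:rmiregistry (LISTEN)
java 11151 minfrin 88u IPv6 357860 0t0 TCP *:44444 (LISTEN)
java 11151 minfrin 99u IPv6 358277 0t0 TCP *:ldoms-migr (LISTEN)'

# Map a port number, or the service name lsof substitutes for it, to the
# Karaf component that owns it (the thread's "common defaults"; assumed table).
karaf_service() {
  port=$1
  shutdown_port=${2:-}
  if [ -n "$shutdown_port" ] && [ "$port" = "$shutdown_port" ]; then
    echo "shutdown command port (data/port)"
    return 0
  fi
  case "$port" in
    5005)             echo "JVM debug (JDWP)" ;;
    1099|rmiregistry) echo "JMX RMI registry" ;;
    44444)            echo "JMX RMI server" ;;
    8181)             echo "Pax Web HTTP" ;;
    8101|ldoms-migr)  echo "Karaf SSH console" ;;
    61616)            echo "ActiveMQ openwire" ;;
    1527)             echo "Derby" ;;
    *)                echo "unknown: probe it or check the deployed features" ;;
  esac
}

# One line per listening socket: bind address, port, exposure, Karaf role.
# Exposure is NETWORK when the bind address is a wildcard, local otherwise.
classify_listeners() {
  listing=$1
  shutdown_port=${2:-}
  printf '%s\n' "$listing" | awk '$10 == "(LISTEN)" { print $9 }' |
  while IFS= read -r addr; do
    host=${addr%:*}
    port=${addr##*:}
    case "$host" in
      '*'|0.0.0.0|'[::]') exposure=NETWORK ;;
      *)                  exposure=local ;;
    esac
    printf '%-10s %-12s %-8s %s\n' "$host" "$port" "$exposure" \
      "$(karaf_service "$port" "$shutdown_port")"
  done
}

# Number of sockets reachable from the network; the hardening target is 0.
count_network_exposed() {
  classify_listeners "$1" "${2:-}" | awk '$3 == "NETWORK"' | wc -l | tr -d ' '
}

# Stand-alone demonstration on the constructed listing.
classify_listeners "$SAMPLE_LSOF" 59113
echo "network-exposed listeners: $(count_network_exposed "$SAMPLE_LSOF" 59113)"
```

On a real host, replace SAMPLE_LSOF with `$(lsof -p "$PID" | grep LISTEN)` and pass `$(cat "$KARAF_HOME/data/port")` as the second argument; every line marked NETWORK is a candidate for the localhost rebinding Caspar describes.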
On 14 February 2013 07:00, Christian Schneider <[email protected]> wrote:
When looking at the security please be aware that the ssh port
allows access with a default private key that is publicly available.
So make sure you remove the line karaf=... in
etc/keys.properties and you should also change the password of
the karaf user in user.properties.
Christian
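An added example serving both Christian's advice (remove the shipped karaf key entry, change the karaf password) and Caspar's (bind listeners to localhost); it is written for this thread and is not code from the Karaf project or from any poster. It builds a constructed etc/ directory that reproduces the out-of-the-box state, audits it, and applies the two mechanical fixes; the password change is reported only, since it needs a value only the admin can choose. The file names keys.properties and users.properties, the sshHost/rmiRegistryHost/rmiServerHost keys, and all file contents below are assumptions about a Karaf 2.3 layout.

```sh
#!/bin/sh
# Audit a Karaf etc/ directory for the problems raised in the thread: the
# shipped "karaf" entry in keys.properties, the karaf user's password still
# equal to the user name, and listeners bound to every interface instead of
# localhost; then apply the key removal and the localhost rebinding.
# Assumptions (not taken from the thread): file names keys.properties and
# users.properties, and the sshHost/rmiRegistryHost/rmiServerHost keys. The
# directory built by make_sample_etc is constructed for the demonstration.

make_sample_etc() {
  dir=$(mktemp -d)
  cat > "$dir/keys.properties" <<'EOF'
# username=public-key,group
karaf=PLACEHOLDER_SHIPPED_PUBLIC_KEY,admin
EOF
  cat > "$dir/users.properties" <<'EOF'
# username=password,group,...
karaf = karaf,admin,manager,viewer
EOF
  cat > "$dir/org.apache.karaf.shell.cfg" <<'EOF'
sshPort=8101
sshHost=0.0.0.0
EOF
  cat > "$dir/org.apache.karaf.management.cfg" <<'EOF'
rmiRegistryHost = 127.0.0.1
rmiRegistryPort = 1099
rmiServerHost = 0.0.0.0
rmiServerPort = 44444
EOF
  echo "$dir"
}

# True when keys.properties still carries an entry for the karaf user.
default_key_present() {
  grep -Eq '^[[:space:]]*karaf[[:space:]]*=' "$1/keys.properties"
}

# True when the karaf user's password in users.properties equals "karaf".
default_password_present() {
  grep -E '^[[:space:]]*karaf[[:space:]]*=' "$1/users.properties" |
  awk -F'=' '{ split($2, f, ","); gsub(/[[:space:]]/, "", f[1]);
               if (f[1] == "karaf") found = 1 }
             END { exit !found }'
}

# Config lines in *.cfg that bind a listener to 0.0.0.0 or "*".
wildcard_host_bindings() {
  grep -Ei '^[[:space:]]*[a-z]*host[[:space:]]*=[[:space:]]*(0\.0\.0\.0|\*)' "$1"/*.cfg
}

# Apply the two mechanical fixes; changing the password is left to the admin.
harden_etc() {
  dir=$1
  grep -Ev '^[[:space:]]*karaf[[:space:]]*=' "$dir/keys.properties" > "$dir/keys.properties.new"
  mv "$dir/keys.properties.new" "$dir/keys.properties"
  for f in "$dir"/*.cfg; do
    sed -E 's/^([[:space:]]*[A-Za-z]*[Hh]ost[[:space:]]*=[[:space:]]*)(0\.0\.0\.0|\*)/\1127.0.0.1/' \
      "$f" > "$f.new"
    mv "$f.new" "$f"
  done
}

# Stand-alone demonstration on the constructed directory.
ETC_DIR=$(make_sample_etc)
default_key_present "$ETC_DIR" && echo "shipped karaf key still in keys.properties"
default_password_present "$ETC_DIR" && echo "karaf user still has the default password"
wildcard_host_bindings "$ETC_DIR"
harden_etc "$ETC_DIR"
echo "after hardening: $(wildcard_host_bindings "$ETC_DIR" | wc -l | tr -d ' ') wildcard bindings"
rm -rf "$ETC_DIR"
```

Run the audit functions against a real ${KARAF_HOME}/etc before and after changing the password; a remaining wildcard binding means that listener is still reachable from the network even after the credential fixes.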
On 12.02.2013 10:44, Graham Leggett wrote:
Hi all,
I am currently trying to security harden the default version
of karaf. When the default latest version of v2.3.0 is
started up with a default configuration, it binds to and
listens on the following ports:
[minfrin@localhost bin]$ lsof -p 11151 | grep LISTEN
java 11151 minfrin 15u IPv6 357257 0t0 TCP *:59514 (LISTEN)
java 11151 minfrin 68u IPv6 357493 0t0 TCP localhost:59113 (LISTEN)
java 11151 minfrin 87u IPv6 357859 0t0 TCP *:rmiregistry (LISTEN)
java 11151 minfrin 88u IPv6 357860 0t0 TCP *:44444 (LISTEN)
java 11151 minfrin 99u IPv6 358277 0t0 TCP *:ldoms-migr (LISTEN)
Can anyone confirm what services these ports are exposing,
and how they can be controlled, secured, or switched off?
Regards,
Graham
--
Christian Schneider
http://www.liquid-reality.de
Open Source Architect
Talend Application Integration Division http://www.talend.com
--
Apache Karaf <http://karaf.apache.org/> Committer & PMC
OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer
& Project Lead
OPS4J Pax for Vaadin <http://team.ops4j.org/wiki/display/PAXVAADIN/Home>
Committer & Project Lead
blog <http://notizblog.nierbeck.de/>
--
Jean-Baptiste Onofré
[email protected]
http://blog.nanthrax.net
Talend - http://www.talend.com