Yes completely agree with JB - I was just listing the output of an instance of one of our customized Karafs, it's the same as maintaining features.xml - a downstream concern.

IMO the security settings in Karaf are the right balance between secure-by-default and low adoption/experimentation barrier (what sold Karaf to my boss was the SSH access to the shell, the response was "oooh cool!"). The onus, as always, is with the developer/deployer to ensure security.

cheers,
Caspar

On 14 February 2013 12:12, Jean-Baptiste Onofré <[email protected]> wrote:

> I don't think that ActiveMQ or Derby makes sense in Karaf: it's not
> provided out of the box. As we cannot "control" all features, routes, etc
> deployed in Karaf, we should document the port number/security points for a
> Karaf "from scratch/out of the box".
>
> My $0.02
>
> Regards
> JB
>
>
> On 02/14/2013 12:40 PM, Achim Nierbeck wrote:
>
>> Very nice summary,
>> we should create a documentation for this.
>>
>> regards, Achim
>>
>>
>> 2013/2/14 Caspar MacRae <[email protected]>
>>
>>> Grep the config for the ports returned by lsof:
>>>
>>> egrep '(5005|42862|36495|1099|44444|8181|1527|8101|61616)' ${KARAF_HOME}/etc
>>> ./activemq.xml: <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
>>> ./jetty.xml: <Property name="jetty.port" default="8181"/>
>>> ./org.apache.activemq.webconsole.cfg:webconsole.jms.url=tcp://0.0.0.0:61616
>>> ./org.apache.karaf.management.cfg:rmiRegistryPort = 9901
>>> ./org.apache.karaf.management.cfg:rmiServerPort = 44444
>>> ./org.apache.karaf.shell.cfg:sshPort=8101
>>>
>>> Or with Karaf shell, try: config:list | grep -i port
>>>
>>> Some common defaults:
>>> 5005 Karaf debug port
>>> 44444 and 1099 RMI server and registry
>>> 8181 default for PaxWeb
>>> 8101 SSH (shown as ldoms-migr in your listing)
>>> 61616 ActiveMQ
>>> 1527 Derby DB
>>>
>>> ${KARAF_HOME}/data/port contains a port number used to trigger
>>> shutdown by service scripts. In your lsof it looks like the
>>> shutdown port is on 59113 (that's why it's only open on localhost).
>>>
>>> You can always try: telnet localhost PORTNUM to see if the other
>>> side displays any protocol info (enter, ^D or ^C to exit).
>>>
>>> To make things more secure without disabling services etc, set the
>>> host to localhost / 127.0.0.1 in various config files to ensure the
>>> ports are not exposed to the network: grep -i host ${KARAF_HOME}/etc
>>>
>>> cheers,
>>> Caspar
>>>
>>>
>>> On 14 February 2013 07:00, Christian Schneider <[email protected]> wrote:
>>>
>>>> When looking at the security please be aware that the ssh port
>>>> allows access with a default private key that is publicly
>>>> available.
>>>> So make sure you remove the line karaf=... in
>>>> etc/keys.properties and you should also change the password of
>>>> the karaf user in user.properties.
>>>>
>>>> Christian
>>>>
>>>> On 12.02.2013 10:44, Graham Leggett wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I am currently trying to security harden the default version
>>>>> of karaf. When the default latest version of v2.3.0 is
>>>>> started up with a default configuration, it binds to and
>>>>> listens on the following ports:
>>>>>
>>>>> [minfrin@localhost bin]$ lsof -p 11151 | grep LISTEN
>>>>> java 11151 minfrin 15u IPv6 357257 0t0 TCP *:59514 (LISTEN)
>>>>> java 11151 minfrin 68u IPv6 357493 0t0 TCP localhost:59113 (LISTEN)
>>>>> java 11151 minfrin 87u IPv6 357859 0t0 TCP *:rmiregistry (LISTEN)
>>>>> java 11151 minfrin 88u IPv6 357860 0t0 TCP *:44444 (LISTEN)
>>>>> java 11151 minfrin 99u IPv6 358277 0t0 TCP *:ldoms-migr (LISTEN)
>>>>>
>>>>> Can anyone confirm what services these ports are exposing,
>>>>> and how they can be controlled, secured, or switched off?
>>>>>
>>>>> Regards,
>>>>> Graham
>>>>>
>>>>
>>>> --
>>>> Christian Schneider
>>>> http://www.liquid-reality.de
>>>>
>>>> Open Source Architect
>>>> Talend Application Integration Division http://www.talend.com
>>>>
>>
>> --
>>
>> Apache Karaf <http://karaf.apache.org/> Committer & PMC
>> OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer & Project Lead
>> OPS4J Pax for Vaadin <http://team.ops4j.org/wiki/display/PAXVAADIN/Home> Committer & Project Lead
>> blog <http://notizblog.nierbeck.de/>
>
> --
> Jean-Baptiste Onofré
> [email protected]
> http://blog.nanthrax.net
> Talend - http://www.talend.com
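Added example, not from the thread or the Karaf project: a small POSIX sh audit of a Karaf etc/ directory for the two issues raised in the thread, listeners bound to 0.0.0.0 and the default karaf= key left in keys.properties. It assumes the host keys are named sshHost, rmiRegistryHost and rmiServerHost (Karaf 2.3 naming), and the two sample etc/ trees it builds are constructed, not real configs.

```shell
#!/bin/sh
# Added example, not from the thread or the Karaf project: audit a Karaf etc/
# directory for the two exposures discussed above, listeners bound to every
# interface (0.0.0.0) and the publicly known default SSH key left in
# etc/keys.properties. Assumption: host keys are named sshHost,
# rmiRegistryHost and rmiServerHost (Karaf 2.3 naming); sample files are constructed.

# Print one finding per line, prefixed with the kind of exposure.
karaf_audit_etc() {
    dir=$1
    # Any *.cfg or *.xml binding a listener to 0.0.0.0 is reachable from the
    # network; the thread's fix is to set the host to localhost / 127.0.0.1.
    grep -H '0\.0\.0\.0' "$dir"/*.cfg "$dir"/*.xml 2>/dev/null |
        sed 's/^/exposed bind: /'
    # A karaf= entry in keys.properties is the key shipped with every Karaf
    # distribution; the thread's advice is to remove that line.
    grep -H '^[[:space:]]*karaf[[:space:]]*=' "$dir/keys.properties" 2>/dev/null |
        sed 's/^/default ssh key: /'
}

# Number of findings, usable as a gate in a deployment script (0 = clean).
karaf_audit_count() {
    karaf_audit_etc "$1" | grep -c . || true
}

# Constructed sample: a stock-looking etc/ with the weak defaults.
make_weak_etc() {
    mkdir -p "$1"
    printf 'sshPort=8101\nsshHost=0.0.0.0\n' > "$1/org.apache.karaf.shell.cfg"
    printf 'rmiRegistryPort = 1099\nrmiRegistryHost = 0.0.0.0\nrmiServerPort = 44444\nrmiServerHost = 0.0.0.0\n' \
        > "$1/org.apache.karaf.management.cfg"
    printf '<transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>\n' > "$1/activemq.xml"
    printf 'karaf=<PLACEHOLDER-DEFAULT-KEY>,admin\n' > "$1/keys.properties"
}

# Constructed sample: the same files after the hardening the thread suggests.
make_hardened_etc() {
    mkdir -p "$1"
    printf 'sshPort=8101\nsshHost=127.0.0.1\n' > "$1/org.apache.karaf.shell.cfg"
    printf 'rmiRegistryPort = 1099\nrmiRegistryHost = 127.0.0.1\nrmiServerPort = 44444\nrmiServerHost = 127.0.0.1\n' \
        > "$1/org.apache.karaf.management.cfg"
    printf '<transportConnector name="openwire" uri="tcp://127.0.0.1:61616"/>\n' > "$1/activemq.xml"
    : > "$1/keys.properties"   # the default karaf= line has been removed
}

# Stand-alone run against a real install when KARAF_HOME is set.
if [ -n "${KARAF_HOME:-}" ]; then
    karaf_audit_etc "$KARAF_HOME/etc"
fi
```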
