|Security issue with the Telnet Console [message #101466]
||Mon, 12 November 2007 12:30
Originally posted by: kratz.splix.no|
Our OSGi based server is running as a daemon process (/windows service). To
able to work with the console we simply used the telnet console option.
Everything works fine except the fact that the port opened for telnet is
totally unprotected. So just by knowing the port you can telnet to the OSGi
server and shut the server down by a simple exit command.
Is there anything that is configurable / changable in the OSGi runtime to
change this behaviour.
If that is not possible any ideas on how to protect us.
|Re: Security issue with the Telnet Console [message #502539 is a reply to message #101466]
||Tue, 08 December 2009 13:25
| Kyle Neumeier
Registered: July 2009
I have found a work around that will work for me, in case anyone is interested or has any input.|
I am running my headless OSGi application in linux with the equionx console available at port 2020 on a remote machine. As noted above, this is not secure since anyone can connect to this port and shutdown or do other nefarious things to my application. So the first thing I'm going to do is set up some firewall rules using iptables to block anyone trying to connect to port 2020 (unless you are connecting from localhost)
sudo iptables -A INPUT -p tcp -s 127.0.0.1 --dport 2020 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 2020 -j REJECT
The first rule accepts ensures that any packets from localhost going to port 2020 are accepted. The second rule causes anything going to port 2020 to be rejected. Since packets from 127.0.0.1 have already been accepted by the first rule, they are not rejected by the second.
Now all outside traffic to port 2020 is blocked. This means that 2020 is secure, but the problem is that an administrator may still want connect to that osgi console from a local machine. For this, you can do ssh port forwarding. Open up a console on the local machine (the one that is not running the osgi application) and type this
ssh -N -L 2020:localhost:2020 user@remotehost
Now you can connect to the osgi console on the local machine like this:
Now you can disconnect from the eclipse console by typing 'disconnect'.
I know all this might be obvious to any sys admin types, but I have relatively little experience with system administration, so it took me a while to figure all this out.
Powered by FUDForum
. Page generated in 0.02165 seconds