Eclipse Community Forums
Security issue with the Telnet Console [message #101466] Mon, 12 November 2007 17:30
Eclipse User
Originally posted by: kratz.splix.no

Hi all,

Our OSGi based server is running as a daemon process (/windows service). To be
able to work with the console we simply used the telnet console option.
Everything works fine except the fact that the port opened for telnet is
totally unprotected. So just by knowing the port you can telnet to the OSGi
server and shut the server down by a simple exit command.

Is there anything that is configurable / changeable in the OSGi runtime to
change this behaviour?
If that is not possible, any ideas on how to protect us?

BR

K
Re: Security issue with the Telnet Console [message #502009 is a reply to message #101466] Fri, 04 December 2009 18:21
Kyle Neumeier
I am running into this same problem. I have an OSGi program that I want to run as a service. I would like for an administrator to be able to interact with the program using the console. If the program gets started up as a background process, then the administrator won't be able to use the console. I would love to start the console up at a socket, but then it's totally unprotected. Does anyone have a workaround for this?
Re: Security issue with the Telnet Console [message #502539 is a reply to message #101466] Tue, 08 December 2009 18:25
Kyle Neumeier
I have found a workaround that will work for me, in case anyone is interested or has any input.

I am running my headless OSGi application in Linux with the Equinox console available at port 2020 on a remote machine. As noted above, this is not secure since anyone can connect to this port and shut down or do other nefarious things to my application. So the first thing I'm going to do is set up some firewall rules using iptables to block anyone trying to connect to port 2020 (unless you are connecting from localhost):
sudo iptables -A INPUT -p tcp -s 127.0.0.1 --dport 2020 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 2020 -j REJECT


The first rule ensures that any packets from localhost going to port 2020 are accepted. The second rule causes anything going to port 2020 to be rejected. Since packets from 127.0.0.1 have already been accepted by the first rule, they are not rejected by the second.

Now all outside traffic to port 2020 is blocked. This means that 2020 is secure, but the problem is that an administrator may still want to connect to that OSGi console from a local machine. For this, you can do ssh port forwarding. Open up a console on the local machine (the one that is not running the OSGi application) and type this:
ssh -N -L 2020:localhost:2020 user@remotehost


Now you can connect to the osgi console on the local machine like this:
telnet localhost 2020


Now you can disconnect from the eclipse console by typing 'disconnect'.

I know all this might be obvious to any sys admin types, but I have relatively little experience with system administration, so it took me a while to figure all this out.
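
A check for the rule ordering that the workaround above depends on, added here as an example and not part of the original post: the function `check_console_rules` (a hypothetical name) reads `iptables -S INPUT` output and reports whether the console port is reachable only from loopback. It assumes that only rules naming the port, plus the chain policy, decide the outcome.

```shell
#!/bin/sh
# Added example, not from the forum post. Reads `iptables -S INPUT` output on
# stdin and prints one verdict for the given TCP port:
#   ok             loopback accepted, every other source rejected/dropped
#   exposed        a non-loopback source can reach the port
#   local-blocked  loopback itself is blocked (e.g. REJECT listed before ACCEPT)
# Simplification (assumption): only rules naming --dport PORT and the chain
# policy are evaluated; negated and interface matches are not handled.
check_console_rules() {
    awk -v port="$1" '
        BEGIN { policy = "ACCEPT" }
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" {
            proto = dport = src = target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
                if ($i == "-s")      src    = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (proto != "tcp" || dport != port) next
            if (target != "ACCEPT" && target != "REJECT" && target != "DROP") next
            allow = (target == "ACCEPT")
            # iptables is first-match: record only the first deciding rule
            # for loopback sources (lo_ok) and for everyone else (rem_ok).
            if (src ~ /^127\./) {
                if (lo_ok == "") lo_ok = allow
            } else if (src == "") {
                if (lo_ok == "")  lo_ok  = allow
                if (rem_ok == "") rem_ok = allow
            } else if (allow && rem_ok == "") {
                rem_ok = 1      # a specific non-loopback source is let in
            }
        }
        END {
            if (lo_ok == "")  lo_ok  = (policy == "ACCEPT")
            if (rem_ok == "") rem_ok = (policy == "ACCEPT")
            if (rem_ok)       print "exposed"
            else if (!lo_ok)  print "local-blocked"
            else              print "ok"
        }'
}

# Constructed sample: the two rules from the post, as `iptables -S` prints them.
check_console_rules 2020 <<'EOF'
-P INPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 2020 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2020 -j REJECT --reject-with icmp-port-unreachable
EOF
```

On a live host the input would come from `sudo iptables -S INPUT`. iptables filters IPv4 only, so a console that also listens on IPv6 needs equivalent rules in ip6tables.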