Re: [jetty-users] Intriguing log message

Hi,

On Wed, May 15, 2024 at 9:40 PM John English via jetty-users
<jetty-users@xxxxxxxxxxx> wrote:
>
> I was just reviewing my log files to see who's been trying to break into
> my system in the last few days, and I saw this in my jetty.log:
>
> May 13, 2024 10:46:19 PM sun.rmi.transport.tcp.TCPTransport$AcceptLoop
> executeAcceptLoop
> WARNING: RMI TCP Accept-0: accept loop for
> ServerSocket[addr=0.0.0.0/0.0.0.0,localport=35995] throws
> java.io.IOException: The server sockets created using the
> LocalRMIServerSocketFactory only accept connections from clients running
> on the host where the RMI remote objects have been exported.
>         at
> sun.management.jmxremote.LocalRMIServerSocketFactory$1.accept(LocalRMIServerSocketFactory.java:114)
>         at
> sun.rmi.transport.tcp.TCPTransport$AcceptLoop.executeAcceptLoop(TCPTransport.java:405)
>         at sun.rmi.transport.tcp.TCPTransport$AcceptLoop.run(TCPTransport.java:377)
>         at java.lang.Thread.run(Thread.java:748)
>
> Can someone explain to me what the person responsible for this might
> have been trying to do here, and perhaps how they were trying to do it?
> I haven't been able to match this up with anything in the request log.

This is RMI, so it is not related to HTTP.

You have enabled a JMX connector to allow "remote" connections.
By default, the JMX connector only allows connections from the same
host, so you typically have to be able to SSH into the server host,
and then you can connect to the RMI server.

However, as you can see, the ServerSocket is bound to the any address
0.0.0.0, so anyone can actually connect from a remote host, only to
have its connection immediately closed, and the IOException with error
message reported above be thrown.

This could be the result of port scanning, finding port 35995 open.

Typically, the RMI server port is random, and applications connect to
it by downloading an RMI stub from the RMI registry.
Normally, the RMI registry is also protected in the same way, so a
remote client should not have been able to download an RMI stub from
the RMI registry.
However, if the RMI registry is "open", it could have downloaded an
RMI stub that would try to connect to the RMI server, but would not be
able to, as reported above.

All in all, it is a log that confirms that your JMX connector is
correctly secured to accept connections only from local clients.

Finally, note that remote access would still be possible via SSH, for
example by GUI tools, as described here:
https://eclipse.dev/jetty/documentation/jetty-12/operations-guide/index.html#og-jmx-remote

-- 
Simone Bordet
---
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz
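
For anyone triaging the same warning, the following is an added example (not part of the original message and not Jetty or JDK code) that pulls these rejections out of a log and reports the listening port and whether the socket was bound to the wildcard address. It assumes the two-line java.util.logging layout seen in the quoted record; the sample log is constructed and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in java.util.logging's two-line layout, modelled on the
# record quoted in the thread (the second record and the INFO line are invented).
MSG = ("java.io.IOException: The server sockets created using the "
       "LocalRMIServerSocketFactory only accept connections from clients running "
       "on the host where the RMI remote objects have been exported.")
SRC = "sun.rmi.transport.tcp.TCPTransport$AcceptLoop executeAcceptLoop"
SOCK = ("WARNING: RMI TCP Accept-0: accept loop for "
        "ServerSocket[addr=0.0.0.0/0.0.0.0,localport=35995] throws")
SAMPLE_LOG = "\n".join([
    "May 13, 2024 10:46:19 PM " + SRC, SOCK, MSG,
    "\tat java.lang.Thread.run(Thread.java:748)",
    "May 14, 2024 2:03:51 AM " + SRC, SOCK, MSG,
    "May 14, 2024 9:00:00 AM org.example.App start", "INFO: started",
])

HEADER = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\S+) (\S+)$")
SOCKET = re.compile(r"ServerSocket\[addr=([^,\]]+),localport=(\d+)\]")
WILDCARD = {"0.0.0.0", "0:0:0:0:0:0:0:0", "::"}

def records(text):
    """Group lines into records; each starts at a 'date class method' header."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current
            current = {"when": datetime.strptime(m.group(1), "%b %d, %Y %I:%M:%S %p"),
                       "source": m.group(2), "body": []}
        elif current:
            current["body"].append(line)
    if current:
        yield current

def jmx_rejections(text):
    """Records where the local-only JMX/RMI socket refused a non-local client."""
    hits = []
    for rec in records(text):
        body = "\n".join(rec["body"])
        sock = SOCKET.search(body)
        if "LocalRMIServerSocketFactory" in body and sock:
            addr = sock.group(1).rpartition("/")[2]  # "host/ip" form; keep the ip
            hits.append({"when": rec["when"], "port": int(sock.group(2)),
                         "wildcard_bind": addr in WILDCARD})
    return hits
```

The record names only the listening socket and carries no client address, so the timestamps returned here are what can be correlated with other logs.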

