JBoss EAP 5.1.2 Slimming and Security Hardening

Our company's newly launched core system will use a JBoss distributed cluster as its middleware, on the relatively stable JBoss EAP 5.1.2 release. I recently looked into JBoss security hardening and slimming, downloaded JBoss 5 Enterprise Edition, and started tuning it, mainly in four areas: 1. remove unneeded services; 2. disable hot deployment; 3. apply the security patches; 4. harden the management consoles.

1.1 Remove unneeded services:

1.1.1 Remove JMS functionality (provided via JBoss Messaging):

- $JBOSS_HOME/server/$PROFILE/deploy/messaging/
- $JBOSS_HOME/server/$PROFILE/deploy/jms-ra.rar/
- $JBOSS_HOME/server/$PROFILE/deployers/messaging-definitions-jboss-beans.xml
- the following XAResourceRecovery.JBMESSAGING1 definition, if it exists in $JBOSS_HOME/server/$PROFILE/conf/jbossts-properties.xml:

<property name="com.arjuna.ats.jta.recovery.XAResourceRecovery.JBMESSAGING1"
          value="org.jboss.jms.server.recovery.MessagingXAResourceRecovery;java:/DefaultJMSProvider"/>

1.1.2 Remove EJB3:

- $JBOSS_HOME/server/$PROFILE/deploy/ejb3-connectors-jboss-beans.xml
- $JBOSS_HOME/server/$PROFILE/deploy/ejb3-container-jboss-beans.xml
- $JBOSS_HOME/server/$PROFILE/deploy/ejb3-interceptors-aop.xml
- $JBOSS_HOME/server/$PROFILE/deploy/ejb3-timerservice-jboss-beans.xml
- $JBOSS_HOME/server/$PROFILE/deployers/ejb3-deployers-jboss-beans.xml
- $JBOSS_HOME/server/$PROFILE/deployers/jboss-ejb3-endpoint-deployer.jar
- $JBOSS_HOME/server/$PROFILE/deployers/jboss-ejb3-metrics-deployer.jar
- $JBOSS_HOME/server/$PROFILE/deployers/ejb3.deployer/

and add:

to the WarDeployer bean block in $JBOSS_HOME/server/$PROFILE/deployers/jbossweb.deployer/META-INF/war-deployers-jboss-beans.xml.

1.1.3 Remove EJB2:

- $JBOSS_HOME/server/$PROFILE/deploy/ejb2-container-jboss-beans.xml
- In addition, if you have removed the EJB3 timer service (deploy/ejb3-timerservice-jboss-beans.xml), you can also remove $JBOSS_HOME/server/$PROFILE/deploy/ejb2-timer-service.xml

Note: if you want to keep web services (JBossWS) but remove EJB 2.x/3.x, do the following.

Delete these files:

- Remove the EJB 3 service:
  - $JBOSS_HOME/server/$PROFILE/deploy/ejb3-connectors-jboss-beans.xml
  - $JBOSS_HOME/server/$PROFILE/deploy/ejb3-container-jboss-beans.xml
  - $JBOSS_HOME/server/$PROFILE/deploy/ejb3-interceptors-aop.xml
  - $JBOSS_HOME/server/$PROFILE/deploy/ejb3-timerservice-jboss-beans.xml
  - $JBOSS_HOME/server/$PROFILE/deployers/jboss-ejb3-endpoint-deployer.jar
  - $JBOSS_HOME/server/$PROFILE/deployers/jboss-ejb3-metrics-deployer.jar
  - $JBOSS_HOME/server/$PROFILE/deployers/ejb3.deployer/
  - $JBOSS_HOME/server/$PROFILE/deployers/ejb3-deployers-jboss-beans.xml
- Remove the EJB 2.x service:
  - $JBOSS_HOME/server/$PROFILE/deploy/ejb2-container-jboss-beans.xml
  - $JBOSS_HOME/server/$PROFILE/deploy/ejb2-timer-service.xml
  - $JBOSS_HOME/server/$PROFILE/deployers/ejb-deployer-jboss-beans.xml

Then make the following changes to $JBOSS_HOME/server/$PROFILE/deployers/jbossws.deployer/META-INF/jbossws-deployer-jboss-beans.xml to remove the JBossWS deployer's dependency on the EJB deployers:

- Remove the following entries from the section:

EJB2xDeployer

Ejb3Deployer

- Change the following "ejbReferenceResolver" property in the section from:

to:


1.1.4 Remove scheduled jobs or timer EJBs:

- $JBOSS_HOME/server/$PROFILE/deploy/schedule-manager-service.xml
- $JBOSS_HOME/server/$PROFILE/deploy/scheduler-service.xml
- $JBOSS_HOME/server/$PROFILE/deploy/quartz-ra.rar/
- $JBOSS_HOME/server/$PROFILE/deploy/ejb3-timerservice-jboss-beans.xml
- $JBOSS_HOME/server/$PROFILE/deploy/ejb2-timer-service.xml

1.1.5 Remove UDDI for web services:

- $JBOSS_HOME/server/$PROFILE/deploy/juddi-service.sar/
  Note: this directory exists in the "all", "production", or "standard" based profiles.

1.1.6 Remove IIOP:

- $JBOSS_HOME/server/$PROFILE/deploy/iiop-service.xml
  Note: this file exists in the "all", "production", or "standard" based profiles.

1.1.7 Remove email:

- $JBOSS_HOME/server/$PROFILE/deploy/mail-service.xml
- $JBOSS_HOME/server/$PROFILE/deploy/mail-ra.rar/

1.1.8 Remove BeanShell scripts:

- $JBOSS_HOME/server/$PROFILE/deployers/bsh.deployer/

1.1.9 Remove XNIO:

- $JBOSS_HOME/server/$PROFILE/deploy/xnio-provider.jar/
- $JBOSS_HOME/server/$PROFILE/deployers/xnio.deployer/

 

1.1.10 Remove clustering:

- Remove:
  - farm/
  - deploy-hasingleton/
  - deploy/cluster/
- In deploy/messaging/*-persistence-service.xml, change Clustered to false:

and remove

and remove the "farmURIs" property a few lines below that.

- Replace deploy/httpha-invoker.sar with http-invoker.sar from the default profile.
- In deployers/clustering-deployer-jboss-beans.xml, comment out WebAppClusteringDependencyDeployer.

 

1.1.11 Remove HypersonicSQL:

Note: HypersonicSQL is not recommended for production use.

- Replace Hypersonic with an alternative database:
  - replace $JBOSS_HOME/server/$PROFILE/deploy/messaging/hsqldb-persistence-service.xml with the matching $JBOSS_HOME/docs/examples/jms/*-persistence-service.xml for your database.
- Remove the "DefaultDS" Hypersonic datasource and all the components that depend on or refer to it:

1) Remove JMS:
  - remove $JBOSS_HOME/server/$PROFILE/deploy/messaging
  - remove the recovery configuration for the DefaultJMSProvider from $JBOSS_HOME/server/$PROFILE/conf/jbossts-properties.xml if present; the property is named com.arjuna.ats.jta.recovery.XAResourceRecovery.JBMESSAGING1

2) Remove $JBOSS_HOME/server/$PROFILE/deploy/uuid-key-generator.sar

3) Change the EJB Timer persistence policy in $JBOSS_HOME/server/$PROFILE/deploy/ejb2-timer-service.xml:
  - Uncomment the "jboss.ejb:service=EJBTimerService,persistencePolicy=noop" MBean.
  - Change the PersistencePolicy attribute of the jboss.ejb:service=EJBTimerService MBean to "jboss.ejb:service=EJBTimerService,persistencePolicy=noop".
  - Comment out the "jboss.ejb:service=EJBTimerService,persistencePolicy=database" MBean.

4) Remove $JBOSS_HOME/server/$PROFILE/deploy/juddi-service.sar. This is only necessary if using the "all" or "production" profile.

5) Comment out the "jboss.jca:name=DefaultDS,service=ManagedConnectionPool" MBean in $JBOSS_HOME/server/$PROFILE/deploy/snmp-adaptor.sar/attributes.xml. This is only necessary if using the "all" or "production" profile.

6) Remove $JBOSS_HOME/server/$PROFILE/deploy/hsqldb-ds.xml
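As an added example (not part of the original post and not a JBoss-provided script), the following POSIX shell script carries out the file removals of sections 1.1.1 to 1.1.9 by moving each artifact into a backup directory, so the slimming is reversible, and then greps the remaining deployer descriptors for the EJB2xDeployer/Ejb3Deployer references that section 1.1.3 says must be edited out of the JBossWS deployer. It assumes the standard $JBOSS_HOME/server/$PROFILE layout and a stopped server; the --demo mode builds a constructed scratch profile instead of touching a real one.

```shell
#!/bin/sh
# Added example, not from the original post: reversible slimming of a JBoss EAP 5 profile.
# Artifacts relative to $JBOSS_HOME/server/$PROFILE, from sections 1.1.1-1.1.9
# (1.1.10 cluster and 1.1.11 HypersonicSQL need manual edits and are left out).
SLIM_ARTIFACTS="deploy/messaging deploy/jms-ra.rar deployers/messaging-definitions-jboss-beans.xml
deploy/ejb3-connectors-jboss-beans.xml deploy/ejb3-container-jboss-beans.xml
deploy/ejb3-interceptors-aop.xml deploy/ejb3-timerservice-jboss-beans.xml
deployers/ejb3-deployers-jboss-beans.xml deployers/jboss-ejb3-endpoint-deployer.jar
deployers/jboss-ejb3-metrics-deployer.jar deployers/ejb3.deployer
deploy/ejb2-container-jboss-beans.xml deploy/ejb2-timer-service.xml deployers/ejb-deployer-jboss-beans.xml
deploy/schedule-manager-service.xml deploy/scheduler-service.xml deploy/quartz-ra.rar
deploy/juddi-service.sar deploy/iiop-service.xml deploy/mail-service.xml deploy/mail-ra.rar
deployers/bsh.deployer deploy/xnio-provider.jar deployers/xnio.deployer"

# slim_profile <jboss_home> <profile> <backup_dir>: moves every listed artifact
# that exists to <backup_dir>/<relative path> and sets SLIM_MOVED to the count.
slim_profile() {
  base="$1/server/$2"; bak="$3"; SLIM_MOVED=0
  for rel in $SLIM_ARTIFACTS; do
    if [ -e "$base/$rel" ]; then
      mkdir -p "$bak/$(dirname "$rel")"
      mv "$base/$rel" "$bak/$rel" || continue
      SLIM_MOVED=$((SLIM_MOVED + 1)); echo "moved   $rel"
    fi
  done
}

# stale_ejb_refs <jboss_home> <profile>: lists deployer descriptors that still
# name EJB2xDeployer or Ejb3Deployer (section 1.1.3: the JBossWS deployer must
# drop that dependency once the EJB deployers are gone). Returns 1 if any found.
stale_ejb_refs() {
  found=$(find "$1/server/$2/deployers" -name '*.xml' \
    -exec grep -l -E 'EJB2xDeployer|Ejb3Deployer' {} + 2>/dev/null </dev/null || true)
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

if [ "${1:-}" = "--demo" ]; then
  # Constructed scratch profile standing in for a real $JBOSS_HOME.
  jh=$(mktemp -d); d="$jh/server/default"
  mkdir -p "$d/deploy/messaging" "$d/deployers/jbossws.deployer/META-INF"
  touch "$d/deploy/mail-service.xml" "$d/deploy/hsqldb-ds.xml"
  echo '<inject bean="Ejb3Deployer"/>' > "$d/deployers/jbossws.deployer/META-INF/jbossws-deployer-jboss-beans.xml"
  slim_profile "$jh" default "$jh/backup-default"
  echo "moved $SLIM_MOVED artifact(s); backup in $jh/backup-default"
  stale_ejb_refs "$jh" default || echo "edit the file(s) above to remove the EJB deployer references"
fi
```

Run it as `sh slim.sh --demo` to see the flow on the scratch profile; on a real profile call slim_profile and stale_ejb_refs with your own JBOSS_HOME, profile name and backup directory, and note that hsqldb-ds.xml is deliberately left alone because section 1.1.11 makes its removal conditional.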

 

1.1.12 Test result

[jboss@jboss bin]$ ./run.sh -Djboss.http.port=8080 -b 0.0.0.0 -c default
=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: /opt/jboss

  JAVA: java

  JAVA_OPTS: -Dprogram.name=run.sh -server -Xms1303m -Xmx1303m -XX:MaxPermSize=256m -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Dsun.lang.ClassLoader.allowArraySyntax=true -Djava.net.preferIPv4Stack=true

  CLASSPATH: /opt/jboss/bin/run.jar

=========================================================================

20:39:40,878 INFO  [ServerImpl] Starting JBoss (Microcontainer)...
20:39:40,879 INFO  [ServerImpl] Release ID: JBoss [EAP] 5.1.2 (build: SVNTag=JBPAPP_5_1_2 date=201111102209)
…………………………………………………
20:40:16,917 INFO  [ServerImpl] JBoss (Microcontainer) [5.1.2 (build: SVNTag=JBPAPP_5_1_2 date=201111102209)] Started in 36s:31ms

The output above shows that the JBoss instance starts successfully.

1.2 Disable hot deployment:

Either of the following works:

- Remove the hdscanner-jboss-beans.xml file from the deploy directory; or
- Edit the hdscanner-jboss-beans.xml file, add the scanEnabled property (if it is not already present) and set its value to false.

The relevant part of hdscanner-jboss-beans.xml looks like this:

<!--
Hot deployment scanning
$Id: hdscanner-jboss-beans.xml 98983 2010-01-04 13:35:41Z emuckenhuber $
-->
<bean name="HDScanner" class="org.jboss.system.server.profileservice.hotdeploy.HDScanner">
   <property name="deployer"><inject bean="ProfileServiceDeployer"/></property>
   <property name="scanPeriod">5000</property>
   <property name="scanThreadName">HDScanner</property>
   <property name="scanEnabled">false</property>
   ...(snip)...
</bean>

 

1.3 Apply the JBoss EAP 5.1.2 security patches:

1.3.1 CallerIdentityLoginModule security patch

1) Vulnerability description:

The CallerIdentityLoginModule in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, and BRMS Platform before 5.3.1 has a flaw that lets a remote attacker who supplies an empty password obtain the privileges of the previous user, which also exposes that user's password. (CVE-2012-3369)

2) Update method:

Unzip JBPAPP-10626.zip and replace the following files with the extracted ones:
  - $JBOSS_HOME/lib/jbosssx.jar
  - $JBOSS_HOME/client/jbosssx-client.jar

1.3.2 JMX Console security patch

1) Vulnerability description:

The JMX Console has no protection against CSRF attacks. If a user browses a specially crafted URL, an attacker can perform certain operations on MBeans, which can lead to arbitrary code execution. (CVE-2011-2908)

2) Update method:

Unzip BPAPP-9448.zip and replace the following with the extracted files:
  - $JBOSS_HOME/server/$PROFILE/deploy/

1.3.3 JNDI security patch

1) Vulnerability description:

The JBoss JNDI service, the HA-JNDI service and the HAJNDIFactory invoker servlet allow unauthenticated remote write access by default. A remote attacker who can reach port 1099 (JNDI), port 1100 (HA-JNDI) or the HAJNDIFactory invoker can use this flaw to add, delete and modify entries in the JNDI tree. (CVE-2011-4605)

2) Update method:

Unzip JBPAPP-7788.zip and replace the following files with the extracted ones:
  - $JBOSS_HOME/client/jboss-ha-legacy-client.jar with the new jboss-ha-legacy-client.jar
  - $JBOSS_HOME/common/lib/jbossha.jar with the new jbossha.jar
  - $JBOSS_HOME/common/lib/jnpserver.jar with the new jnpserver.jar

Also unzip http-invoker.zip into the $JBOSS_HOME directory to update its web.xml file.

1.3.4 NonManagedConnectionFactory security patch

1) Vulnerability description:

The NonManagedConnectionFactory in JBoss Enterprise Application Platform (EAP) 5.1.2 and 5.2.0, Web Platform (EWP) 5.2.0, and BRMS Platform before 5.3.1 logs the username and password in clear text when an exception occurs. A local attacker who can read the log files can obtain this sensitive information. (CVE-2012-0034)

2) Update method:

Replace the $JBOSS_HOME/server/$PROFILE/lib/jbosscache-core.jar file.

1.3.5 Asterisk and related security patches

1) Vulnerability description:

This patch addresses a stack-based buffer overflow in the 'ast_parse_digest' function in main/utils.c in Asterisk 1.8.x before 1.8.10.1 and 10.x before 10.2.1. A remote attacker can exploit it with a long string in an HTTP Digest Authentication header to cause a denial of service or execute arbitrary code. (CVE-2011-1184, CVE-2011-2526, CVE-2011-4610, CVE-2011-4858, CVE-2011-5062, CVE-2011-5063, CVE-2011-5064, CVE-2012-0022)

2) Update method:

Replace the $JBOSS_HOME/server/$PROFILE/deploy/jbossweb.sar/jbossweb.jar file.

1.3.6 Test result

[jboss@jboss bin]$ ./run.sh -Djboss.http.port=8080 -b 0.0.0.0 -c default
=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: /opt/jboss

  JAVA: java

  JAVA_OPTS: -Dprogram.name=run.sh -server -Xms1303m -Xmx1303m -XX:MaxPermSize=256m -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Dsun.lang.ClassLoader.allowArraySyntax=true -Djava.net.preferIPv4Stack=true

  CLASSPATH: /opt/jboss/bin/run.jar

=========================================================================

20:39:40,878 INFO  [ServerImpl] Starting JBoss (Microcontainer)...
20:39:40,879 INFO  [ServerImpl] Release ID: JBoss [EAP] 5.1.2 (build: SVNTag=JBPAPP_5_1_2 date=201111102209)
…………………………………………………
20:40:16,917 INFO  [ServerImpl] JBoss (Microcontainer) [5.1.2 (build: SVNTag=JBPAPP_5_1_2 date=201111102209)] Started in 36s:31ms

The output above shows that the JBoss instance starts successfully.

1.3.7 mod_cluster security patch recommendation

1) Vulnerability description:

The JBoss 'mod_cluster' module has a remote security bypass flaw; an attacker can use it to bypass certain security restrictions and perform unauthorized operations. (CVE-2012-1154)

2) Update method:

Copy mod_cluster.jar to:

1) %{EAP_HOME}/jboss-eap-5.1/mod_cluster/mod-cluster.sar/mod-cluster-1.0.10.GA_CP02.jar
2) %{EAP_HOME}/jboss-eap-5.1/mod_cluster/JBossWeb-Tomcat/lib/mod-cluster.jar

1.3.8 RESTEasy security patch recommendation

1) Vulnerability description:

RESTEasy before 2.3.1 has an information disclosure flaw; an attacker can use it to gain access to a local file, which may enable further attacks. (CVE-2012-0818)

2) Update method:

To install this patch, replace the following with the jars included in the patch:
  - $JBOSS_HOME/resteasy/lib/resteasy-jaxb-provider.jar
  - $JBOSS_HOME/resteasy/lib/resteasy-fastinfoset-provider.jar
  - $JBOSS_HOME/resteasy/lib/resteasy-jettison-provider.jar
  - $JBOSS_HOME/resteasy/lib/resteasy-jaxrs.jar
  - $JBOSS_HOME/seam/lib/resteasy-jaxb-provider.jar
  - $JBOSS_HOME/seam/lib/resteasy-fastinfoset-provider.jar
  - $JBOSS_HOME/seam/lib/resteasy-jettison-provider.jar
  - $JBOSS_HOME/seam/lib/resteasy-jaxrs.jar

Note: A manual configuration change is required if your system exposes RESTEasy XML endpoints. This patch provides a new configuration option for disabling entity expansion in RESTEasy. If you are deploying RESTEasy XML endpoints to your server, add the following configuration snippet to the web.xml file of each application that exposes RESTEasy XML endpoints:

<context-param>
    <param-name>resteasy.document.expand.entity.references</param-name>
    <param-value>false</param-value>
</context-param>

Note that this <context-param> setting has precedence over <init-param>, and will override a contrary setting in an <init-param> element.

This patch therefore also requires the web.xml change described above in each affected application.

1.4 JBoss console hardening:

1.4.1 Disable the JBoss home page

1) How to disable:

Delete the /opt/jboss/server/default/deploy/ROOT.war file.

2) Test method: browse to http://IP:port and test as shown below (the screenshot is not reproduced here).

The result shows that the JBoss home page has been disabled.

1.4.2 Disable the status statistics page

1) How to disable:

Delete the /opt/jboss/server/default/deploy/ROOT.war file (the status servlet is part of it).

2) Test method: browse to http://IP:port/status and test as shown below.

1.4.3 jmx-console and web-console hardening

1) jmx-console hardening method:
  - In jmx-console.war/WEB-INF/web.xml, comment out the two <http-method> lines (GET and POST) in the security constraint so that the constraint applies to every HTTP method, but do not comment out the security-constraint section itself.
  - Change the admin password.

2) web-console hardening method:

3) Test method:

Browse to http://IP:port/jmx-console and http://IP:port/web-console/ and test as shown below:

Username: admin
Password: ****

1.4.4 admin-console hardening

1) admin-console hardening method:

admin-console already requires password authentication, but the password is the default one and must be changed. Edit server/xxx/conf/props/jmx-console-roles.properties and jmx-console-users.properties.

2) Test method:

Browse to http://IP:port/admin-console and test as shown below.
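As an added example (not part of the original post), the following POSIX shell script automates the "test method" steps of sections 1.4.1 to 1.4.4: it requests each hardened path without credentials and flags any that still answer 200. It assumes curl is installed and a base URL such as http://127.0.0.1:8080 as its argument; the --demo mode substitutes constructed responses so it runs without a server.

```shell
#!/bin/sh
# Added example, not from the original post: anonymous probe of the endpoints
# hardened in section 1.4. A 200 means the endpoint still answers without
# authentication; 401/403/404 is the expected result after hardening.
CONSOLE_PATHS="/ /status /jmx-console/ /web-console/ /admin-console/"

# http_status <url>: status code of an unauthenticated GET (000 on connection failure).
# Assumes curl is installed; redefined in --demo mode so no server is needed.
http_status() {
  code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' "$1" 2>/dev/null) || code=000
  echo "${code:-000}"
}

# verdict <status>: EXPOSED for 200; ok for the auth/not-found responses the
# post's hardening should produce; redirect for 3xx (inspect the target); other.
verdict() {
  case "$1" in
    200) echo EXPOSED ;;
    401|403|404) echo ok ;;
    3??) echo redirect ;;
    *) echo other ;;
  esac
}

# check_consoles <base_url>: one line per path, sets CHECK_EXPOSED to the
# number of paths that answered 200 without credentials.
check_consoles() {
  base="${1%/}"; CHECK_EXPOSED=0
  for p in $CONSOLE_PATHS; do
    code=$(http_status "$base$p"); v=$(verdict "$code")
    if [ "$v" = EXPOSED ]; then CHECK_EXPOSED=$((CHECK_EXPOSED + 1)); fi
    printf '%-16s %s  %s\n' "$p" "$code" "$v"
  done
}

if [ "${1:-}" = "--demo" ]; then
  # Constructed responses for a half-hardened server: ROOT.war removed,
  # jmx-console password-protected, web-console still open.
  http_status() { case "$1" in */web-console/) echo 200 ;; */jmx-console/) echo 401 ;; *) echo 404 ;; esac; }
  check_consoles http://jboss.example:8080
  echo "exposed without credentials: $CHECK_EXPOSED"
elif [ -n "${1:-}" ]; then
  check_consoles "$1"
fi
```

A redirect verdict is not a pass by itself: follow the Location header manually and confirm it lands on a login page rather than on the console.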

 

1.4.5 Recommended further console hardening

The consoles are currently protected only by user login. To strengthen this, it is recommended to also restrict console access to fixed IP addresses. The configuration is as follows:

- There are two options:

  - Use JBossWeb's "RemoteAddrValve" or "RemoteHostValve" [1]

Create $JBOSS_HOME/server/$PROFILE/deploy/jmx-console.war/WEB-INF/context.xml. An example is as shown below:

OR

  - Use JBossWeb's "RemoteHostFilter" [2]

Add a filter setting to $JBOSS_HOME/server/$PROFILE/deploy/jmx-console.war/WEB-INF/web.xml. An example setting is as shown below:

<filter>
   <filter-name>RemoteHostFilter</filter-name>
   <filter-class>org.jboss.web.tomcat.filters.RemoteHostFilter</filter-class>
   <init-param>
      <param-name>deny</param-name>
      <param-value>128.0.*,192.4.5.7</param-value>
   </init-param>
   <init-param>
      <param-name>allow</param-name>
      <param-value>192.4.5.6,127.0.0.*</param-value>
   </init-param>
</filter>

<filter-mapping>
   <filter-name>RemoteHostFilter</filter-name>
   <url-pattern>/*</url-pattern>
</filter-mapping>

The allow and deny values are comma-separated regular expressions matched against the client address, so an unescaped "." matches any character; escape the dots (for example 127\.0\.0\..*) when an exact prefix match is intended. Apply the same filter (or valve) to web-console and admin-console as well, not only to jmx-console.


 

 

If anyone has other good optimization suggestions, please share them.

Source: ITPUB blog, http://blog.itpub.net/29018063/viewspace-2057454/ (reprints must credit the source).
