6 Replies Latest reply on Apr 9, 2012 7:44 PM by milce.george

    Securing JBoss JTA ports

      When I start up our JBoss AS (version 4.2.0) there are three ports that are opened up in the 30000+ range which are bound to all addresses. By removing services from the installation I have verified that they are coming from the JBoss JTA. I have found documentation for how to fix the port number for the Transaction Status Manager, but I can find nothing about what the other two ports might be, or how to either close them (since I do not think we need them) or at a minimum bind them to localhost so they are not accessible from another device.

      Any help would be appreciated,
      Mark

        • 1. Re: Securing JBoss JTA ports
          jhalliday

          In no particular order see these JIRA issues and the forum discussions linked from them:
          http://jira.jboss.com/jira/browse/JBTM-253
          http://jira.jboss.com/jira/browse/JBTM-324
          http://jira.jboss.com/jira/browse/JBTM-348

          Basically the JTA version of JBossTS uses the ports to talk to itself. You can safely firewall them (e.g. with iptables) from remote access; it only needs loopback on localhost.

          • 2. Re: Securing JBoss JTA ports

            How can I configure iptables if the port numbers change every time it is started? Is there somewhere I can query the port numbers in order to configure iptables, or can I fix all of the ports to specific values? Alternatively, we are running a complete standalone App server with no remote operations, but we are using EJBs internally so I could not just remove the transaction manager. Is there a simpler transaction manager I could use, since I do not need all of the recovery or remote capabilities?

            Thanks for your assistance,
            Mark
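
A script that applies the iptables approach suggested in reply 1 while coping with port numbers that change on every start, added here as an example (it is not code posted in this thread). It assumes "netstat -ltn" output as input and treats TCP ports at 30000 and above that are bound to a wildcard address as the JTA listeners; the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Prints iptables rules that keep the
# JBossTS/JTA listeners (ports 30000 and above that are bound to all
# interfaces) reachable only over loopback. Input is "netstat -ltn"-style
# text; the sample below is constructed, and the 30000 cut-off is an assumption.

# List TCP ports >= 30000 listening on a wildcard address (0.0.0.0 or ::).
# Reads a netstat-style listing on stdin, prints one port per line.
jta_wildcard_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
            # Local address is field 4; the port follows the last ":".
            n = split($4, a, ":"); port = a[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if ((host == "0.0.0.0" || host == "::") && port + 0 >= 30000)
                print port
        }' | sort -n | uniq
}

# Turn the port list into iptables rules: loopback ACCEPT first, then DROP
# everything else for that port. Rules are printed, not applied, so the
# output can be reviewed before being fed to a shell.
jta_iptables_rules() {
    jta_wildcard_ports | while read -r port; do
        printf 'iptables -A INPUT -i lo -p tcp --dport %s -j ACCEPT\n' "$port"
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
    done
}

# Constructed sample of "netstat -ltn" output: two JTA ports on all
# interfaces, one JTA port already on localhost, and two unrelated services.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1099            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:32781           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:32782         0.0.0.0:*               LISTEN
tcp6       0      0 :::33105                :::*                    LISTEN'

# Run against the sample; on a live host use: netstat -ltn | jta_iptables_rules
# (regenerate after every JBoss start, since the port numbers change).
printf '%s\n' "$SAMPLE_NETSTAT" | jta_iptables_rules
```

Because the rules are generated from what is actually listening, the script can be re-run from the JBoss start script each time the ports are reassigned.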

            • 3. Re: Securing JBoss JTA ports
              jhalliday

              > How can I configure iptables if the port numbers change every time it is started?

              You are approaching the problem the wrong way around. As any sufficiently paranoid security administrator will tell you, you start by closing everything, then selectively open the minimum possible set of ports to make things work.

              • 4. Re: Securing JBoss JTA ports

                You are right if this was for a server we are running, but we are bundling this into an appliance where the user can configure additional ports to be open, so if we closed all ports by default we would have to change the iptables each time the list of ports was configured instead of just starting and stopping the listening on those ports. We also need to know the ports that might be opened by JBoss in order to not allow the user to configure those ports for their use.

                • 5. Re: Securing JBoss JTA ports
                  jhalliday

                  > we are bundling this into an appliance

                  Hmm, sounds to me like you need a support contract then :-)

                  https://www.redhat.com/apps/store/jboss/

                  • 6. Re: Securing JBoss JTA ports
                    milce.george

                    I know that it's an old thread, but I too am facing the exact same problem. When I start up our JBoss AS (version 4.2.3) there are three ports that are opened up in the 30000+ range.

                    The problem is that when the open ports are scanned on the machine a lot of TCP CLOSE_WAITs are left behind on one of the JTA ports. Is there a way to fix these ports from random to a particular range so that I can create an exception for these ports or make them unavailable remotely?