将 java 远程调试器端口公开到互联网是否安全?
Is it safe to expose java remote debugger port to the internet?
我打算公开一个端口,用于通过互联网远程调试基于 Java 的 Web 服务,但三思而后行,我意识到它没有任何身份验证。
理论上,似乎可以编写一个工具,附加到远程调试器端口,并通过 Java API 执行任意系统命令。或者modifies/dumps数据库,等等。
至少这个漏洞似乎是这样 http://securityaffairs.co/wordpress/36394/hacking/paypal-remote-code-execution.html
我不记得曾被强烈警告过要公开远程调试器端口。但是如今,当成百上千的僵尸网络扫描端口寻找漏洞时,应该更好地宣传一下。
任何人都可以评论它是否安全 and/or 如何在任意基于 java 的网络服务上以安全的方式做到这一点?我的目标是能够在生产服务器上执行远程调试。
您可以配置远程调试以使用 SSL 和身份验证,这对 Windows 和 Linux 都有效,但有点麻烦。并且端口一直处于打开状态。
我相信您有充分的理由调试您的实时/生产应用程序,并且知道当您真正调试它而不是仅使用连接来访问 JMX 数据时,例如您的应用程序将停止 运行当您连接调试器时。
Oracle documents 一些风险,有的更高或更低,具体取决于您如何配置代理:
Caution - A potential security issue has been identified with password
authentication for remote connectors when the client obtains the
remote connector from an insecure RMI registry (the default). If an
attacker starts a bogus RMI registry on the target server before the
legitimate registry is started, then the attacker can steal clients'
passwords. This scenario includes the case where you launch a Java VM
with remote management enabled, using the system property
com.sun.management.jmxremote.port=portNum, even when SSL is enabled.
Although such attacks are likely to be noticed, it is nevertheless a
vulnerability.
Caution - This configuration is insecure. Any remote user who knows
(or guesses) your JMX port number and host name will be able to
monitor and control your Java application and platform. While it may
be acceptable for development, it is not recommended for production
systems.
Caution - This configuration is insecure: any remote user who knows
(or guesses) your port number and host name will be able to monitor
and control your Java applications and platform. Furthermore, possible
harm is not limited to the operations you define in your MBeans. A
remote client could create a javax.management.loading.MLet MBean and
use it to create new MBeans from arbitrary URLs, at least if there is
no security manager. In other words, a rogue remote client could make
your Java application execute arbitrary code.
Consequently, while disabling security might be acceptable for
development, it is strongly recommended that you do not disable
security for production systems.
即使涉及最高安全性的配置(移动端口,启用ssl,通过ssl客户端证书进行身份验证)仍然存在风险。
如果您仍然需要调试连接,我建议您使用可能已经存在的到服务器的 ssh 连接,并使用这个连接创建到调试器端口的 ssh 隧道。你可以在这里阅读更多相关信息:Cannot remotely debug JVM via SSH tunnel(因为它已经在所以我不复制细节)
在没有加密和身份验证的情况下打开端口将使任何人都可以连接到您的 jvm。这将允许读取和写入 JMX 值、停止代码的执行、修改值、创建堆转储、覆盖代码和所有其他不好的东西。
我打算公开一个端口,用于通过互联网远程调试基于 Java 的 Web 服务,但三思而后行,我意识到它没有任何身份验证。
理论上,似乎可以编写一个工具,附加到远程调试器端口,并通过 Java API 执行任意系统命令。或者modifies/dumps数据库,等等。 至少这个漏洞似乎是这样 http://securityaffairs.co/wordpress/36394/hacking/paypal-remote-code-execution.html
我不记得曾被强烈警告过要公开远程调试器端口。但是如今,当成百上千的僵尸网络扫描端口寻找漏洞时,应该更好地宣传一下。
任何人都可以评论它是否安全 and/or 如何在任意基于 java 的网络服务上以安全的方式做到这一点?我的目标是能够在生产服务器上执行远程调试。
您可以配置远程调试以使用 SSL 和身份验证,这对 Windows 和 Linux 都有效,但有点麻烦。并且端口一直处于打开状态。
我相信您有充分的理由调试您的实时/生产应用程序,并且知道当您真正调试它而不是仅使用连接来访问 JMX 数据时,例如您的应用程序将停止 运行当您连接调试器时。
Oracle documents 一些风险,有的更高或更低,具体取决于您如何配置代理:
Caution - A potential security issue has been identified with password authentication for remote connectors when the client obtains the remote connector from an insecure RMI registry (the default). If an attacker starts a bogus RMI registry on the target server before the legitimate registry is started, then the attacker can steal clients' passwords. This scenario includes the case where you launch a Java VM with remote management enabled, using the system property com.sun.management.jmxremote.port=portNum, even when SSL is enabled. Although such attacks are likely to be noticed, it is nevertheless a vulnerability.
Caution - This configuration is insecure. Any remote user who knows (or guesses) your JMX port number and host name will be able to monitor and control your Java application and platform. While it may be acceptable for development, it is not recommended for production systems.
Caution - This configuration is insecure: any remote user who knows (or guesses) your port number and host name will be able to monitor and control your Java applications and platform. Furthermore, possible harm is not limited to the operations you define in your MBeans. A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code.
Consequently, while disabling security might be acceptable for development, it is strongly recommended that you do not disable security for production systems.
即使涉及最高安全性的配置(移动端口,启用ssl,通过ssl客户端证书进行身份验证)仍然存在风险。 如果您仍然需要调试连接,我建议您使用可能已经存在的到服务器的 ssh 连接,并使用这个连接创建到调试器端口的 ssh 隧道。你可以在这里阅读更多相关信息:Cannot remotely debug JVM via SSH tunnel(因为它已经在所以我不复制细节)
在没有加密和身份验证的情况下打开端口将使任何人都可以连接到您的 jvm。这将允许读取和写入 JMX 值、停止代码的执行、修改值、创建堆转储、覆盖代码和所有其他不好的东西。