On Thu, 5 Nov 2009 19:42:58 +0000, Anurag Kapur wrote:
> On Thu, Nov 5, 2009 at 12:29 PM, Tobias Crefeld <t...@cataneo.eu> wrote:

> > Separating JMX Proxy from manager won't be very helpful because JMX
> > Proxy itself is offering control over tomcat. And it needs direct
> > access to MBeans of Tomcat's JVM.

> My Understanding:
> 
> Even if an attacker gets access to the JMX proxy servlet, it would
> not pose the same risk as access to the manager application would.
> With the proxy servlet you can only query the MBeans and get
> information about the state of the container. However, with access to
> manager application, you can potentially reload/start/stop contexts
> which is a big risk.
> 
> Am I correct with this understanding?

The doc under
http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html#Using the
JMX Proxy Servlet describes a command "set" in addition to the "query"
you mentioned. I haven't tested it, but it looks like it offers nearly
the same possibilities as "manager" does.

Actually, "query" alone discloses enough information that a potential
attacker could use it to get really confidential information via other
channels, which is something I don't want to have on the web.

I don't know how safe your webserver is - the standard setup of Solaris
runs with no active packet filter... - but if you have no other
firewall with an ALG, I would strongly suggest that you run e.g. an Apache
in front of Tomcat with no access for Tomcat deployers. Today, in our
standard setup, there is such an Apache2 that offers the same Tomcat via
two different virtual hosts. One only proxies URIs that belong to
the production context and can be reached from the whole web. The other
proxies the manager applications as well (manager, probe and j4p),
but there are some Apache rules that only allow access for clients from
VPN users.


BTW: j4p might be another nice approach to get read-only monitoring.
It's a Tomcat application that delivers all (?) the data that can be
reached by JMX/TCP-IP or MBeans. There is a script, jmx4perl, to read this
data, and there is a plugin, check_jmx4perl, to poll this data from a
Nagios server.
I found an article which describes this nice tool:
http://blog.techstacks.com/2009/09/tomcat-management-jmx4perl-makes-it-easier.html

Actually, I haven't tested it in detail, so I can't promise that this
tool is already ready for production. Ask me in two months when I can
tell you more... ;)


RU,
 Tobias.
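The two-virtual-host layout Tobias describes, written out as an added Apache httpd configuration example; this is not a configuration from the thread or from the Tomcat project. It assumes Apache 2.4 (`Require` syntax), a Tomcat HTTP connector bound to 127.0.0.1:8080, a production context at `/shop`, the management tools at `/manager`, `/probe` and `/j4p`, VPN clients arriving from 10.8.0.0/24, and the hostnames and certificate paths shown; all of these are placeholders. Because the JMX proxy servlet lives under the manager application's path, the rule that blocks `/manager` also blocks the `query` and `set` commands discussed above.

```apache
# Added example, not from the original thread. Placeholders: hostnames,
# certificate paths, the /shop context and the 10.8.0.0/24 VPN range.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Tomcat itself should listen on loopback only (address="127.0.0.1" on the
# Connector in server.xml) so that nothing can bypass this front end.

# Public host: only the production context is forwarded to Tomcat.
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.org.key

    ProxyRequests Off          # never act as an open forward proxy
    ProxyPreserveHost On

    ProxyPass        /shop http://127.0.0.1:8080/shop
    ProxyPassReverse /shop http://127.0.0.1:8080/shop

    # Belt and braces: refuse the management paths outright, even if someone
    # later adds a broader ProxyPass to this host. This covers the JMX proxy
    # servlet too, since it is served underneath /manager.
    <LocationMatch "^/(manager|host-manager|probe|j4p)(/|$)">
        Require all denied
    </LocationMatch>
</VirtualHost>

# Admin host: forwards the management applications as well, but only for
# clients whose source address is inside the VPN range.
<VirtualHost *:443>
    ServerName admin.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/admin.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/admin.example.org.key

    ProxyRequests Off
    ProxyPreserveHost On

    ProxyPass        /shop    http://127.0.0.1:8080/shop
    ProxyPassReverse /shop    http://127.0.0.1:8080/shop
    ProxyPass        /manager http://127.0.0.1:8080/manager
    ProxyPassReverse /manager http://127.0.0.1:8080/manager
    ProxyPass        /probe   http://127.0.0.1:8080/probe
    ProxyPassReverse /probe   http://127.0.0.1:8080/probe
    ProxyPass        /j4p     http://127.0.0.1:8080/j4p
    ProxyPassReverse /j4p     http://127.0.0.1:8080/j4p

    # Source-address restriction for the whole admin host. The manager
    # application's own HTTP authentication (tomcat-users.xml roles) still
    # applies on top of this, so a VPN client without credentials gets 401.
    <Location "/">
        Require ip 10.8.0.0/24
    </Location>
</VirtualHost>
```

After `apachectl configtest`, a request such as `curl -I https://www.example.org/manager/html` from any address should be answered by Apache with 403 and never reach Tomcat; the same request to `admin.example.org` from outside 10.8.0.0/24 should also yield 403, while from inside the VPN it should yield Tomcat's 401 challenge. Apache's access log is the place to watch for repeated 403s on those paths.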
