Friday, August 5, 2011

Restricting Direct Access to WebLogic and JBoss by IP and Port

How do you prevent direct access to WebLogic and JBoss?

WebLogic

To prevent clients from connecting directly to a server port, we can implement IP filtering with a connection filter.

The steps to do so are:

1) Log in to the Admin Console.
2) Click on the Domain in the left panel.
3) On the right side, navigate to Security --> Filter tab.
4) Enable 'Connection Logger Enabled'.
5) In the Connection Filter field, enter the class name weblogic.security.net.ConnectionFilterImpl
6) Under Connection Filter Rules, add the IP address and set the action to either 'allow' or 'deny' for that IP address.

The format of each rule is: Accessing_Client ServerHosting Port Action Protocol

For example:

With this rule, I'll block any HTTP requests coming from IP 10.157.152.62 to the managed server listening on socket 10.157.153.161:7003

10.157.152.62 10.157.153.161 7003 deny http

With this other one, I'll grant access to all HTTP requests coming from 10.157.152.62 to the managed server listening on socket 10.157.153.161:7004

10.157.152.62 10.157.153.161 7004 allow http

When a client tries to access the denied socket, a message like this should appear in the browser and in the log file of the server that was targeted.

The Server is not able to service this request: [Socket:000445]Connection rejected, filter blocked Socket, weblogic.security.net.FilterException: [Security:090220]rule 1

For further information, refer to the documentation: http://download.oracle.com/docs/cd/E12839_01/web.1111/e13711/con_filtr.htm#i1029317
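As an added example (not from the original post), here is a small Python evaluator that parses rules in the format above and applies them first-match-wins to sample connection attempts, so a rule set can be checked before it is pasted into the console. It uses the two rules from the post plus a constructed 'only the web tier may connect' rule set; the netmask form for the client address, the '*' wildcards and the allow-when-nothing-matches default are assumptions of this evaluator, not verified WebLogic behaviour.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    """One rule in the post's format: client server port action [protocol ...]."""
    client: ipaddress.IPv4Network  # remote client; a bare IP means /32, netmask form assumed ok
    server: str                    # local address being connected to, or '*' (assumed wildcard)
    port: str                      # local port as text, or '*' (assumed wildcard)
    action: str                    # 'allow' or 'deny'
    protocols: frozenset = field(default_factory=frozenset)  # empty = any protocol

def parse_rule(line: str) -> Rule:
    client, server, port, action, *protocols = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action {action!r} in rule: {line}")
    return Rule(ipaddress.ip_network(client, strict=False), server, port,
                action, frozenset(p.lower() for p in protocols))

def parse_rules(text: str) -> list:
    # Blank lines and '#' comments are skipped; order is kept because it decides the match.
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def evaluate(rules, client_ip, server_ip, port, protocol):
    """Return (action, rule_number): first matching rule wins, ('allow', None) if none match."""
    addr = ipaddress.ip_address(client_ip)
    for number, r in enumerate(rules, start=1):
        if (addr in r.client
                and r.server in ("*", server_ip)
                and r.port in ("*", str(port))
                and (not r.protocols or protocol.lower() in r.protocols)):
            return r.action, number
    return "allow", None  # assumed default when no rule matches

# The two rules from the post, exactly as written there.
POST_RULES = parse_rules("""
10.157.152.62 10.157.153.161 7003 deny http
10.157.152.62 10.157.153.161 7004 allow http
""")

# Constructed rule set for the post's actual goal: only the web tier (assumed to be
# 10.157.152.10) may reach the managed server on 7003; every other client is denied.
FRONT_DOOR_ONLY = parse_rules("""
10.157.152.10 10.157.153.161 7003 allow http
0.0.0.0/0.0.0.0 10.157.153.161 7003 deny http
""")
```

Running the post's two rules against a client other than 10.157.152.62 shows they only exclude that one address; the second rule set is the shape needed when the goal is that nothing but the front-end tier reaches the managed server.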


JBoss

Open $JBOSS_HOME/server/$PROFILE/deploy/$JBOSSWEB/server.xml and, as a child of the Host element:

<Host name="localhost"
      autoDeploy="false" deployOnStartup="false" deployXML="false"
      configClass="org.jboss.web.tomcat.security.config.JBossContextConfig">

add:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.0.1"/>

Because the allow value is matched as a regular expression (see below), the dots are safer written escaped, as 192\.168\.0\.1.


The allow attribute is a comma-delimited series of regular expressions, so:

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192\.168\.0\..*,192\.168\.1\..*"/>

would allow access from all computers in those two ranges. The list can contain additional IP addresses and ranges as comma-separated values.


One can also specify a deny attribute to deny address ranges, and use RemoteHostValve instead of RemoteAddrValve to match on host names, like so:

<Valve className="org.apache.catalina.valves.RemoteHostValve" allow="*.mydomain.com"/>

would allow connections from all hosts under *.mydomain.com.

1 comment:

Pavan Devarakonda [PD] said...

This is very informative. Thanks for sharing.