
Spring Boot 2 application cannot overwrite RMIRegistry default port 1099 to make JMX connections safe

Unfortunately, our Spring Boot 2 application exposes the RMI registry default port 1099, and our security team complains about that. We expect JMX to be used exclusively via port 8999 in a safe manner. Currently, you can connect both ways: insecurely via port 1099 and securely via port 8999. We do not understand this so far, because we have actually set the proper system properties to prevent this:

-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.port=8999
-Dcom.sun.management.jmxremote.rmi.port=8999
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.password.file=/opt/our_app/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=/opt/our_app/jmxremote.access

Why is port 1099 still open? I have to mention that Spring Actuator is in use too, but I cannot find any configuration there to control the port, so it does not seem to be the issue.

Thanks to Ravi Sharam, who gave the solution in the comment above.

We had the following dependency in our project:

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-activemq</artifactId>
</dependency>

By additionally starting the application with the system property

-Dorg.apache.activemq.broker.jmx.createConnector=false

the open default port 1099 went away. Let's check it with netstat:

root@protect01:/opt/our_app# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      29956/rpcbind
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      19282/systemd-resol
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1421/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      25126/master
tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN      988/java
tcp6       0      0 :::8999                 :::*                    LISTEN      988/java
tcp6       0      0 :::111                  :::*                    LISTEN      29956/rpcbind
tcp6       0      0 :::80                   :::*                    LISTEN      3986/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      1421/sshd
tcp6       0      0 127.0.0.1:8089          :::*                    LISTEN      988/java
tcp6       0      0 ::1:25                  :::*                    LISTEN      25126/master
tcp6       0      0 :::34139                :::*                    LISTEN      988/java
tcp6       0      0 :::11099                :::*                    LISTEN      988/java
tcp6       0      0 :::443                  :::*                    LISTEN      3986/apache2
tcp6       0      0 :::45093                :::*                    LISTEN      988/java

No open port 1099 is there anymore, only the expected 8999. Yippiiii!
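As an added example (not part of the question or the answer above), here is a small POSIX shell check that verifies the outcome the answer describes: it parses `netstat -ntlp`-style output for a given JVM PID and fails when the ActiveMQ default port 1099 is still listening or the intended JMX port 8999 is missing. The two listings are constructed samples modelled on the answer's netstat output (the "before" listing adds a 1099 line to show the failing case); the function names `jvm_listen_ports` and `check_jmx_exposure` are my own and are not part of any tool.

```shell
#!/bin/sh
# Added example: verify that a JVM exposes only the intended JMX port.
# Reads netstat -ntlp style output from stdin so it runs offline against the
# constructed samples below; in production, pipe real output instead:
#   netstat -ntlp | check_jmx_exposure 988 8999 1099

# Print the TCP ports that a given PID is LISTENing on, one per line, sorted.
jvm_listen_ports() {
    awk -v pid="$1" '
        # field 6 is State, field 7 is PID/Program name
        $6 == "LISTEN" && $7 ~ ("^" pid "/") {
            n = split($4, a, ":")   # the port is the text after the last colon
            print a[n]              # works for 0.0.0.0:8001, :::8999 and ::1:25
        }' | sort -n | uniq
}

# Return 0 when the PID listens on the expected JMX port and NOT on the
# forbidden one, 1 otherwise. Arguments: pid expected_port forbidden_port.
check_jmx_exposure() {
    ports=$(jvm_listen_ports "$1")
    has_expected=1
    has_forbidden=1
    for p in $ports; do
        if [ "$p" = "$2" ]; then has_expected=0; fi
        if [ "$p" = "$3" ]; then has_forbidden=0; fi
    done
    if [ "$has_expected" -eq 0 ] && [ "$has_forbidden" -ne 0 ]; then
        return 0
    fi
    return 1
}

# Constructed sample: the situation from the question (1099 and 8999 both open).
BEFORE_FIX='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1421/sshd
tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN      988/java
tcp6       0      0 :::8999                 :::*                    LISTEN      988/java
tcp6       0      0 :::1099                 :::*                    LISTEN      988/java
tcp6       0      0 :::34139                :::*                    LISTEN      988/java'

# Constructed sample: the situation after the fix (only 8999 plus the
# ephemeral RMI ports the secured connector uses).
AFTER_FIX='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1421/sshd
tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN      988/java
tcp6       0      0 :::8999                 :::*                    LISTEN      988/java
tcp6       0      0 127.0.0.1:8089          :::*                    LISTEN      988/java
tcp6       0      0 :::34139                :::*                    LISTEN      988/java
tcp6       0      0 :::45093                :::*                    LISTEN      988/java'

# Run both samples through the check and report.
run_demo() {
    for name in BEFORE_FIX AFTER_FIX; do
        eval "listing=\$$name"
        if printf '%s\n' "$listing" | check_jmx_exposure 988 8999 1099; then
            echo "$name: OK (8999 open, 1099 closed)"
        else
            echo "$name: FAIL (1099 still open or 8999 missing)"
        fi
    done
}
run_demo
```

On distributions where `netstat` is no longer installed, `ss -ltnp` gives equivalent information, but its column layout differs, so the awk field numbers above would need adjusting. Note that this only proves the extra listener is gone; it does not prove that the remaining connector enforces authentication, which is what the `jmxremote.authenticate` and access/password file properties in the question are for.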

粤ICP备18138465号  © 2020-2024 STACKOOM.COM