tomcat-users mailing list archives

From Antony Riley <cyberianti...@gmail.com>
Subject Re: Blocking AJP13 (port 8009) access
Date Tue, 14 Feb 2006 08:30:49 GMT
Try adding address="127.0.0.1" to the ajp13 <connector> tag in  server.xml,
and configuring apache to connect to 127.0.0.1 if you haven't already.

This should stop the ajp13 port from being visible to other machines.

As far as iptables goes, you probably want -o lo -j ACCEPT at the top of the
ruleset, and I'm really not sure why you're using state flags to attempt to
block external access to port 8009. Mostly you don't want drop rules to
check the state table, though this might be some iptablism, I'm not too
familiar with it past basic NAT / port blocking.

-Antony

On 2/14/06, OG <ogjunk-tomcat@yahoo.com> wrote:
>
> Hi,
>
> I'm trying to block external access to port 8009 (AJP13), as only my local
> host really needs to be able to talk to it.
> I'm wondering if there are any internal/mod_jk mechanisms for that, or if
> iptables is the best option.
>
> I have tried iptables, which did block external requests, but it also got
> me in a situation where I had a few hundred httpd processes in a SYN_SENT
> state ( netstat | grep 8009 | grep -c SYN_SENT ) and returning 503s instead
> of 200s:
>
> iptables -A INPUT \
>      -p TCP --dport 8009 \
>      -m state --state NEW \
>      -j DROP
> iptables -A INPUT \
>      -p UDP --dport 8009 \
>      -m state --state NEW \
>      -j DROP
>
> iptables -A OUTPUT -o lo -j ACCEPT
> iptables -A INPUT  -i lo -j ACCEPT
>
>
> If anyone has iptables rules that work, I'd appreciate it if you could
> share them.
>
> I'd also be curious to know whether people use some other mechanisms to
> prevent evil folks from connecting to your port 8009 from the outside and
> consuming your available connections.
>
> Thanks,
> Otis
>

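An added illustration of the two points made in this thread, not code from either poster: a tiny first-match model of the iptables INPUT chain shows why the posted rule order drops Apache's own loopback SYNs to 8009 (leaving httpd workers stuck in SYN_SENT until mod_jk gives up with a 503) while the corrected order accepts them and still drops outside connections, and a small server.xml check reports AJP connectors that are not bound to a loopback address. The chain policy of ACCEPT, the interface name `eth0`, the Tomcat connector snippets and all function names are assumptions made for the example.

```python
"""Model of iptables first-match evaluation plus a server.xml AJP binding check.
Added example for the tomcat-users thread on blocking port 8009; not real iptables."""

from dataclasses import dataclass
from typing import List, Optional
import xml.etree.ElementTree as ET


@dataclass(frozen=True)
class Packet:
    iface: str   # input interface: "lo" for loopback, "eth0" (assumed) for outside
    proto: str   # "tcp" or "udp"
    dport: int
    state: str   # conntrack state as iptables sees it: "NEW" or "ESTABLISHED"


@dataclass(frozen=True)
class Rule:
    target: str                    # ACCEPT or DROP
    iface: Optional[str] = None    # -i <iface>
    proto: Optional[str] = None    # -p <proto>
    dport: Optional[int] = None    # --dport <port>
    state: Optional[str] = None    # -m state --state <state>

    def matches(self, pkt: Packet) -> bool:
        """Every criterion that is set must match; unset criteria match anything."""
        return all([
            self.iface is None or self.iface == pkt.iface,
            self.proto is None or self.proto == pkt.proto,
            self.dport is None or self.dport == pkt.dport,
            self.state is None or self.state == pkt.state,
        ])


def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """iptables semantics: the first matching rule decides; else the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Rules in the order they were posted: DROP rules appended before the loopback ACCEPT.
POSTED_INPUT = [
    Rule("DROP", proto="tcp", dport=8009, state="NEW"),
    Rule("DROP", proto="udp", dport=8009, state="NEW"),
    Rule("ACCEPT", iface="lo"),
]

# Corrected order: loopback ACCEPT at the top, as the reply suggests.
FIXED_INPUT = [
    Rule("ACCEPT", iface="lo"),
    Rule("DROP", proto="tcp", dport=8009, state="NEW"),
    Rule("DROP", proto="udp", dport=8009, state="NEW"),
]

# Constructed packets: Apache opening an AJP connection over 127.0.0.1, and an outside host.
LOCAL_AJP_SYN = Packet("lo", "tcp", 8009, "NEW")
REMOTE_AJP_SYN = Packet("eth0", "tcp", 8009, "NEW")


def ajp_connectors_exposed(server_xml: str) -> List[str]:
    """Return the ports of AJP connectors whose address is not a loopback address."""
    root = ET.fromstring(server_xml)
    exposed = []
    for conn in root.iter("Connector"):
        if conn.get("protocol", "").upper().startswith("AJP"):
            if conn.get("address") not in ("127.0.0.1", "::1", "localhost"):
                exposed.append(conn.get("port"))
    return exposed


# Constructed server.xml fragments: one listening on all interfaces, one bound to loopback.
UNBOUND_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

BOUND_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443"/>
</Service></Server>"""


if __name__ == "__main__":
    for name, chain in (("posted", POSTED_INPUT), ("fixed", FIXED_INPUT)):
        print(f"{name}: loopback SYN -> {verdict(chain, LOCAL_AJP_SYN)}, "
              f"remote SYN -> {verdict(chain, REMOTE_AJP_SYN)}")
    print("exposed AJP ports (unbound):", ajp_connectors_exposed(UNBOUND_XML))
    print("exposed AJP ports (bound):  ", ajp_connectors_exposed(BOUND_XML))
```

Run as a script it prints that the posted order drops both SYNs (which is the SYN_SENT pile-up) while the fixed order accepts the loopback SYN and drops the remote one; the server.xml check reports 8009 as exposed only in the unbound configuration. Binding the connector to 127.0.0.1 removes the exposure even if the firewall rules are later edited out of order.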