Re: [jetty-users] jetty keeps getting hacked

Setuid is the way to start it as root so you can bind to port 80 and
then have it drop privileges

http://www.eclipse.org/jetty/documentation/current/setuid.html#configuring-setuid
--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx
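To make the SetUID approach concrete, here is an added example (not Jetty's code and not from the module linked above) of the bind-then-drop pattern in Python: bind the privileged port while still root, then switch to an unprivileged account and confirm that root cannot be regained. The function names and the `jetty` service account are assumptions; run as root with port 80 to see the full effect, while an unprivileged user can only exercise it with its own uid and an ephemeral port.

```python
import os
import pwd
import socket

def bind_listener(port: int, host: str = "0.0.0.0") -> socket.socket:
    """Bind the listening socket first. For port < 1024 this is the only step
    that needs root; the open socket survives the privilege drop."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(128)
    return sock

def drop_privileges(uid: int, gid: int) -> tuple:
    """Switch identity in the right order: supplementary groups, then gid,
    then uid (once the uid is gone, the gid can no longer be changed)."""
    if os.getuid() == 0:
        os.setgroups([])  # only root may clear supplementary groups
    os.setgid(gid)
    os.setuid(uid)
    return os.getuid(), os.getgid()

def root_regainable() -> bool:
    """Post-drop sanity check: a correctly dropped process gets EPERM when it
    tries to become root again. True means the drop did not really happen."""
    if os.getuid() == 0:
        return True
    try:
        os.setuid(0)
        return True
    except PermissionError:
        return False

def start_unprivileged(port: int, uid: int, gid: int) -> dict:
    """Bind as the current user (root in production), drop to uid/gid and
    report what the process ended up with."""
    sock = bind_listener(port)
    new_uid, new_gid = drop_privileges(uid, gid)
    return {"socket": sock, "port": sock.getsockname()[1], "uid": new_uid,
            "gid": new_gid, "root_regainable": root_regainable()}

if __name__ == "__main__":
    # "jetty" is an assumed service account; adjust to the local one.
    pw = pwd.getpwnam("jetty")
    state = start_unprivileged(80, pw.pw_uid, pw.pw_gid)
    print({k: v for k, v in state.items() if k != "socket"})
```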


On Fri, Aug 1, 2014 at 2:03 PM, Haupt-Konto <dev@xxxxxxxxxxxx> wrote:
> As mentioned in another mail from Steve Sobol, folder rights and the executing
> user might be useful. What privileges does this user have (/etc/group)?
>
> Some further clues:
> - Never run a container server as root; register Jetty on some user-valid
> port, i.e. 8080, and let it listen on the loopback device only.
> - Then set up a proxy HTTP server. Bear in mind that this proxy must be
> secure, because it must listen on port 80 - AFAIK there is no way to bind a
> port lower than 1024 with non-root privileges.
>
> You might also use iptables to forward traffic. However, this is a
> non-optimal solution because some further Linux development might break
> your set up.
>
> Best regards
>
> On 2014-08-01 18:25, Joakim Erdfelt wrote:
>>
>> What's in conf.n? (details please)
>> What do you have in your webapp? (be detailed)
>> How do you start Jetty? (your command line *AND* your start.ini and
>> start.d/ contents)
>> Do you customize anything in ${jetty.home}? (like lib or xml files)
>>
>> Do you run elasticsearch on your machine?
>>
>> --
>> Joakim Erdfelt <joakim@xxxxxxxxxxx>
>> webtide.com [2] - intalio.com/jetty [3]
>>
>> Expert advice, services and support from the Jetty & CometD
>> experts
>> eclipse.org/jetty [4] - cometd.org [5]
>>
>>
>> On Fri, Aug 1, 2014 at 9:16 AM, Kent Tong <kent.tong.mo@xxxxxxxxx>
>> wrote:
>>
>>> Hi,
>>>
>>> I have set up jetty-8.1.15.v20140411 on CentOS 6.5 with all the
>>> updates installed. However, jetty keeps getting hacked: malicious
>>> files (usually there is one named conf.n) are frequently created in
>>> jetty's directory (/opt/jetty). I have only enabled the minimum
>>> configuration in start.ini:
>>>
>>> etc/jetty.xml
>>> etc/jetty-annotations.xml
>>> etc/jetty-ssl.xml
>>> etc/jetty-deploy.xml
>>>
>>> etc/jetty-contexts.xml
>>>
>>> There is only one webapp installed, which is nothing out of the ordinary.
>>>
>>>
>>> Any idea? Thanks in advance!
>>>
>>> --
>>>
>>> Kent Tong
>>> IT author and consultant, child education coach
>>> _______________________________________________
>>> jetty-users mailing list
>>> jetty-users@xxxxxxxxxxx
>>> To change your delivery options, retrieve your password, or
>>> unsubscribe from this list, visit
>>> https://dev.eclipse.org/mailman/listinfo/jetty-users [1]
>>
>>
>>
>>
>> Links:
>> ------
>> [1] https://dev.eclipse.org/mailman/listinfo/jetty-users
>> [2] http://www.webtide.com/
>> [3] http://intalio.com/jetty
>> [4] http://eclipse.org/jetty/
>> [5] http://cometd.org/

