Lazyweb: Guide to Securing JBoss?

October 3, 2003 2:16 PM

I'm wondering if there exists a guide to securing a JBoss installation.

I'm thinking of network-level security rather than application-level security: things a network administrator would care about. To a network administrator, any network-available service is a potential vulnerability, and must be closed off unless it absolutely has to be accessed from another host. The target audience is somebody who is clued-up enough to edit configuration files and restart the server, but is not a Java programmer.

The ultimate aim would be to have a stand-alone JBoss server that sits safely on a network, listening only for web traffic on ports 80 and 443 and everything else blocked off, without the benefit of a firewall:

  1. By default, which services are active, and what ports do they listen on?
  2. Which of these services can be shut down?
  3. How does one re-bind the remainder of the services to only the loopback interface, so they are no longer externally accessible?
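As an added example (not part of the original post), here is a check for the end state described above: given `ss -ltn`-style listener output, it reports every socket that other hosts can reach on a port other than 80 or 443, so you can confirm that the remaining services really are bound to the loopback interface only. The listing is constructed for this example; its port numbers resemble commonly cited JBoss 3.x defaults (1099 JNDI, 4444 RMI invoker, 8083 class download, 8093 JMS UIL), not data from this page.

```python
from typing import List, Tuple

# Constructed sample in the shape of `ss -ltn` output (the
# "Local Address:Port" column is the only one the check uses).
SAMPLE_LISTING = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:80          0.0.0.0:*
LISTEN  0      128    0.0.0.0:443         0.0.0.0:*
LISTEN  0      50     0.0.0.0:1099        0.0.0.0:*
LISTEN  0      50     127.0.0.1:8083      0.0.0.0:*
LISTEN  0      50     [::]:4444           [::]:*
LISTEN  0      50     [::1]:8093          [::]:*
"""

# Policy from the post: only web traffic may be reachable from other hosts.
ALLOWED_EXTERNAL_PORTS = {80, 443}
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1"}


def parse_listeners(listing: str) -> List[Tuple[str, int]]:
    """Return (address, port) for each LISTEN line in the listing."""
    listeners = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles [::]:4444 too
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def find_violations(listing: str) -> List[Tuple[str, int]]:
    """Listeners reachable from other hosts that are not on an allowed port."""
    violations = []
    for addr, port in parse_listeners(listing):
        if addr in LOOPBACK_ADDRESSES:
            continue  # loopback-only binding: not externally reachable
        if port in ALLOWED_EXTERNAL_PORTS:
            continue
        violations.append((addr, port))
    return violations


if __name__ == "__main__":
    for addr, port in find_violations(SAMPLE_LISTING):
        print(f"externally reachable non-web service: {addr}:{port}")
```

On a live host, replace the constructed listing with the captured output of `ss -ltn` (or `netstat -ltn` on older systems) and re-run after each change to the JBoss configuration.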

I've tried Google, and looked over the JBoss website. I've also consulted the (purchased) JBoss 3.x Administration Guide, which disturbingly does not seem to cover network security at all.

If you are in a position to tell me conclusively that such a guide does not exist, that would also be useful information.

2 Comments

Any luck finding this information? On the privacy side of security, I have used SSL with EJBs and JMS, but can't seem to lock down the JNDI communication.

Jamie

I'm looking for a consistent guide to implementing SSL in JBoss. Has anyone found one?
