Port binding not using localhost?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Port binding not using localhost?

    One question concerning security: When I have a server without any firewall in front, I have some ports open to the outside coming from OX.
    Why are the ports 57461 and 57462 listening on all interfaces and not only on localhost?
    Using netstat -an one can see which ports listen only on localhost, like 1099 or 9999.
    And some ports are used in a random range, new ones on every startup of the groupware server, some "feature" of Java or JNDI that I dislike most.
    Is there any known tweak to the config files to reduce the number of ports open to the outside world?

  • #2
    Hi,

    Port 1099 is for RMI access, which is used for administration of the admindaemon (command line tools and so on). 9999 is for JMX which provides a monitoring service.
    Those other ports are used for the different caches that are provided by the groupware and administration daemon. This is a feature which is used when setting up clusters of OX servers that communicate (synchronize) with each other. If you are familiar with the JCS protocol, you can configure the caching configuration in the cache.ccf file in the groupware and admindaemon "/etc" directory. This caching feature is not required when only running one instance of the Open-Xchange Server on one physical server. This caching is also the cause of the random port usage.

    Greetings.
    Last edited by Martin Heiland; 08-04-2007, 10:15 PM.


    • #3
      Originally posted by Martin Braun
      If you are familiar with the JCS protocol, you can configure the caching configuration in the cache.ccf file in the groupware and admindaemon "/etc" directory. This caching feature is not required when only running one instance of the Open-Xchange Server on one physical server. This caching is also the cause of the random port usage.
      I'm not yet familiar with JCS but I don't need clustering or multiple instances at all. So I would be glad to downsize some of the features. Any hint what to disable where?


      • #4
        Hi,

        you have to comment out the following lines in the admindaemon's and groupware's cache.ccf:

        Code:
        # AVAILABLE AUXILIARY CACHES
        # TCP Lateral Cache to broadcast PUTS and REMOVALS (and possibly GETS) to other local caches
        jcs.auxiliary.LTCP=org.apache.jcs.auxiliary.lateral.socket.tcp.LateralTCPCacheFactory
        jcs.auxiliary.LTCP.attributes=org.apache.jcs.auxiliary.lateral.socket.tcp.TCPLateralCacheAttributes
        jcs.auxiliary.LTCP.attributes.TcpServers=127.0.0.1:57461
        jcs.auxiliary.LTCP.attributes.TcpListenerPort=57462
        and every following line starting with jcs.auxiliary.LTCP.*

        Greetings
        Last edited by Martin Heiland; 08-06-2007, 09:15 AM.


        • #5
          Thanks, that closed at least those two ports.
          I still have two ports listening on any interface, the port numbers changing on every restart of the server. And there remains one UDP port, 44335, that I can't associate with any service.
          Could these ports be configured to listen only on localhost?


          • #6
            Hi,

            44335/udp is a push port for the Outlook connector. This can be configured in the push.properties file.

            //edit
            Those other JMX ports should be bound to localhost by default, as they are configured like that in server.properties:
            MonitorJMXBindAddress=localhost

            This is obviously a bug and has been reported. Thank you!
            Last edited by Martin Heiland; 08-06-2007, 10:05 AM.


            • #7
              Originally posted by Martin Braun
              Those other JMX ports should be bound to localhost by default, as they are configured like that in server.properties:
              MonitorJMXBindAddress=localhost

              This is obviously a bug and has been reported. Thank you!
              Great work, so I could disable this UDP port and the other two 'walking ports' are at least not my own configuration fault. Thanks for your help.

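The check the original poster did by eye with netstat -an, as an added example that is not part of the thread or of Open-Xchange: a small POSIX shell filter that lists every TCP listener and every bound UDP socket whose local address is not loopback. It assumes the Linux netstat column layout, and the sample lines are constructed from the port numbers discussed in the thread (the 49152 line is a made-up stand-in for one of the "walking" JMX ports).

```shell
#!/bin/sh
# Added example, not from the thread: list sockets bound to something other
# than loopback, from `netstat -an` output in the Linux column layout
# (proto recv-q send-q local foreign [state]). Assumption: that layout.

# Constructed sample in that layout, using the port numbers from the thread
# (1099 RMI, 9999 JMX, 57461/57462 JCS lateral cache, 44335/udp Outlook push).
# The 49152 line is a made-up stand-in for one of the "walking" JMX ports.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:1099          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9999          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:57461           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:57462           0.0.0.0:*               LISTEN
tcp6       0      0 :::49152                :::*                    LISTEN
tcp        0      0 10.0.0.5:57461          10.0.0.7:51234          ESTABLISHED
udp        0      0 0.0.0.0:44335           0.0.0.0:*'

# Reads netstat lines on stdin; prints "proto port host" for each TCP socket
# in LISTEN state and each bound UDP socket whose host part is a wildcard
# (0.0.0.0 / ::) or a real interface address. Loopback binds are skipped.
exposed_listeners() {
  awk '
    $1 !~ /^(tcp|udp)/            { next }   # header, unix sockets, etc.
    $1 ~ /^tcp/ && $6 != "LISTEN" { next }   # connected TCP, not a listener
    {
      port = $4; sub(/.*:/, "", port)        # text after the last colon
      host = $4; sub(/:[0-9]+$/, "", host)   # everything before it
      if (host == "127.0.0.1" || host ~ /^127\./ || host == "::1") next
      print $1, port, host
    }'
}

# Same filter over the live system; netstat must be installed for this.
audit_live_sockets() {
  netstat -an 2>/dev/null | exposed_listeners
}

# Demonstration on the constructed sample: prints the four non-loopback
# sockets (57461, 57462, 49152 and 44335/udp) and nothing for 1099 or 9999.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

Run audit_live_sockets after editing cache.ccf, push.properties or server.properties and restarting to confirm the exposed list shrinks as expected.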
