我打算公开一个端口,用于通过互联网远程调试基于 Java 的 Web 服务,但三思而后行,我意识到它没有任何身份验证。
理论上,似乎可以编写一个工具,附加到远程调试器端口,并通过 Java API 执行任意系统命令。或者修改/转储数据库,等等。 至少这个漏洞似乎是这样http://securityaffairs.co/wordpress/36394/hacking/paypal-remote-code-execution.html
我不记得曾被强烈警告过要公开远程调试器端口。但如今,当数百个僵尸网络扫描端口寻找漏洞时,应该更好地宣传它。
任何人都可以评论它是否安全和/或如何在任意基于 java 的网络服务上以安全的方式做到这一点?我的目标是能够在生产服务器上执行远程调试。
最佳答案
您可以配置远程调试以使用 SSL 和身份验证,这适用于 Windows 和 Linux,但有点麻烦。并且端口一直处于打开状态。
我相信您有充分的理由调试您的实时/生产应用程序,并且知道当您真正调试它时,不仅使用连接来访问 JMX 数据,例如,当您连接调试器时,您的应用程序将停止运行。
甲骨文 documents一些风险,有些更高或更低,具体取决于您如何配置代理:
Caution - A potential security issue has been identified with password authentication for remote connectors when the client obtains the remote connector from an insecure RMI registry (the default). If an attacker starts a bogus RMI registry on the target server before the legitimate registry is started, then the attacker can steal clients' passwords. This scenario includes the case where you launch a Java VM with remote management enabled, using the system property com.sun.management.jmxremote.port=portNum, even when SSL is enabled. Although such attacks are likely to be noticed, it is nevertheless a vulnerability.
Caution - This configuration is insecure. Any remote user who knows (or guesses) your JMX port number and host name will be able to monitor and control your Java application and platform. While it may be acceptable for development, it is not recommended for production systems.
Caution - This configuration is insecure: any remote user who knows (or guesses) your port number and host name will be able to monitor and control your Java applications and platform. Furthermore, possible harm is not limited to the operations you define in your MBeans. A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code.
Consequently, while disabling security might be acceptable for development, it is strongly recommended that you do not disable security for production systems.
即使涉及最高安全性的配置(移动端口、启用 ssl、通过 ssl 客户端证书进行身份验证)仍然存在风险。 如果您仍然需要调试连接,我建议您使用可能已经存在的到服务器的 ssh 连接,并使用这个连接创建到调试器端口的 ssh 隧道。您可以在这里阅读更多相关信息:Cannot remotely debug JVM via SSH tunnel (因为它已经在所以我不复制细节)
在没有加密和身份验证的情况下打开端口将使任何人都可以连接到您的 jvm。这将允许读取和写入 JMX 值、停止代码的执行、修改值、创建堆转储、覆盖代码和所有其他不好的东西。
关于java - 将 java 远程调试器端口公开到 Internet 是否安全?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/33184800/