Railo Lockdown Guide
Some good resources:
- OWASP Securing Tomcat: https://www.owasp.org/index.php/Securing_tomcat
- Railo installation on CentOS Best Practices : http://blog.getrailo.com/assets/content/RailoInstallationonCentOSLinux6BestPractices.pdf
As with ACF, it is recommended best security practice to restrict access to URIs that do not need to be publicly exposed. Examples that have been cited include:
- /railo-context
- /manager
- /host-manager
- /web-inf
- /meta-inf
An Apache directive that restricts access to /railo-context, as an example, is given below:
```apache
<Location /railo-context>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
</Location>
```
In the above example, only the localhost IP address, 127.0.0.1, is allowed to reach any URL beginning with /railo-context. This, however, also blocks access to URLs such as /railo-context/admin/server.cfm that administrators need.
There is a relatively simple technique called SSH tunneling which allows an administrator to reach URIs restricted to 127.0.0.1 on a web server. In a nutshell, the admin logs onto the server using SSH with the -D flag and a free local port of their choice, and then sets up a browser to use the server, via the port specified, as a proxy. The net effect is that once the admin is logged into the server via SSH and has the browser properly set, browsing to 127.0.0.1/railo-context/admin/server.cfm opens the login screen on the server, not on the local machine. This approach allows one to lock down potentially vulnerable URIs and still let an admin access them from any IP address, no matter where they happen to be when a difficulty with the server arises.
Detailed instructions for SSH tunneling:
- ssh into the server using the -D flag, for example: ssh -D 60001 [email protected]
- In your web browser, set up your proxy to point to "localhost" on your chosen port (60001 in our example), using SOCKS5. This should work with any browser. Using Firefox as an example, here's how to do that:
  - Go to Preferences
  - Click the Advanced icon
  - Click the Network tab
  - Click the Settings button, across from where it says "Configure how Firefox connects to the Internet"
  - Select Manual proxy configuration
  - In the SOCKS Host field put "localhost" without the quotation marks
  - In the Port field put the port number you used in the -D flag, 60001 in our example
  - Select SOCKS v5
  - Click OK
- To revert the browser to normal behavior, simply choose No Proxy in the Network Settings dialog
- Note that the port chosen is arbitrary; it only has to be available and match in both the -D flag and the SOCKS port setting.
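The following shell script is an added example, not part of the original guide and not Railo project code. It ties together the two pieces above: it generates the Apache restriction for every URI prefix listed earlier, and it checks from the admin's workstation that each prefix is blocked when reached directly but still reachable through the SSH SOCKS tunnel. It goes slightly beyond the guide's single `<Location>` block in two ways, both my choices: it uses `<LocationMatch>` with a case-insensitive regex so that a request for /RAILO-CONTEXT/ or /Web-INF/ is not let through by a case-sensitive prefix match, and it can emit either the Order/Deny/Allow syntax shown above (Apache 2.2) or the `Require ip` syntax that replaced it in Apache 2.4. The hostname `server.example`, the SOCKS port 60001 and the assumption that the site answers on port 80 with curl installed are all mine.

```shell
#!/bin/sh
# Added example (not from the Railo Lockdown Guide, not Railo project code).
# Assumptions (mine, not the guide's): Apache listens on port 80, the SSH
# SOCKS tunnel is on local port 60001, and curl is installed locally.

# URI prefixes the guide recommends restricting to localhost.
RESTRICTED_URIS="/railo-context /manager /host-manager /web-inf /meta-inf"

# Emit one <LocationMatch> block per prefix. A (?i) regex is used instead
# of a plain <Location> prefix so that mixed-case requests such as
# /RAILO-CONTEXT/ are also caught. $1 selects the directive syntax:
# "2.2" emits Order/Deny/Allow (as in the guide), anything else emits the
# Apache 2.4 "Require ip" form.
apache_lockdown_conf() {
    version="${1:-2.4}"
    for uri in $RESTRICTED_URIS; do
        printf '<LocationMatch "(?i)^%s">\n' "$uri"
        if [ "$version" = "2.2" ]; then
            printf '    Order Deny,Allow\n'
            printf '    Deny from all\n'
            printf '    Allow from 127.0.0.1\n'
        else
            printf '    Require ip 127.0.0.1\n'
        fi
        printf '</LocationMatch>\n'
    done
}

# Print the HTTP status code for URL $1. If $2 is given it is the local
# SOCKS port of the ssh -D tunnel and the request goes through it.
# curl prints "000" when no connection could be made at all.
http_status() {
    if [ -n "$2" ]; then
        curl -s -o /dev/null -w '%{http_code}' --max-time 5 \
            --socks5-hostname "localhost:$2" "$1"
    else
        curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1"
    fi
}

# Check every restricted prefix twice: directly against the public
# hostname ($1), where anything other than 403 (or no answer) means the
# lockdown is not in effect, and through the tunnel on SOCKS port $2,
# where a 403 means the admin path is blocked as well. Returns 1 and
# names each failing URI on stderr.
verify_lockdown() {
    host="$1"; port="$2"; rc=0
    for uri in $RESTRICTED_URIS; do
        direct=$(http_status "http://$host$uri/")
        case "$direct" in
            403|000) ;;
            *) echo "OPEN: http://$host$uri/ answered $direct" >&2; rc=1 ;;
        esac
        tunnel=$(http_status "http://127.0.0.1$uri/" "$port")
        if [ "$tunnel" = "403" ]; then
            echo "TUNNEL BLOCKED: http://127.0.0.1$uri/ answered 403" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage (hostname and paths are placeholders):
#   apache_lockdown_conf 2.4 > /etc/httpd/conf.d/railo-lockdown.conf
#   ssh -D 60001 admin@server.example        # in a second terminal
#   verify_lockdown server.example 60001 && echo "lockdown OK"
```

Through the tunnel, a 404 for /web-inf or /meta-inf is normal, since the servlet container refuses to serve those directories itself; the check only flags a 403, which would mean the Apache rule is also catching traffic that originates from 127.0.0.1. Directly against the public hostname, a 000 is accepted as well so that the script can be run before the site is up without reporting false positives.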