Project

General

Profile

How to Secure a Z2 Installation » History » Revision 5

Revision 4 (Henning Blohm, 15.08.2021 13:53) → Revision 5/9 (Henning Blohm, 15.08.2021 19:45)

h1. How to secure a Z2 installation 

 This how to is looking into some very basic measures to implement to provide basic protection to a z2 installation. While we 

 are considering z2 here, these suggestions apply to pretty much any Web application system. 

 h2. Run a Firewall to Block Port Access 

 Java applications typically have more ports open than you think. This could be JMX related, debugging support etc. The same is true for your operating system. So in general make sure that only those ports are accessible that are required to run your application. On Linux this may well be just one port for SSH access (i.e. 22 by default) and one for Web application access. 

 There are some variations on the latter. In most cases your application is not the actual entry point for Web access but instead there will be some request routing happening before to make sure maintenance scenarios (and outages) and load-balancing can be dealt with and most importantly for SSL termination. 

 Instead of protecting every single server node of your installation, you may consider setting up a "Virtual LAN":https://en.wikipedia.org/wiki/Virtual_LAN setup where you can concentrate all access limitations and rules to securing a single gateway node. 

 The z2 Environment hasa not particular means for managing port-based access and indeed the reason for this section is to make you aware of this fact. 

 Typically the following ports will be used by default with z2: 

 |_. Port |_. Purpose |_. Configuration | 
 | 8080 | Web Container (Jetty) | @environment.base/webServer/jetty-http.xml@ | 
 | 5000 | Java debug port for home process | @$Z2_HOME/bin/launch.properties@ | 
 | 5100+x | Java debug port for web worker process | @environment.base/webWorker.properties@ | 
 | 7800+x | JMX port for web worker process | @environment.base/webWorker.properties@ | 

 However depending on your configuration other ports may be opened. Also note [[How_to_Remote_Manage]]. 

 h2. Use Whitelisting for Web Applications 

 In contrast to this, you may want to also limit access to specific Web applications. For example, you should make sure that access to development or management related Web applications should be tightly restricted to avoid any possibility of triggering unexpected changes on your production environment. 

 The simplest way of achieving that is by allowing access from any other host by localhost only for dedicated Web applications. 

 In short this means: 

 * Only outward facing Web application usage is available by default 
 * Any other access requires access from localhost. 

 The latter is a brilliant limitation as it means you can use lower level means such as SSH tunneling to secure limited access by the same policy you use to limit management access to execution environments. 

 Starting with "Version 2.9":https://redmine.z2-environment.net/versions/48 (#2098) the Jetty configuration of z2-base prohibits access to any built-in Web application from anywhere but locahost.  

 The configuration is part of @environment/webServer@ (which links to @environment.base/webServer@).  

 See also source:z2-base.base|environment.base/webServer/z2-nonlocalhostwhitelist.xml .