Scott M. Mcdermott

UNIX Systems & Network Administrator
available for contract or salaried positions

Jetty

The Jetty Server is an HTTP server and Java Servlet container; it is the environment in which the developers test their web applications. After installation the developers deploy with their own tools (most likely by copying from the "private" area configured in the Apache step into Jetty's deploy directory on the filesystem).

Installation

The installation is dead simple:

$ apt-get install jetty

APT brings in all the package prerequisites. We were told for this project that no additional configuration was necessary.

Security

Even though we were not supposed to do additional configuration, there is a problem:

$ sudo netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address   State
tcp        0      0 127.0.0.1:389     0.0.0.0:*         LISTEN
tcp        0      0 127.0.0.1:8079    0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:80        0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:8280      0.0.0.0:*         LISTEN

$ sudo fuser -avn tcp 8280,,
USER        PID ACCESS COMMAND
8280,,/tcp:          jetty     29823 F.... java

Oh no! The dreaded nonlocal listener exposing our services far and wide! Port 8280 is bound to 0.0.0.0, so Jetty, and every application deployed into it, can be reached directly from any host that can route to this machine, not only by local processes. Fortunately, the change is simple:

$ grep -C 1 8280 jetty.xml
  <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
  <!-- Add and configure a HTTP listener to port 8280                  -->
  <!-- The default port can be changed using: java -Djetty.port=80     -->
--
  <Set name="Host">127.0.0.1</Set>
  <Set name="Port"><SystemProperty name="jetty.port" default="8280"/>
  </Set>

Note the added Host line. Without it Jetty binds to all interfaces (0.0.0.0), which is the packaged default; since jetty.xml ships with the package, re-check the setting after upgrades. Now to confirm that it works:

$ sudo /etc/init.d/jetty restart
Stopping Jetty servlet engine: .jetty.
Starting Jetty servlet engine: jetty.

$ sudo netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address   State
tcp        0      0 127.0.0.1:389     0.0.0.0:*         LISTEN
tcp        0      0 127.0.0.1:8079    0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:80        0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN
tcp        0      0 127.0.0.1:8280    0.0.0.0:*         LISTEN

Indeed it does.

Now only ssh (port 22, for login) and http (port 80) are exposed to external hosts; the listeners on 389 and 8079 were already loopback-only, and Jetty's 8280 now joins them. Binding to 127.0.0.1 is a host-local control: if the box runs a packet filter, a rule dropping inbound 8280 is cheap defence in depth, and the netstat check above is worth repeating after every package upgrade or configuration change.
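To make the before-and-after check above repeatable, here is a small shell audit. It is an added example, not code from the original page or from the Jetty project: it parses netstat -lnt (or ss -lnt) output and reports every wildcard-bound listener whose port is not on an allowlist, and it checks a jetty.xml fragment for an explicit loopback Host beside each Port setting. The sample netstat text and the jetty.xml fragments are constructed to mirror what is shown on this page; the function names, the allowlist and the count-based jetty.xml heuristic are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original page or from Jetty.
# Audit which TCP listeners are reachable from other hosts, and check that
# every listener configured in a jetty.xml fragment is pinned to 127.0.0.1.

# Print "addr:port" for each listener bound to a wildcard address
# (0.0.0.0, ::, [::] or *) whose port is not in the allowlist.
#   $1 = text of "netstat -lnt" or "ss -lnt" output (Local Address is
#        column 4 in both formats)
#   $2 = space-separated allowed ports, e.g. "22 80"
exposed_listeners() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $4 ~ /:[0-9]+$/ {
            addr = $4; port = $4
            sub(/.*:/, "", port)        # keep the text after the last colon
            sub(/:[0-9]+$/, "", addr)   # drop the trailing :port
            wild = (addr == "0.0.0.0" || addr == "::" || addr == "[::]" || addr == "*")
            if (wild && !(port in ok)) print $4
        }'
}

# Return 0 when every <Set name="Port"> in the jetty.xml text ($1) is
# matched by an explicit <Set name="Host">127.0.0.1</Set>, 1 otherwise.
# Count-based heuristic (assumption): fine for the single-listener file on
# this page; a multi-listener file deserves a real XML parser.
jetty_listeners_loopback_only() {
    ports=$(printf '%s\n' "$1" | grep -c '<Set name="Port">') || true
    hosts=$(printf '%s\n' "$1" | grep -c '<Set name="Host">127\.0\.0\.1</Set>') || true
    if [ "$ports" -gt 0 ] && [ "$ports" -eq "$hosts" ]; then
        return 0
    fi
    return 1
}

# Constructed samples mirroring the netstat output shown on this page.
SAMPLE_BEFORE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address   State
tcp        0      0 127.0.0.1:389     0.0.0.0:*         LISTEN
tcp        0      0 127.0.0.1:8079    0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:80        0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:8280      0.0.0.0:*         LISTEN'

SAMPLE_AFTER='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address   State
tcp        0      0 127.0.0.1:389     0.0.0.0:*         LISTEN
tcp        0      0 127.0.0.1:8079    0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:80        0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN
tcp        0      0 127.0.0.1:8280    0.0.0.0:*         LISTEN'

# Constructed "ss -lnt" style sample with an IPv6 wildcard listener.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       50      [::]:8280           [::]:*
LISTEN  0       128     127.0.0.1:389       0.0.0.0:*'

# Constructed jetty.xml fragments: the packaged default and the fixed version.
JETTY_XML_DEFAULT='<Set name="Port"><SystemProperty name="jetty.port" default="8280"/></Set>'
JETTY_XML_FIXED='<Set name="Host">127.0.0.1</Set>
<Set name="Port"><SystemProperty name="jetty.port" default="8280"/></Set>'

# Ports that are meant to be reachable from outside: ssh and http.
ALLOW="22 80"

echo "exposed before the fix:"
exposed_listeners "$SAMPLE_BEFORE" "$ALLOW"
echo "exposed after the fix:"
exposed_listeners "$SAMPLE_AFTER" "$ALLOW"
if jetty_listeners_loopback_only "$JETTY_XML_FIXED"; then
    echo "jetty.xml: every listener pinned to 127.0.0.1"
fi
# On a live host: exposed_listeners "$(ss -lnt 2>/dev/null || netstat -lnt)" "$ALLOW"
```

Run on a live host, the audit prints one line per unexpected wildcard listener and nothing when the box is clean, which makes it easy to drop into a post-upgrade check or a cron job that mails on non-empty output.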