1. Tomcat default port (8081) - Is it a security concern?
0 Recommend
Posted Jan 07, 2018 06:10 PM
Hi,
We've recently had some external pen-testers in who have raised concerns over the ability to access the default Tomcat URL via https://<DCS_SERVER_IP>:8081 from local workstation browsers.
This is a newly installed DCS:SA system and although anyone accessing this URL would also require authorised login credentials, the preference is that no users can access the URL:8081.
What is the best practice for hiding the Tomcat URL from users on the local network? Would restricting firewalls so that only someone logging in locally to the DCS server can access it be a recommendation? Or should an alternate (other than default 8081) port number be considered?
Any advice will be very much appreciated.
KS
2. RE: Tomcat default port (8081) - Is it a security concern?
0 Recommend
Posted Jan 09, 2018 03:20 PM
Hi Kevin,
There are a few ways to remove the listener.
You can remove the listener from the server.xml (tomcat/conf/server.xml) and then restart the DCS Manager. The port is not required.
You can also block all traffic to that port via the IPS policy that you have configured for and applied to your DCS manager.
I would recommend at a minimum you apply the DCS IPS Manager Policy to the DCS manager. The other items listed above are optional.
Best Regards,
Jim
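The first option above, removing the 8081 listener from tomcat/conf/server.xml, amounts to deleting the <Connector> element for that port. The following is an added example, not code from the thread or from the DCS product: it works on a constructed server.xml fragment (the real DCS:SA file will differ, and the second connector port is illustrative) and shows which ports the file declares before and after the 8081 connector is dropped.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling a Tomcat server.xml with two HTTPS
# connectors. 8081 is the port from the thread; everything else is
# illustrative and is NOT taken from a real DCS:SA installation.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8081" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true" />
    <Connector port="4443" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def connector_ports(xml_text):
    """Return the port of every <Connector> declared in server.xml."""
    root = ET.fromstring(xml_text)
    return [int(c.get("port")) for c in root.iter("Connector") if c.get("port")]


def remove_connector(xml_text, port):
    """Return (new_xml, removed_count) with every <Connector port=...> for the
    given port dropped from its <Service>; all other elements are kept."""
    root = ET.fromstring(xml_text)
    removed = 0
    for service in root.iter("Service"):
        for conn in list(service.findall("Connector")):
            if conn.get("port") == str(port):
                service.remove(conn)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    print("before:", connector_ports(SAMPLE_SERVER_XML))
    new_xml, n = remove_connector(SAMPLE_SERVER_XML, 8081)
    print(f"removed {n} connector(s); after: {connector_ports(new_xml)}")
```

After editing the real file and restarting the DCS Manager, confirm nothing is bound to 8081 any more (for example `ss -ltn` on Linux or `netstat -an` on Windows); the ports printed by the script only reflect what the file declares, not what is actually listening.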
3. RE: Tomcat default port (8081) - Is it a security concern?
0 Recommend
Posted Jan 15, 2018 10:31 PM
Hi,
Thanks for the response. The main purpose is to 'hide' the Tomcat home page. The main concern is that the home page may provide information useful to a malicious 3rd party (version, etc.). I'm also concerned that the Java console will be affected if 8081 is blocked.
Isn't the listener still needed by the Java console?
Kev
6. RE: Tomcat default port (8081) - Is it a security concern?
0 Recommend
Posted Feb 12, 2018 10:58 PM
Apologies for the late response. Your solution was accepted by the team. So it's sorted now. Thanks for your help. Kev