Security issue with the Telnet Console [message #101466]
Mon, 12 November 2007 12:30
Eclipse User
Originally posted by: kratz.splix.no
Hi all,
Our OSGi-based server is running as a daemon process (or Windows service). To be able to work with the console we simply used the telnet console option.
Everything works fine except the fact that the port opened for telnet is totally unprotected. So just by knowing the port you can telnet to the OSGi server and shut the server down with a simple exit command.
Is there anything that is configurable / changeable in the OSGi runtime to change this behaviour?
If that is not possible, any ideas on how to protect us?
BR
K
Re: Security issue with the Telnet Console [message #502539 is a reply to message #101466]
Tue, 08 December 2009 13:25
Eclipse User
I have found a workaround that will work for me, in case anyone is interested or has any input.
I am running my headless OSGi application in Linux with the Equinox console available at port 2020 on a remote machine. As noted above, this is not secure since anyone can connect to this port and shut down or do other nefarious things to my application. So the first thing I'm going to do is set up some firewall rules using iptables to block anyone trying to connect to port 2020 (unless you are connecting from localhost):
sudo iptables -A INPUT -p tcp -s 127.0.0.1 --dport 2020 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 2020 -j REJECT
The first rule ensures that any packets from localhost going to port 2020 are accepted. The second rule causes anything going to port 2020 to be rejected. Since packets from 127.0.0.1 have already been accepted by the first rule, they are not rejected by the second.
Now all outside traffic to port 2020 is blocked. This means that 2020 is secure, but the problem is that an administrator may still want to connect to that OSGi console from a local machine. For this, you can do SSH port forwarding. Open up a console on the local machine (the one that is not running the OSGi application) and type this:
ssh -N -L 2020:localhost:2020 user@remotehost
Now you can connect to the OSGi console on the local machine like this:
Now you can disconnect from the Eclipse console by typing 'disconnect'.
I know all this might be obvious to any sys admin types, but I have relatively little experience with system administration, so it took me a while to figure all this out.
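The exposure described in this thread (a console port bound on every interface, reachable by anyone who knows the port number) can be audited from the host's own listener table before and after applying the firewall rules. The following added example is not from either poster; it parses `ss -ltn` style output (the sample below is constructed, not captured) and reports every non-loopback address on which a given console port accepts connections, treating IPv4 and IPv6 wildcards as exposed.

```python
"""Audit whether a console port (e.g. the Equinox telnet console on 2020)
is reachable from beyond localhost, using `ss -ltn` style listener output.
Added example for this thread; the sample output below is constructed."""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
LISTEN 0      50     0.0.0.0:2020        0.0.0.0:*
LISTEN 0      50     [::]:2020           [::]:*
LISTEN 0      128    [::1]:6010          [::]:*
LISTEN 0      128    192.0.2.10:8080     0.0.0.0:*
"""

# "Local Address:Port" column: plain IPv4, bracketed IPv6, or "*" wildcard.
_LOCAL_RE = re.compile(r"^(\[(?P<v6>[^\]]+)\]|(?P<v4>[^\s:]+)):(?P<port>\d+|\*)$")


def parse_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Return (address, port) for every LISTEN line in `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        m = _LOCAL_RE.match(fields[3])
        if not m or m.group("port") == "*":
            continue
        listeners.append((m.group("v6") or m.group("v4"), int(m.group("port"))))
    return listeners


def is_loopback_bind(addr: str) -> bool:
    """True only for 127.0.0.0/8 or ::1; wildcards and routable addresses are exposed."""
    if addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr.split("%")[0]).is_loopback
    except ValueError:
        return False  # unparsable address: report it rather than trust it


def exposed_binds(ss_output: str, port: int) -> List[str]:
    """Addresses on which `port` accepts connections from beyond localhost."""
    return [addr for addr, p in parse_listeners(ss_output)
            if p == port and not is_loopback_bind(addr)]


if __name__ == "__main__":
    for addr in exposed_binds(SAMPLE_SS_OUTPUT, 2020):
        print(f"console port 2020 is reachable via {addr}; restrict it")
```

An empty result for the console port means every socket on it is bound to a loopback address, which is the state the iptables rules and the SSH tunnel above are meant to enforce from the network side.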