Hardening and Performance Tuning in JBoss EAP 7
I read through the standard guideline of JBoss EAP 7. It tells how to secure ports and increase the JVM options, but does not specifically say how to calculate and achieve specific measurements. Referencing Apache practice, what should I do if I need to:

- Hide the JBoss version number and other sensitive information
- Make sure JBoss is running under its own user account and group
- Ensure that files outside the webapp root folder are not served
- Turn off directory browsing
- Turn off server side includes
- Turn off CGI execution
- Don't allow JBoss to follow symbolic links
- Turn off multiple Options
- Turn off support for .htaccess files
- Lower the Timeout value
- Limit large requests
- Limit the size of an XML body
- Disable TRACE HTTP requests
- Use only TLS; disable SSLv2 and SSLv3
- Do not open port 80 by default (use SSL only)
- Modify web applications to set the HttpOnly attribute for all cookies
- Support simultaneous connection processing of 400 and maximum connections over 3000
- Prevent injection flaws, such as SQL, OS, and LDAP injection, which occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
- Prevent attackers from compromising passwords, keys, or session tokens, or exploiting other implementation flaws to assume other users' identities.
- Prevent XSS flaws, which occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
- Prevent Insecure Direct Object References.
- Prevent CSRF. A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
Too many sub-questions in one question. Answering the 1st one: to remove

X-Powered-By: Undertow/1
X-Powered-By: JSP/2.3
Server: JBoss-EAP/7

execute the following CLI commands:

/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header:remove
/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header:remove
/subsystem=undertow/servlet-container=default/setting=jsp:write-attribute(name=x-powered-by,value=false)
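As an added example (not part of the answer above), the following POSIX shell script packages those three CLI commands into a batch file for jboss-cli.sh and adds a small check that scans raw HTTP response headers for the version-revealing Server and X-Powered-By headers, so you can confirm the change took effect. It assumes the stock EAP 7 standalone profile names (default-server, default-host, servlet-container=default) and a server listening on localhost:8080; the sample header sets BEFORE_HEADERS and AFTER_HEADERS are constructed here for illustration, not captured from a real server.

```shell
#!/bin/sh
# Added example, not code from the original answer or from Red Hat.
# Assumes the stock EAP 7 standalone profile resource names.

# Write the three header-stripping CLI commands as a batch into the file $1.
# Wrapping them in batch/run-batch makes the three changes atomic.
write_header_strip_batch() {
    cat > "$1" <<'EOF'
batch
/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header:remove
/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header:remove
/subsystem=undertow/servlet-container=default/setting=jsp:write-attribute(name=x-powered-by,value=false)
run-batch
EOF
}

# Read raw HTTP response headers on stdin; print the lower-cased names of any
# Server / X-Powered-By headers found (one per line) and return 1 if there were
# any, 0 if the response is clean. CRLF line endings are tolerated.
find_version_headers() {
    found=$(tr -d '\r' | grep -i -E '^(server|x-powered-by):' \
            | cut -d: -f1 | tr 'A-Z' 'a-z' | sort -u)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed sample responses: what a default EAP 7 JSP page returns before
# the change, and what it should look like afterwards.
BEFORE_HEADERS='HTTP/1.1 200 OK
Server: JBoss-EAP/7
X-Powered-By: Undertow/1
X-Powered-By: JSP/2.3
Content-Type: text/html;charset=UTF-8'

AFTER_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8'

# Typical use against a running server (EAP_HOME is assumed to be set):
#   write_header_strip_batch strip-headers.cli
#   "$EAP_HOME/bin/jboss-cli.sh" -c --file=strip-headers.cli
#   # if the CLI reports "process-state" => "reload-required", run: jboss-cli.sh -c reload
#   curl -sI http://localhost:8080/ | find_version_headers && echo "clean"
```

Run the check against the constructed samples with `printf '%s\n' "$BEFORE_HEADERS" | find_version_headers` (prints `server` and `x-powered-by`, exit status 1) and `printf '%s\n' "$AFTER_HEADERS" | find_version_headers` (prints nothing, exit status 0). Note that this only hides the banner; it does not change the Undertow or JSP versions actually in use, so patching still matters.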