Hardening and Performance Tuning in JBoss EAP 7


I read through the standard guideline of JBoss EAP 7. It tells how to secure ports and increase the JVM options, but does not specifically say how to calculate and achieve specific measurements. Referencing Apache practice, what should I do if I need to:

1. Hide the JBoss version number and other sensitive information
2. Make sure JBoss is running under its own user account and group
3. Ensure that files outside the webapp root folder are not served
4. Turn off directory browsing
5. Turn off server side includes
6. Turn off CGI execution
7. Don't allow JBoss to follow symbolic links
8. Turn off multiple Options
9. Turn off support for .htaccess files
10. Lower the Timeout value
11. Limit large requests
12. Limit the size of an XML body
13. Disable TRACE HTTP requests
14. Use only TLS; disable SSLv2 and SSLv3
15. Do not open port 80 by default (use SSL only)
16. Modify web applications to set the HttpOnly attribute for all cookies
17. Support up to 400 simultaneous connections in process and a maximum of over 3000 connections
18. Prevent injection flaws, such as SQL, OS, and LDAP injection, which occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
19. Prevent attackers from compromising passwords, keys, or session tokens, or from exploiting other implementation flaws to assume other users' identities.
20. Prevent XSS flaws, which occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
21. Prevent Insecure Direct Object References.
22. Prevent CSRF attacks. A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
Too many sub-questions in one question. Answering the 1st one:

To remove

X-Powered-By: Undertow/1
X-Powered-By: JSP/2.3
Server: JBoss-EAP/7

execute the following CLI commands:

/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header:remove
/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header:remove
/subsystem=undertow/servlet-container=default/setting=jsp:write-attribute(name=x-powered-by,value=false)
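As an added example (not part of the answer above), the following Python audits a captured HTTP response head for the three version-disclosing headers the answer lists and maps each one back to the jboss-cli command that removes it, so the change can be verified before and after applying it. The sample responses are constructed; the header names and CLI commands are those from the answer.

```python
from typing import Dict, List

# Default Undertow/JSP headers that reveal the product and version.
DISCLOSING_HEADERS = ("server", "x-powered-by")

# jboss-cli commands from the answer, keyed by the header they remove.
# X-Powered-By is set by both an Undertow filter and the JSP container.
REMEDIATION: Dict[str, List[str]] = {
    "server": [
        "/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header:remove",
    ],
    "x-powered-by": [
        "/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header:remove",
        "/subsystem=undertow/servlet-container=default/setting=jsp:write-attribute(name=x-powered-by,value=false)",
    ],
}

def parse_response_head(raw: str) -> Dict[str, List[str]]:
    """Map lowercase header names to all their values; stop at the blank line."""
    headers: Dict[str, List[str]] = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit_headers(raw: str) -> Dict[str, List[str]]:
    """Return the disclosing header lines found and the CLI commands that remove them."""
    headers = parse_response_head(raw)
    findings = [f"{n}: {v}" for n in DISCLOSING_HEADERS for v in headers.get(n, [])]
    commands = [c for n in DISCLOSING_HEADERS if n in headers for c in REMEDIATION[n]]
    return {"findings": findings, "commands": commands}

# Constructed sample: a default EAP 7 response before hardening.
BEFORE = ("HTTP/1.1 200 OK\r\nServer: JBoss-EAP/7\r\nX-Powered-By: Undertow/1\r\n"
          "X-Powered-By: JSP/2.3\r\nContent-Type: text/html\r\n\r\n<html></html>")
# Constructed sample: the same response after the three CLI commands.
AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        result = audit_headers(raw)
        print(label, result["findings"] or "no version disclosure")
        print("\n".join(result["commands"]))
```

Feed it the head of a real `curl -i` response to confirm the headers are gone after the CLI commands are applied and the server reloaded.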
