11/02/2014

How to disable remote shutdown in Tomcat (secure)

Examples:

  • change the shutdown command (partially recommended)
  • change the port number from the default to a different one (not recommended)
  • set the port number to -1 (recommended)


By default Tomcat listens on port 8005 for the SHUTDOWN command. When that string is received, the whole server (every Service and web application inside this <Server>) is shut down. Unless an address attribute says otherwise, the listener binds to localhost, so it is not reachable from other hosts; it is still reachable by any user or process on the same machine, and the command travels in clear text with no authentication beyond knowing the string. For security reasons I'd strongly advise disabling this listener if it is not needed, so that nobody can stop the service on purpose or by accident.


The listener is defined in the server.xml file:
$CATALINA_HOME/conf/server.xml

<Server port="8005" shutdown="SHUTDOWN">
This line may also carry an address attribute, which binds the shutdown listener to one particular network interface (http://en.wikipedia.org/wiki/Network_interface_controller). With address set to a non-loopback IP the port becomes reachable over the network; the telnet sessions below assume such a binding, since with the default localhost binding a connection from another host is refused whatever the port setting.

We can prevent remote shutdown by changing these values:


EXAMPLE 1 (partially recommended):

Change the settings in the server.xml file from:
<Server port="8005" shutdown="SHUTDOWN">
To:
<Server port="8005" shutdown="SECRETCOMMAND">
From now on only the SECRETCOMMAND string, sent to port 8005, will shut down the instance. Any other string (including SHUTDOWN) is rejected and logged as an invalid command. This is only as strong as the secrecy of the string: it sits in clear text in server.xml and crosses the socket unencrypted, so pick a long random value and protect it like a password.

Result:

[me@me ~]$ telnet 192.168.1.3 8005
Trying 192.168.1.3...
Connected to 192.168.1.3.
Escape character is '^]'.
SHUTDOWN
Connection closed by foreign host.

Response (by default in the catalina.out file):

WARNING: StandardServer.await: Invalid command 'SHUTDOWN' received


EXAMPLE 2 (not recommended):

Change the settings in the server.xml file from:
<Server port="8005" shutdown="SHUTDOWN">
To:
<Server port="8001" shutdown="SHUTDOWN">
From now on only the SHUTDOWN command sent to port 8001 (which must not be in use by another application) will shut down the instance; port 8005 is no longer opened by this instance. This is obscurity, not security: a port scan finds the new listener in seconds, and the command it accepts is still the well-known default.

Result:

[me@me ~]$ telnet 192.168.1.3 8005
Trying 192.168.1.3...
telnet: connect to address 192.168.1.3: Connection refused

EXAMPLE 3 (recommended):

Change the settings in the server.xml file from:
<Server port="8005" shutdown="SHUTDOWN">
To:
<Server port="-1" shutdown="SHUTDOWN">
With port="-1" Tomcat does not open the shutdown socket at all, so there is nothing to connect to and the shutdown string becomes irrelevant. Note that catalina.sh stop (which shutdown.sh calls) talks to this socket; after this change it can no longer stop Tomcat that way and reports that no shutdown port is configured. Stop the JVM with a signal instead: if CATALINA_PID is set (for example in bin/setenv.sh), newer catalina.sh versions fall back to sending SIGTERM to that PID when the socket stop fails, and a service manager such as systemd does the same.

Result:

[me@me ~]$ telnet 192.168.1.3 8005
Trying 192.168.1.3...
telnet: connect to address 192.168.1.3: Connection refused
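As an added example (not from the original post and not Tomcat's own code), here is a Python script that audits the <Server> tag of a server.xml file against the three options above and can apply the recommended one, port="-1". It edits only that attribute as text, so the rest of the file, comments included, is preserved. The sample configurations inside it are constructed for this example, and the script name, file paths and --fix flag are assumptions.

```python
"""Audit and harden the Tomcat shutdown listener configured in server.xml.

Added example for this post (not Tomcat's own code). It reads the
<Server port=".." shutdown=".." [address=".."]> tag described above,
reports why the current setting is risky, and can rewrite the port to -1
(the post's recommended option). The samples at the bottom are
constructed for this example; the real file is $CATALINA_HOME/conf/server.xml.
"""
import re
import shutil
import sys

DEFAULT_PORT = 8005          # StandardServer's default when port= is absent
DEFAULT_COMMAND = "SHUTDOWN"
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Opening <Server ...> tag and its raw attribute text. This is a textual
# match, so a commented-out <Server ...> earlier in the file would be
# picked up first; the stock server.xml has none.
_SERVER_TAG = re.compile(r"<Server\b([^>]*)>")
_ATTR = re.compile(r'\b(\w+)\s*=\s*"([^"]*)"')
_PORT_ATTR = re.compile(r'\bport\s*=\s*"[^"]*"')


def parse_server_tag(xml_text):
    """Return the attributes of the <Server> start tag as a dict."""
    m = _SERVER_TAG.search(xml_text)
    if m is None:
        raise ValueError("no <Server> element found")
    return dict(_ATTR.findall(m.group(1)))


def audit(xml_text):
    """Classify the listener as 'disabled', 'default' or 'custom'.

    'findings' lists why a reachable listener is a risk; it is empty only
    when the port is -1, because then no socket is opened at all.
    """
    attrs = parse_server_tag(xml_text)
    port = int(attrs.get("port", DEFAULT_PORT))
    command = attrs.get("shutdown", DEFAULT_COMMAND)
    address = attrs.get("address", "localhost")   # Tomcat's default binding
    if port == -1:
        return {"status": "disabled", "port": port, "findings": []}
    findings = []
    if command == DEFAULT_COMMAND:
        findings.append("default shutdown command %r: anyone who can reach "
                        "the port can stop Tomcat" % command)
    if port == DEFAULT_PORT:
        findings.append("well-known port %d: trivially found by a scan" % port)
    if address not in LOOPBACK:
        findings.append("bound to %s, so the port is reachable over the "
                        "network, not just from this host" % address)
    status = ("default" if port == DEFAULT_PORT and command == DEFAULT_COMMAND
              else "custom")
    return {"status": status, "port": port, "findings": findings}


def disable_shutdown_port(xml_text):
    """Set port="-1" on the <Server> tag and leave everything else as is.

    A text-level edit is deliberate: re-serialising with an XML library
    would drop the comments and formatting of server.xml.
    """
    def fix(match):
        attrs = match.group(1)
        if _PORT_ATTR.search(attrs):
            attrs = _PORT_ATTR.sub('port="-1"', attrs, count=1)
        else:
            attrs = ' port="-1"' + attrs   # no port= at all: add one
        return "<Server" + attrs + ">"

    new_text, n = _SERVER_TAG.subn(fix, xml_text, count=1)
    if n == 0:
        raise ValueError("no <Server> element found")
    return new_text


# Constructed samples mirroring the post's examples (not real files).
SAMPLE_DEFAULT = ('<?xml version="1.0" encoding="UTF-8"?>\n'
                  '<Server port="8005" shutdown="SHUTDOWN">\n'
                  '  <Service name="Catalina"/>\n</Server>\n')
SAMPLE_COMMAND = SAMPLE_DEFAULT.replace('shutdown="SHUTDOWN"', 'shutdown="SECRETCOMMAND"')
SAMPLE_NETWORK = SAMPLE_DEFAULT.replace('port="8005"', 'port="8005" address="192.168.1.3"')
SAMPLE_DISABLED = SAMPLE_DEFAULT.replace('port="8005"', 'port="-1"')


def main(argv):
    # Usage: tomcat_shutdown_audit.py /path/to/server.xml [--fix]
    path, fix = argv[1], "--fix" in argv[2:]
    with open(path) as fh:
        text = fh.read()
    report = audit(text)
    print("status: %s (port %s)" % (report["status"], report["port"]))
    for finding in report["findings"]:
        print("  - " + finding)
    if fix and report["status"] != "disabled":
        shutil.copy2(path, path + ".bak")          # keep a backup to revert
        with open(path, "w") as fh:
            fh.write(disable_shutdown_port(text))
        print("rewrote %s (backup: %s.bak); restart Tomcat to apply" % (path, path))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python tomcat_shutdown_audit.py /opt/tomcat/conf/server.xml` to see the findings, and add `--fix` to set port="-1" with a .bak copy beside the file. The port is read at startup, so the change takes effect on the next restart; an audit run over a fleet of hosts should report "disabled" everywhere once the rollout is complete.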

3 comments:

  1. It should be noted that when you disable the shutdown port, your catalina.bat/sh and shutdown.bat/sh won't work anymore, since they use this port to shut down Tomcat.

  2. This can get me out of my tomcat issues. Thanks.

    mark emails on tomcat
