Monday, February 16, 2015


We're all guilty of it.  You are using this awesome tool that made your life so much easier.  You were initially debating writing something like this yourself or cobbling together a bunch of other tools in order to do what you want, but Behold!  Tool 'X' is doing everything you needed and more.

You started using it straight away.  You dove right in, and never looked back.  Now your app is in production and everything seems to be going great.

That is until your world is shattered by an article such as:


You double check your configs and notice that you left a lot of things as 'default'.  Shouldn't it be safe by default!?  You read a little more into what the actual defaults are and realize that alas, no, they are not.

A lesson not to be taken lightly.  Even if you weren't affected by this MongoDB issue, let it be a lesson.  Understand what all the configuration options are and make sure you configure your tools correctly.  DO NOT TRUST THE DEFAULTS.

This happens all the time.  Another one that comes to mind was the JMX console on JBoss.  As a quick reminder, JMX is a tool used by most application servers to allow you quick access to monitor applications or interact with container managed beans.  And by interact, I mean things such as calling functions and invoking business logic.  The JMX Console is a webpage that allows you access to JMX.  For a long time, the default was no security for this page.  Anyone could put in your JMX console URL, and start mucking around with your server.  Even worse, because it's a public page, Google will actually index it.  Don't believe me?  Just do a search for "8080/jmx-console" and you'll find a bunch of servers with their JMX consoles exposed.

Happily, the latest version of JBoss has the JMX Console removed and allows access to JMX through JConsole.  From there you can use a username and password to log in and start using JMX.  These usernames and passwords come from either the ManagementRealm or the ApplicationRealm, so again, RTFM and do not simply use the defaults!

tl;dr RTFM and don't trust the defaults.

No comments: