Is it safe to set the remote java debug port on the Internet?

I was about to open a port for remote debugging of a Java-based web service over the Internet, but thinking twice, I realized that it had no authentication.

It is theoretically possible to write a tool that connects to the remote debugger port and executes arbitrary system commands through the Java API, or modifies / resets the database, etc. At least, this exploit looks like this: http://securityaffairs.co/wordpress/36394/hacking/paypal-remote-code-execution.html

I don’t remember being warned about exposing the remote debugger port. But now, when hundreds of botnets scan ports for vulnerabilities, this should be advertised better.

Can anyone comment on whether it is safe and / or how to do it in a secure manner on an arbitrary Java-based web service? My goal is to be able to remotely debug on a production server.

+4
1 answer

You can configure remote debugging to use SSL and authentication; this works on both Windows and Linux, but it is a little cumbersome. And the port is open all the time.

I am sure you have every reason to debug your real, useful application, and I know that when you really debug it, and not only use the connection to gain access to JMX data, for example, your application will stop working when the debugger is connected.

Oracle , , , :

- , RMI ( ). RMI- , , . , Java , com.sun.management.jmxremote.port = portNum, SSL. , , , .

- . , ( ) JMX Java- . , .

. : , ( ), Java. , , MBeans. javax.management.loading.MLet MBean MBeans URL-, , . , - Java .

, , .

( , ssl enabled, ssl) - . , ssh- ssh . : JVM SSH ( SO, )

jvm. JMX, , , heapdumps, .

+5
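An added check in the spirit of the advice above (example code, not from the answer or from any tool it mentions): audit a JVM command line, as `ps` prints it, for a JDWP listener reachable beyond loopback or a JMX listener with authentication or SSL switched off. It relies on the documented JDK behaviour that a JDWP `address=` without a host listens on all interfaces on JDK 8 and earlier and on localhost only from JDK 9 on; the function names and sample command lines are constructed.

```python
import re

# Matches both the modern agent syntax (-agentlib:jdwp=...) and the legacy one (-Xrunjdwp:...).
JDWP_AGENT = re.compile(r"-(?:agentlib:jdwp|Xrunjdwp)[=:](?P<opts>\S+)")
SYSPROP = re.compile(r"-D(?P<key>[^=\s]+)=(?P<val>\S*)")
JMX = "com.sun.management.jmxremote."


def parse_agent_opts(opts):
    """'transport=dt_socket,server=y,address=5005' -> {'transport': 'dt_socket', ...}"""
    return dict(item.split("=", 1) for item in opts.split(",") if "=" in item)


def audit_jvm_cmdline(cmdline, jdk_major=11):
    """Return [(code, detail), ...] for listeners reachable off-host or unauthenticated."""
    findings = []
    m = JDWP_AGENT.search(cmdline)
    if m:
        o = parse_agent_opts(m.group("opts"))
        if o.get("server") == "y":
            addr = o.get("address", "")
            host, _, port = addr.rpartition(":")
            # JDWP has no authentication at all, so binding beyond loopback is the whole risk.
            # No host means all interfaces on JDK 8 and earlier, loopback only on JDK 9+.
            if host in ("*", "0.0.0.0", "[::]") or (host == "" and jdk_major < 9):
                findings.append(("JDWP_EXPOSED",
                                 f"debugger on port {port or addr} listens on all interfaces; "
                                 "bind it to 127.0.0.1 and reach it through an SSH tunnel"))
    props = dict(SYSPROP.findall(cmdline))
    if JMX + "port" in props:
        port = props[JMX + "port"]
        # Both default to true once a JMX port is set; "false" is an explicit opt-out.
        if props.get(JMX + "authenticate", "true") == "false":
            findings.append(("JMX_NO_AUTH", f"JMX on port {port} without authentication"))
        if props.get(JMX + "ssl", "true") == "false":
            findings.append(("JMX_NO_SSL", f"JMX on port {port} without SSL"))
    return findings


# Constructed sample command lines (not from any real host), as `ps -o args` would print them.
SAMPLES = [
    ("java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar app.jar", 11),
    ("java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005 -jar app.jar", 11),
    ("java -Xrunjdwp:transport=dt_socket,server=y,address=5005 -jar app.jar", 8),
    ("java -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.authenticate=false "
     "-Dcom.sun.management.jmxremote.ssl=false -jar app.jar", 11),
]

if __name__ == "__main__":
    for cmd, jdk in SAMPLES:
        print(cmd, audit_jvm_cmdline(cmd, jdk) or "ok", sep="\n  ")
```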

Source: https://habr.com/ru/post/1612030/
