I read through the standard guideline of JBoss EAP 7. It tells how to secure ports and increase the JVM options, but does not specifically say how to calculate and achieve specific measures. Referencing Apache practice, what should I do if I need to
- Hide the JBoss Version number, and other sensitive information
- Make sure JBoss is running under its own user account and group
- Ensure that files outside the webapp root folder are not served
- Turn off directory browsing
- Turn off server side includes
- Turn off CGI execution
- Don't allow JBoss to follow symbolic links
- Turn off multiple Options
- Turn off support for .htaccess files
- Lower the Timeout value
- Limiting large requests
- Limiting the size of an XML Body
- Disable TRACE HTTP requests
- Use only TLS; disable SSLv2 and SSLv3
- Do not open port 80 by default (use SSL only)
- Modify web applications to set the HttpOnly attribute for all cookies
- Support processing 400 simultaneous connections and a maximum of over 3000 connections
- Prevent injection flaws, such as SQL, OS, and LDAP injection, which occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
- Prevent attackers from compromising passwords, keys, or session tokens, or from exploiting other implementation flaws to assume other users' identities.
- Prevent XSS flaws, which occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
- Prevent Insecure Direct Object References.
- Prevent CSRF. A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
Too many sub-questions in one question. Answering the 1st one:
To remove
X-Powered-By: Undertow/1
X-Powered-By: JSP/2.3
Server: JBoss-EAP/7
execute the following CLI commands:
/subsystem=undertow/server=default-server/host=default-host/filter-ref=x-powered-by-header:remove
/subsystem=undertow/server=default-server/host=default-host/filter-ref=server-header:remove
/subsystem=undertow/servlet-container=default/setting=jsp:write-attribute(name=x-powered-by,value=false)
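After running those CLI commands (and reloading the server), the natural check is to fetch a page and confirm that neither Server nor X-Powered-By comes back. The following checker is an added example, not part of the answer above: it parses a raw HTTP response (for instance the output of curl -sI saved to a file) and reports every header that discloses server software. Both sample responses are constructed for illustration, with the "before" one built from the three headers the answer removes; the extra ASP.NET header names are an assumption added so the same check covers other stacks behind the same reverse proxy.

```python
"""Check an HTTP response for headers that leak server or framework versions."""
import io
import re
import sys
from http.client import parse_headers

# Headers that commonly carry product/version strings. 'server' and
# 'x-powered-by' are the two the answer removes; the ASP.NET names are an
# assumption so the check also flags other stacks (not from the original post).
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# Matches values such as "Undertow/1", "JSP/2.3" or "JBoss-EAP/7":
# a product token followed by a slash and a version number.
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d")


def leaked_headers(raw_response: bytes) -> list:
    """Return (header-name, value) pairs that disclose server software.

    X-Powered-By is emitted twice on an unhardened EAP 7 (once by Undertow,
    once by the JSP container), so every occurrence is collected with
    get_all() rather than a single dict lookup.
    """
    fp = io.BytesIO(raw_response)
    fp.readline()  # status line, e.g. b"HTTP/1.1 200 OK\r\n"; not a header
    headers = parse_headers(fp)  # stops at the blank line ending the header block
    findings = []
    for name in VERSION_HEADERS:
        for value in headers.get_all(name) or []:
            findings.append((name, value.strip()))
    return findings


def has_version_string(value: str) -> bool:
    """True when a header value carries an explicit product/version token."""
    return VERSION_RE.search(value) is not None


# Constructed sample: what an unhardened EAP 7 default host sends.
BEFORE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Connection: keep-alive\r\n"
    b"X-Powered-By: Undertow/1\r\n"
    b"Server: JBoss-EAP/7\r\n"
    b"Content-Type: text/html;charset=UTF-8\r\n"
    b"X-Powered-By: JSP/2.3\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed sample: the same response after the three CLI commands.
AFTER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Connection: keep-alive\r\n"
    b"Content-Type: text/html;charset=UTF-8\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def report(raw_response: bytes) -> int:
    """Print findings; exit status 1 when anything leaks, 0 when clean."""
    findings = leaked_headers(raw_response)
    for name, value in findings:
        tag = "version" if has_version_string(value) else "product"
        print(f"LEAK ({tag}): {name}: {value}")
    if not findings:
        print("OK: no server/framework disclosure headers")
    return 1 if findings else 0


if __name__ == "__main__":
    # Usage: curl -sI https://host:8443/ > resp.txt; python check_headers.py < resp.txt
    data = sys.stdin.buffer.read() if not sys.stdin.isatty() else BEFORE
    sys.exit(report(data))
```

Run it against the live server after `:reload`; if `Server: JBoss-EAP/7` still appears, the filter is often re-added by a reverse proxy or by another host definition, so check each `host=` under the undertow server, not only `default-host`.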