Skip to main content

Railo 3.1 Install on Linux -- Caucho security note

Now that Railo 3.1 is out, I think we will see a jump in commercial usage.  I have done a few installs on production machines now, and wanted to point out a security note.

By default when you install Railo 3.1 (with caucho) on Linux (prob the same for OSX), it adds the following to your apache httpd.conf file:

<code>
LoadModule caucho_module /usr/lib/httpd/modules/mod_caucho.so

ResinConfigServer localhost 6800
CauchoConfigCacheDirectory /tmp
CauchoStatus yes
</code>

The bottom one is the problem -- it enables CauchoStatus by default.  That means that you can open up a web browser to http://your.host.com/caucho-status and see status info, but there is a lot of detailed info there, including the names of each of the hosts you configured in resin, so people can snoop and see all the railo-enabled sites on that machine.  This might also give a would-be-attacker the info they need to plan a DOS attack, SQL injection attack, etc.. especially since they can see how the server is responding to their attacks.  Pessimistic, I know, but who can you trust on the Internet anymore ?  Kid hackers are emerging just following directions posted online, and some don't even really know what they are doing, but they are causing trouble for you and I.  Better to be safe.

So the simple fix is to update your httpd.conf file and set the status option to no:

<code>
CauchoStatus no
</code>

For those so inclined, check out Nessus, an open source vulnerability scanner, which picked this up on one of our servers.

Popular posts from this blog

Making Macbook Air with 128GB SSD usable with Bootcamp

I recently got a new Macbook Air 11" (the 2012 version) and loaded it with goodies like 8GB ram and 2GHz Core i7.  What I DIDN'T upgrade was the internal SSD.  My config came with 128GB SSD and I refused to pay $300+ to upgrade it to 256GB.  Yeah I know, some call me cheap, but SSds cost $75-$150 for 240GB, so adding another 128GB for $300 seemed way too steep for me.  I figured "ok, I'm going to make 128G work!"

Here is the story of how that went...

Installing python 3.4.x on OSX El Capitan

I love "brew" package manager, but sometimes being too progressive breaks things.  I have several python apps that I maintain that get deployed to AWS using Elastic Beanstalk.  AWS eb can deploy with python 2.7 or 3.4.  Any recent 'brew install python3" will get 3.5.1. #annoying

Dell XPS M1330 + Snow Leopard Hackintosh

I have been working with a Dell XPS M1330 laptop for a few years now.  It doesn't quite match up to the newest notebooks in terms of performance, but it certainly still has some life in it.  I had previously installed OSX 10.5.x on it as an experiment, and had moderate success.  I decided to revisit this idea again to install Snow Leopard (OSX 10.6) on the Dell M1330, and keep some notes for those of you brave enough to Hackintosh your own machine...