
Getting my Subsonic installation secure

Posted: Fri Dec 07, 2012 2:56 pm
by HerrNilsson
Hello

I'm running Subsonic on an Ubuntu Server, AD integrated and with SSL-cert.
I want this to be secure from the outside, and I've scanned my IP and found the following:

1.
444 / tcp The remote host is vulnerable to renegotiation DoS over SSLv3.


2.
444 / tcp
Service: www

Here is the list of weak SSL ciphers supported by the remote server :

  Low Strength Ciphers (< 56-bit key)

    SSLv3
      EXP-EDH-RSA-DES-CBC-SHA      Kx=DH(512)     Au=RSA      Enc=DES(40)              Mac=SHA1   export     
      EXP-DES-CBC-SHA              Kx=RSA(512)    Au=RSA      Enc=DES(40)              Mac=SHA1   export     
      EXP-RC4-MD5                  Kx=RSA(512)    Au=RSA      Enc=RC4(40)              Mac=MD5    export     

    TLSv1
      EXP-EDH-RSA-DES-CBC-SHA      Kx=DH(512)     Au=RSA      Enc=DES(40)              Mac=SHA1   export     
      EXP-DES-CBC-SHA              Kx=RSA(512)    Au=RSA      Enc=DES(40)              Mac=SHA1   export     
      EXP-RC4-MD5                  Kx=RSA(512)    Au=RSA      Enc=RC4(40)              Mac=MD5    export     

The fields above are :

  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}


3.
444 / tcp
Service: www

When processing the following request :

  GET / HTTP/1.0

this web server leaks the following private IP address :

  192.168.x.x

as found in the following collection of HTTP headers :

HTTP/1.1 302 Found
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=1l8rygqjs33cz;Path=/
Location: https://192.168.x.x:444/login.view;jsessionid=1l8rygqjs33cz?
Content-Length: 0
Server: Jetty(6.1.x)



Where is the web server? It's not Apache, so where do I find httpd.conf or its equivalent?
Any suggestions?
Thanks
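As an added example (not code from the thread or from the Subsonic project), the following script turns the two findings above into repeatable checks: it parses the OpenSSL-style cipher listing the scanner prints and flags export-grade or sub-56-bit suites per protocol, and it inspects a captured HTTP response for a private (RFC 1918, loopback or link-local) address leaking through the Location header. The column layout of the cipher lines is assumed from the excerpt in the post; the sample report and the response (with 192.168.1.10 standing in for the masked 192.168.x.x) are constructed from it.

```python
"""Classify scanner-reported cipher suites and detect private-IP leaks in redirects.

Added example; not part of Subsonic or of the original forum post.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Column layout assumed from the scan excerpt: name, Kx=, Au=, Enc=, Mac=, optional "export" flag.
CIPHER_LINE = re.compile(
    r"^\s*(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?:\s+(?P<flag>export))?\s*$"
)
PROTOCOL_LINE = re.compile(r"^\s*(SSLv2|SSLv3|TLSv1(?:\.\d)?)\s*$")
BITS = re.compile(r"\((\d+)\)")  # e.g. "DES(40)" -> 40


@dataclass
class Cipher:
    protocol: str
    name: str
    kx: str
    au: str
    enc: str
    mac: str
    export: bool

    @property
    def enc_bits(self) -> Optional[int]:
        m = BITS.search(self.enc)
        return int(m.group(1)) if m else None

    def is_weak(self, min_bits: int = 56) -> bool:
        # Export-grade suites, or anything under the scanner's "< 56-bit key" threshold.
        bits = self.enc_bits
        return self.export or (bits is not None and bits < min_bits)


def parse_cipher_report(text: str) -> List[Cipher]:
    """Parse the per-protocol cipher listing into Cipher records."""
    ciphers: List[Cipher] = []
    protocol = "unknown"
    for line in text.splitlines():
        p = PROTOCOL_LINE.match(line)
        if p:
            protocol = p.group(1)  # subsequent cipher lines belong to this protocol
            continue
        m = CIPHER_LINE.match(line)
        if m:
            ciphers.append(Cipher(protocol, m["name"], m["kx"], m["au"],
                                  m["enc"], m["mac"], m["flag"] is not None))
    return ciphers


def weak_ciphers(text: str) -> Dict[str, List[str]]:
    """Map protocol -> names of weak suites found in the report."""
    out: Dict[str, List[str]] = {}
    for c in parse_cipher_report(text):
        if c.is_weak():
            out.setdefault(c.protocol, []).append(c.name)
    return out


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Split a raw HTTP response (status line + headers) into a lower-cased header dict."""
    headers: Dict[str, str] = {}
    for line in raw_response.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return headers


def leaked_private_hosts(raw_response: str) -> List[str]:
    """Return literal private/loopback/link-local addresses used as hosts in redirect headers."""
    found: List[str] = []
    headers = parse_headers(raw_response)
    for name in ("location", "content-location"):
        value = headers.get(name)
        if not value:
            continue
        host = urlsplit(value).hostname
        if host is None:
            continue
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # a DNS name, not a literal address: nothing internal leaks
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            found.append(host)
    return found


# Constructed sample inputs, modelled on the scan excerpt in the post.
SAMPLE_CIPHER_REPORT = """\
    SSLv3
      EXP-EDH-RSA-DES-CBC-SHA      Kx=DH(512)     Au=RSA      Enc=DES(40)              Mac=SHA1   export
      EXP-DES-CBC-SHA              Kx=RSA(512)    Au=RSA      Enc=DES(40)              Mac=SHA1   export
      EXP-RC4-MD5                  Kx=RSA(512)    Au=RSA      Enc=RC4(40)              Mac=MD5    export

    TLSv1
      EXP-EDH-RSA-DES-CBC-SHA      Kx=DH(512)     Au=RSA      Enc=DES(40)              Mac=SHA1   export
      AES128-SHA                   Kx=RSA         Au=RSA      Enc=AES(128)             Mac=SHA1
"""

SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "Set-Cookie: JSESSIONID=1l8rygqjs33cz;Path=/\r\n"
    "Location: https://192.168.1.10:444/login.view;jsessionid=1l8rygqjs33cz?\r\n"  # constructed address
    "Content-Length: 0\r\n"
    "Server: Jetty(6.1.x)\r\n"
)

if __name__ == "__main__":
    for proto, names in weak_ciphers(SAMPLE_CIPHER_REPORT).items():
        print(f"{proto}: weak suites -> {', '.join(names)}")
    print("private hosts leaked in redirects:", leaked_private_hosts(SAMPLE_RESPONSE))
```

Run the same two functions against output from your own scanner or a `curl -i` capture after each configuration change (for example after moving TLS termination to a reverse proxy) to confirm the export suites are gone and the redirect target is the public hostname rather than an internal address.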

Re: Getting my Subsonic installation secure

Posted: Fri Dec 07, 2012 3:21 pm
by hakko
Vanilla Subsonic runs on Jetty 6. If you want to stay with that version, you could run it on Tomcat instead.

Re: Getting my Subsonic installation secure

Posted: Fri Dec 07, 2012 3:25 pm
by HerrNilsson
hakko wrote: Vanilla Subsonic runs on Jetty 6. If you want to stay with that version, you could run it on Tomcat instead.


Alright. So how do I edit the settings for the web server?

Re: Getting my Subsonic installation secure

Posted: Fri Dec 07, 2012 3:30 pm
by hakko

Re: Getting my Subsonic installation secure

Posted: Fri Dec 07, 2012 3:35 pm
by HerrNilsson
I want to change the security settings. Not install a new web server.
Among other things, I'd like to change the cipher security.

Re: Getting my Subsonic installation secure

Posted: Fri Dec 07, 2012 4:33 pm
by bushman4
There is no built-in facility for what you want to do in the standalone Jetty version of Subsonic. That is why someone else suggested that you install Tomcat (a different web server/Java servlet host) and pointed you to how to get Subsonic working on that new host once it is installed.

Adjusting Tomcat's security settings is outside of the scope of this mailing list. It appears as though this link:
http://blog.techstacks.com/2008/09/secu ... t-two.html
...might contain what you need.

As to the third issue you mentioned, there is nothing you can do about that. That is how Subsonic is designed to work.

Glenn

Re: Getting my Subsonic installation secure

Posted: Fri Dec 07, 2012 5:16 pm
by jol
There is one more option that I use, albeit on Windows but I assume you can do similar with Apache on Linux and a local firewall (ipfilter). The https port is not directed to Subsonic but goes to IIS (Windows webserver) which proxies it to Jetty using http only. From the internet only the https port is open, enforcing security settings of IIS. For this to work https must be turned off in Subsonic configuration as otherwise Subsonic redirects to https itself.
Best regards, jol

Re: Getting my Subsonic installation secure

Posted: Fri Dec 07, 2012 5:51 pm
by hakko
Jetty comes with an embedded web server, and it is normally configured programmatically. It might be possible to configure it using a config file, but I think you'll struggle to find information on how to do it (especially since Jetty 6 is really old by now, not maintained, and has its own list of vulnerabilities). Setting up Tomcat will be much more straightforward and well documented.

Re: Getting my Subsonic installation secure

Posted: Fri Dec 07, 2012 7:11 pm
by daneren2005
I personally just use Subsonic on the original port, don't open up that port in the firewall so it's not accessible, then have a reverse nginx proxy so that I use https://xxx/subsonic. The benefit of that is that you can control the ciphers and general SSL settings from within nginx. I've been hearing a lot of people have also been doing basically the same thing with Apache as well.

PS What are you using to scan your network? I would be curious to run the same scan on my own.

Re: Getting my Subsonic installation secure

Posted: Sat Dec 08, 2012 12:10 pm
by HerrNilsson
Alright. Thank you everyone for your answers. I'll look into installing Tomcat.
For network scanning (from outside) I used the Nessus Appliance
http://www.tenable.com/products/nessus/ ... -appliance

Mostly because we have that one at work, so it's outside my network and we have a valid license.

Re: Getting my Subsonic installation secure

Posted: Wed Feb 13, 2013 10:13 am
by HerrNilsson
Hey again guys.

Is it possible to migrate from the embedded DB to a Tomcat installation?
I want all the modifications I've done to be there when I'm migrating. It doesn't seem to work when I just move the db folder.
I have some modifications in the jetty folder as well that I want to move.

How should I do this?
Thanks