Why are there multiple ports open and listening?

Postby ericvonnine » Thu Mar 12, 2015 2:40 pm

I run my subsonic instance behind an apache proxy to handle everything over https. So (I think) I have configured subsonic to only listen on the loopback interface. netstat confirms that, indeed it is listening there:
tcp6       0      0 :::9412                 :::*                    LISTEN      11059/java     
tcp6       0      0 127.0.0.1:4040          :::*                    LISTEN      11059/java     
tcp6       0      0 X.X.X.X:54763           :::*                    LISTEN      11059/java
tcp6       0      0 :::60399                :::*                    LISTEN      11059/java


Where X.X.X.X is my external IP address.

That is a whole pile of open ports when it _should_ be listening to 127.0.0.1:4040 only. Why are these extra TCP ports open?

Re: Why are there multiple ports open and listening?

Postby ericvonnine » Thu Mar 19, 2015 3:02 pm

Is this the wrong place to ask this question? Do any of the devs read this forum?

Re: Why are there multiple ports open and listening?

Postby acroyear » Sun Mar 29, 2015 9:42 pm

Something like this was mentioned in the API users group.

This is normal for Java-based web servers like Jetty and Tomcat (and JBoss and other J2EE servers). They keep ports open for internal communications. It is not necessary to open them up to anybody outside your firewall, and generally they restrict any attempt to connect from a different machine unless the administrator has specifically configured them for site mirroring in a production cloud environment.

tl;dr? Don't worry about it. It's a Java thing. :)

Joe
--
Joe Shelby
http://subfiresuite.com/
http://subfireplayer.net/

Re: Why are there multiple ports open and listening?

Postby ericvonnine » Thu Apr 02, 2015 2:21 pm

Thanks for the reply.

It is pretty spooky that Java would be listening without being told to do so. If it were localhost only, I would be fine, but this is attempting to listen to the outside world.

Re: Why are there multiple ports open and listening?

Postby acroyear » Thu Apr 02, 2015 7:55 pm

It is actually necessary because of the nature of sockets and IPs. If the internal tried to connect to 'localhost' but something about the network library at the OS level made it come from the machine's IP (192.168.x.y), then the connect would fail. That isn't something that can be as tightly controlled as Java would like.

That said, "outside world" is relative. Don't open those ports on your firewall and only your LAN can see them. Don't open those ports on your machine's personal firewall, and only your box can see them. If you don't trust yourself, who can you trust?

In addition, the protocol they are expecting is extremely tight, white-list driven, and generally binary. It isn't easy to spoof. I've known of no vulnerabilities that took advantage of those ports in at least 12 years.
--
Joe Shelby
http://subfiresuite.com/
http://subfireplayer.net/
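
An added example, not part of the thread: a Python script that classifies each LISTEN row of `netstat -tlnp` output by bind scope, so the listeners reachable from other hosts (the ones the firewall advice above applies to) stand out from the loopback-only one. The sample rows are those from the question with the redacted X.X.X.X replaced by the documentation address 203.0.113.7; the function names and the `expected` list are assumptions for illustration.

```python
import ipaddress

# Constructed sample: the listener list from the question, with the redacted
# X.X.X.X replaced by a documentation address (203.0.113.7).
SAMPLE = """\
tcp6       0      0 :::9412                 :::*                    LISTEN      11059/java
tcp6       0      0 127.0.0.1:4040          :::*                    LISTEN      11059/java
tcp6       0      0 203.0.113.7:54763       :::*                    LISTEN      11059/java
tcp6       0      0 :::60399                :::*                    LISTEN      11059/java
"""

def bind_scope(host):
    """Classify a numeric bind address: 'loopback', 'all-interfaces' or 'specific'."""
    if host in ("*", ""):
        return "all-interfaces"
    addr = ipaddress.ip_address(host)
    # Dual-stack sockets can appear as ::ffff:a.b.c.d; judge the IPv4 part.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if addr.is_unspecified:
        return "all-interfaces"
    if addr.is_loopback:
        return "loopback"
    return "specific"

def parse_listeners(netstat_text):
    """Return (host, port, scope, owner) for each LISTEN row of `netstat -tlnp`."""
    rows = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue  # skips headers and non-listening sockets
        host, _, port = fields[3].rpartition(":")  # last colon separates the port
        owner = fields[6] if len(fields) > 6 else "-"
        rows.append((host, int(port), bind_scope(host), owner))
    return rows

def exposed(rows, expected=(("127.0.0.1", 4040),)):
    """Listeners that are neither expected nor loopback-only: firewall candidates."""
    return [r for r in rows if (r[0], r[1]) not in expected and r[2] != "loopback"]

if __name__ == "__main__":
    for host, port, scope, owner in exposed(parse_listeners(SAMPLE)):
        print(f"{scope:15} {host}:{port} ({owner})")
```
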

