Oracle MVA

Tales from a Jack of all trades

Securing embedded ldap access with a connection filter


Numerous people have written about the embedded ldap (see here). These blog posts show that access to the embedded ldap is always enabled; only the username and password are unknown.

Others have posted about connection filters (see here). A connection filter allows the server to reject unwanted connections based on some filter criteria.

Since the embedded ldap is prone to brute-force attacks, one should secure the ldap (and ldaps) ports using a connection filter. When constructing the connection filter, remember that the managed servers use each other's embedded ldap, so you should only block remote traffic.

For single server setups this rule would suffice:


0.0.0.0/0 * * deny ldap ldaps

Breakdown:
For all remote IPs, deny access to any server running on any local IP address and any port for the protocols ldap and ldaps.

For clustered setups I would advise allowing the local addresses of your server backbone and blocking all remote addresses. If your local server backbone runs on 172.16.X.X, these two rules would apply:


172.16.0.0/16 * * allow
0.0.0.0/0 * * deny ldap ldaps

Breakdown:
Allow access to any server running on any port for all protocols if the originating IP address is in the 172.16.0.0 range. If the originating IP address is in any other range, deny access to any server running on any port for the protocols ldap and ldaps. Rules are evaluated top to bottom and the first match wins, so the allow rule for the backbone must come before the deny rule.
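To check a rule set before deploying it, here is a small simulator of the rule format used above. It is an added example and not code from the original post or from WebLogic; it assumes first-match evaluation, that a connection matching no rule is accepted, and that the first field is a remote CIDR whose host bits are masked off, so a /0 prefix matches every address. The rule sets, hosts and port below are constructed for the demonstration.

```python
"""Simulate first-match evaluation of connection filter rules of the form
   targetAddress localAddress localPort action [protocol ...]
Added example, not WebLogic's own implementation. Assumptions: rules are
checked top to bottom and the first match decides; no match means accept;
the target address is a CIDR whose host bits are masked off."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    remote_net: ipaddress.IPv4Network   # who is connecting (address + mask)
    local_addr: str                     # local listen address, or "*"
    local_port: str                     # local listen port, or "*"
    action: str                         # "allow" or "deny"
    protocols: frozenset                # empty set means every protocol


def parse_rules(text: str) -> list:
    """Parse one rule per line; '#' starts a comment, blank lines are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed rule: {raw!r}")
        remote, local_addr, local_port, action, *protocols = fields
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action in rule: {raw!r}")
        # strict=False applies the mask to whatever address was written,
        # which is how a /0 prefix silently turns into 0.0.0.0/0
        net = ipaddress.ip_network(remote, strict=False)
        rules.append(Rule(net, local_addr, local_port, action,
                          frozenset(p.lower() for p in protocols)))
    return rules


def rule_matches(rule: Rule, remote_ip: str, local_ip: str,
                 local_port: int, protocol: str) -> bool:
    if ipaddress.ip_address(remote_ip) not in rule.remote_net:
        return False
    if rule.local_addr != "*" and rule.local_addr != local_ip:
        return False
    if rule.local_port != "*" and int(rule.local_port) != local_port:
        return False
    if rule.protocols and protocol.lower() not in rule.protocols:
        return False
    return True


def evaluate(rules, remote_ip, local_ip, local_port, protocol) -> str:
    """First matching rule decides; no match means the connection is accepted."""
    for rule in rules:
        if rule_matches(rule, remote_ip, local_ip, local_port, protocol):
            return rule.action
    return "allow"


# Constructed rule sets and addresses for the checks below.
SINGLE_SERVER = "0.0.0.0/0 * * deny ldap ldaps"
CLUSTER = """
172.16.0.0/16 * * allow          # backbone may reach everything
0.0.0.0/0 * * deny ldap ldaps    # everyone else loses ldap and ldaps only
"""
CLUSTER_BAD_MASK = """
172.16.0.0/0 * * allow           # /0 masks off all 32 bits: matches any address
0.0.0.0/0 * * deny ldap ldaps    # never reached
"""
BACKBONE_HOST = "172.16.4.20"
INTERNET_HOST = "203.0.113.5"


def check(rules_text: str, remote_ip: str, protocol: str) -> str:
    """Evaluate a rule set for a remote host hitting listen address 10.0.0.1:7001."""
    return evaluate(parse_rules(rules_text), remote_ip, "10.0.0.1", 7001, protocol)


if __name__ == "__main__":
    for name, text in (("single", SINGLE_SERVER), ("cluster", CLUSTER),
                       ("bad mask", CLUSTER_BAD_MASK)):
        for host in (BACKBONE_HOST, INTERNET_HOST):
            for proto in ("ldap", "t3"):
                print(f"{name:9s} {host:13s} {proto:5s} -> {check(text, host, proto)}")
```

The `CLUSTER_BAD_MASK` set shows the failure mode worth testing for: with a /0 prefix on the backbone rule, every remote host matches the allow rule first and the ldap deny rule is never consulted, so the filter protects nothing.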

Hope this helps.


Written by Jacco H. Landlust

April 11, 2012 at 11:28 am

Posted in security, Weblogic
