Can you please let me know if you have followed the Lockdown guide on your server?
Portions of it - but I don't believe our dev guys have applied it all...
Please check if they followed this portion in lockdown guide.
4.3.4 Tomcat Shutdown Port
Tomcat listens on a TCP port (8007 by default, may differ if multiple instances) for a SHUTDOWN command.
When the command is received on the specified port, the server will shut down.
Edit the file
and locate the
line similar to:
<Server port="8007" shutdown="SHUTDOWN">
1 to disable this feature, or to random port number. Tomcat should only listen on 127.0.0.1
for this port, however you should also ensure that your firewall does not allow external connections to this port.
Also consider changing the shutdown command, that is the value of the
attribute of the
tag. This string is essentially a password used to shut down the server locally when the port is enabled.
Next look in:
and edit the following line to match
Ensure that global read permission is denied for both these files
Changing the port setting may cause the shutdown of the ColdFusion Service on Windows to fail, you may need to kill the process manually to stop ColdFusion. The Linux shutdown script should still work properly when the port is changed.
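One way to check whether the control quoted above has been applied (an added example, not part of the lockdown guide or of either poster's message): the script parses a `server.xml` and reports whether the shutdown port is enabled, still on the default from the excerpt, still using the default command string, or readable by all users. The function names, finding codes and sample files are constructed for illustration, and the permission check assumes POSIX mode bits.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

GUIDE_DEFAULT_PORT = "8007"         # default named in the guide excerpt
GUIDE_DEFAULT_COMMAND = "SHUTDOWN"  # default shutdown string in the excerpt


def audit_server_xml(path):
    """Return (code, detail) findings for the <Server> shutdown settings."""
    findings = []
    root = ET.parse(path).getroot()
    if root.tag != "Server":
        return [("NOT_SERVER_XML", f"root element is <{root.tag}>")]
    port = root.get("port")
    command = root.get("shutdown")
    if port != "-1":  # -1 disables the shutdown listener
        # Informational when a non-default port and string are in use.
        findings.append(("SHUTDOWN_PORT_ENABLED", f"port={port!r}"))
        if port == GUIDE_DEFAULT_PORT:
            findings.append(("DEFAULT_PORT", "port is still the documented default"))
        if command == GUIDE_DEFAULT_COMMAND:
            findings.append(("DEFAULT_COMMAND", "shutdown string is unchanged"))
    # The excerpt asks that global read permission be denied on the file.
    if os.stat(path).st_mode & stat.S_IROTH:
        findings.append(("WORLD_READABLE", "others can read the shutdown string"))
    return findings


def write_sample(server_tag, mode):
    """Write a constructed server.xml with the given <Server> tag and mode."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{server_tag}\n  <Service name=\"Catalina\"/>\n</Server>\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    samples = {  # constructed inputs, not taken from any real server
        "as shipped": ('<Server port="8007" shutdown="SHUTDOWN">', 0o644),
        "random port, new string": ('<Server port="38211" shutdown="x9-constructed">', 0o640),
        "disabled": ('<Server port="-1" shutdown="SHUTDOWN">', 0o600),
    }
    for label, (tag, mode) in samples.items():
        path = write_sample(tag, mode)
        print(label, audit_server_xml(path))
        os.remove(path)
```

The script reads only the file on disk; whether the port is reachable from outside the host still has to be confirmed against the firewall rules.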
That control doesn't appear to be applied, unfortunately. Any other ideas?