[jboss-jira] [JBoss JIRA] (JGRP-1947) JGRP000006 errors triggered by nmap TCP Connect scanning JGroups ports
Justin Cranford (JIRA)
issues at jboss.org
Thu Jul 30 21:45:03 EDT 2015
[ https://issues.jboss.org/browse/JGRP-1947?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Justin Cranford updated JGRP-1947:
----------------------------------
Workaround Description: Use nmap TCP SYN scanning. Half-open scanning only reaches the TCP layer of the TCP/IP stack, whereas TCP Connection scanning reaches the application layer (ex: JGroups). Unfortunately SYN scanning requires root privileges, so this workaround is not always available. (was: Use nmap TCP SYN scanning. Half-open scanning open reaches the TCP layer of the TCP/IP stack, whereas TCP Connection scanning reaches the application layer (ex: JGroups). Unfortunately SYN scanning requires root privileges, so this workaround is not always available.)
> JGRP000006 errors triggered by nmap TCP Connect scanning JGroups ports
> ----------------------------------------------------------------------
>
> Key: JGRP-1947
> URL: https://issues.jboss.org/browse/JGRP-1947
> Project: JGroups
> Issue Type: Bug
> Affects Versions: 3.4.6
> Environment: Java 7u80 x32
> Tomcat 7.0.62
> HA-JDBC 3.0.4-SNAPSHOT + JGroups 3.4.6
> nmap 5.5.1
> Reporter: Justin Cranford
> Assignee: Bela Ban
>
> I am running a two node Tomcat cluster. Both JGroups and Hazelcast are used for different parts of application clustering - JGroups for HA-JDBC, and Hazelcast for application locks outside of HA-JDBC.
> Hazelcast is not relevant to JGroups, except I included the Hazelcast errors because they happen at the same time as the JGroups JGRP000006 errors. This gave me a hint of why I see JGRP000006, because the Hazelcast error is more specific about the root cause.
> Basically, if I run an nmap TCP Connect scan on my servers like so, this opens/closes empty TCP connections. JGroups reports these events as JGRP000006, whereas Hazelcast reports them as "java.io.IOException[Connection reset by peer]".
> I am wondering if JGroups can handle these nmap TCP Connect scans more gracefully, or even log a more descriptive error with the JGRP000006 error code.
> My Tomcat errors for both JGroups and Hazelcast:
> Jul 31, 2015 12:27:52 AM com.hazelcast.nio.SocketAcceptor
> INFO: [10.0.0.85]:5900 [ClusterManager] [3.2.4] Accepting socket connection from /10.0.0.86:40527
> Jul 31, 2015 12:27:52 AM com.hazelcast.nio.TcpIpConnectionManager
> INFO: [10.0.0.85]:5900 [ClusterManager] [3.2.4] 5900 accepted socket connection from /10.0.0.86:40527
> Jul 31, 2015 12:27:52 AM org.jgroups.logging.JDKLogImpl warn
> WARNING: JGRP000006: failed accepting connection from peer
> java.net.SocketException: Connection reset
>     at java.net.SocketInputStream.read(Unknown Source)
>     at java.net.SocketInputStream.read(Unknown Source)
>     at java.io.BufferedInputStream.fill(Unknown Source)
>     at java.io.BufferedInputStream.read1(Unknown Source)
>     at java.io.BufferedInputStream.read(Unknown Source)
>     at java.io.DataInputStream.readFully(Unknown Source)
>     at org.jgroups.blocks.TCPConnectionMap$TCPConnection.readPeerAddress(TCPConnectionMap.java:494)
>     at org.jgroups.blocks.TCPConnectionMap$TCPConnection.<init>(TCPConnectionMap.java:376)
>     at org.jgroups.blocks.TCPConnectionMap$Acceptor.handleAccept(TCPConnectionMap.java:298)
>     at org.jgroups.blocks.TCPConnectionMap$Acceptor.run(TCPConnectionMap.java:282)
>     at java.lang.Thread.run(Unknown Source)
> Jul 31, 2015 12:27:52 AM com.hazelcast.nio.TcpIpConnection
> INFO: [10.0.0.85]:5900 [ClusterManager] [3.2.4] Connection [/10.0.0.86:40527] lost. Reason: java.io.IOException[Connection reset by peer]
> My nmap scan which triggers the JGRP000006 errors:
> root@myserver:~$ nmap -n -T4 -sT -PN --max-scan-delay 0ms --min-rate 1000000 --max-retries 0 -p 443,3306,5900,7900,7901 10.0.0.85
> Starting Nmap 5.51 ( http://nmap.org ) at 2015-07-31 01:33 UTC
> Cannot find nmap-payloads. UDP payloads are disabled.
> Nmap scan report for 10.0.0.85
> Host is up (0.00035s latency).
> PORT     STATE SERVICE
> 443/tcp  open  https
> 3306/tcp open  mysql
> 5900/tcp open  vnc
> 7900/tcp open  mevent
> 7901/tcp open  unknown
> Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
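
Added example (not part of the original report and not JGroups code): a log triage script that finds JGRP000006 warnings raised while the acceptor was reading the peer address and, because that warning does not name the peer, attributes them to the source IP of a Hazelcast connection reset logged at the same time. The function names and the one-second correlation window are assumptions; the sample input is the log excerpt quoted in the report with the stack trace shortened.

```python
import re
from datetime import datetime

# Sample input: log excerpt from the report above, stack trace shortened.
# parse_records / find_probe_events and the 1 s window are illustrative assumptions.
SAMPLE_LOG = """\
Jul 31, 2015 12:27:52 AM com.hazelcast.nio.SocketAcceptor
INFO: [10.0.0.85]:5900 [ClusterManager] [3.2.4] Accepting socket connection from /10.0.0.86:40527
Jul 31, 2015 12:27:52 AM org.jgroups.logging.JDKLogImpl warn
WARNING: JGRP000006: failed accepting connection from peer
java.net.SocketException: Connection reset
    at java.io.DataInputStream.readFully(Unknown Source)
    at org.jgroups.blocks.TCPConnectionMap$TCPConnection.readPeerAddress(TCPConnectionMap.java:494)
Jul 31, 2015 12:27:52 AM com.hazelcast.nio.TcpIpConnection
INFO: [10.0.0.85]:5900 [ClusterManager] [3.2.4] Connection [/10.0.0.86:40527] lost. Reason: java.io.IOException[Connection reset by peer]
"""

HEADER = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\S+)")
PEER_LOST = re.compile(r"Connection \[/([\d.]+):\d+\] lost\. Reason: .*Connection reset")

def parse_records(text):
    """Split java.util.logging output into (timestamp, logger, body) records."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d, %Y %I:%M:%S %p")
            records.append((ts, m.group(2), []))
        elif records:
            records[-1][2].append(line)  # message, exception and stack frames
    return [(ts, logger, "\n".join(body)) for ts, logger, body in records]

def find_probe_events(text, window_seconds=1):
    """Return one finding per JGRP000006 raised in readPeerAddress, with
    source IPs taken from Hazelcast resets logged within the window."""
    records = parse_records(text)
    resets = [(ts, m.group(1)) for ts, _, body in records
              if (m := PEER_LOST.search(body))]
    findings = []
    for ts, _, body in records:
        if "JGRP000006" in body and "readPeerAddress" in body:
            sources = sorted({ip for rts, ip in resets
                              if abs((rts - ts).total_seconds()) <= window_seconds})
            findings.append({"time": ts.isoformat(), "sources": sources})
    return findings

if __name__ == "__main__":
    for finding in find_probe_events(SAMPLE_LOG):
        print(finding)
```

An empty "sources" list means no other service logged a reset in the window, so the warning cannot be attributed from this log alone.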