Railo 3.1 Install on Linux -- Caucho security note

Now that Railo 3.1 is out, I think we will see a jump in commercial usage. I have done a few installs on production machines now, and wanted to point out a security note.

By default when you install Railo 3.1 (with caucho) on Linux (prob the same for OSX), it adds the following to your apache httpd.conf file:

The bottom one is the problem -- it enables CauchoStatus by default. That means that you can open up a web browser to http://your.host.com/caucho-status and see status info, but there is a lot of detailed info there, including the names of each of the hosts you configured in resin, so people can snoop and see all the railo-enabled sites on that machine. This might also give a would-be-attacker the info they need to plan a DOS attack, SQL injection attack, etc.. especially since they can see how the server is responding to their attacks. Pessimistic, I know, but who can you trust on the Internet anymore ? Kid hackers are emerging just following directions posted online, and some don't even really know what they are doing, but they are causing trouble for you and I. Better to be safe.

So the simple fix is to update your httpd.conf file and set the status option to no:

For those so inclined, check out Nessus, an open source vulnerability scanner, which picked this up on one of our servers.