Tightening security

Hi All

I used Nessus to scan my openfire 3.6.3 server and it showed one issue.

Synopsis :

Debugging functions are enabled on the remote web server.

Description :

The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server
connections.

Solution :

Disable these methods.

I know how to disable tracking and tracing for apache. How do I do this for openfire?

Any help would be appreciated.

I don’t know Nessus or what TRACE or TRACK methods are. However, since this seems to be HTTP related, Nessus might detect the web-based Admin console interface. You should block all ports in your firewall which you don’t require. E.g. when running on Linux with SSH available you don’t need to have the admin console available from remote. You can use SSH as a tunnel:

ssh -L 9090:localhost:9090 username@your-server.com

Openfire’s Admin console is then available via http://localhost:9090/ from remote.

It might also be possible that Nessus detects the HTTP-Binding ports 8080 and 8483 or 7080 and 7483. You can disable HTTP-Binding if you don’t need HTTP-based clients. Also you can define a rewrite rule for Apache, so you don’t need to open those ports in your firewall.
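A check an administrator can run against the admin console or HTTP-Binding ports after making the changes above, added here as an example and not taken from the thread or from Openfire itself: it sends a TRACE (or TRACK) request and reports whether the server echoes it back with a 2xx status, which is the condition the Nessus finding describes. The two in-process servers are constructed stand-ins for a vulnerable and a hardened server so the script runs offline; against a real host you would pass its address and one of the ports mentioned above (9090, 8080, 7080).

```python
import http.client
import http.server
import threading

class TraceEchoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a server with TRACE enabled: echoes the request."""

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the probe's server side quiet
        pass

class TraceDisabledHandler(TraceEchoHandler):
    """Constructed stand-in for the hardened state: TRACE is refused with 405."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()

def start_server(handler):
    """Start a local test server on an ephemeral port and return it."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def trace_enabled(host, port, method="TRACE", timeout=5):
    """True if the server answers TRACE/TRACK with 2xx and echoes our marker
    header back; a 405/501 or a refused connection counts as disabled."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, "/", headers={"X-Probe": "trace-check"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1")
        return 200 <= resp.status < 300 and "X-Probe: trace-check" in body
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()
```

Call `trace_enabled("your-server.com", 9090)` and `trace_enabled("your-server.com", 9090, method="TRACK")` to re-check a real Openfire host once the port has been firewalled or the console moved behind the SSH tunnel.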