Uploaded image for project: 'JGroups'
  1. JGroups
  2. JGRP-1947

JGRP000006 errors triggered by nmap TCP Connect scanning JGroups ports

    XMLWordPrintable

Details

    • Bug
    • Resolution: Won't Do
    • Major
    • 3.6.5
    • 3.4.6
    • None
    • Workaround Exists
    • Hide

      Use nmap TCP SYN scanning. Half-open scanning only reaches the TCP layer of the TCP/IP stack, whereas TCP Connection scanning reaches the application layer (ex: JGroups). Unfortunately SYN scanning requires root privileges, so this workaround is not always available.

      Show
      Use nmap TCP SYN scanning. Half-open scanning only reaches the TCP layer of the TCP/IP stack, whereas TCP Connection scanning reaches the application layer (ex: JGroups). Unfortunately SYN scanning requires root privileges, so this workaround is not always available.
    • Hide

      Run this nmap TCP Connect scan on JGroups ports. In my case, I used JGroups for HA-JDBC cluster state and lock sharing between Tomcats, and the ports used are 7900 and 7901. The other ports 443, 3306, and 5900 are not relevant to JGroups so you can exclude them.

      nmap -n -T4 -sT -PN --max-scan-delay 0ms --min-rate 1000000 --max-retries 0 -p 443,3306,5900,7900,7901 10.0.0.85

      Show
      Run this nmap TCP Connect scan on JGroups ports. In my case, I used JGroups for HA-JDBC cluster state and lock sharing between Tomcats, and the ports used are 7900 and 7901. The other ports 443, 3306, and 5900 are not relevant to JGroups so you can exclude them. nmap -n -T4 -sT -PN --max-scan-delay 0ms --min-rate 1000000 --max-retries 0 -p 443,3306,5900,7900,7901 10.0.0.85

    Description

      I am running a two node Tomcat cluster. Both JGroups and Hazelcast are used for different parts of application clustering - JGroups for HA-JDBC, and Hazelcast for application locks outside of HA-JDBC.

      Hazelcast is not relevant to JGroups, except I included the Hazelcast errors because they happen at the same time as the JGroups JGRP000006 errors. This gave me a hint of why I see JGRP000006, because the Hazelcast error is more specific about root cause.

      Basically if I run a nmap TCP Connect scan on my servers like so, this opens/closes empty TCP connections. JGroups reports these events as JGRP000006, whereas Hazelcast reports them as "java.io.IOException[Connection reset by peer]".

      I am wondering if JGroups can handle these nmap TCP Connect scans more gracefully, or even log a more descriptive error with the JGRP000006 error code.

      My Tomcat errors for both JGroups and Hazelcast

      Jul 31, 2015 12:27:52 AM com.hazelcast.nio.SocketAcceptor
      INFO: [10.0.0.85]:5900 [ClusterManager] [3.2.4] Accepting socket connection from /10.0.0.86:40527
      Jul 31, 2015 12:27:52 AM com.hazelcast.nio.TcpIpConnectionManager
      INFO: [10.0.0.85]:5900 [ClusterManager] [3.2.4] 5900 accepted socket connection from /10.0.0.86:40527
      Jul 31, 2015 12:27:52 AM org.jgroups.logging.JDKLogImpl warn
      WARNING: JGRP000006: failed accepting connection from peer
      java.net.SocketException: Connection reset
      at java.net.SocketInputStream.read(Unknown Source)
      at java.net.SocketInputStream.read(Unknown Source)
      at java.io.BufferedInputStream.fill(Unknown Source)
      at java.io.BufferedInputStream.read1(Unknown Source)
      at java.io.BufferedInputStream.read(Unknown Source)
      at java.io.DataInputStream.readFully(Unknown Source)
      at org.jgroups.blocks.TCPConnectionMap$TCPConnection.readPeerAddress(TCPConnectionMap.java:494)
      at org.jgroups.blocks.TCPConnectionMap$TCPConnection.<init>(TCPConnectionMap.java:376)
      at org.jgroups.blocks.TCPConnectionMap$Acceptor.handleAccept(TCPConnectionMap.java:298)
      at org.jgroups.blocks.TCPConnectionMap$Acceptor.run(TCPConnectionMap.java:282)
      at java.lang.Thread.run(Unknown Source)

      Jul 31, 2015 12:27:52 AM com.hazelcast.nio.TcpIpConnection
      INFO: [10.0.0.85]:5900 [ClusterManager] [3.2.4] Connection [/10.0.0.86:40527] lost. Reason: java.io.IOException[Connection reset by peer]

      My nmap scan which triggers the JGRP000006 errors:

      root@myserver:~$ nmap -n -T4 -sT -PN --max-scan-delay 0ms --min-rate 1000000 --max-retries 0 -p 443,3306,5900,7900,7901 10.0.0.85

      Starting Nmap 5.51 ( http://nmap.org ) at 2015-07-31 01:33 UTC
      Cannot find nmap-payloads. UDP payloads are disabled.
      Nmap scan report for 10.0.0.85
      Host is up (0.00035s latency).
      PORT STATE SERVICE
      443/tcp open https
      3306/tcp open mysql
      5900/tcp open vnc
      7900/tcp open mevent
      7901/tcp open unknown

      Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

      Attachments

        Activity

          People

            rhn-engineering-bban Bela Ban
            justincranford Justin Cranford (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: