Question by Ryan C. · Oct 31, 2011 at 06:51 PM

Security Scan Vulnerabilities

Looking for some suggestions to address some security scan results of the dynaTrace server. The "vulnerabilities" that I am looking for help with are listed below. The dynaTrace server and Collector are both running on Windows.

  • Port 8020 and 8023.
    Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability
    • A Web server was detected that supports the HTTP TRACE method. This method allows debugging and connection trace analysis for connections from the client to the Web server. Per the HTTP specification, when this method is used, the Web server echoes back the information sent to it by the client unmodified and unfiltered. Microsoft IIS web server uses an alias TRACK for this method, and is functionally the same.
  • Port 2021 and 6699
    SSL Server Supports Weak Encryption Vulnerability.
    SSL Certificate - Self-Signed Certificate.
    SSL Certificate - Signature Verification Failed Vulnerability

I am submitting this to the forum on behalf of a new customer.

Thank you.


3 Replies

Answer by Andreas G. · Nov 02, 2011 at 01:33 PM

Hi Ryan

Let me forward this to our engineers and I will let you know the feedback.
As for Port 8020 - that's the Web Server's unsecure connection, which can be turned off in the Server Settings. All ports you mentioned here are configurable through the Server Settings dialog - and - most of the services behind these ports can also be enabled/disabled through the Server Settings dialog.

Keep you posted

Winston B. · Dec 09, 2011 at 07:20 PM

Hi Andreas,

This is an interesting case.

Just this week I received a question from a prospect who wanted to know how secure the server, the collector and the data warehouse are.

If the customer chooses to “harden” the systems that the above mentioned components run on, what is the bare minimum that needs to be running for dynaTrace to still work? Do you have a list of this?

Andreas G. in reply to Winston B. · Dec 09, 2011 at 07:28 PM

Hi

I am not sure whether I completely understand your question - but - in order for dynaTrace to work you need
a) a dynaTrace Server that listens for incoming dynaTrace Collector Connections - default SSL Port 6699. Also listening on default port 2021 for incoming dynaTrace Clients
b) a dynaTrace Collector that connects to the dynaTrace Server on port 6699 and that is listening for incoming Agent connections - default port 9998
c) a dynaTrace Client that either connects to the dynaTrace server on port 2021 or through an HTTP Tunnel on default port 8023

For further questions on this I recommend talking to the technical support team. Open a question in the support system. They can help you figure out exactly what the requirements for your prospect are.

Andi

Ashokkumar S. in reply to Winston B. · Feb 17, 2012 at 05:56 PM

Hi Winston,

Even I have a prospect who wants to perform OS hardening on the dynaTrace servers. One of his concerns is that the dynaTrace servers will be in a service provider's datacenter and hence he wants all data within dynaTrace systems to be fully protected.

Did you get any reply to this request? If yes, please forward it to me as well.

Rgs

Ashok

Answer by Ryan C. · Nov 02, 2011 at 05:40 PM

Thanks Andreas.

Yesterday, in hindsight, I realized that it would have been more appropriate to have opened a support ticket for this topic, versus the discussion forum. So I opened a ticket yesterday afternoon and Markus is helping me.

Thanks.

Answer by Dominik S. · Feb 20, 2012 at 04:56 PM

Just a quick note for anybody interested, for detailed configuration options please contact support:

Port 8020 and 8023.

  • Web Server HTTP Trace is disabled starting with dynaTrace 4.1

Port 2021 and 6699

  • We disabled a number of weak encryption ciphers in 4.1, some more are addressed as part of the March Monthly Update for dynaTrace 4.1
  • The self-signed certificate is just the default certificate that we deliver for communication of dynaTrace Server, Collector and Client. It is possible to replace this with an officially signed one if necessary, please contact support if you need to do that in an installation

Thanks... Dominik.
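As an added example (not code from this thread or from dynaTrace), the following Python script re-checks the three findings above against a host, using the default ports Andreas lists in his comment: it sends a TRACE request to 8020/8023 and, for 2021/6699, records the negotiated cipher and whether the certificate fails verification as self-signed. The weak-cipher marker list and the `X-Probe` header are my own assumptions; the self-signed codes are OpenSSL's X509_V_ERR values 18 and 19.

```python
"""Added example: re-check the thread's scan findings on a dynaTrace host (Python 3.7+)."""
import http.client
import socket
import ssl
import sys

HTTP_PORTS = (8020, 8023)  # assumed defaults: web server (unsecure) and client HTTP tunnel
TLS_PORTS = (2021, 6699)   # assumed defaults: client and collector SSL listeners
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")  # my own list
SELF_SIGNED = {18, 19}     # OpenSSL X509_V_ERR: self-signed leaf / self-signed in chain

def trace_is_enabled(status, body):
    """A server honouring TRACE answers 200 and echoes the request line back."""
    return status == 200 and body.lstrip().startswith(b"TRACE ")

def cipher_is_weak(name):
    """Judge a suite name as returned by SSLSocket.cipher()[0], e.g. 'RC4-SHA'."""
    return any(m in name.upper() for m in WEAK_MARKERS)

def cert_finding(verify_code, verify_message):
    """Map an OpenSSL verification failure to the scanner's wording."""
    return "self-signed certificate" if verify_code in SELF_SIGNED else verify_message

def probe_trace(host, port, timeout=5):
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("TRACE", "/", headers={"X-Probe": "trace-check"})  # hypothetical marker header
    resp = conn.getresponse()
    return trace_is_enabled(resp.status, resp.read())

def probe_tls(host, port, timeout=5):
    """Return (negotiated cipher, certificate finding or None)."""
    strict = ssl.create_default_context()  # verifies against the OS trust store
    try:
        with socket.create_connection((host, port), timeout) as raw, \
                strict.wrap_socket(raw, server_hostname=host) as s:
            return s.cipher()[0], None
    except ssl.SSLCertVerificationError as e:
        finding = cert_finding(e.verify_code, e.verify_message)
    lax = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    lax.check_hostname, lax.verify_mode = False, ssl.CERT_NONE  # inspect only, never trust
    with socket.create_connection((host, port), timeout) as raw, \
            lax.wrap_socket(raw, server_hostname=host) as s:
        return s.cipher()[0], finding

if __name__ == "__main__":
    host = sys.argv[1]
    for p in HTTP_PORTS:
        print(p, "TRACE enabled" if probe_trace(host, p) else "TRACE disabled")
    for p in TLS_PORTS:
        cipher, finding = probe_tls(host, p)
        print(p, cipher, "weak" if cipher_is_weak(cipher) else "ok", finding or "")
```

Run it as `python check.py <server-host>`; a port that still answers TRACE with 200, negotiates a suite flagged "weak", or reports "self-signed certificate" is one the scanner will keep flagging.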
