• Forums
    • Public Forums
      • Community Connect
      • Dynatrace
        • Dynatrace Open Q&A
      • Application Monitoring & UEM
        • AppMon & UEM Open Q&A
      • Network Application Monitoring
        • NAM Open Q&A
  • Home /
  • Public Forums /
  • Application Monitoring & UEM /
  • AppMon & UEM Open Q&A /
avatar image
Question by Ryan C. · Oct 31, 2011 at 06:51 PM ·

Security Scan Vulnerabilities

Looking for some suggestions to address some security scan results of the dynaTrace server. The "vulnerabilities" that I am looking for help with are listed below. The dynaTrace server and Collector are both running on Windows.

  • Port 8020 and 8023.
    Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability
    • A Web server was detected that supports the HTTP TRACE method. This method allows debugging and connection trace analysis for connections from the client to the Web server. Per the HTTP specification, when this method is used, the Web server echoes back the information sent to it by the client unmodified and unfiltered. Microsoft IIS web server uses an alias TRACK for this method, and is functionally the same.
  • Port 2021 and 6699
    SSL Server Supports Weak Encryption Vulnerability.
    SSL Certificate - Self-Signed Certificate.
    SSL Certificate - Signature Verification Failed Vulnerability

I am submitting this to the forum on behalf of a new customer.

Thank you.

Comment
Chad T.

People who like this

1 Show 0
10 |2000000 characters needed characters left characters exceeded
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

3 Replies

  • Sort: 
  • Most voted
  • Newest
  • Oldest
avatar image

Answer by Dominik S. · Feb 20, 2012 at 04:56 PM

Just a quick note for anybody interested, for detailed configuration options please contact support:

Port 8020 and 8023.

  • Web Server HTTP Trace is disabled starting with dynaTrace 4.1

Port 2021 and 6699

  • We disabled a number of weak encryption ciphers in 4.1, some more are addressed as part of the March Monthly Update for dynaTrace 4.1
  • The self-signed certificate is just the default certificate that we deliver for communication of dynaTrace Server, Collector and Client. It is possible to replace this with an officially signed one if necessary, please contact support if you need to do that in an installation

Thanks... Dominik.

Comment
Chad T.

People who like this

1 Show 0 · Share
10 |2000000 characters needed characters left characters exceeded
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

avatar image

Answer by Ryan C. · Nov 02, 2011 at 05:40 PM

Thanks Andreas.

Yesterday, in hindsight, I realized that it would have been more appropriate to have opened a support ticket for this topic, versus the discussion forum. So I opened a ticket yesterday afternoon and Markus is helping me.

Thanks.

Comment
Chad T.

People who like this

1 Show 0 · Share
10 |2000000 characters needed characters left characters exceeded
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

avatar image

Answer by Andreas G. · Nov 02, 2011 at 01:33 PM

Hi Ryan

Let me forward this to our engineers and I will let you know the feedback.
As for Port 8020 - thats the WebServers Unsecure Connection which can be turned off in the Server-Settings. All ports you mentioned here are configurable through the Server-Settings Dialog - and - most of these services behind these ports can also be enabled/disabled through the Server-Settings Dialog

Keep you posted

Comment
Chad T.

People who like this

1 Show 3 · Share
10 |2000000 characters needed characters left characters exceeded
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

avatar image Winston B. · Dec 09, 2011 at 07:20 PM 1
Share

Hi Andreas,

This in an interesting case.

Just this week I received a question from a prospect who wanted to know how secure the server, the collector and the data warehouse are.

If the customer choose the “harden” the systems where the above mentioned components run on, what is the bare minimum that needs to be running for dynaTrace to still work? Do you have a list of this?

avatar image Andreas G. ♦ Winston B. · Dec 09, 2011 at 07:28 PM 1
Share

Hi

I am not sure whether I completely understand your question - but - in order for dynaTrace to work you need
a) a dynaTrace Server that listens for incoming dynaTrace Collector Connections - default SSL Port 6699. Also listening on default port 2021 for incoming dynaTrace Clients
b) a dynaTrace Collector that connects to the dynaTrace Server on port 6699 and that is listening for incoming Agent connections - default port 9998
c) a dynaTrace Client that either connects to the dynaTrace server on port 2021 or through an HTTP Tunnel on default port 8023

For further questions on this I recommend talking to the technical support team. Open a question in the support system. They can help you figure out exactly what the requirements for your prospect are.

Andi

avatar image Ashokkumar S. Winston B. · Feb 17, 2012 at 05:56 PM 1
Share

Hi Winston,

even i have a prospect who wants to perform OS hardening on the dynaTrace servers. one of his concerns is that the dynaTrace

servers will be in a service providers datacenter and hence he wants all data within dynaTrace systems to be fully protected.

did you get any reply to this request. if yes, pls forward it to me as well.

rgs

ashok

How to get started

First steps in the forum
Read Community User Guide
Best practices of using forum

NAM 2019 SP5 is available


Check the RHEL support added in the latest NAM service pack.

Learn more

LIVE WEBINAR

"Performance Clinic - Monitoring as a Self Service with Dynatrace"


JANUARY 15, 3:00 PM GMT / 10:00 AM ET

Register here

Follow this Question

Answers Answers and Comments

3 People are following this question.

avatar image avatar image avatar image

Forum Tags

dotnet mobile monitoring load iis 6.5 kubernetes mainframe rest api dashboard framework 7.0 appmon 7 health monitoring adk log monitoring services auto-detection uem webserver test automation license web performance monitoring ios nam probe collector migration mq web services knowledge sharing reports window java hybris javascript appmon sensors good to know extensions search 6.3+ server documentation easytravel web dashboard kibana system profile purelytics docker splunk 6.1 process groups account 7.2 rest dynatrace saas spa guardian appmon administration production user actions postgresql upgrade oneagent measures security Dynatrace Managed transactionflow technologies diagnostics user session monitoring unique users continuous delivery sharing configuration alerting NGINX splitting business transaction client 6.3 installation database scheduler apache mobileapp RUM php dashlet azure purepath agent 7.1 appmonsaas messagebroker nodejs 6.2 android sensor performance warehouse
  • Forums
  • Public Forums
    • Community Connect
    • Dynatrace
      • Dynatrace Open Q&A
    • Application Monitoring & UEM
      • AppMon & UEM Open Q&A
    • Network Application Monitoring
      • NAM Open Q&A