The main thing to remember about jserver-c ("chopchop") is that it currently has NO authentication. Any ol' user with a jabber client can essentially take over a mal-configured jserver-c server, and potentially compromise any systems using OpenSRF (IE: Evergreen).
There is good news, however. There is absolutely no reason for jserver-c to be bound to the network card in a single-server scenario. jserver-c should be bound to localhost AND ONLY LOCALHOST.
More good news: a proper authentication mechanism for chopchop will be implemented shortly.
evergreen-admin/security/chopchop.txt · Last modified: 2022/02/10 13:34 by 127.0.0.1