Some important pointers concerning security of JBoss application servers:
On the production machine, which is accessible from outside your development environment, you should shut down all the admin access tools.
That is:
- jmx-console,
- admin-console and
- web-console.
Either take them down manually, i.e. undeploy (=delete) the corresponding .war files on the running JBoss instance, or move them to different ports which are blocked on your company's firewall so they are not accessible from the outside. (This is better, so you will still be able to use them to maintain your server.)
Here is an article talking about how dangerous it is to not configure the above things: vulnerability of unsecure JMX-consoles (Read this, this is important. An unsecured jmx-console will allow anyone full access to your server, e.g. he could shut it down with the click of a mouse...)
You will also have to activate the security on the jmx-console, otherwise it will not even ask you for a password. Here is a link that explains what to do:
securing the JMX-console
Last but not least, definitely change the default admin password. In case someone is still able to access one of those consoles, it is not clever to leave the admin/admin default credentials in there...
If you do the above things this should be a good start.
Securing the Ubuntu Server is of course quite another story. However, the default configuration of Ubuntu is rather good - if you didn't do too many crazy things (like installing insecure services) I guess you should be rather secure on that end.
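
The checks described above (consoles still deployed, default admin/admin still in place) can be scripted. This is an added example, not part of the original answer: the console names and the admin/admin pair come from the text, while the function names, the search for `*.war` entries anywhere under the given directory, and the `*users.properties` files with `user=password` lines are assumptions about the layout.

```shell
#!/bin/sh
# Added example: audit a JBoss server directory for the exposures named above.
# Assumptions: consoles are deployed as <name>.war files or exploded directories,
# and credentials are stored as user=password lines in *users.properties files.

# Print every deployed admin console found under directory $1.
find_consoles() {
    find "$1" \( -name 'jmx-console.war' -o -name 'admin-console.war' \
        -o -name 'web-console.war' \) -print 2>/dev/null | sort
}

# Print every properties file under $1 that still holds the admin/admin default.
find_default_creds() {
    find "$1" -type f -name '*users.properties' 2>/dev/null | sort |
    while IFS= read -r f; do
        # Commented-out lines do not match; whitespace around '=' is tolerated.
        if grep -Eq '^[[:space:]]*admin[[:space:]]*=[[:space:]]*admin[[:space:]]*$' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Report findings for $1; return 0 when clean, 1 when something needs attention.
audit_jboss() {
    dir=$1
    status=0
    consoles=$(find_consoles "$dir")
    creds=$(find_default_creds "$dir")
    if [ -n "$consoles" ]; then
        echo "Admin consoles still deployed:"
        echo "$consoles" | sed 's/^/  /'
        status=1
    fi
    if [ -n "$creds" ]; then
        echo "Default admin/admin credentials in:"
        echo "$creds" | sed 's/^/  /'
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "No consoles or default credentials found under $dir"
    fi
    return "$status"
}

# Run the audit when a directory is passed on the command line.
if [ "$#" -gt 0 ]; then audit_jboss "$1"; fi
```

A non-zero exit status makes the script usable as a deployment gate. A console that was moved to a firewalled port rather than undeployed will still be reported, so treat that finding as a reminder to verify the firewall rule.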