Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5922
  • Last Modified:

Apache Tomcat 5.0.27 Hardening Best Practices

Hello -

I'd like some best practices for hardening/securing an installation of Apache Tomcat 5.0.27.

Also, I need to know how to remove the default "If you're seeing this page via a web browser, it means you've setup Tomcat successfully" page.

Thanks!

0
joshsfinn
Asked:
joshsfinn
  • 3
  • 2
2 Solutions
 
ahoffmannCommented:
there're at least 4 part for hardening:
  1. the OS (including directoory, file and process owner and permission)
  2. apache konfiguration
  3. tomcat configuration
  4. applications used in apache and/or tomcat

keep in mind that 2. to 4. rely, somehow, on 1.
In which one are you interested?
0
 
dnojcdCommented:
1. use an unprivileged user account to run the  server.
2.use a firewall before your server
3. Disable the connectors you dont need  in server.xml
4. Restrict the manager,admin applications by ip restriction.
5. Disable the examples application
6. use apache http server to forward the request to the tomcat server.

list is not exhaustive . only some tips :-)
0
 
ahoffmannCommented:
> 2.use a firewall before your server
what does this help if port 80 and 443 are wide, wide open, probably enhanced by a cache and load balancer?
You need a WAF - web application firewall- for that too.
0
Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
joshsfinnAuthor Commented:
I think I should have offered more information.

I'm a Windows System Administrator and am fairly familiar with IIS. I'm NOT at all familiar with UNIX systems/configuration.

We have a new application that we are implementing that runs Tomcat on a Windows Server. I've never used Tomcat before so I really need beginner instructions on configuration.

I've found the http://webserver/admin tools but I get kind of lost looking through there.

Maybe you could point me to some good documentation on Tomcat server configuration?

Thanks for the comments.
0
 
ahoffmannCommented:
some basic general steps:
  1. bind tomcat to those IPs and ports only which you need, don't bind to any
  2. disable the tomcat's admin/manager web application completely or configure it that way that it needs proper username/passwort and connection from well known hosts
  3. use server-minimal.xml instead of server.xml (make security life simpler;-)
  4. check what you allow in tomcat's default context.xml, web.xml and anything below your configured host (see <Host ...> directive in server.xsml)
  5. use a special user to run tomcat, don't use administrator/root for that
  6. allow only that user /see 5.) to read all your files, disallow any other users
  7. make all files read-only (except those tomcat needs to write to)
0
 
joshsfinnAuthor Commented:
Ok. Thanks for the tips. I'm splitting the points.
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now