
Apache Tomcat 5.0.27 Hardening Best Practices

Posted on 2006-06-22
Last Modified: 2012-06-21
Hello -

I'd like some best practices for hardening/securing an installation of Apache Tomcat 5.0.27.

Also, I need to know how to remove the default "If you're seeing this page via a web browser, it means you've setup Tomcat successfully" page.

Thanks!

Question by:joshsfinn

Assisted Solution

by:ahoffmann
ahoffmann earned 250 total points
ID: 16967173
There are at least 4 parts to hardening:
  1. the OS (including directory, file and process owner and permissions)
  2. Apache configuration
  3. Tomcat configuration
  4. applications used in Apache and/or Tomcat

Keep in mind that 2. to 4. rely, somehow, on 1.
In which one are you interested?

Accepted Solution

by:dnojcd
dnojcd earned 250 total points
ID: 16967271
1. Use an unprivileged user account to run the server.
2. Use a firewall before your server.
3. Disable the connectors you don't need in server.xml.
4. Restrict the manager/admin applications by IP restriction.
5. Disable the examples application.
6. Use Apache HTTP server to forward the requests to the Tomcat server.

The list is not exhaustive, only some tips :-)

Expert Comment

by:ahoffmann
ID: 16967296
> 2.use a firewall before your server
what does this help if port 80 and 443 are wide, wide open, probably enhanced by a cache and load balancer?
You need a WAF - web application firewall- for that too.

Author Comment

by:joshsfinn
ID: 16968891
I think I should have offered more information.

I'm a Windows System Administrator and am fairly familiar with IIS. I'm NOT at all familiar with UNIX systems/configuration.

We have a new application that we are implementing that runs Tomcat on a Windows Server. I've never used Tomcat before so I really need beginner instructions on configuration.

I've found the http://webserver/admin tools but I get kind of lost looking through there.

Maybe you could point me to some good documentation on Tomcat server configuration?

Thanks for the comments.

Expert Comment

by:ahoffmann
ID: 16969894
some basic general steps:
  1. bind Tomcat to those IPs and ports only which you need, don't bind to any
  2. disable Tomcat's admin/manager web application completely, or configure it so that it needs a proper username/password and a connection from well-known hosts
  3. use server-minimal.xml instead of server.xml (makes security life simpler ;-)
  4. check what you allow in Tomcat's default context.xml, web.xml and anything below your configured host (see the <Host ...> directive in server.xml)
  5. use a special user to run Tomcat, don't use administrator/root for that
  6. allow only that user (see 5.) to read all your files, disallow any other users
  7. make all files read-only (except those Tomcat needs to write to)
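Added example, not part of the original thread: a small Python audit that turns the configuration points from dnojcd's list (disable unneeded connectors, restrict manager/admin by IP, drop the example apps, front Tomcat with httpd) and from the steps above (bind only the needed IPs/ports, lock down manager/admin) into concrete checks against a Tomcat 5.0 server.xml and a manager Context fragment. The element and attribute names (Server port/shutdown, Connector address/protocol, Context privileged, Valve className org.apache.catalina.valves.RemoteAddrValve with a comma-separated allow list) are Tomcat 5.0's; every XML string in the block is constructed sample configuration, shown once in stock shape and once hardened, and the list of default 5.0 webapps is assumed from the 5.0 distribution layout.

```python
"""Audit a Tomcat 5.0 server.xml and a privileged Context fragment against the
hardening points in the thread above.

Added example, not code from the original thread. Element and attribute names
are those of Tomcat 5.0's server.xml and conf/Catalina/localhost/*.xml; all
XML below is constructed sample configuration, not copied from any install.
"""
import xml.etree.ElementTree as ET

REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"

# Webapps shipped with the 5.0 distribution (assumed list) that a production
# server rarely needs. ROOT is kept: it is where the default welcome page
# (webapps/ROOT/index.jsp) lives, so replace its content rather than delete it.
DEFAULT_WEBAPPS = {"balancer", "jsp-examples", "servlets-examples",
                   "tomcat-docs", "webdav", "manager", "admin"}


def audit_server_xml(xml_text):
    """Return findings for the <Server> element: shutdown listener and connector binds."""
    server = ET.fromstring(xml_text)
    findings = []
    # Stock is port="8005" shutdown="SHUTDOWN": anyone who can reach that port
    # and send the string stops Tomcat. port="-1" disables the listener.
    port = server.get("port", "8005")
    if port != "-1":
        findings.append("shutdown listener enabled on port %s" % port)
        if server.get("shutdown", "SHUTDOWN") == "SHUTDOWN":
            findings.append("shutdown command is the well-known default SHUTDOWN")
    for conn in server.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")  # 5.0 default when omitted
        # Without address= a connector listens on every interface (0.0.0.0).
        if conn.get("address") is None:
            findings.append("%s connector on port %s binds to all interfaces"
                            % (proto, conn.get("port")))
    return findings


def audit_context_xml(xml_text):
    """Return findings for a privileged Context (manager/admin) fragment."""
    ctx = ET.fromstring(xml_text)
    path = ctx.get("path", "")
    findings = []
    if ctx.get("privileged") != "true":
        return findings  # only the privileged apps are in scope here
    valves = [v for v in ctx.findall("Valve")
              if v.get("className") == REMOTE_ADDR_VALVE]
    if not valves:
        findings.append("%s has no RemoteAddrValve; reachable from any client IP" % path)
    for v in valves:
        # In 5.x 'allow' is a comma-separated list of regexes; with no allow
        # list every address not matched by 'deny' gets through.
        if not v.get("allow"):
            findings.append("%s RemoteAddrValve has no allow list" % path)
    return findings


def default_webapps_deployed(webapp_names):
    """Return the default 5.0 webapps still present in webapps/ or server/webapps/."""
    return sorted(set(webapp_names) & DEFAULT_WEBAPPS)


# Constructed sample: the shape of a stock 5.0 server.xml (everything bound
# to every interface, shutdown port open).
STOCK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" maxThreads="150" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""

# Constructed sample: shutdown listener off, HTTP connector removed, only the
# AJP connector left and bound to loopback for a local Apache httpd to forward to.
HARDENED_SERVER_XML = """<Server port="-1" shutdown="ChangedToSomethingLong">
  <Service name="Catalina">
    <Connector port="8009" address="127.0.0.1" protocol="AJP/1.3"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""

# Constructed samples of conf/Catalina/localhost/manager.xml, before and after
# adding an IP restriction (loopback plus one admin subnet, assumed addresses).
STOCK_MANAGER_XML = """<Context path="/manager" privileged="true"
         docBase="${catalina.home}/server/webapps/manager"/>"""

HARDENED_MANAGER_XML = r"""<Context path="/manager" privileged="true"
         docBase="${catalina.home}/server/webapps/manager">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1,10\.1\.2\.[0-9]+"/>
</Context>"""


if __name__ == "__main__":
    for label, text in (("stock", STOCK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, "server.xml:", audit_server_xml(text) or ["no findings"])
    print("stock manager.xml:", audit_context_xml(STOCK_MANAGER_XML))
    print("hardened manager.xml:", audit_context_xml(HARDENED_MANAGER_XML) or ["no findings"])
    print("default webapps left:", default_webapps_deployed(
        ["ROOT", "myapp", "jsp-examples", "tomcat-docs", "manager"]))
```

Two caveats for anyone adapting this. The RemoteAddrValve `allow` syntax shown (comma-separated regular expressions, with dots escaped) is the 5.x/6.x form; Tomcat 7 and later take a single regular expression instead. And an IP allow list on the manager only complements, never replaces, the manager's own username/password in tomcat-users.xml and a firewall rule on the host, since the valve sees the address the request arrived from, which behind a proxy or load balancer may be the proxy's.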
Author Comment

by:joshsfinn
ID: 16993373
Ok. Thanks for the tips. I'm splitting the points.