Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Apache Tomcat 5.0.27 Hardening Best Practices

Posted on 2006-06-22
6
Medium Priority
?
5,919 Views
Last Modified: 2012-06-21
Hello -

I'd like some best practices for hardening/securing an installation of Apache Tomcat 5.0.27.

Also, I need to know how to remove the default "If you're seeing this page via a web browser, it means you've setup Tomcat successfully" page.

Thanks!

0
Comment
Question by:joshsfinn
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 1000 total points
ID: 16967173
there're at least 4 part for hardening:
  1. the OS (including directoory, file and process owner and permission)
  2. apache konfiguration
  3. tomcat configuration
  4. applications used in apache and/or tomcat

keep in mind that 2. to 4. rely, somehow, on 1.
In which one are you interested?
0
 
LVL 10

Accepted Solution

by:
dnojcd earned 1000 total points
ID: 16967271
1. use an unprivileged user account to run the  server.
2.use a firewall before your server
3. Disable the connectors you dont need  in server.xml
4. Restrict the manager,admin applications by ip restriction.
5. Disable the examples application
6. use apache http server to forward the request to the tomcat server.

list is not exhaustive . only some tips :-)
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16967296
> 2.use a firewall before your server
what does this help if port 80 and 443 are wide, wide open, probably enhanced by a cache and load balancer?
You need a WAF - web application firewall- for that too.
0
Understanding Web Applications

Without even knowing it, most of us are using web applications on a daily basis. Gmail and Yahoo email, Twitter, Facebook, and eBay are used by most of us daily—and they are web applications. We often confuse these web applications tools for websites.  So, what is the difference?

 

Author Comment

by:joshsfinn
ID: 16968891
I think I should have offered more information.

I'm a Windows System Administrator and am fairly familiar with IIS. I'm NOT at all familiar with UNIX systems/configuration.

We have a new application that we are implementing that runs Tomcat on a Windows Server. I've never used Tomcat before so I really need beginner instructions on configuration.

I've found the http://webserver/admin tools but I get kind of lost looking through there.

Maybe you could point me to some good documentation on Tomcat server configuration?

Thanks for the comments.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16969894
some basic general steps:
  1. bind tomcat to those IPs and ports only which you need, don't bind to any
  2. disable the tomcat's admin/manager web application completely or configure it that way that it needs proper username/passwort and connection from well known hosts
  3. use server-minimal.xml instead of server.xml (make security life simpler;-)
  4. check what you allow in tomcat's default context.xml, web.xml and anything below your configured host (see <Host ...> directive in server.xsml)
  5. use a special user to run tomcat, don't use administrator/root for that
  6. allow only that user /see 5.) to read all your files, disallow any other users
  7. make all files read-only (except those tomcat needs to write to)
0
 

Author Comment

by:joshsfinn
ID: 16993373
Ok. Thanks for the tips. I'm splitting the points.
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a guide to setting up a new WHM/cPanel Server to be used for web hosting accounts. It is intended for web hosting company administrators and dedicated server owners. For under $99 per month (considering normal rate of Big Data Cetnters like …
When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question