Solved

Apache Tomcat 5.0.27 Hardening Best Practices

Posted on 2006-06-22
Last Modified: 2012-06-21
Hello -

I'd like some best practices for hardening/securing an installation of Apache Tomcat 5.0.27.

Also, I need to know how to remove the default "If you're seeing this page via a web browser, it means you've setup Tomcat successfully" page.

Thanks!

Question by:joshsfinn

Assisted Solution

by:ahoffmann
ahoffmann earned 250 total points
There are at least 4 parts to hardening:
  1. the OS (including directory, file and process owner and permission)
  2. apache configuration
  3. tomcat configuration
  4. applications used in apache and/or tomcat

keep in mind that 2. to 4. rely, somehow, on 1.
In which one are you interested?

Accepted Solution

by:dnojcd
dnojcd earned 250 total points
1. Use an unprivileged user account to run the server.
2. Use a firewall before your server.
3. Disable the connectors you don't need in server.xml.
4. Restrict the manager and admin applications by IP restriction.
5. Disable the examples application.
6. Use apache http server to forward the request to the tomcat server.

List is not exhaustive. Only some tips :-)

Expert Comment

by:ahoffmann
> 2.use a firewall before your server
what does this help if port 80 and 443 are wide, wide open, probably enhanced by a cache and load balancer?
You need a WAF - web application firewall - for that too.

Author Comment

by:joshsfinn
I think I should have offered more information.

I'm a Windows System Administrator and am fairly familiar with IIS. I'm NOT at all familiar with UNIX systems/configuration.

We have a new application that we are implementing that runs Tomcat on a Windows Server. I've never used Tomcat before so I really need beginner instructions on configuration.

I've found the http://webserver/admin tools but I get kind of lost looking through there.

Maybe you could point me to some good documentation on Tomcat server configuration?

Thanks for the comments.

Expert Comment

by:ahoffmann
Some basic general steps:
  1. bind tomcat only to those IPs and ports which you need, don't bind to any
  2. disable tomcat's admin/manager web application completely, or configure it so that it needs a proper username/password and a connection from well-known hosts
  3. use server-minimal.xml instead of server.xml (makes security life simpler ;-)
  4. check what you allow in tomcat's default context.xml, web.xml and anything below your configured host (see <Host ...> directive in server.xml)
  5. use a special user to run tomcat, don't use administrator/root for that
  6. allow only that user (see 5.) to read all your files, disallow any other users
  7. make all files read-only (except those tomcat needs to write to)
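
Steps 1 and 2 above (tips 3 and 4 of the accepted solution) can be checked mechanically. The following Python script is an added example, not code from any poster in this thread; the sample server.xml, the `audit` function and the finding names are constructed for illustration, and it assumes the manager/admin applications are restricted with a RemoteAddrValve declared inside their `<Context>` element.

```python
import xml.etree.ElementTree as ET

REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"
ADMIN_PATHS = ("/manager", "/admin")

# Constructed sample configuration, not taken from a real installation.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" />
    <Connector port="8009" address="127.0.0.1" protocol="AJP/1.3" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/manager" docBase="manager" privileged="true" />
        <Context path="/admin" docBase="admin" privileged="true">
          <Valve className="org.apache.catalina.valves.RemoteAddrValve"
                 allow="127.0.0.1" />
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
"""


def audit(xml_text):
    """Return (check, detail) findings for one server.xml or context file."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        # A connector without an address attribute listens on every interface.
        if conn.get("address") in (None, "", "0.0.0.0"):
            findings.append(("connector-bound-to-all", "port " + conn.get("port", "?")))
    for ctx in root.iter("Context"):
        path = ctx.get("path", "")
        if path not in ADMIN_PATHS:
            continue
        # Only valves declared directly inside the Context are considered here;
        # a restriction placed on the enclosing Host or Engine is not detected.
        restricted = any(
            v.get("className") == REMOTE_ADDR_VALVE and v.get("allow")
            for v in ctx.findall("Valve")
        )
        if not restricted:
            findings.append(("admin-app-no-ip-restriction", path))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE_SERVER_XML):
        print(check + ": " + detail)
```

On the constructed sample it reports the port 8080 connector and the unrestricted `/manager` context.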

Author Comment

by:joshsfinn
Ok. Thanks for the tips. I'm splitting the points.