Apache Tomcat 5.0.27 Hardening Best Practices

Posted on 2006-06-22
Last Modified: 2012-06-21
Hello -

I'd like some best practices for hardening/securing an installation of Apache Tomcat 5.0.27.

Also, I need to know how to remove the default "If you're seeing this page via a web browser, it means you've setup Tomcat successfully" page.

Thanks!

Question by:joshsfinn
Assisted Solution

by:ahoffmann
There are at least 4 parts for hardening:
  1. the OS (including directory, file and process owner and permissions)
  2. Apache configuration
  3. Tomcat configuration
  4. applications used in Apache and/or Tomcat

Keep in mind that 2. to 4. rely, somehow, on 1.
In which one are you interested?
Accepted Solution

by:dnojcd
1. Use an unprivileged user account to run the server.
2. Use a firewall before your server.
3. Disable the connectors you don't need in server.xml.
4. Restrict the manager and admin applications by IP restriction.
5. Disable the examples application.
6. Use Apache HTTP Server to forward the requests to the Tomcat server.

The list is not exhaustive, only some tips :-)
Expert Comment

by:ahoffmann
> 2. Use a firewall before your server.
What does this help if ports 80 and 443 are wide, wide open, probably enhanced by a cache and load balancer?
You need a WAF (web application firewall) for that too.
Author Comment

by:joshsfinn
I think I should have offered more information.

I'm a Windows System Administrator and am fairly familiar with IIS. I'm NOT at all familiar with UNIX systems/configuration.

We have a new application that we are implementing that runs Tomcat on a Windows Server. I've never used Tomcat before so I really need beginner instructions on configuration.

I've found the http://webserver/admin tools but I get kind of lost looking through there.

Maybe you could point me to some good documentation on Tomcat server configuration?

Thanks for the comments.
Expert Comment

by:ahoffmann
Some basic general steps:
  1. bind Tomcat only to those IPs and ports which you need, don't bind to any
  2. disable Tomcat's admin/manager web application completely, or configure it so that it needs a proper username/password and a connection from well-known hosts
  3. use server-minimal.xml instead of server.xml (makes security life simpler ;-)
  4. check what you allow in Tomcat's default context.xml, web.xml and anything below your configured host (see the <Host ...> directive in server.xml)
  5. use a special user to run Tomcat, don't use administrator/root for that
  6. allow only that user (see 5.) to read all your files, disallow any other users
  7. make all files read-only (except those Tomcat needs to write to)
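As an added example (not code from this thread or from the Tomcat project), a small Python audit script that checks a server.xml for two of the points above: connectors with no `address` attribute, which bind to every interface (step 1), and a `/manager` or `/admin` context that is kept without a `RemoteAddrValve` IP restriction (step 2, and dnojcd's point 4). The sample server.xml below is constructed; the real file lives in Tomcat's conf directory.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the thread): the HTTP connector is
# bound to localhost, the AJP connector is not; /manager has a RemoteAddrValve,
# /admin does not.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" address="127.0.0.1" maxThreads="150"/>
    <Connector port="8009" protocol="AJP/1.3"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/manager" docBase="../server/webapps/manager">
          <Valve className="org.apache.catalina.valves.RemoteAddrValve"
                 allow="127\\.0\\.0\\.1"/>
        </Context>
        <Context path="/admin" docBase="../server/webapps/admin"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

# Contexts that should be removed or restricted to well-known hosts (step 2).
SENSITIVE_PATHS = {"/manager", "/admin"}


def audit_server_xml(xml_text):
    """Return a list of finding strings for the checks described above."""
    root = ET.fromstring(xml_text)
    findings = []
    # Step 1: a Connector without an address attribute listens on every
    # interface; each one should be bound explicitly or removed if unused.
    for conn in root.iter("Connector"):
        if "address" not in conn.attrib:
            findings.append("connector on port %s binds to all interfaces"
                            % conn.get("port"))
    # Step 2 / dnojcd's point 4: manager and admin contexts need an IP
    # restriction (RemoteAddrValve) if they are kept at all.
    for ctx in root.iter("Context"):
        path = ctx.get("path", "")
        if path in SENSITIVE_PATHS:
            valves = [v.get("className", "") for v in ctx.findall("Valve")]
            if not any(v.endswith("RemoteAddrValve") for v in valves):
                findings.append("%s context has no RemoteAddrValve" % path)
    return findings


if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_SERVER_XML):
        print("FINDING:", finding)
```

Run it against your own server.xml by replacing the constructed sample with the file contents; an empty result means both checks passed for that file only, the remaining steps (file permissions, service account, examples app) still need a manual look.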
Author Comment

by:joshsfinn
Ok. Thanks for the tips. I'm splitting the points.