MichaelBalack asked:
How to harden Apache Tomcat?

This is using MS Windows 2008 R2 Server. This server is set up as a web server using Apache Tomcat 7.0.42. In order to "sustain" possible attacks/hacking from the Internet, the system needs to be hardened. Btw, how to harden the web server? Where do I find the relevant articles/information?

Appreciate your help.
btan:

The principle of hardening is always to remove/disable unnecessary accounts (default, orphaned, redundant, test accounts etc.), services (file transfer, directory browsing etc.) and interfaces (ports and connections). These are subject to exposure and constant knocking and fingerprinting by attackers looking for that single hole. Run an online security assessment to surface weaknesses, especially if you are running a CMS (using the CMSMap tool) or have an SSL connection (using the SSL Labs test); in short, do pentest the server.

Use of a SCAP-compliant scanner (see the NIST STIG checklist too) may be considered, as well as the CIS benchmark, which is widely used as a hardening baseline. The CIS one needs membership but you can explore further here; it may not be for the exact version stated, but the base fundamentals will not differ.

Overall, NIST has a good checklist (pdf) to run through for the web server aspect (see "5. Securing the Web Server" and "6. Securing Web Content"). The full set of checklists is collated in the pdf, referenced as "Appendix E - Web Server Security Checklist"; it can be a good checker for a start.

To add, OWASP practices should not be missed out either. It has a comprehensive cheat sheet listing, but I suggest you check out the "Attack Surface Analysis Cheat Sheet" and "Web Service Security Cheat Sheet".

There is quite a large scope for hardening, so I do suggest focusing on the principles and the NIST pdf checklist to start with. Hope it helps.
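As an added example (not code from btan, Experts Exchange or the Tomcat project), a small audit of the Tomcat 7 configuration points the answer names: default accounts, directory browsing, and unneeded listening interfaces. The three XML fragments are constructed samples in the shape of conf/server.xml, conf/web.xml and conf/tomcat-users.xml, not files from the asker's server.

```python
import xml.etree.ElementTree as ET
# Constructed samples in the shape of Tomcat 7's conf/server.xml, conf/web.xml
# and conf/tomcat-users.xml (hypothetical content, not the asker's files).
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>"""
USERS_XML = """<tomcat-users>
  <user username="tomcat" password="tomcat" roles="manager-gui,admin-gui"/>
  <user username="appdeploy" password="Str0ng-random-value" roles="manager-script"/>
</tomcat-users>"""
PRIVILEGED = ("manager", "admin")  # role prefixes of the manager/host-manager webapps

def audit(server_xml, web_xml, users_xml):
    """Return hardening findings as strings; an empty list means all checks passed."""
    findings = []
    server = ET.fromstring(server_xml)
    # Interfaces: the stock shutdown port/command is guessable; use port="-1" or change both.
    if server.get("port") == "8005" or server.get("shutdown") == "SHUTDOWN":
        findings.append("server.xml: default shutdown port/command")
    # Interfaces: an AJP connector is an extra listening port a standalone server does not need.
    for conn in server.iter("Connector"):
        if conn.get("protocol", "").startswith("AJP"):
            findings.append("server.xml: AJP connector listening on port %s" % conn.get("port"))
    # Services: directory browsing is the DefaultServlet 'listings' init-param.
    for servlet in ET.fromstring(web_xml).iter("servlet"):
        if servlet.findtext("servlet-name") == "default":
            for param in servlet.iter("init-param"):
                if param.findtext("param-name") == "listings" and param.findtext("param-value") == "true":
                    findings.append("web.xml: directory listings enabled")
    # Accounts: report every privileged user so each is justified; password == username
    # marks an untouched default/test account.
    for user in ET.fromstring(users_xml).iter("user"):
        name, roles = user.get("username"), user.get("roles", "")
        if user.get("password") == name:
            findings.append("tomcat-users.xml: default-style credentials for '%s'" % name)
        if any(role.startswith(PRIVILEGED) for role in roles.split(",")):
            findings.append("tomcat-users.xml: privileged account '%s' (%s)" % (name, roles))
    return findings

if __name__ == "__main__":
    for finding in audit(SERVER_XML, WEB_XML, USERS_XML):
        print("FINDING:", finding)
```

Real Tomcat web.xml files declare an xmlns, so with ElementTree the tag lookups would need the `{namespace}servlet` form.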
MichaelBalack (asker):
Hi Btan,

Thanks for your comments and articles. Let me go through the suggested article chapters and then update you.
ASKER CERTIFIED SOLUTION by btan (only available to Experts Exchange members)
MichaelBalack (asker):

Hi btan,

Thanks for your prompt suggestion and sharing. Please give me some time to go through the suggested link. I will get back to you soon.
btan:

No worries.
MichaelBalack (asker):

Thanks to btan for pointing out the core of hardening on Apache. However, I won't have the chance to implement it yet, as the whole hardening project will be pending until next quarter.
btan:

Thanks, but do always go by the secure-by-default principle, where you do not unnecessarily "open up" default accounts and services to "free" access and probing from public access.