From: Pete Stevens
To: Tomcat Users List, Patrick Lacson
Date: Thu, 24 Feb 2005 10:38:10 +0000 (GMT)
Subject: Re: how to harden tomcat?
In-Reply-To: <72112a505022400293b4c2b45@mail.gmail.com>
References: <72112a505022311244861b6f9@mail.gmail.com> <72112a5050223112731b91df6@mail.gmail.com> <421CEECF.3000908@wizardslair.net> <72112a505022400293b4c2b45@mail.gmail.com>

Hi,

My beginners' guide is here (for Tomcat on Linux); it covers:

  Running not as root.
  Restricting the permissions of the Tomcat directories.

http://www.mythic-beasts.com/support/topic_vds_java.html

I'd also recommend removing all the management utilities from the web-based front end, and a completely fascist host firewall that denies everything but port 80 / 22.

Pete Stevens

On Thu, 24 Feb 2005, Patrick Lacson wrote:

> Thanks Peter.
>
> On Thu, 24 Feb 2005 07:59:59 +1100, Peter Johnson wrote:
> > I haven't really come across hardening documents for Tomcat or any Java
> > container for that matter. That is probably because Java by design is
> > relatively secure as it runs within a virtual machine so it isn't
> > possible to escape code etc. and break out into the OS kernel space.
> >
> > So basically run Tomcat as a specific user and tune the filesystem
> > parameters to only allow access to the resources it needs (standard
> > approach for every app, Java or not). Now focus all your attention on the
> > application code (not Tomcat but the webapp); make sure all database
> > interactions are escaped properly etc. etc. etc.
> >
> > One thing to look out for would be the use of JNI, i.e. native calls. I'm
> > not sure if there is a way of preventing someone from packaging a .so in
> > a WAR and then loading it in to the app via code to bypass the lack of
> > LD_LIBRARY_PATH (on *nix).
> >
> > The authentication / authorisation stuff (e.g. realms) is all to do with
> > access to webapps.
> >
> > If you come across anything else I would be interested to know about it,
> > especially if it is to do with securing Java in general.
> >
> > PJ
> >
> > Patrick Lacson wrote:
> > > Specifically authoritative articles on how to do this would be
> > > greatly appreciated.
> > >
> > > On Wed, 23 Feb 2005 11:24:12 -0800, Patrick Lacson wrote:
> > > > Does anybody have any links/documents on how to harden tomcat?
> > > >
> > > > thanks,
> > > > --
> > > > Patrick
>
> --
> Patrick

-- 
Pete Stevens
pete@ex-parrot.com
http://www.ex-parrot.com/~pete/
Always buy a lottery ticket on a Friday or Saturday, otherwise you're more likely to be run over than claim the prize.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
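An added example, not from the thread or from Pete's guide: a read-only POSIX shell audit of a Tomcat install tree for two of the points raised above, stock management/sample webapps still deployed and files or directories writable by "other". The webapp names are Tomcat's default directory names under webapps/; the install path passed as the first argument (CATALINA_HOME) is an assumption about the host being checked.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a Tomcat install tree
# for leftover management webapps and world-writable paths. Adjust
# ADMIN_WEBAPPS to the installation at hand; the list below is the stock set.
ADMIN_WEBAPPS="manager host-manager admin examples docs"

# Print the names of stock management/sample webapps still deployed under
# $1/webapps. Returns 0 when none are present, 1 otherwise.
leftover_webapps() {
    found=0
    for app in $ADMIN_WEBAPPS; do
        if [ -d "$1/webapps/$app" ]; then
            echo "$app"
            found=1
        fi
    done
    return $found
}

# Print every path under $1 with the o+w bit set. Symlinks are skipped since
# their mode bits carry no meaning. Returns 0 when nothing is world-writable.
world_writable() {
    hits=$(find "$1" ! -type l -perm -0002 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Run both checks against the Tomcat directory $1 and summarise.
# Returns 0 only if both checks pass.
audit_tomcat() {
    status=0
    echo "== management webapps still deployed under $1/webapps"
    leftover_webapps "$1" || status=1
    echo "== world-writable paths under $1"
    world_writable "$1" || status=1
    if [ "$status" -eq 0 ]; then
        echo "OK: no stock management webapps, no world-writable paths"
    else
        echo "FAIL: remove the webapps listed and tighten the permissions"
    fi
    return $status
}

# Usage: sh tomcat_audit.sh /path/to/CATALINA_HOME
if [ "$#" -gt 0 ]; then
    audit_tomcat "$1"
fi
```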