tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Server Security
Date Wed, 25 Jul 2007 15:52:36 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mike,

Michael McQuade wrote:
> I'm
> running Tomcat 5.0.28 on a home server....  I want to allow people to
> look at a product I'm developing over the web....  But I am worried
> about my server being hacked....  Can anyone offer me some tips on
> how to protect it.....  I'm not very network savvy.....  Thank-You in
> advance....

Is your server connected directly to your Internet connection, or are
you using a router? If you are using a router, there's good news and bad
news. The good news is that nobody can hit your server directly from the
Internet, so you are relatively protected. The bad news is that you will
have to set up a port forwarding rule on your router so that people from
the Internet can get to your server. Since a port forwarding rule can be
limited to a single port, you don't have to worry about anyone hacking
/other/ services that might be running on your server -- at least not
directly.

Now, you just need to make sure that Tomcat is up-to-date and that your
application doesn't offer any juicy places to attack (like allowing a
remote user to submit code to be executed, etc.). As always, never run
Tomcat as an administrative user. Instead, run it as a regular user with
access only to files owned by the "tomcat" user (or whatever).

If you're really paranoid, you could run Tomcat using chroot (if you're
using anything UNIX-like) and/or run Tomcat with a SecurityManager
locking-down everything. Turning on a SecurityManager usually results in
you having to take a while to figure out everything that your
application needs and specifically granting access to it. (It's kind of
a headache).

Everything comes down to this:

1. Make sure your OS and app server are up-to-date with security
   patches.
2. Limit access to only what you need (forward only the one port).
3. Never run a service as root or administrator.
4. Make sure your application doesn't do anything stupid.

Hope that helps,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGp3HE9CaO5/Lv0PARAqCYAJ4v7W7XUDmv4K65c5uyDl89Vtzh7ACgjga6
+aA51gv8ZFrQdPB1LJ13qxg=
=nlpd
-----END PGP SIGNATURE-----
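The four-point list above is easy to state and easy to let slip over time. As an added example (not from the thread, and not Tomcat's own tooling), the POSIX shell script below audits three of those points on a UNIX-like host: no Tomcat process running as root, the SecurityManager switched on, and only the intended ports listening. The functions take text in the format of `ps -eo user,args` and `ss -ltn`, so they work on live output as well as on the constructed samples at the bottom. The process name pattern ("catalina"), the allowed port list and the sample lines are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit checks for the
# advice in Chris's reply. Inputs are plain text so the checks can be run
# over constructed samples (below) or over live `ps`/`ss` output.

# 0 if no process whose command line mentions "catalina" is owned by root.
# $1: text in the format of `ps -eo user,args`.
tomcat_not_root() {
    ps_text=$1
    printf '%s\n' "$ps_text" | awk '
        tolower($0) ~ /catalina/ && $1 == "root" { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# 0 if every catalina process was started with -Djava.security.manager
# (what `catalina.sh start -security` adds). 1 if none is running.
securitymanager_enabled() {
    ps_text=$1
    printf '%s\n' "$ps_text" | awk '
        tolower($0) ~ /catalina/ { n++; if ($0 ~ /-Djava\.security\.manager/) ok++ }
        END { exit (n > 0 && ok == n) ? 0 : 1 }'
}

# 0 if every LISTEN socket is on an allowed port.
# $1: text in the format of `ss -ltn`; $2: space-separated allow list.
# The port is the last colon-separated field of the local address, which
# also handles IPv6 forms such as [::]:8080.
only_allowed_ports() {
    ss_text=$1
    allowed=$2
    printf '%s\n' "$ss_text" | awk -v allowed="$allowed" '
        BEGIN { split(allowed, a, " "); for (i in a) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            n = split($4, parts, ":"); port = parts[n]
            if (!(port in ok)) bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample input (assumed output of a hardened home server).
SAMPLE_PS='USER     COMMAND
root     /usr/sbin/sshd -D
tomcat   /usr/bin/java -Djava.security.manager -Djava.security.policy=/opt/tomcat/conf/catalina.policy org.apache.catalina.startup.Bootstrap start'

SAMPLE_SS='State   Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN  0      128    0.0.0.0:22         0.0.0.0:*
LISTEN  0      100    *:8080             *:*'

# Run the three checks and report. To audit a live host, call
# audit "$(ps -eo user,args)" "$(ss -ltn)" "22 8080".
audit() {
    tomcat_not_root "$1"         && echo "ok: Tomcat is not running as root" || echo "FAIL: a Tomcat process runs as root"
    securitymanager_enabled "$1" && echo "ok: SecurityManager is enabled"    || echo "FAIL: SecurityManager not enabled"
    only_allowed_ports "$2" "$3" && echo "ok: only allowed ports listening"  || echo "FAIL: unexpected listening port"
}

audit "$SAMPLE_PS" "$SAMPLE_SS" "22 8080"
```

The listening-port check is the host-side half of "forward only the one port": the router rule limits what the Internet can reach, and this check tells you whether anything else has quietly started listening on the box behind it. The SecurityManager check only confirms the flag is present; whether catalina.policy grants the application more than it needs still has to be read by hand.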

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

