WebApp Sec mailing list archives
Re: Securing Tomcat
From: oc.rynning.no () securityfocus com
Date: 7 Jan 2006 00:34:35 -0000
Four (obvious) points:

* Run as a non-privileged user (you might want to use a pre-emptive kernel to ensure performance).

* Limit access to manager and administrator to localhost, admin-ip/-net (and choose a proper password).

* Change error messages (if the service is down, don't advertise the stack trace, give a generic apology). (This is security by obscurity, but nonetheless it hides specifics that may give an attacker information about possible injections or DoS.)

* Use a web tier:

  Firewall <-> (load balancer if it's for a web cluster) <-> Web frontend (Apache) <-> Firewall <-> Tomcat Application Server (cluster)

  For inexpensive solutions, i.e. use two Linux servers with packet filters...

For the connections between Apache and Tomcat you have several options. If you choose Apache, you have mod_jk, mod_jk2 (deprecated), mod_proxy_ajp, mod_proxy, mod_voodoo (my favourite). Alternatives to Apache can be simple proxying servers or caching proxies such as Squid (with an ipfilter redirect of port 80 to port 8080 on the application server). The point is that there are many options.

I usually use Apache2 with mod_voodoo or mod_proxy(_ajp) on the frontend and run Tomcat on its own server only accepting connections from the web frontend using iptables (netfilter). The downside with mod_proxy is that it is proxying, whereas voodoo forwards the client IP, etc.
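The four points above can be turned into a configuration audit. The script below is an added example, not part of the original post or of Tomcat itself: it parses a Tomcat server.xml, the manager webapp's context.xml, a web.xml and tomcat-users.xml and reports a finding for each point the files fail (JVM running as root, no RemoteAddrValve on the manager context, a default or weak manager password, no generic error page for 500/Throwable, connectors listening on every interface instead of only towards the web frontend). The sample XML, the 10.0.0.0/24 admin net and frontend address, the /error.html location and the user names are constructed assumptions; the RemoteAddrValve, error-page and Connector address elements are real Tomcat configuration.

```python
"""Audit Tomcat configuration files against the four hardening points in the post above.

Each audit_* function returns a list of findings (empty list = nothing to report).
All sample XML below is constructed for illustration; the addresses, the error page
location and the user names are assumptions, not values from any real deployment.
"""
import re
import xml.etree.ElementTree as ET

# --- constructed sample configs: a weak and a hardened variant of each file ---
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3"/>
</Service></Server>"""
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" address="10.0.0.20"/>
</Service></Server>"""
WEAK_MANAGER_CONTEXT_XML = """<Context privileged="true"/>"""
HARDENED_MANAGER_CONTEXT_XML = r"""<Context privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|10\.0\.0\.\d+"/>
</Context>"""
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1"/>"""
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <error-page><error-code>500</error-code><location>/error.html</location></error-page>
  <error-page><exception-type>java.lang.Throwable</exception-type><location>/error.html</location></error-page>
</web-app>"""
WEAK_USERS_XML = """<tomcat-users>
  <user username="tomcat" password="tomcat" roles="manager-gui,admin-gui"/>
</tomcat-users>"""
HARDENED_USERS_XML = """<tomcat-users>
  <user username="ops" password="REPLACE-WITH-A-LONG-RANDOM-SECRET" roles="manager-gui"/>
</tomcat-users>"""

WEAK_PASSWORDS = {"", "tomcat", "admin", "password", "manager", "s3cret", "changeme"}
EXTERNAL_PROBE_ADDR = "203.0.113.7"  # TEST-NET-3 address standing in for "any internet client"


def _local(tag):
    """Strip a namespace prefix like '{http://...}' from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _elements(xml_text, name):
    """All elements with the given local name, namespace-agnostic."""
    return [e for e in ET.fromstring(xml_text).iter() if _local(e.tag) == name]


def audit_runtime_user(euid):
    """Point 1: the JVM should not run as root."""
    return ["Tomcat runs as root (euid 0); run it as a dedicated non-privileged user"] if euid == 0 else []


def audit_manager_context(context_xml):
    """Point 2: manager/admin webapps reachable only from localhost or the admin net."""
    valves = [v for v in _elements(context_xml, "Valve")
              if v.get("className", "").endswith("RemoteAddrValve")]
    if not valves:
        return ["manager context has no RemoteAddrValve: manager/admin reachable from any address"]
    findings = []
    for v in valves:
        allow = v.get("allow", "")
        try:
            # RemoteAddrValve full-matches the client address against the allow regex.
            if not allow or re.fullmatch(allow, EXTERNAL_PROBE_ADDR):
                findings.append(f"RemoteAddrValve allow='{allow}' does not exclude external clients")
        except re.error as exc:
            findings.append(f"RemoteAddrValve allow='{allow}' is not a valid pattern: {exc}")
    return findings


def audit_users(users_xml):
    """Point 2, second half: privileged roles must not carry default or weak passwords."""
    findings = []
    for u in _elements(users_xml, "user"):
        name = u.get("username") or u.get("name", "")  # old tomcat-users.xml used 'name'
        pw, roles = u.get("password", ""), u.get("roles", "")
        if ("manager" in roles or "admin" in roles) and (pw.lower() in WEAK_PASSWORDS or pw == name):
            findings.append(f"user '{name}' has roles '{roles}' with a default/weak password")
    return findings


def audit_error_pages(web_xml):
    """Point 3: a generic error page so a 500 does not advertise the stack trace."""
    covered = {c.text.strip() for ep in _elements(web_xml, "error-page") for c in ep
               if _local(c.tag) in ("error-code", "exception-type") and c.text}
    if "500" in covered or "java.lang.Throwable" in covered:
        return []
    return ["no error-page for 500/java.lang.Throwable: default Tomcat page shows the stack trace"]


def audit_connectors(server_xml):
    """Point 4: Tomcat sits behind a frontend, so connectors should not face every interface."""
    findings = []
    for c in _elements(server_xml, "Connector"):
        proto, port = c.get("protocol", "HTTP/1.1"), c.get("port")
        if c.get("address", "0.0.0.0") in ("0.0.0.0", "::"):
            findings.append(f"{proto} connector on port {port} listens on all interfaces; "
                            "bind it to the frontend-facing address and filter with netfilter")
    return findings


def audit_all(server_xml, context_xml, web_xml, users_xml, euid):
    """Run every check and concatenate the findings."""
    return (audit_runtime_user(euid) + audit_manager_context(context_xml)
            + audit_users(users_xml) + audit_error_pages(web_xml) + audit_connectors(server_xml))


if __name__ == "__main__":
    for label, args in (("weak", (WEAK_SERVER_XML, WEAK_MANAGER_CONTEXT_XML, WEAK_WEB_XML, WEAK_USERS_XML, 0)),
                        ("hardened", (HARDENED_SERVER_XML, HARDENED_MANAGER_CONTEXT_XML,
                                      HARDENED_WEB_XML, HARDENED_USERS_XML, 1001))):
        findings = audit_all(*args)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

On a real installation you would read the four files from CATALINA_HOME/conf and webapps/manager/META-INF, and take the euid from the running java process; the check on the RemoteAddrValve pattern probes it with an address outside any private range, which catches both a missing attribute and an over-broad pattern such as ".*".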
Current thread:
- Re: Securing Tomcat oc . rynning . no (Jan 06)
- Re: Securing Tomcat Stephen de Vries (Jan 09)