Tuesday, November 30, 2010

Tomcat Hardening Recommendations

1. Run the server under a dedicated, unprivileged user account.
2. Put a firewall in front of the server and expose only the ports you actually serve.
3. Disable the connectors you don't need in server.xml (the stock file opens HTTP on 8080, AJP on 8009 and the shutdown listener on 8005).
4. Disable the admin/manager web applications completely, or configure them so that they require a proper username/password and accept connections only from known hosts.
5. Remove the examples application.
6. Use Apache HTTP Server in front of Tomcat and forward requests to it (normally over AJP).
7. Bind Tomcat only to the IPs and ports you need; a connector without an address attribute listens on all interfaces, so don't leave it that way.
8. Use server-minimal.xml instead of server.xml as your starting point (it makes the security review simpler ;-).
9. Check what you allow in Tomcat's default context.xml, web.xml and anything below your configured host.
10. Never run Tomcat as Administrator or root; the account from item 1 should exist for Tomcat alone.
11. Allow only that user to read Tomcat's files; deny access to every other user.
12. Make all files read-only, except those Tomcat needs to write to (logs, work and temp).

To allow or deny access from specific hosts or IP addresses, use the request filter valves. RemoteAddrValve matches the client IP address; RemoteHostValve matches the resolved host name, so for IP patterns RemoteAddrValve is the right class. In Tomcat 5.5/6 the allow and deny attributes are comma-separated regular expressions, so the dots have to be escaped; deny patterns are checked first, then allow, and a request that matches neither is refused with 403 (from Tomcat 7 on each attribute is a single regular expression, with alternatives joined by |).
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="10\.6\.1\.[0-9]+" deny="10\.6\.1\.1"/>

By setting the address attribute on the connector, the AJP listener is bound to one local interface only; with 127.0.0.1 only an Apache httpd on the same machine can reach it. Set xpoweredBy="false" as well, otherwise Tomcat advertises its Servlet/JSP version in an X-Powered-By header, and keep allowTrace="false" so TRACE requests are rejected:
<Connector address="127.0.0.1" port="8009"   enableLookups="false" redirectPort="8443" protocol="AJP/1.3"  allowTrace="false" xpoweredBy="false"/>

Log every request with the AccessLogValve, and place the address filter at host level so that it covers every web application under that host (when Apache forwards over AJP, the valve sees the original client address, not the proxy's):
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"  prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1,10\.6\.10\.[0-9]+" deny="10\.6\.10\.2"/>
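Putting the list and the fragments above together, here is an added example (not from the original post) of a hardened server.xml for a Tomcat 5.5/6 instance that sits behind Apache httpd on the same host. The shutdown string, the 10.6.10.0/24 intranet range, the excluded host 10.6.10.2 and the log file names are assumptions for illustration. Everything the list says to remove is simply absent: there is no HTTP connector, no examples or admin context, and nothing binds to all interfaces.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hardened server.xml (added example, Tomcat 5.5/6 syntax).
     Shutdown listener stays on loopback (the default) and the well-known
     "SHUTDOWN" command is replaced by a private string (assumed value). -->
<Server port="8005" address="127.0.0.1" shutdown="replace-me-with-a-secret">

  <!-- User database behind the realm: conf/tomcat-users.xml -->
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml"/>
  </GlobalNamingResources>

  <Service name="Catalina">

    <!-- The only connector that is actually used: AJP from Apache httpd on
         this machine. The HTTP connector on 8080 is deliberately absent.
         address= binds the listener to loopback, so nothing off-host reaches it.
         allowTrace=false rejects TRACE; xpoweredBy=false suppresses the
         X-Powered-By header that would reveal the Servlet/JSP version. -->
    <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
               enableLookups="false" redirectPort="8443"
               allowTrace="false" xpoweredBy="false"/>

    <Engine name="Catalina" defaultHost="localhost">

      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

      <!-- autoDeploy=false: a WAR dropped into webapps/ at runtime is not
           picked up. deployXML=false: an application's own META-INF/context.xml
           is ignored, so a WAR cannot grant itself privileged="true" or
           point at other resources. unpackWARs=false keeps each deployed
           application as one read-only archive. -->
      <Host name="localhost" appBase="webapps"
            unpackWARs="false" autoDeploy="false"
            deployOnStartup="true" deployXML="false">

        <!-- Request log in combined format (adds referer and user agent,
             which the "common" format lacks) -->
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="localhost_access_log." suffix=".txt"
               pattern="combined" resolveHosts="false"/>

        <!-- Host-level address filter: applies to every application under
             this host. Over AJP the valve sees the original client address
             that httpd forwards. Patterns are comma-separated regular
             expressions in Tomcat 5.5/6; deny is checked before allow.
             10.6.10.0/24 is an assumed intranet range, 10.6.10.2 an assumed
             host that must be kept out. -->
        <Valve className="org.apache.catalina.valves.RemoteAddrValve"
               allow="127\.0\.0\.1,10\.6\.10\.[0-9]+"
               deny="10\.6\.10\.2"/>
      </Host>
    </Engine>
  </Service>
</Server>
```

After restarting, confirm the result from the outside: `netstat -an` should show 8005 and 8009 listening on 127.0.0.1 only and nothing on 8080, and a request from 10.6.10.2 through httpd should come back as 403 and appear in the access log.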

To configure the admin/manager applications for Tomcat administration, copy admin.xml and manager.xml from the server\webapps location into D:\ApacheSoftwareFoundation\Tomcat5.5\conf\Catalina\localhost and restart Tomcat for the change to take effect. Whenever you change admin.xml, copy it to that location again and restart.

Always restrict the admin/manager applications to local or intranet IPs; never expose them over the Internet. Anyone who gets into the manager application can deploy a WAR of their choosing, which is remote code execution on the server.
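As an added example (not from the original post), this is what the manager.xml placed in conf\Catalina\localhost can look like once the manager application is restricted to loopback and the intranet. The docBase follows the Tomcat 5.5 layout and the 10.6.10.0/24 range is an assumption. Unlike a valve in server.xml, a valve inside the Context applies only to this one application, so the rest of the site can keep serving the Internet while the manager cannot be reached from it. The "proper username/password" half of item 4 still comes from conf/tomcat-users.xml (a user holding the manager role; from Tomcat 7 on the role is called manager-gui), which the ResourceLink below connects to.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/Catalina/localhost/manager.xml (added example, Tomcat 5.5 layout) -->
<Context docBase="${catalina.home}/server/webapps/manager"
         privileged="true" antiResourceLocking="false" antiJARLocking="false">

  <!-- Context-level address filter: only this application is restricted.
       127.0.0.1 for administration on the box itself; 10\.6\.10\.[0-9]+ is
       an assumed intranet range. Every other client is refused with 403
       before it is even offered the login prompt, so there is nothing to
       brute-force from outside. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1,10\.6\.10\.[0-9]+"/>

  <!-- Users and the manager role are read from conf/tomcat-users.xml
       through the global UserDatabase resource defined in server.xml -->
  <ResourceLink name="users" global="UserDatabase"
                type="org.apache.catalina.UserDatabase"/>
</Context>
```

Copy the same valve into admin.xml if you keep the admin application at all; if you do not use it, delete the context file instead, since an application that is not deployed needs no protection.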

For more information on securing Tomcat, refer to:
http://www.owasp.org/index.php/Securing_tomcat
http://www.unidata.ucar.edu/Projects/THREDDS/tech/reference/TomcatSecurity.html

1 comment:

  1. Good one; you can also refer to http://www.chandank.com/application-server/tomcat/apache-tomcat-hardening-and-security-guide