Posted to users@tomcat.apache.org by "Patel, Rajni M" <ra...@cgey.com> on 2002/07/23 20:17:23 UTC

Hardening Tomcat 3.2.4

I have tomcat installed and running on a Windows NT 4.0 SP6a box and need to
harden the installation.

The things that I have thought about and can do are:

1) Change the HTTP port in server.xml file from default value of 8080.
2) Remove the TOMCAT_HOME\examples directory
3) Remove the weapp\admin directory
4) Utilise a Firewall and restrict access to the NT box to IP Domain.

Is there anything else that I could do, like modify the tomcat.policy file,
but I'm a little unsure of what else needs to be done.

Thanks in advance for your help.

Rajni






--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Hardening Tomcat 3.2.4

Posted by Daniel Bruce Lynes <dl...@shaw.ca>.
On Thursday 25 July 2002 10:23, mls@VegInfo.com wrote:

> I posted a similar question a while ago and did not receive any
> answer from this list. Maybe folks on this list are admins/
> developers/programmers who are bothered mostly about the application
> itself and not security. Maybe there is an "overall security"
> list where such questions may be posed. Anybody have suggestions
> where questions such as these may be directed?

We are.  But I think a good number of us are probably running UNIX, or some 
variant thereof.

> It is probably a good idea to pay some attention to security.
> A snippet from my access_log (same IP - somebody is curious!)
> ----------------------------------------------
> [23/Jul/2002:11:49:38 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 648
> [23/Jul/2002:11:49:38 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 648
> [23/Jul/2002:11:49:38 -0800] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 718
> [23/Jul/2002:11:49:39 -0800] "GET

That's a script kiddy looking for nimda, code red, code red 2, or code green.  
To me, it's just a pain in the ass...flooding my bandwidth.  Doesn't pose any 
real threat.  But, there are certain versions of Tomcat 4.xx that may or may 
not be susceptible, and early versions of Apache 1.3.xx/Apache 2.xx for the 
unicode encoded urls, and of course IIS 4.0/5.0 if you're using the indexing 
server.



RE: Hardening Tomcat 3.2.4

Posted by Mike Jackson <mj...@cdi-hq.com>.
Oh, and then you'd of course want to remove all the webapps that you don't
use.
But that's kinda a no-brainer.

--mikej
-=-----
mike jackson
mjackson@cdi-hq.com



RE: Hardening Tomcat 3.2.4

Posted by Mike Jackson <mj...@cdi-hq.com>.
The problem is that the webserver (iis is a good example of the problem)
is still vulnerable to "strange" requests.  A firewall which inspects the
contents of the packets can be configured to block access to the web server
based on web apps.  That's really the only way to truly harden a web
server as I see it.

However this doesn't always need to be a true firewall that does the work,
it could be a specialized proxy that does the filtering.  Then the point
of presence is the proxy not the webserver, and you gain the benefit of
caching at the proxy as well.

But you're right, blocking access to ports is generally acceptable when
you're not dealing with particularly sensitive data.

--mikej
-=-----
mike jackson
mjackson@cdi-hq.com

-----Original Message-----
From: mls@VegInfo.com [mailto:mls@VegInfo.com]
Sent: Thursday, July 25, 2002 11:01 AM
To: Tomcat Users List
Subject: Re: Hardening Tomcat 3.2.4


Mike Jackson wrote:
> A firewall is probably the best way to harden tomcat.  Or any web server
> for that matter, however for a good one you're going to probably end up
> paying a large sum of money.  You could go on the cheaper side and only use
> a stateful port blocking firewall, but really to do it right you'll need
> a firewall that looks at data being sent to the server and then blocks
> on types of data rather than just the port.

Is iptables on Linux generally good enough(?), assuming the data
is not all that critical. Other than its basic functions, haven't
really looked at iptables to see whether it can interface with
any IDS...

das



Re: Hardening Tomcat 3.2.4

Posted by ml...@VegInfo.com.
Mike Jackson wrote:
> A firewall is probably the best way to harden tomcat.  Or any web server
> for that matter, however for a good one you're going to probably end up
> paying a large sum of money.  You could go on the cheaper side and only use
> a stateful port blocking firewall, but really to do it right you'll need
> a firewall that looks at data being sent to the server and then blocks
> on types of data rather than just the port.

Is iptables on Linux generally good enough(?), assuming the data
is not all that critical. Other than its basic functions, haven't
really looked at iptables to see whether it can interface with
any IDS...

das



RE: Hardening Tomcat 3.2.4

Posted by Mike Jackson <mj...@cdi-hq.com>.
A firewall is probably the best way to harden tomcat.  Or any web server
for that matter, however for a good one you're going to probably end up
paying a large sum of money.  You could go on the cheaper side and only use
a stateful port blocking firewall, but really to do it right you'll need
a firewall that looks at data being sent to the server and then blocks
on types of data rather than just the port.  That and a good IDS system
of some type, preferably with the ability to automajickally shutdown access
from ip's on the internet when it detects questionable traffic.  Cisco's
IDS will link up to their PIX firewall to do this, but the PIX is only
a stateful port blocking firewall.  You'd need another better firewall to
be sure of blocking everything in a more secure manner.

--mikej
-=-----
mike jackson
mjackson@cdi-hq.com



Re: Hardening Tomcat 3.2.4

Posted by ml...@VegInfo.com.
I posted a similar question a while ago and did not receive any
answer from this list. Maybe folks on this list are admins/
developers/programmers who are bothered mostly about the application
itself and not security. Maybe there is an "overall security"
list where such questions may be posed. Anybody have suggestions
where questions such as these may be directed?

On a different thread, some relevant info was posted...
http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg60278.html

It is probably a good idea to pay some attention to security.
A snippet from my access_log (same IP - somebody is curious!)
----------------------------------------------
[23/Jul/2002:11:49:38 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 648
[23/Jul/2002:11:49:38 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 648
[23/Jul/2002:11:49:38 -0800] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 718
[23/Jul/2002:11:49:39 -0800] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 687
[23/Jul/2002:11:49:39 -0800] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 687
[23/Jul/2002:11:49:39 -0800] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 721
[23/Jul/2002:11:49:39 -0800] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 715
[23/Jul/2002:11:55:24 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 648
[23/Jul/2002:11:55:24 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 648
[23/Jul/2002:11:55:25 -0800] "GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 718
[23/Jul/2002:11:55:25 -0800] "GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 687
[23/Jul/2002:11:55:25 -0800] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 687
[23/Jul/2002:11:55:25 -0800] "GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 721
[23/Jul/2002:11:55:25 -0800] "GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 715
----------------------------------------------

"Sexton, George" wrote:
> Think about the account you are running it under.

> -----Original Message-----
> From: Patel, Rajni M [mailto:rajni.patel@cgey.com]
> Sent: 23 July, 2002 12:17 PM
> I have tomcat installed and running on a Windows NT 4.0 SP6a box and need to
> harden the installation.
> 
> The things that I have thought about and I can do is:
> 
> 1) Change the HTTP port in server.xml file from default value of 8080.
> 2) Remove the TOMCAT_HOME\examples directory
> 3) Remove the weapp\admin directory
> 4) Utilise a Firewall and restrict access to the NT box to IP Domain.
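
Added example (not part of the original thread): a small detector for the request patterns in the access_log excerpt in this post, the kind of content check the thread's filtering proxy or IDS would apply. The function names and reason labels are assumptions made for this sketch, and the last sample line is constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Lines 1-5 are from the access_log excerpt in the post (wrapped lines rejoined);
# line 6 is a constructed benign request added for contrast.
SAMPLE_LOG = """\
[23/Jul/2002:11:49:38 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 648
[23/Jul/2002:11:49:38 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 718
[23/Jul/2002:11:49:39 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 687
[23/Jul/2002:11:49:39 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 721
[23/Jul/2002:11:49:39 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 715
[23/Jul/2002:11:50:02 -0800] "GET /docs/100%25.html HTTP/1.0" 200 1024
"""

LINE_RE = re.compile(r'\[([^\]]+)\] "\S+ (\S+) \S+" (\d{3}) \d+')
# Lead bytes 0xC0/0xC1 only ever begin an overlong two-byte UTF-8 form.
OVERLONG_RE = re.compile(rb"[\xc0\xc1][\x00-\xff]")
NESTED_RE = re.compile(rb"%[0-9a-fA-F]{2}")  # an escape that survives one decode
DOTDOT_RE = re.compile(rb"(?:^|[/\\])\.\.(?:[/\\]|$)")

def fold_overlong(match):
    # Lenient decode, as a careless parser would do it: no validity checks.
    lead, second = match.group(0)
    return bytes([((lead & 0x1F) << 6) | (second & 0x3F)])

def classify(uri):
    """Return the reasons a request path looks like a probe (empty set = clean)."""
    reasons = set()
    path = unquote_to_bytes(uri.split("?", 1)[0])
    if NESTED_RE.search(path):
        reasons.add("double-encoding")
    for _ in range(3):  # peel any remaining encoding layers, bounded
        path = unquote_to_bytes(path)
    if OVERLONG_RE.search(path):
        reasons.add("overlong-utf8")
        path = OVERLONG_RE.sub(fold_overlong, path)
    if DOTDOT_RE.search(path):
        reasons.add("traversal")
    if path.lower().endswith(b"cmd.exe"):
        reasons.add("shell-target")
    return reasons

def scan(log_text):
    """Return (timestamp, status, sorted reasons) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and (reasons := classify(m.group(2))):
            hits.append((m.group(1), int(m.group(3)), sorted(reasons)))
    return hits

if __name__ == "__main__":
    for ts, status, reasons in scan(SAMPLE_LOG):
        print(ts, status, ",".join(reasons))
```

Checking the path after full decoding, rather than matching the raw string, is what lets one rule cover every encoding variant in the excerpt.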



RE: Hardening Tomcat 3.2.4

Posted by "Sexton, George" <gs...@mhsoftware.com>.
Think about the account you are running it under.
