Posted to users@tomcat.apache.org by Michael McQuade <m....@sympatico.ca> on 2007/07/25 17:38:32 UTC

Server Security

Hi folks, hope someone can offer me a little bit of advice...  I'm running Tomcat 5.0.28 on a home server...  I want to allow people to look at a product I'm developing over the web...  But I am worried about my server being hacked...  Can anyone offer me some tips on how to protect it...  I'm not very network savvy...  Thank you in advance...

Mike

Re: Server Security

Posted by Len Popp <le...@gmail.com>.
There's no "handicap" under Windows - you can run a server on port 80 with
no problem, even if it's running under a user account.

On the other hand, for a demo site it's not such a big deal to use a
different port. Just makes the URL look a little uglier.
-- 
Len

On 7/26/07, Craig Skinner <cr...@kepax.co.uk> wrote:
>
> On Wed, Jul 25, 2007 at 01:37:03PM -0400, Len Popp wrote:
> > Yes, you can run Tomcat on port 80. Some OSes (Linux, UNIX) require
> > the process to have root privs to use port 80.
>
> Why not run it on 8080 as the _tomcat user, and use the packet filter to
> redirect the incoming port 80 traffic to port 8080?
>
> If you are handicapped by using Windows, your broadband router may be able
> to do port forwarding from its external interface, port 80, to your
> "server:8080"
>
> See: http://www.oreilly.com/catalog/tomcat/chapter/ch06.pdf
>
> Also covers security manager and some nice OpenBSD security tips that
> can be kludged on Linux.
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: Server Security

Posted by Craig Skinner <cr...@kepax.co.uk>.
On Wed, Jul 25, 2007 at 01:37:03PM -0400, Len Popp wrote:
> Yes, you can run Tomcat on port 80. Some OSes (Linux, UNIX) require
> the process to have root privs to use port 80.

Why not run it on 8080 as the _tomcat user, and use the packet filter to
redirect the incoming port 80 traffic to port 8080?

If you are handicapped by using Windows, your broadband router may be able
to do port forwarding from its external interface, port 80, to your
"server:8080"

See: http://www.oreilly.com/catalog/tomcat/chapter/ch06.pdf

Also covers security manager and some nice OpenBSD security tips that
can be kludged on Linux.

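Craig's packet-filter suggestion, worked through as an added example (this is not code from the thread, from Craig, or from Tomcat): a POSIX shell script that generates, and optionally applies, Linux iptables rules redirecting inbound TCP/80 to a Tomcat that listens on 8080 as an unprivileged user. It assumes Linux with iptables and the conntrack match, and takes the public interface name and both port numbers as arguments; those parameters are the example's own, nothing in the thread names them. It also assumes an existing INPUT policy that drops by default and already accepts ESTABLISHED,RELATED traffic, so only the rules for new connections to this service are generated.

```sh
#!/bin/sh
# Added example (not from the thread): serve port 80 from a Tomcat that
# runs on 8080 as an ordinary user, by redirecting at the packet filter.
# Assumes Linux, iptables and the conntrack match; IFACE, PUBLIC_PORT and
# SERVICE_PORT are this example's own parameters.

valid_port() {
    # Accept only a decimal number in 1..65535 (no service names, no empty string).
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

redirect_rules() {
    # Usage: redirect_rules IFACE PUBLIC_PORT SERVICE_PORT
    # Print the rules instead of running them, so they can be reviewed first.
    iface=$1 pub=$2 svc=$3
    valid_port "$pub" && valid_port "$svc" || return 1
    # 1. nat/PREROUTING: rewrite dport PUBLIC -> SERVICE before routing.
    # 2. filter/INPUT sees the rewritten dport (SERVICE), so match that, but
    #    only for connections whose original destination port was PUBLIC.
    # 3. Drop new connections that hit SERVICE directly on the public
    #    interface; without this, rule 2's ACCEPT would also expose 8080.
    cat <<EOF
iptables -t nat -A PREROUTING -i $iface -p tcp --dport $pub -j REDIRECT --to-ports $svc
iptables -A INPUT -i $iface -p tcp --dport $svc -m conntrack --ctstate NEW --ctorigdstport $pub -j ACCEPT
iptables -A INPUT -i $iface -p tcp --dport $svc -m conntrack --ctstate NEW -j DROP
EOF
}

apply_rules() {
    # Usage: apply_rules IFACE PUBLIC_PORT SERVICE_PORT
    # Validate first so a bad argument never leaves half a rule set behind,
    # and refuse to touch iptables as a non-root user.
    valid_port "$2" && valid_port "$3" || return 1
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must be root to change iptables" >&2
        return 1
    fi
    redirect_rules "$@" | sh -e
}

# Review, then apply:
#   redirect_rules eth0 80 8080
#   apply_rules eth0 80 8080
```

The point a first-timer usually gets wrong is in rule 2: the REDIRECT target rewrites the destination port before the INPUT chain runs, so an ACCEPT on port 80 would never match anything; the filter has to accept 8080, and `--ctorigdstport 80` keeps that ACCEPT from turning into a second, direct exposure of Tomcat's own port. After applying, `iptables -t nat -L PREROUTING -n` and `iptables -L INPUT -n` should show the three rules, and Tomcat itself keeps its default `Connector port="8080"` and still runs as the `_tomcat` (or `tomcat`) user. For the router case Craig mentions, the same 80 to 8080 forward is configured on the router and no host rules are needed.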


Re: Server Security

Posted by Len Popp <le...@gmail.com>.
Yes, you can run Tomcat on port 80. Some OSes (Linux, UNIX) require
the process to have root privs to use port 80.

Most important is to keep your OS and Tomcat up to date and use a
firewall - standard advice for connecting any computer to the
internet.

The fortunate thing that I've noticed is that there are very few
attempts to exploit security holes in Tomcat or the Apache web server.
The exploits I've seen in my web logs are targeted at IIS, PHP and
other things. There are security holes in Tomcat and Apache
(obviously, because they keep releasing patches for them) but no one
seems to bother trying to exploit them. And it's unlikely that the bad
guys will even notice your custom web app (although you should still
eliminate any vulnerabilities that you can of course).
-- 
Len


On 7/25/07, Michael McQuade <m....@sympatico.ca> wrote:
> Ummmm, also, can Tomcat be run on Port 80?
>
>
> ----- Original Message -----
> From: "Michael McQuade" <m....@sympatico.ca>
> To: "Tomcat Users List" <us...@tomcat.apache.org>
> Sent: Wednesday, July 25, 2007 11:38 AM
> Subject: Server Security
>
>
> Hi folks, hope someone can offer me a little bit of advice...  I'm running
> Tomcat 5.0.28 on a home server...  I want to allow people to look at a
> product I'm developing over the web...  But I am worried about my server
> being hacked...  Can anyone offer me some tips on how to protect it...
> I'm not very network savvy...  Thank you in advance...
>
> Mike
>
>



Re: Server Security

Posted by Steve Ochani <oc...@ncc.edu>.
On 25 Jul 2007 at 11:48, Michael McQuade wrote:

> Ummmm, also, can Tomcat be run on Port 80?

Yes you can, but be aware that a lot of ISPs (for home use anyway) block incoming
connections on port 80.



> 
> 
> ----- Original Message ----- 
> From: "Michael McQuade" <m....@sympatico.ca>
> To: "Tomcat Users List" <us...@tomcat.apache.org>
> Sent: Wednesday, July 25, 2007 11:38 AM
> Subject: Server Security
> 
> 
> Hi folks, hope someone can offer me a little bit of advice...  I'm
> running Tomcat 5.0.28 on a home server...  I want to allow people to
> look at a product I'm developing over the web...  But I am worried
> about my server being hacked...  Can anyone offer me some tips on how
> to protect it... I'm not very network savvy...  Thank you in
> advance...
> 
> Mike
> 
> 
> 





Re: Server Security

Posted by Michael McQuade <m....@sympatico.ca>.
Ummmm, also, can Tomcat be run on Port 80?


----- Original Message ----- 
From: "Michael McQuade" <m....@sympatico.ca>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Wednesday, July 25, 2007 11:38 AM
Subject: Server Security


Hi folks, hope someone can offer me a little bit of advice...  I'm running
Tomcat 5.0.28 on a home server...  I want to allow people to look at a
product I'm developing over the web...  But I am worried about my server
being hacked...  Can anyone offer me some tips on how to protect it...
I'm not very network savvy...  Thank you in advance...

Mike




Re: Server Security

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mike,

Michael McQuade wrote:
> I'm
> running Tomcat 5.0.28 on a home server...  I want to allow people to
> look at a product I'm developing over the web...  But I am worried
> about my server being hacked...  Can anyone offer me some tips on
> how to protect it...  I'm not very network savvy...  Thank you in
> advance...

Is your server connected directly to your Internet connection, or are
you using a router? If you are using a router, there's good news and bad
news. The good news is that nobody can hit your server directly from the
Internet, so you are relatively protected. The bad news is that you will
have to set up a port forwarding rule on your router so that people from
the Internet can get to your server. Since a port forwarding rule can be
limited to a single port, you don't have to worry about anyone hacking
/other/ services that might be running on your server -- at least not
directly.

Now, you just need to make sure that Tomcat is up to date and that your
application doesn't offer any juicy places to attack (like allowing a
remote user to submit code to be executed, etc.). As always, never run
Tomcat as an administrative user. Instead, run it as a regular user with
access only to files owned by the "tomcat" user (or whatever).

If you're really paranoid, you could run Tomcat using chroot (if you're
using anything UNIX-like) and/or run Tomcat with a SecurityManager
locking-down everything. Turning on a SecurityManager usually results in
you having to take a while to figure out everything that your
application needs and specifically granting access to it. (It's kind of
a headache).

Everything comes down to this:

1. Make sure your OS and app server are up-to-date with security
   patches.
2. Limit access to only what you need (forward only the one port).
3. Never run a service as root or administrator.
4. Make sure your application doesn't do anything stupid.

Hope that helps,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGp3HE9CaO5/Lv0PARAqCYAJ4v7W7XUDmv4K65c5uyDl89Vtzh7ACgjga6
+aA51gv8ZFrQdPB1LJ13qxg=
=nlpd
-----END PGP SIGNATURE-----

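Chris's points 3 and 4 above (never run the service as root; give it access only to what it needs), turned into a small audit script as an added example. This is not code from the thread, from Chris, or from Tomcat. It assumes Linux (`/proc/PID/status` for the process's UID) and a Tomcat layout with a `conf/` directory under CATALINA_HOME; the PID, directory and UID arguments are the example's own. The permission check goes one step further than Chris's wording: it treats the files in `conf/` as something the runtime user should be able to read but not write, because a compromised webapp that can rewrite `server.xml` or `tomcat-users.xml` has effectively escaped the "regular user" boundary he describes.

```sh
#!/bin/sh
# Added example (not from the thread): check that Tomcat runs unprivileged
# and cannot rewrite its own configuration. Assumes Linux /proc and a
# CATALINA_HOME/conf directory; PID, DIR and UID are example parameters.

process_uid() {
    # Usage: process_uid PID [STATUS_FILE]
    # Real UID from the "Uid:" line of /proc/PID/status (fields: real,
    # effective, saved, fs). The optional second argument overrides the
    # path so the function can be exercised against a constructed file.
    f=${2:-/proc/$1/status}
    [ -r "$f" ] || return 1
    awk '/^Uid:/ { print $2; exit }' "$f"
}

check_not_root() {
    # Usage: check_not_root PID [STATUS_FILE]; fails when the process is UID 0
    # or its status cannot be read.
    uid=$(process_uid "$@") || return 1
    [ -n "$uid" ] && [ "$uid" -ne 0 ]
}

check_conf_not_writable() {
    # Usage: check_conf_not_writable DIR UID
    # Fails if any regular file under DIR is world-writable (o+w) or is owned
    # by the runtime UID with the owner-write bit set: either one lets a
    # compromised webapp rewrite server.xml or tomcat-users.xml.
    dir=$1 uid=$2
    [ -d "$dir" ] || return 1
    if find "$dir" -type f \( -perm -002 -o \( -user "$uid" -perm -200 \) \) | grep -q .; then
        return 1
    fi
    return 0
}

audit_tomcat() {
    # Usage: audit_tomcat PID CATALINA_HOME
    # One line per check; non-zero exit if anything failed.
    pid=$1 home=$2 rc=0
    uid=$(process_uid "$pid") || uid=
    if [ -n "$uid" ] && [ "$uid" -ne 0 ]; then
        echo "ok    pid $pid runs as uid $uid"
    else
        echo "FAIL  pid $pid runs as root or could not be read"; rc=1
    fi
    if [ -n "$uid" ] && check_conf_not_writable "$home/conf" "$uid"; then
        echo "ok    $home/conf is read-only for uid $uid"
    else
        echo "FAIL  $home/conf has files that uid ${uid:-?} or anyone can write"; rc=1
    fi
    return $rc
}

# Example (paths are assumptions):
#   audit_tomcat "$(cat /var/run/tomcat.pid)" /opt/tomcat
```

The usual fix when the second check fails is `chown -R root:tomcat conf && chmod 640 conf/*` (owner root, group-readable for the service account), and the same reasoning applies to the Tomcat binaries under `bin/` and `lib/`: the service needs to read them, never to write them. Directories Tomcat legitimately writes to, such as `logs/`, `work/` and `temp/`, are deliberately outside this check.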