Posted to users@tomee.apache.org by zeeman <ha...@fastmail.us> on 2012/07/10 05:06:44 UTC

Tomee on port 80 on Linux in Production

I'll be releasing the first version of my web app on Amazon EC2 on Ubuntu
once Tomee 1.1 is released. I have the questions below:

1- Most Linux distros have a Tomcat package but not a Tomee package. Distros
include a simple way to use authbind to run Tomcat on port 80. Since I'll be
installing Tomee manually, not via a distro package, what do I need to do to
run Tomee on port 80 as an unprivileged user? 
A Tomcat example
http://case.bradysoftware.com/blog/2012/03/14/1331779080000.html

2- Is there any documentation on securing Tomee? I understand it's Tomcat
plus JavaEE but I figured I would ask in case there are Tomee-specific
details.

3- Any good guides on configuring Tomcat for production?

Some details are appreciated; it'll be a large web app and I don't want to have
any security risks. Thanks!

--
View this message in context: http://openejb.979440.n4.nabble.com/Tomee-on-port-80-on-Linux-in-Production-tp4656198.html
Sent from the OpenEJB User mailing list archive at Nabble.com.

Re: Tomee on port 80 on Linux in Production

Posted by Neale Rudd <ne...@metawerx.net>.
Hi Zeeman,

http://manpages.ubuntu.com/manpages/hardy/man1/authbind.1.html
Amongst other tips mentioned:

    authbind may not operate correctly with multithreaded programs. It is
    inherently very difficult (if not impossible) to perform the kind of
    trickery that authbind does while preventing all undesirable
    interactions between authbind's activities and those of (say) a
    threading runtime system.

For port-forwarding, most people either use dedicated hardware or iptables 
with a single DNAT target-rule to simply forward 80->8080 for the desired IP 
address (no need to use the FORWARD or REDIRECT targets).

As Anthony mentioned, this should be added to a startup script.

For security, you can chroot tomee, use HTTP DIGEST auth to prevent 
plain-text password transmission to the /tomee app or other apps if using 
HTTP, and enforce an internal policy of using SFTP/FTPES for file or 
sensitive data transfers requiring logins as opposed to plaintext protocols 
(e.g. Tomcat Manager over HTTP, standard FTP).

If using /tomee, Tomcat Manager or other Realm-based container security, 
TC7+ (and TomEE) have a LockOutRealm which can be used to protect against 
single-IP brute-forcing.

Also of course lock down other obvious vulnerabilities on a fresh VPS or 
dedicated server as detailed on numerous guides on the net and ideally add 
some sort of automated IP blocking system, IP blacklisting and IDS as a 
first line of defence against bots.

To increase SSL security, see ssllabs.com and the TC7 docs for guides.

And as mentioned earlier, uninstall anything you don't *require for 
production*, on the OS, and on TomEE, to further limit the attack surface.

Best Regards,
Neale Rudd
Metawerx Java Hosting
www.metawerx.net


----- Original Message ----- 
From: "zeeman" <ha...@fastmail.us>
To: <us...@openejb.apache.org>
Sent: Wednesday, July 11, 2012 1:02 AM
Subject: Re: Tomee on port 80 on Linux in Production



Re: Tomee on port 80 on Linux in Production

Posted by zeeman <ha...@fastmail.us>.
Thank you guys. I don't see why Apache needs to be used; if Tomcat is not
secure enough to run on its own then we should not be using it. Apache can be
used if static content or software load balancing are needed.

The other two options are to use port forwarding as suggested by Anthony, or
authbind (allows unprivileged users to run port 80). After reading around
online it seems that the latter option is the more reliable and performant
option. Forwarding by the OS will still take some extra time and complicate
server setup. Am I missing something?


Re: Tomee on port 80 on Linux in Production

Posted by Anthony Fryer <ap...@hotmail.com>.
I've got a tomee installation running on debian and it listens on port 80.
There's a few options. As already mentioned you could run apache httpd
server on port 80 and create a virtual host that reverse proxies to your
tomee server running on port 8080. I originally had that setup and it works
fine except I found that apache httpd was using more memory than I liked.
I could have reduced the memory consumption by tuning apache httpd server
but I opted to remove it altogether.

I replaced apache httpd reverse proxying with iptables configuration.  I
believe the following is debian specific, but there might be something
similar for Ubuntu.

The commands i used were...

/sbin/iptables -A FORWARD -p tcp --destination-port 80 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 80 --to-ports 8080
/sbin/iptables-save

With those commands, anything received on port 80 gets redirected to 8080 by
the operating system, so there is no memory overhead and tomee can continue
to run as an unprivileged user (i.e. tomcat or something like that).

I had an issue when the server was bounced.  My configuration wasn't
persisted, so additional configuration was required to allow the iptables
change to survive a reboot.

First create some iptables rules and list them:

iptables --list

If the listed rules satisfy your needs, then save them somewhere. I use
/etc/firewall.conf but this location is not fixed:

iptables-save > /etc/firewall.conf

Then create a script so ifupdown loads these rules on boot:

echo "#!/bin/sh" > /etc/init.d/iptables 
echo "iptables-restore < /etc/firewall.conf" >> /etc/init.d/iptables 
chmod 755 /etc/init.d/iptables

Now set that script to run at server start time:

update-rc.d iptables defaults


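
The redirect above, as an added example that is not Anthony's own script: a small POSIX shell helper that writes the 80 -> 8080 rules in iptables-save format so iptables-restore can load them at boot, adds the loopback OUTPUT rule that a PREROUTING-only setup misses for connections made on the server itself, and checks the saved file before it is trusted. The file path and the 8080 connector port are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): write the 80 -> 8080 redirect in
# iptables-save format so iptables-restore can load it at boot, and check
# the file before trusting it. Paths and the 8080 port are assumptions.
set -eu

# Assumed unprivileged port of TomEE's HTTP connector.
TOMEE_PORT=8080

# Emit the nat table. PREROUTING catches traffic arriving from the network;
# the OUTPUT rule on the loopback interface is the usual gotcha: without it,
# "curl http://localhost/" run on the server itself is not redirected.
gen_nat_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports $TOMEE_PORT
-A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-ports $TOMEE_PORT
COMMIT
EOF
}

# Write the ruleset to the file the boot script restores from
# ($1 = destination path; Anthony used /etc/firewall.conf).
write_rules() {
  gen_nat_rules > "$1"
  chmod 600 "$1"    # firewall rules are root-only configuration
}

# Sanity-check a saved file before loading it at boot: every table block
# must be closed by COMMIT, and the redirect must point at the TomEE port.
check_rules() {
  f=$1
  tables=$(grep -c '^\*' "$f")
  commits=$(grep -c '^COMMIT$' "$f")
  [ "$tables" -eq "$commits" ] || return 1
  grep -q -- "--dport 80 -j REDIRECT --to-ports $TOMEE_PORT" "$f"
}

# As root: write_rules /etc/firewall.conf && check_rules /etc/firewall.conf
# then have the boot script run: iptables-restore < /etc/firewall.conf
```

On Debian the saved file can equally be restored from an ifupdown hook in /etc/network/if-pre-up.d/ instead of the init.d script shown in the post.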

Re: Tomee on port 80 on Linux in Production

Posted by Martin Kjær Jørgensen <mk...@gotu.dk>.
I know my answer is not a guide, but I do not believe there is a definitive
guide, because security is not a product you buy or get, or a feature
you switch on.
This short guide covers very basic web.xml security settings.

http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files/

I would disable any feature and port, and undeploy all applications, not
needed for production (like the /docs application). Remember to keep it
all as simple as possible, so you at least have a chance to comprehend
what is happening.

You could also set up an Apache webserver with mod_jk, making it the
"front" server of your Tomcat backend. I have this setup running on an
OpenBSD front server and it works great.

You could also run Tomcat locked inside a chroot (jail), although this
takes some work and maintenance.

It really depends on what the application does and which features it
needs. The "art" of security is knowing exactly what your application(s)
are doing and what they need, and trying to limit them accordingly.

