Posted to users@tomcat.apache.org by Richard <ri...@gmail.com> on 2004/11/24 06:24:54 UTC

Protecting my web server

Hello Guys, 

Please advise.

For demo purposes I need to expose my machine to the web. I got a
public IP and have hosted my dev version of my webapp at port 80. I'm
using Tomcat 5. This machine should be running 24/7 for a couple of
days and I need to know how I can protect it.

Thanks in advance
Richard

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Protecting my web server

Posted by Andoni <an...@eurokom.ie>.
Also trim down your server.xml (over a number of days if necessary) to only
what is necessary.

If you only have to expose one webapp then only have one connector in that
service, and one engine which has the only host inside it as the default and
that has the only context inside it as your application.

Then put liveDeploy="false" and autoDeploy="false" in the <Host>.

Then you can go into %tomcat_home%/conf/web.xml and set "listings" parameter
to "false" so that nobody can see directory listings no matter what you do.

As for monitoring I would suggest putting an Apache web server in front of
your Tomcat server but if it's only for a short time this may be too much
hassle. What you can do instead is to add an Access log valve to your
<Engine> and monitor the contents of the access logs every day to see that
there are no hack attempts coming in through port 80.

Also you might download a free portscanner from the web to see what ports
are open on your machine. Once you have found the open ports use Windows to
close down the programs that are listening on them.

Best of luck.

Andoni.

----- Original Message ----- 
From: "Richard" <ri...@gmail.com>
Newsgroups: gmane.comp.jakarta.tomcat.user
Sent: Wednesday, November 24, 2004 6:14 AM
Subject: Re: Protecting my web server


> Thanks a lot
>
>
> On Wed, 24 Nov 2004 07:58:37 +0200, Quinton Delpeche
> <qu...@vippayroll.co.za> wrote:
> > On Wednesday 24 November 2004 07:49, Richard wrote:
> > > Hi Quinton,
> >
> > Can't really check, but the following guidelines are good:
> >
> > -> Make sure your tomcat user does not have admin privileges on the
> > server. (Not sure how to do this on Windows, I am a Linux person).
> >
> > -> Make sure your web-application doesn't have any funny code that might
> > get exploited by a proficient hacker (i.e. shell commands run as ROOT).
> >
> > -> Add a blank index.html to each directory of your web-app, this
> > prevents users from getting directory listings on your server.
> >
> > -> Ensure that you don't give away too much information in your URL
> > (using ? and & parameters). This can easily be prevented by implementing
> > SSL and ensuring that the users have to log on first.
> >
> > > How can you tell when your web-app is secure?
> > > Forgive me for asking too many questions, I'm just a newbie.
> >
> > No problem. I understand. :)
> >
> > > Thanks
> >
> >
> > Q
> > --
> > Quinton Delpeche
> > Internal Systems Developer
> > Softline VIP
> >
> > Telephone: +27 12 420 7000
> > Direct:    +27 12 420 7007
> > Facsimile: +27 12 420 7344
> >
> > http://www.vippayroll.co.za/
> >
> > For some reason, this fortune reminds everyone of Marvin Zelkowitz.
> >
> >
> >




Re: Protecting my web server

Posted by Richard <ri...@gmail.com>.
Thanks a lot


On Wed, 24 Nov 2004 07:58:37 +0200, Quinton Delpeche
<qu...@vippayroll.co.za> wrote:
> On Wednesday 24 November 2004 07:49, Richard wrote:
> > Hi Quinton,
> 
> Can't really check, but the following guidelines are good:
> 
> -> Make sure your tomcat user does not have admin privileges on the server.
> (Not sure how to do this on Windows, I am a Linux person).
> 
> -> Make sure your web-application doesn't have any funny code that might get
> exploited by a proficient hacker (i.e. shell commands run as ROOT).
> 
> -> Add a blank index.html to each directory of your web-app, this prevents
> users from getting directory listings on your server.
> 
> -> Ensure that you don't give away too much information in your URL (using ?
> and & parameters). This can easily be prevented by implementing SSL and
> ensuring that the users have to log on first.
> 
> > How can you tell when your web-app is secure?
> > Forgive me for asking too many questions, I'm just a newbie.
> 
> No problem. I understand. :)
> 
> > Thanks
> 
> 
> Q
> --
> Quinton Delpeche
> Internal Systems Developer
> Softline VIP
> 
> Telephone: +27 12 420 7000
> Direct:    +27 12 420 7007
> Facsimile: +27 12 420 7344
> 
> http://www.vippayroll.co.za/
> 
> For some reason, this fortune reminds everyone of Marvin Zelkowitz.
> 
> 
>



Re: Protecting my web server

Posted by Quinton Delpeche <qu...@vippayroll.co.za>.
On Wednesday 24 November 2004 07:49, Richard wrote:
> Hi Quinton,

Can't really check, but the following guidelines are good:

-> Make sure your tomcat user does not have admin privileges on the server.
(Not sure how to do this on Windows, I am a Linux person).

-> Make sure your web-application doesn't have any funny code that might get 
exploited by a proficient hacker (i.e. shell commands run as ROOT).

-> Add a blank index.html to each directory of your web-app, this prevents 
users from getting directory listings on your server.

-> Ensure that you don't give away too much information in your URL (using ? 
and & parameters). This can easily be prevented by implementing SSL and 
ensuring that the users have to log on first.

> How can you tell when your web-app is secure?
> Forgive me for asking too many questions, I'm just a newbie.

No problem. I understand. :)

> Thanks
Q
-- 
Quinton Delpeche
Internal Systems Developer
Softline VIP

Telephone: +27 12 420 7000
Direct:    +27 12 420 7007
Facsimile: +27 12 420 7344

http://www.vippayroll.co.za/

For some reason, this fortune reminds everyone of Marvin Zelkowitz.

Re: Protecting my web server

Posted by Richard <ri...@gmail.com>.
Hi Quinton,

How can you tell when your web-app is secure?
Forgive me for asking too many questions, I'm just a newbie.


Thanks


On Wed, 24 Nov 2004 07:46:35 +0200, Quinton Delpeche
<qu...@vippayroll.co.za> wrote:
> On Wednesday 24 November 2004 07:36, Richard wrote:
> > Hi Quinton / Guys,
> >
> > I'm running on Win XP SP2 and have turned on the bundled firewall. I'm
> > currently scanning on Sygate online scan. So far only port 80 is open.
> 
> Then your machine should be secure.
> 
> Just make sure that all the latest security patches/updates have been
> installed.
> 
> As long as only Port 80 is open you should be fine.
> As long as your web-application is secure you should also be fine.
> 
> Good luck. :)
> 
> 
> 
> Q
> --
> Quinton Delpeche
> Internal Systems Developer
> Softline VIP
> 
> Telephone: +27 12 420 7000
> Direct:    +27 12 420 7007
> Facsimile: +27 12 420 7344
> 
> http://www.vippayroll.co.za/
> 
> Too much of a good thing is WONDERFUL.
>                 -- Mae West
> 
> 
>



Re: Protecting my web server

Posted by Quinton Delpeche <qu...@vippayroll.co.za>.
On Wednesday 24 November 2004 07:36, Richard wrote:
> Hi Quinton / Guys,
>
> I'm running on Win XP SP2 and have turned on the bundled firewall. I'm
> currently scanning on Sygate online scan. So far only port 80 is open.

Then your machine should be secure.

Just make sure that all the latest security patches/updates have been 
installed.

As long as only Port 80 is open you should be fine.
As long as your web-application is secure you should also be fine.

Good luck. :)

Q
-- 
Quinton Delpeche
Internal Systems Developer
Softline VIP

Telephone: +27 12 420 7000
Direct:    +27 12 420 7007
Facsimile: +27 12 420 7344

http://www.vippayroll.co.za/

Too much of a good thing is WONDERFUL.
		-- Mae West

Re: Protecting my web server

Posted by Richard <ri...@gmail.com>.
Hi Quinton / Guys,

I'm running on Win XP SP2 and have turned on the bundled firewall. I'm
currently scanning on Sygate online scan. So far only port 80 is open.


On Wed, 24 Nov 2004 07:29:58 +0200, Quinton Delpeche
<qu...@vippayroll.co.za> wrote:
> On Wednesday 24 November 2004 07:24, Richard wrote:
> > Hello Guys,
> 
> Hi,
> 
> -> If possible load a firewall on the server or before the server with port
> forwarding.
> 
> -> Close all ports that are not required 110 25 22 21 23 etc.
> 
> -> Disable all services that are not required.
> 
> -> Load a tripwire if possible.
> 
> -> Monitor your server closely.
> 
> 
> 
> > Please advise.
> >
> > For demo purposes I need to expose my machine to the web. I got a
> > public IP and have hosted my dev version of my webapp at port 80. I'm
> > using Tomcat 5. This machine should be running 24/7 for a couple of
> > days and I need to know how I can protect it.
> >
> > Thanks in advance
> > Richard
> Q
> --
> Quinton Delpeche
> Internal Systems Developer
> Softline VIP
> 
> Telephone: +27 12 420 7000
> Direct:    +27 12 420 7007
> Facsimile: +27 12 420 7344
> 
> http://www.vippayroll.co.za/
> 
> A novice was trying to fix a broken Lisp machine by turning the power
> off and on.  Knight, seeing what the student was doing spoke sternly:
> "You can not fix a machine by just power-cycling it with no
> understanding of what is going wrong."  Knight turned the machine off
> and on.  The machine worked.
> 
> 
>



Re: Protecting my web server

Posted by Quinton Delpeche <qu...@vippayroll.co.za>.
On Wednesday 24 November 2004 07:24, Richard wrote:
> Hello Guys,

Hi,

-> If possible load a firewall on the server or before the server with port 
forwarding.

-> Close all ports that are not required 110 25 22 21 23 etc.

-> Disable all services that are not required.

-> Load a tripwire if possible.

-> Monitor your server closely.

> Please advise.
>
> For demo purposes I need to expose my machine to the web. I got a
> public IP and have hosted my dev version of my webapp at port 80. I'm
> using Tomcat 5. This machine should be running 24/7 for a couple of
> days and I need to know how I can protect it.
>
> Thanks in advance
> Richard
Q
-- 
Quinton Delpeche
Internal Systems Developer
Softline VIP

Telephone: +27 12 420 7000
Direct:    +27 12 420 7007
Facsimile: +27 12 420 7344

http://www.vippayroll.co.za/

A novice was trying to fix a broken Lisp machine by turning the power
off and on.  Knight, seeing what the student was doing spoke sternly:
"You can not fix a machine by just power-cycling it with no
understanding of what is going wrong."  Knight turned the machine off
and on.  The machine worked.

Re: Protecting my web server

Posted by Tim Funk <fu...@joedog.org>.
If a limited number of people need to see your machine and you know their IP
addresses or domain names, you can use the RemoteAddrValve.

-Tim

Richard wrote:

> Hello Guys, 
> 
> Please advise.
> 
> For demo purposes I need to expose my machine to the web. I got a
> public IP and have hosted my dev version of my webapp at port 80. I'm
> using Tomcat 5. This machine should be running 24/7 for a couple of
> days and I need to know how I can protect it.
> 

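Putting Andoni's trimmed server.xml advice and Tim's RemoteAddrValve suggestion together, here is an added example of a minimal Tomcat 5 conf/server.xml for a single demo webapp (this is not from the thread; the application directory "myapp" and the allowed client addresses are made up):

```xml
<!-- Added example: minimal Tomcat 5 server.xml for one demo webapp.
     Assumptions: the app is unpacked in webapps/myapp, and the people who
     need to see the demo come from 203.0.113.0/24 or 198.51.100.7
     (constructed addresses from the documentation ranges). -->
<Server port="8005" shutdown="replace-with-a-random-string">
  <!-- The shutdown listener above binds to 127.0.0.1 only, so it is not
       reachable from the network; still change the default "SHUTDOWN" word. -->
  <Service name="Catalina">

    <!-- The only connector: plain HTTP on port 80. No AJP (8009) or HTTPS
         connector, so Tomcat itself listens on nothing else. -->
    <Connector port="80" maxThreads="50" connectionTimeout="20000"
               enableLookups="false" />

    <Engine name="Catalina" defaultHost="localhost">

      <!-- Access log on the Engine, as Andoni suggests; review it daily.
           Written to %tomcat_home%/logs/access_log.YYYY-MM-DD.txt. -->
      <Valve className="org.apache.catalina.valves.AccessLogValve"
             directory="logs" prefix="access_log." suffix=".txt"
             pattern="combined" resolveHosts="false" />

      <!-- Tim's RemoteAddrValve, placed on the Engine so it covers every
           request. "allow" is a comma-separated list of regular expressions
           matched against the client IP; any client not matching is refused.
           Dots are escaped because the value is a regex, not a plain list. -->
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             allow="203\.0\.113\.\d+,198\.51\.100\.7" />

      <!-- One Host, which is the default host, with deployment switched off
           so nothing dropped into webapps/ is picked up while the box is
           exposed. -->
      <Host name="localhost" appBase="webapps" unpackWARs="true"
            autoDeploy="false" liveDeploy="false">

        <!-- One Context: the demo application, served as the root webapp. -->
        <Context path="" docBase="myapp" reloadable="false" />

      </Host>
    </Engine>
  </Service>
</Server>
```

Directory listings are not controlled here but in conf/web.xml: set the DefaultServlet's "listings" init-param to "false", as Andoni describes, and restart Tomcat for both files to take effect.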