
The Bonsai Framework also provides a pre-packaged portable and secured version of Tomcat. This document outlines the hardening steps taken.

The steps begin with the tar.gz distribution of Tomcat from the Apache website and start in the directory into which it is extracted. For example,

Code Block
languagebash
sudo su - serveradmin # log in as the user who will be running the service
tar -xvzpf apache-tomcat-6.0.32.tar.gz # -p preserves the permissions shipped in the archive
mkdir apache
mv ./apache-tomcat-6.0.32/ ./apache/

To keep scripts consistent, the BonsaiFramework uses the standard directory name described in Portable Tomcat 6.x & Instances.

Code Block
languagebash
cd apache
mv ./apache-tomcat-6.0.32/ ./tomcat.0/

As a user with sudo rights,

Code Block
languagebash
sudo mv ./apache/ /opt/apache/

This document is for reference. To get up and running, go ahead and download Bonsai Framework Tomcat 6.0.32.

Remove Unnecessary Files

Delete the sample applications,

Code Block
languagebash
cd /opt/apache/tomcat.0/webapps
rm -rf docs examples

We recommend against using the Manager application, so remove it as well,

Code Block
languagebash
# You should still be in the webapps directory
rm -rf host-manager manager

Remove Unnecessary Ports

By default Tomcat listens on the following ports,

  • 8080 - HTTP port for the application server
  • 8009 - AJP port used by mod_jk

In the BonsaiFramework we place Apache in front of Tomcat, so 8080 is not needed. Edit /opt/apache/tomcat.0/conf/server.xml and comment out the 8080 connector,

Code Block
languagehtml/xml
<!--
<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8643" />
-->

Clear Text Passwords

When configuring resources such as JDBC, Tomcat only supports clear text usernames and passwords in server.xml. If untarred per the BonsaiFramework instructions, server.xml is by default readable only by serveradmin.

Typical encryption or obfuscation generally does not provide much additional protection. These points and opinions are explained in detail by OWASP and The Center for Internet Security.
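The following audit script is added here as an example and is not part of the Bonsai Framework's own tooling. It checks the state this page arrives at: the sample and manager applications removed, the 8080 connector commented out in server.xml, and server.xml readable only by its owner. It assumes the /opt/apache/tomcat.0 layout above; the function names and the sample tree built by demo() are constructed for the example.

```shell
#!/usr/bin/env bash
# Added audit helper (not Bonsai Framework code): verifies the hardened state
# this page describes for a Tomcat root such as /opt/apache/tomcat.0.
# Returns 0 when none of the deleted sample/management apps is still deployed.
check_webapps() {
    local root="$1" app rc=0
    for app in docs examples host-manager manager; do
        if [ -e "$root/webapps/$app" ]; then
            echo "FAIL: $root/webapps/$app still present"; rc=1
        fi
    done
    return $rc
}

# Returns 0 when server.xml has no active <Connector> on the given port. XML
# comments are stripped first, so a commented-out connector counts as disabled.
# Assumes port= is on the Connector's opening line, as in the stock server.xml.
check_connector_disabled() {
    local xml="$1" port="$2"
    if sed -e 's/<!--.*-->//g' -e '/<!--/,/-->/d' "$xml" \
        | grep -q "<Connector[^>]*port=\"$port\""; then
        echo "FAIL: active Connector on port $port in $xml"; return 1
    fi
    return 0
}

# Returns 0 when server.xml is readable by its owner only (it may hold
# clear-text JDBC credentials). Works with GNU (Linux) and BSD (macOS) stat.
check_server_xml_perms() {
    local xml="$1" mode
    mode=$(stat -c '%a' "$xml" 2>/dev/null || stat -f '%Lp' "$xml")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "FAIL: $xml mode $mode is group/world readable"; return 1 ;;
    esac
}

# Builds a constructed sample tree (not a real install) in a temp dir and runs
# all three checks against it; returns 0 when every check passes.
demo() {
    local root rc; root=$(mktemp -d)
    mkdir -p "$root/webapps/ROOT" "$root/conf"
    printf '%s\n' '<!--' '<Connector port="8080" protocol="HTTP/1.1" />' '-->' \
        '<Connector port="8009" protocol="AJP/1.3" />' > "$root/conf/server.xml"
    chmod 600 "$root/conf/server.xml"
    check_webapps "$root" && check_connector_disabled "$root/conf/server.xml" 8080 \
        && check_server_xml_perms "$root/conf/server.xml"
    rc=$?; rm -rf "$root"; return $rc
}
[ "${BASH_SOURCE:-$0}" = "$0" ] && demo
```

Run it against a live install with the functions pointed at /opt/apache/tomcat.0 and /opt/apache/tomcat.0/conf/server.xml; any FAIL line means one of the steps above was skipped or undone.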

Note

I actually can think of a solution that uses the system's own hardware and a password to bind the encrypted value to the system.

References

http://blogs.mulesoft.org/is-your-tomcat-secure/ - looks like a good lead.

http://www.cisecurity.org/resources-publications/ - Security Benchmark

https://www.owasp.org/index.php/Securing_tomcat/ - OWASP