Comment: modify ServerInfo.properties

...

The steps begin with a tar.gz version of Tomcat from the Apache website, and the setup begins in the serveradmin home directory.

```bash
sudo su - serveradmin # log in as the user who will be running the service
tar -xvpf apache-tomcat-6.0.32.tar.gz
mkdir apache
mv ./apache-tomcat-6.0.32/ ./apache/
```

...

Remove Server Information Details

By default, Tomcat discloses server details to clients through the server.info string stored in catalina.jar. An attacker could use this information to determine vulnerabilities.

Temporarily Set Up Java Development Kit

To work with catalina.jar, we will use the jar command provided with the Java Development Kit (JDK). If the JDK is not installed on your Ubuntu server, refer to 9.0 Zero Footprint Java on Ubuntu to temporarily set up your JDK in the java directory of the serveradmin home directory.

Modify ServerInfo.properties

```bash
export PATH=$PATH:~/java/bin # Temporarily add the JDK execution directory to serveradmin path
cd ~/apache/tomcat.0/lib
jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
```

This will extract the /home/serveradmin/apache/tomcat.0/lib/org/apache/catalina/util/ServerInfo.properties file. Change the file to read:

ServerInfo.properties

```
server.info=Private Server information
server.number=Private Server Number
server.built=Private Server Built Date
```

Verify Changes

Clear Text Passwords

When configuring resources such as JDBC, Tomcat only supports clear text username and password in server.xml. By default, if untarred per the BonsaiFramework instructions, server.xml will only be readable by serveradmin.
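
The script below is an added example, not part of the original page. It checks the two hardening points above: that the extracted ServerInfo.properties no longer carries a product name, version number or build year, and that conf/server.xml grants nothing to group or other. The function names and the constructed sample tree are assumptions; on a real host, pass the Tomcat directory (~/apache/tomcat.0 on this page) to the functions.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical;
# the file locations under the Tomcat directory follow the page.

# Succeeds only if the override file sets all three keys to values that carry
# no product name, version number or build year.
check_serverinfo() {
    props="$1/lib/org/apache/catalina/util/ServerInfo.properties"
    [ -f "$props" ] || { echo "MISSING: $props"; return 1; }
    rc=0
    for key in server.info server.number server.built; do
        # "." in $key acts as a regex wildcard here, harmless for these names
        value=$(sed -n "s/^$key[[:space:]]*=[[:space:]]*//p" "$props" | tail -n 1)
        if [ -z "$value" ]; then
            echo "UNSET: $key"; rc=1
        elif printf '%s\n' "$value" | grep -Eiq 'tomcat|[0-9]+\.[0-9]+|(19|20)[0-9]{2}'; then
            echo "LEAK: $key=$value"; rc=1
        fi
    done
    return $rc
}

# Succeeds only if conf/server.xml grants nothing to group or other.
check_server_xml_perms() {
    xml="$1/conf/server.xml"
    [ -f "$xml" ] || { echo "MISSING: $xml"; return 1; }
    bits=$(ls -ld "$xml" | cut -c5-10)   # group and other permission bits
    [ "$bits" = "------" ] && return 0
    echo "EXPOSED: $xml group/other bits are '$bits'"
    return 1
}

# Constructed sample tree standing in for ~/apache/tomcat.0 so the checks run offline.
demo=$(mktemp -d)
mkdir -p "$demo/lib/org/apache/catalina/util" "$demo/conf"
cat > "$demo/lib/org/apache/catalina/util/ServerInfo.properties" <<'EOF'
server.info=Private Server information
server.number=Private Server Number
server.built=Private Server Built Date
EOF
echo '<Server/>' > "$demo/conf/server.xml"
chmod 600 "$demo/conf/server.xml"

check_serverinfo "$demo" && echo "ServerInfo.properties: no version details"
check_server_xml_perms "$demo" && echo "server.xml: owner-only"
```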

...