www.bonsaiframework.com
Page tree
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 18 Next »

The Bonsai Framework also provides a pre-packaged portable and secured version of Tomcat. This document outlines the hardening steps taken.

Unzip

The steps begin with a tar.gz version of Tomcat from the Apache website and starts in the root directory of Tomcat.

sudo serveradmin # log in as the user who will be running the service
tar -xvpf apache-tomcat-6.0.32
mkdir apache
mv ./apache-tomcat-6.0.32/ ./apache/

To make scripts consistent, the BonsaiFramework uses a standard name as described in Portable Tomcat 6.x & Instances.

cd apache
mv apache-tomcat-6.0.32 tomcat.0

Change Folder and File Permissions

Only svradm and members of the staff group should have access to work with Tomcat. As a sudo enabled user,

sudo chown -R svradm:staff ./tomcat.0/ 
chmod 750 ./tomcat.0/

Remove Unnecessary Files

Delete sample applications,

cd /opt/apache/tomcat.0/webapps
rm -rf docs examples

We recommend against using the Manager application,

# You should still be in the webapps directory
rm -rf host-manager manager

Per p9 of Center for Internet Security, Security Configuration Benchmark for Apache Tomcat 5.5/6.0 Version 1.0.0.

Remove Unnecessary Ports

By default Tomcat listens to the following ports,

  • 8080 - http port for the application server
  • 8009 - http port use by mod_jk

In the BonsaiFramework we front Apache in front of Tomcat, as such we do not need 8080. Edit /opt/apache/tomcat.0/conf/server.xml and comment out 8080,

<!--
<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8643" />
-->

Per p11 of Center for Internet Security, Security Configuration Benchmark for Apache Tomcat 5.5/6.0 Version 1.0.0.

Remove Server Information Details

...

Clear Text Passwords

When configuring resources such as JDBC, Tomcat only supports clear text username and password in server.xml. By default, if untarred per the BonsaiFramework instructions, server.xml will only be readable by serveradmin.

Typical encryption or obfuscation generally do not provide much addition protection. These points and opinions are explained in detail by OSWASP and The Center for Internet Security.

I actually can think of a solution that uses the system's own hardware and a password to bind the encrypted value to the system.

References

http://blogs.mulesoft.org/is-your-tomcat-secure/ - looks like a good lead.

http://www.cisecurity.org/resources-publications/ - Security Benchmark

https://www.owasp.org/index.php/Securing_tomcat/ - OWASP

  • No labels