The Bonsai Framework also provides a pre-packaged portable and secured version of Tomcat. This document outlines the hardening steps taken.
The steps begin with a tar.gz distribution of Tomcat from the Apache website and start in the directory that will hold the Tomcat root. For example,
sudo su - serveradmin   # log in as the user who will be running the service
tar -xvpf apache-tomcat-6.0.32.tar.gz
mkdir apache
mv ./apache-tomcat-6.0.32/ ./apache/
To make scripts consistent, the BonsaiFramework uses symbolic links as described in Portable Tomcat 6.x & Instances.
cd apache/
ln -s ./apache-tomcat-6.0.32/ ./tomcat.0
As a user with sudo rights,
sudo mv ./apache/ /opt/apache/
This document is for reference. To get up and started, go ahead and download Bonsai Framework Tomcat 6.0.32.
Remove Unnecessary Files
Delete the documentation and sample applications,
cd /opt/apache/apache-tomcat-6.0.32/webapps
rm -rf docs examples
We recommend against deploying the Manager and Host Manager applications, so remove them as well,
# You should still be in the webapps directory
rm -rf host-manager manager
Remove Unnecessary Ports
By default the Tomcat 6 server.xml configures the following ports,
- 8080 - HTTP connector for the application server
- 8009 - AJP connector, used by mod_jk (and mod_proxy_ajp) to pass requests from Apache
- 8005 - shutdown port; any local process that can connect to it and send the shutdown string can stop Tomcat
In the BonsaiFramework we put Apache in front of Tomcat, so the HTTP connector on 8080 is not needed and only the AJP connector should remain, bound to the loopback address. Edit /opt/apache/
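The following script is an added example for this page, not Bonsai Framework or Apache code. It audits the Connector elements of a Tomcat 6 server.xml, removes the HTTP/1.1 connector, and binds the AJP connector to 127.0.0.1 so that only the local Apache instance can reach it. The sample server.xml is constructed here to match the default Tomcat 6 layout; the element and attribute names (Server, Service, Connector, port, protocol, address) are the real Tomcat ones, the file content itself is made up for the example.

```python
"""Audit and harden the Connector elements of a Tomcat 6 server.xml.

Added example for this page (not Bonsai Framework code). The constructed
sample below mirrors the default Tomcat 6 server.xml: HTTP/1.1 on 8080 and
AJP/1.3 on 8009, both without an address attribute, which means Tomcat binds
them on every interface.
"""
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements that matter for the audit.
DEFAULT_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def listening_connectors(xml_text):
    """Return (port, protocol, address) for every Connector in the file.

    A Connector with no protocol attribute is an HTTP/1.1 connector in Tomcat 6,
    and a missing address means Tomcat listens on all interfaces, so None is
    reported for it rather than a default.
    """
    root = ET.fromstring(xml_text)
    return [(c.get("port"), c.get("protocol", "HTTP/1.1"), c.get("address"))
            for c in root.iter("Connector")]


def exposed_connectors(xml_text):
    """Connectors reachable from other hosts: no address, or a non-loopback one."""
    return [c for c in listening_connectors(xml_text) if c[2] not in LOOPBACK]


def harden_server_xml(xml_text, keep_protocol="AJP/1.3", bind="127.0.0.1"):
    """Drop every Connector except keep_protocol and bind the survivors to `bind`.

    Returns the rewritten XML as text. Only Connector elements are touched;
    the Server shutdown port and everything under Engine are left alone.
    """
    root = ET.fromstring(xml_text)
    for service in root.iter("Service"):
        for conn in list(service.findall("Connector")):
            if conn.get("protocol", "HTTP/1.1") != keep_protocol:
                service.remove(conn)          # e.g. the 8080 HTTP connector
            else:
                conn.set("address", bind)     # AJP only answers Apache on this host
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", exposed_connectors(DEFAULT_SERVER_XML))
    hardened = harden_server_xml(DEFAULT_SERVER_XML)
    print("after: ", listening_connectors(hardened))
    print("still exposed:", exposed_connectors(hardened))
```

Run exposed_connectors against the real /opt/apache/tomcat.0/conf/server.xml after editing it to confirm nothing is left listening on all interfaces. One caveat when writing the result back with this script: xml.etree discards XML comments on re-serialization, and the stock server.xml is mostly comments, so either edit the file by hand following the same rule (remove the HTTP connector, add address="127.0.0.1" to the AJP connector) or parse with ET.XMLParser(target=ET.TreeBuilder(insert_comments=True)) on Python 3.8 or later to keep them.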
References
http://blogs.mulesoft.org/is-your-tomcat-secure/ - looks like a good lead.
http://www.cisecurity.org/resources-publications/ - Security Benchmark