The Bonsai Framework also provides a pre-packaged portable and secured version of Tomcat. This document outlines the hardening steps taken.
Unzip
The steps begin with the tar.gz distribution of Tomcat from the Apache website and start in the directory that will hold the Tomcat root.
sudo su - serveradmin   # log in as the user who will be running the service
tar -xvpzf apache-tomcat-6.0.32.tar.gz
mkdir apache
mv ./apache-tomcat-6.0.32/ ./apache/
To make scripts consistent, the BonsaiFramework uses a standard name as described in Portable Tomcat 6.x & Instances.
cd apache
mv apache-tomcat-6.0.32 tomcat.0
Change Folder and File Permissions
Only serveradmin and members of the staff group should have access to work with Tomcat. As a sudo-enabled user:
sudo chown -R serveradmin:staff ./tomcat.0/
sudo chmod 750 ./tomcat.0/
Remove Unnecessary Files
Delete the sample applications:
cd /opt/apache/tomcat.0/webapps
rm -rf docs examples
We recommend against using the Manager application, so remove it as well:
# You should still be in the webapps directory
rm -rf host-manager manager
Per p. 9 of the Center for Internet Security, Security Configuration Benchmark for Apache Tomcat 5.5/6.0, Version 1.0.0.
Remove Unnecessary Ports
By default Tomcat listens on the following ports:
- 8080 - HTTP port for the application server
- 8009 - AJP port used by mod_jk
In the BonsaiFramework we put Apache in front of Tomcat, so 8080 is not needed. Edit /opt/apache/tomcat.0/conf/server.xml and comment out the 8080 connector:
<!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8643" /> -->
Per p. 11 of the Center for Internet Security, Security Configuration Benchmark for Apache Tomcat 5.5/6.0, Version 1.0.0.
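The permission, file-removal and port steps above can be applied and checked by a script. The one below is an added example, not the Bonsai Framework's own code: it assumes POSIX sh with awk, grep and ls, takes the owner:group (serveradmin:staff in this document) as a caller-supplied parameter, and builds a constructed stand-in for an unpacked Tomcat 6 tree so it can be run offline. The connector step is written to cope with the element spanning several lines, which is how the stock server.xml lays it out, not only the single-line form shown above.

```shell
#!/bin/sh
# Added example (not the Bonsai Framework's script): apply the hardening steps to a
# Tomcat root and verify them. Assumes POSIX sh plus awk/grep/ls; owner:group is
# passed in by the caller; make_sample_tree builds a constructed stand-in for a real
# unpacked Tomcat 6 distribution (real installs contain far more files).

# Constructed sample tree: default webapps plus a server.xml with the 8080 HTTP
# connector (multi-line, as in the stock file) and the 8009 AJP connector.
make_sample_tree() {
  root="$1"
  mkdir -p "$root/conf" "$root/webapps/ROOT"
  for app in docs examples host-manager manager; do
    mkdir -p "$root/webapps/$app"
  done
  cat > "$root/conf/server.xml" <<'EOF'
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
EOF
}

# Remove the sample and Manager applications (the CIS benchmark items cited above).
remove_default_webapps() {
  for app in docs examples host-manager manager; do
    rm -rf "$1/webapps/$app"
  done
}

# Wrap the <Connector port="PORT" ...> element in an XML comment, whether it sits on
# one line or spans several. An element that is already commented out is left alone,
# so running this twice is safe.
disable_connector() {
  conf="$1"; port="$2"; tmp="$conf.tmp.$$"
  awk -v port="$port" '
    inconn {                                   # inside a multi-line element
      if ($0 ~ /\/>/) { print $0 " -->"; inconn = 0 } else { print }
      next
    }
    $0 ~ ("<Connector[[:space:]]+port=\"" port "\"") && $0 !~ /<!--/ {
      if ($0 ~ /\/>/) { print "<!-- " $0 " -->" }   # single-line element
      else { print "<!-- " $0; inconn = 1 }           # element continues on later lines
      next
    }
    { print }
  ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Apply every step: ownership (only when an owner:group is supplied), mode 750 on the
# root, removal of the default webapps, and disabling the 8080 HTTP connector.
harden_tomcat() {
  root="$1"; owner="${2:-}"
  [ -n "$owner" ] && chown -R "$owner" "$root"
  chmod 750 "$root"
  remove_default_webapps "$root"
  disable_connector "$root/conf/server.xml" 8080
}

# Return 0 only when every step is in place; report the first failure otherwise.
verify_hardening() {
  root="$1"
  for app in docs examples host-manager manager; do
    [ ! -e "$root/webapps/$app" ] || { echo "still present: webapps/$app"; return 1; }
  done
  [ "$(ls -ld "$root" | cut -c1-10)" = "drwxr-x---" ] \
    || { echo "root is not mode 750"; return 1; }
  # a Connector on 8080 that is not on a commented line is still an active listener
  if grep '<Connector[[:space:]]*port="8080"' "$root/conf/server.xml" | grep -qv '<!--'; then
    echo "HTTP connector on 8080 is still active"; return 1
  fi
  return 0
}

# Stand-alone demo on the constructed tree; chown is skipped because no owner is passed.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir/tomcat.0"
harden_tomcat "$demo_dir/tomcat.0"
verify_hardening "$demo_dir/tomcat.0" && echo "hardening verified in $demo_dir/tomcat.0"
rm -rf "$demo_dir"
```

On a real install the call would be `harden_tomcat /opt/apache/tomcat.0 serveradmin:staff` run with sudo, followed by `verify_hardening /opt/apache/tomcat.0` as the check. The verify function is deliberately separate from the apply function so it can be re-run after an upgrade to confirm the steps are still in place.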
Remove Server Information Details
...
Clear Text Passwords
When configuring resources such as JDBC data sources, Tomcat only supports clear-text usernames and passwords in server.xml. By default, if untarred per the BonsaiFramework instructions, server.xml will only be readable by serveradmin.
Typical encryption or obfuscation generally does not provide much additional protection. These points and opinions are explained in detail by OWASP and the Center for Internet Security.
I actually can think of a solution that uses the system's own hardware and a password to bind the encrypted value to the system.
References
http://blogs.mulesoft.org/is-your-tomcat-secure/ - looks like a good lead.
http://www.cisecurity.org/resources-publications/ - Security Benchmark