Re: Security Questions Regarding Tomcat

2005-08-15 Thread Robert V. Coward/CTR/OSAGWI
Hmmm. Well take a look at this entry from the server.xml file:

<!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
<!-- See proxy documentation for more information about using this. -->
<!--
<Connector port="8082"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" acceptCount="100"
           connectionTimeout="2"
           proxyPort="80" disableUploadTimeout="true" />
-->

I did not add this and from what I can tell this comes with the default 
config. Any info?

Roberto




David Smith [EMAIL PROTECTED] wrote on 08/12/2005 11:40 AM:

This sounds really fishy.  Tomcat does not by default have any
connectors configured for port 80.  There must be another service or
you've modified your server.xml somehow.

--David

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




Re: Security Questions Regarding Tomcat

2005-08-15 Thread David Smith
But it's also commented out and not active.  It's there as an example of
a proxied port if you happen to be using Apache and mod_rewrite as a
front end to tomcat.

--David

Robert V. Coward/CTR/OSAGWI wrote:

Hmmm. Well take a look at this entry from the server.xml file:

<!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
<!-- See proxy documentation for more information about using this. -->
<!--
<Connector port="8082"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" acceptCount="100"
           connectionTimeout="2"
           proxyPort="80" disableUploadTimeout="true" />
-->

I did not add this and from what I can tell this comes with the default 
config. Any info?

Roberto





-- 
===
David Smith
Network Operations Supervisor
Department of Entomology
College of Agriculture & Life Sciences
Cornell University
2132 Comstock Hall
Ithaca, NY  14853
Phone: 607.255.9571
Fax: 607.255.0939





Re: Security Questions Regarding Tomcat

2005-08-15 Thread Robert V. Coward/CTR/OSAGWI
Duh. Thanks. I should have seen that.

But I still do not understand how this is all working.

Basically I want to run a default deny ipfilter firewall on the host, 
only allowing port 8080 and 8443 (or 4443; there seems to be some confusion 
with my apps guys on which one is the real SSL proxy port) connections 
from internal. I then want to NAT (rdr) to redirect all incoming 80 and 
443 connections to that 8080 and 8443 (or 4443) port internal. I suppose 
it is my lack of familiarity with ipfilter (this is so much easier to do 
using OBSD's PF). I'd really like to see some other folks' ipnat.conf and 
ipf.conf files if this is being done already. I'll do some more research 
and keep the group apprised of my progress. Thanks.


Roberto



David Smith [EMAIL PROTECTED] wrote on 08/15/2005 08:29 AM:

But it's also commented out and not active.  It's there as an example of
a proxied port if you happen to be using Apache and mod_rewrite as a
front end to tomcat.

--David





Re: Security Questions Regarding Tomcat

2005-08-15 Thread Hassan Schroeder

Robert V. Coward/CTR/OSAGWI wrote:

Hmmm. Well take a look at this entry from the server.xml file:

<!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
<!-- See proxy documentation for more information about using this. -->
<!--
<Connector port="8082"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" acceptCount="100"
           connectionTimeout="2"
           proxyPort="80" disableUploadTimeout="true" />
-->

I did not add this and from what I can tell this comes with the default 
config. Any info?


About what? This is in the Fine Manual -- see the Connector
documentation under tomcat-docs/config/:
---
Proxy Support

The proxyName and proxyPort attributes can be used when Tomcat is 
run behind a proxy server. These attributes modify the values returned 
to web applications that call the request.getServerName() and 
request.getServerPort() methods, which are often used to construct 
absolute URLs for redirects. Without configuring these attributes, the 
values returned would reflect the server name and port on which the 
connection from the proxy server was received, rather than the server 
name and port to whom the client directed the original request.


For more information, see the Proxy Support HOW-TO.
---

Though this isn't particularly relevant to your situation, since as
are many of the *examples* in the default server.xml, this entry is
*commented out*.

HTH!
--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com

  dream.  code.






Re: Security Questions Regarding Tomcat

2005-08-15 Thread Robert V. Coward/CTR/OSAGWI
Understood. But I do not want to use Tomcat proxying services. I just want 
to host 8080 locally and let my ipfilter firewall block and proxy for me.

Roberto



Hassan Schroeder [EMAIL PROTECTED] wrote on 08/15/2005 08:41 AM:

 Though this isn't particularly relevant to your situation, since as
 are many of the *examples* in the default server.xml, this entry is
 *commented out*.







Re: Security Questions Regarding Tomcat

2005-08-15 Thread Hassan Schroeder

Robert V. Coward/CTR/OSAGWI wrote:
Understood. But I do not want to use Tomcat proxying services. I just want 
to host 8080 locally and let my ipfilter firewall block and proxy for me.


Then the default Tomcat configuration of listening on port 8080 is
just what you need. I highly recommend making a copy of the original
server.xml and then stripping out the examples before doing anything
else; greatly improves readability. :-)

If you're still uncertain about Tomcat's configuration, i.e., what
port(s) it's listening on, you could run netstat and/or nmap before
and after starting it, and compare the results.

FWIW!
--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com

  dream.  code.



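Hassan's before-and-after netstat comparison, as an added example that is not code from this thread: it parses two constructed `netstat -an` snapshots (Linux layout; the BSD `*.8080` address form is handled too), lists the ports the newly started service opened, and flags any that are reachable from off-host but not in the firewall's expected allow-list.

```python
import re

# Constructed sample: `netstat -an` on the host before Tomcat is started.
BEFORE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.20:22         192.168.0.7:51022       ESTABLISHED
"""

# Constructed sample: the same host after startup. Tomcat's HTTP connector
# (8080) and its shutdown port (8005, bound to loopback by default) appear;
# nothing opens port 80, which is the point of running the comparison.
AFTER = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN
tcp        0      0 :::8080                 :::*                    LISTEN
tcp        0      0 192.168.0.20:22         192.168.0.7:51022       ESTABLISHED
"""

# Local address column: Linux "0.0.0.0:8080" / ":::8080", BSD "*.8080" or
# "192.168.0.20.8080". The port follows the last ':' or '.'.
_LOCAL = re.compile(r"^(?P<addr>.*?)[:.](?P<port>\d+)$")

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def listening_ports(netstat_output):
    """Map port -> bound address for every TCP socket in LISTEN state."""
    listeners = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        # Linux and BSD both put the protocol first and the state last.
        if len(fields) < 5 or not fields[0].startswith("tcp"):
            continue
        if fields[-1] != "LISTEN":
            continue
        m = _LOCAL.match(fields[3])
        if m:
            listeners[int(m.group("port"))] = m.group("addr") or "*"
    return listeners


def opened_by_service(before, after):
    """Ports listening after startup that were not listening before."""
    previous = listening_ports(before)
    return {p: a for p, a in listening_ports(after).items() if p not in previous}


def externally_reachable(listeners):
    """Drop listeners bound only to a loopback address; the rest must be covered by the firewall."""
    return {p: a for p, a in listeners.items() if a not in LOOPBACK}


def check_tomcat(before, after, expected=frozenset({8080})):
    """Return (opened, unexpected): everything the service opened, and the
    subset reachable from off-host that is not in the expected allow-list."""
    opened = opened_by_service(before, after)
    unexpected = sorted(p for p in externally_reachable(opened) if p not in expected)
    return opened, unexpected


if __name__ == "__main__":
    opened, unexpected = check_tomcat(BEFORE, AFTER)
    for port, addr in sorted(opened.items()):
        print(f"opened {addr}:{port}")
    print("unexpected external listeners:", unexpected or "none")
```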



Re: Security Questions Regarding Tomcat

2005-08-15 Thread Robert V. Coward/CTR/OSAGWI
Got it. I've done that, and I figured out that I cannot use ipfilter as a 
reflector. That is, it is not very easy to use rdr to map packets from 
192.168.0.20 port 80 -> 192.168.0.20 port 8080.
That is precisely what I wanted to do: force NAT to rewrite packets coming 
in on one port to another port and have Tomcat answer normally. I got 
confused when I saw the proxying info inside the server.xml file. Looks 
like I'll have to get a real proxy server. Thanks.

Roberto



Hassan Schroeder [EMAIL PROTECTED] wrote on 08/15/2005 10:30 AM:

Then the default Tomcat configuration of listening on port 8080 is
just what you need. I highly recommend making a copy of the original
server.xml and then stripping out the examples before doing anything
else; greatly improves readability. :-)

If you're still uncertain about Tomcat's configuration, i.e., what
port(s) it's listening on, you could run netstat and/or nmap before
and after starting it, and compare the results.

FWIW!




Re: Security Questions Regarding Tomcat

2005-08-15 Thread David Smith
Regardless of what you put up in front of tomcat to act as the proxy
host, you'll most likely need the proxyPort and proxyName attributes in
your connector so tomcat can write urls correctly as needed (like in
sending external redirects).  I do this setup myself on some stuff when
I'm using mod_rewrite to map servlet material into an Apache site.

--David

Robert V. Coward/CTR/OSAGWI wrote:

Got it. I've done that, and I figured out that I cannot use ipfilter as a 
reflector. That is, it is not very easy to use rdr to map packets from 
192.168.0.20 port 80 -> 192.168.0.20 port 8080.
That is precisely what I wanted to do: force NAT to rewrite packets coming 
in on one port to another port and have Tomcat answer normally. I got 
confused when I saw the proxying info inside the server.xml file. Looks 
like I'll have to get a real proxy server. Thanks.

Roberto




-- 
===
David Smith
Network Operations Supervisor
Department of Entomology
College of Agriculture & Life Sciences
Cornell University
2132 Comstock Hall
Ithaca, NY  14853
Phone: 607.255.9571
Fax: 607.255.0939





Re: Security Questions Regarding Tomcat

2005-08-15 Thread Robert V. Coward/CTR/OSAGWI
Okay great. I'll check the docs on that once I get the server side stuff 
running right. Thanks for all the help.

Roberto



David Smith [EMAIL PROTECTED] wrote on 08/15/2005 10:59 AM:

Regardless of what you put up in front of tomcat to act as the proxy
host, you'll most likely need the proxyPort and proxyName attributes in
your connector so tomcat can write urls correctly as needed (like in
sending external redirects).  I do this setup myself on some stuff when
I'm using mod_rewrite to map servlet material into an Apache site.

--David





RE: Security Questions Regarding Tomcat

2005-08-12 Thread Harrell, Ralph
I would like to be able to start TOMCAT as a non-root
user but am unable to as we are running SSL and use
port 443 and non-root users do not have the permission
to use ports under 1000.

Ralph B. Harrell
UNC Charlotte
Manager, Oracle Database Administration
[EMAIL PROTECTED]
(704) 687-2951
-Original Message-
From: Alon Belman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 11, 2005 4:20 PM
To: Tomcat Users List
Subject: Re: Security Questions Regarding Tomcat

copied share to meb/robo

laters!

On 8/11/05, LFM [EMAIL PROTECTED] wrote:
 Tim,
 
 Thanks for the reply, but I can't get in working:
 
 In conf/server.xml I added server=TEST, as shown:
 
 <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8180 -->
 <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
            port="8180" minProcessors="5" maxProcessors="75"
            enableLookups="true" acceptCount="10" debug="0"
            connectionTimeout="2" useURIValidationHack="false" server="TEST"/>
 
 Stopped, started Tomcat. nc'ed to localhost, but still got the old
 server header.
 
 $ nc localhost 8180
 GET / HTTP/1.0
 
 HTTP/1.1 302 Moved Temporarily
 Location: http://localhost.localdomain:8180/index.jsp
 Content-Length: 0
 Date: Thu, 11 Aug 2005 20:15:38 GMT
 Server: Apache-Coyote/1.1
 Connection: close
 
 What am I doing wrong?
 
 Thanks!
 
 Leandro
 
 
 
 On Thu, 2005-08-11 at 15:56 -0400, Tim Funk wrote:
  The Server header can be configured in the Connector declaration.
 
  server='Sun Solaris IIS/6.0'
 
  To limit the HTTP methods this can be done a few ways;
  1) Use a servlet filter
  2) Use web.xml and security constraints on those method types
  3) ???
 
 
  -Tim
 
 
  LFM wrote:
   Hi!
  
   I'm hardening a Web Server running Tomcat for a client, but I'm having
   difficulty in finding information on how to accomplish the following
   tasks (bored of googling so I decided to ask here):
   1. Remove/modify the banner presented by the coyote connector on the
   server header of an http reply.
   2. Limit the HTTP methods available. (I want to disable trace, put,
   delete).
  
 







Re: Security Questions Regarding Tomcat

2005-08-12 Thread Paul Singleton

Harrell, Ralph wrote:


I would like to be able to start TOMCAT as a non-root
user but am unable to as we are running SSL and use
port 443 and non-root users do not have the permission
to use ports under 1000.


...not in Linux and some (all?) Unix variants, anyway.

(FWIW I think this root-only-below-1000 rule is an
ill considered security kludge which has probably
caused more trouble than it has circumvented)

You could redirect port 443 to 8443 (and 80 to 8080)
either in an external firewall/router or in iptables
within your server, then start Tomcat as e.g. tomcat
on its usual ports.

Paul Singleton


--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.338 / Virus Database: 267.10.7/70 - Release Date: 11/Aug/2005





Re: Security Questions Regarding Tomcat

2005-08-12 Thread Robert V. Coward/CTR/OSAGWI
Having a similar issue to this with Tomcat 5.
Apparently T5 comes with a port 80 proxy server, a special servlet 
container or something. Basically I have ipfilter running and only allow 
access to port 8080, but if you send a request to 80 Tomcat picks up and 
does some sort of internal redirect to port 8080. According to a netstat 
-a only port 8080 is listening, but when I run nmap against it it shows 80 
and 8080. I'd like to have ipfilter block all connections and 
redirect packets bound for port 80 to 8080. In other words I want to do 
what the T5 server seems to be doing already. Anyone have any ideas? My 
network admin is giving me much grief about allowing port 8080 access to 
the web.

Thanks





Paul Singleton [EMAIL PROTECTED] wrote on 08/12/2005 10:08 AM:

Harrell, Ralph wrote:

 I would like to be able to start TOMCAT as a non-root
 user but am unable to as we are running SSL and use
 port 443 and non-root users do not have the permission
 to use ports under 1000.

...not in Linux and some (all?) Unix variants, anyway.

(FWIW I think this root-only-below-1000 rule is an
ill considered security kludge which has probably
caused more trouble than it has circumvented)

You could redirect port 443 to 8443 (and 80 to 8080)
either in an external firewall/router or in iptables
within your server, then start Tomcat as e.g. tomcat
on its usual ports.

Paul Singleton






Re: Security Questions Regarding Tomcat

2005-08-12 Thread Hassan Schroeder

Robert V. Coward/CTR/OSAGWI wrote:

Apparently T5 comes with a port 80 proxy server, a special servlet 
container or something. Basically I have ipfilter running and only allow 
access to port 8080, but if you send a request to 80 Tomcat picks up and 
does some sort of internal redirect to port 8080.


Sorry, but that's simply not the case. The Connector definitions in
$CATALINA_HOME/conf/server.xml control what ports (and IPs) Tomcat
is listening on.

I'm not familiar with 'ipfilter', but there should be a way to list
the current rule set (equiv to `iptables -L`) to see what's going on.

FWIW!
--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com

  dream.  code.






Re: Security Questions Regarding Tomcat

2005-08-12 Thread David Smith
See the Commons-Daemon project on the Jakarta site for starting tomcat
as a non-root answer.

--David

Harrell, Ralph wrote:

I would like to be able to start TOMCAT as a non-root
user but am unable to as we are running SSL and use
port 443 and non-root users do not have the permission
to use ports under 1000.




Re: Security Questions Regarding Tomcat

2005-08-12 Thread David Smith
This sounds really fishy.  Tomcat does not by default have any
connectors configured for port 80.  There must be another service or
you've modified your server.xml somehow.

--David

Robert V. Coward/CTR/OSAGWI wrote:

Having a similar issue to this with Tomcat 5.
Apparently T5 comes with a port 80 proxy server, a special servlet 
container or something. Basically I have ipfilter running and only allow 
access to port 8080, but if you send a request to 80 Tomcat picks up and 
does some sort of internal redirect to port 8080. According to a netstat 
-a only port 8080 is listening, but when I run nmap against it it shows 80 
and 8080. I'd like to have ipfilter block all connections and 
redirect packets bound for port 80 to 8080. In other words I want to do 
what the T5 server seems to be doing already. Anyone have any ideas? My 
network admin is giving me much grief about allowing port 8080 access to 
the web.

Thanks








Re: Security Questions Regarding Tomcat

2005-08-12 Thread David Smith
I don't know -- I can see some value to the root only ports below 1024. 
It prevents non-privileged users from stealing trusted service ports in
a mainframe environment -- not that that's a reality anymore.  The best
way to handle this in a production environment is to use the
commons-daemon project at the Jakarta site.

--David

Paul Singleton wrote:

 Harrell, Ralph wrote:

 I would like to be able to start TOMCAT as a non-root
 user but am unable to as we are running SSL and use
 port 443 and non-root users do not have the permission
 to use ports under 1000.


 ...not in Linux and some (all?) Unix variants, anyway.

 (FWIW I think this root-only-below-1000 rule is an
 ill-considered security kludge which has probably
 caused more trouble than it has circumvented)

 You could redirect port 443 to 8443 (and 80 to 8080)
 either in an external firewall/router or in iptables
 within your server, then start Tomcat as e.g. tomcat
 on its usual ports.

 Paul Singleton





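Paul's iptables suggestion and David's commons-daemon alternative, spelled out as an added example that is not from the thread. The script below generates the nat-table REDIRECT rules that send 80 to 8080 and 443 to 8443, so Tomcat can be started as an unprivileged user on its usual ports; by default it only prints the commands, and `--apply` runs them as root. The interface name `eth0` and the Tomcat ports are assumptions, overridable through the environment.

```shell
#!/bin/sh
# Added example, not from the thread: generate (and optionally apply) the
# iptables rules that let Tomcat run as an unprivileged user on 8080/8443
# while clients still connect to 80/443. Interface and port values are
# assumptions; override them via the environment.
IFACE="${IFACE:-eth0}"
HTTP_PORT="${HTTP_PORT:-8080}"
HTTPS_PORT="${HTTPS_PORT:-8443}"

# Rules for one privileged->unprivileged port pair.
# PREROUTING catches packets arriving on $IFACE; OUTPUT catches connections
# the box makes to itself (curl http://localhost/), which never pass
# PREROUTING. REDIRECT rewrites the destination port, so the INPUT chain
# later sees dport $to, not $from.
redirect_rules() {
    from="$1"
    to="$2"
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
        "$IFACE" "$from" "$to"
    printf 'iptables -t nat -A OUTPUT -o lo -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
        "$from" "$to"
}

# Full rule set: both redirects plus INPUT accepts for the redirected ports.
# There is deliberately no ACCEPT for 80/443 in INPUT: after REDIRECT no
# packet reaches INPUT with those destination ports.
all_rules() {
    redirect_rules 80 "$HTTP_PORT"
    redirect_rules 443 "$HTTPS_PORT"
    printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$HTTP_PORT"
    printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$HTTPS_PORT"
}

# Number of REDIRECT lines in the generated set, used as a sanity check.
count_redirects() {
    all_rules | grep -c -- '-j REDIRECT'
}

case "${1:-}" in
    --apply) all_rules | sh -e ;;   # root required; rules last until reboot
    *)       all_rules ;;           # default: dry run, print the commands
esac
```

Two things to check after applying this. First, Tomcat still believes it is listening on 8080, so any redirect it generates itself (like the 302 to an `:8180` URL quoted later in this thread) will carry the internal port; set `proxyPort="80"` on the HTTP Connector and `proxyPort="443"` on the SSL one so `request.getServerPort()` reports the public port, which is exactly what the `proxyPort` attribute on the commented-out connector in the default server.xml is for. Second, the rules vanish at reboot unless saved with the distribution's iptables persistence mechanism. The same redirect is expressed in ipfilter as an `rdr` rule in ipnat.conf (see ipnat(5) on your platform). The alternative David names, commons-daemon's jsvc, avoids the redirect altogether: it binds the privileged ports as root and then drops to the account given with its `-user` option before Tomcat starts serving.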


Re: Security Questions Regarding Tomcat

2005-08-12 Thread Leandro Meiners
Tim, list:

Where can I find documentation regarding limiting HTTP methods using
security-constraints?
All I was able to do was require authentication in order to use some HTTP
methods, but I would like to limit them like can be done with the
Limit directive in Apache.

I will also appreciate any pointers to documentation regarding Tomcat
Security, especially about hardening.

Regards,

Leandro.





Re: Security Questions Regarding Tomcat

2005-08-12 Thread Hassan Schroeder

Leandro Meiners wrote:


Where can I find documentation regarding limting HTTP methods using
security-constraints?


The Security section of the Servlet 2.4 Spec (SRV.12) has some good
examples -- highly recommended  :-)

FWIW!
--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com

  dream.  code.




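A concrete instance of the SRV.12 mechanism Hassan points to, added here and not part of the thread. The difference between "require authentication" and "forbid outright" is the auth-constraint: one that names roles prompts for credentials, while an empty `<auth-constraint/>` tells the container that no role may access the resource, so it answers 403 without a login. The resource name and the method list are assumptions for this example.

```xml
<!-- Added example (not from the thread): deny TRACE, PUT and DELETE to
     everyone under this web application. The empty auth-constraint is
     the key; with role names listed it would only require a login. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Blocked methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>TRACE</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
```

Two caveats when using this as the equivalent of Apache's `<Limit>`. Listing `<http-method>` elements constrains only those methods; every method not listed stays unconstrained, and Servlet 2.4 has no `<LimitExcept>` counterpart (the `<http-method-omission>` element only arrived in Servlet 3.0), so the deny list has to be maintained explicitly. Also, Tomcat already covers part of this without web.xml: the DefaultServlet's `readonly` init parameter defaults to `true`, which rejects PUT and DELETE on static content, and Tomcat 5.5's Connector has an `allowTrace` attribute that defaults to `false`, so TRACE is refused at the connector unless it is switched on. The constraint above is still worth having, because it also covers your own servlets and JSPs, which the DefaultServlet setting does not.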


Security Questions Regarding Tomcat

2005-08-11 Thread LFM
Hi!

I'm hardening a Web Server running Tomcat for a client, but I'm having
difficulty in finding information on how to accomplish the following
tasks (bored of googling so I decided to ask here):
1. Remove/modify the banner presented by the coyote connector on the
server header of an http reply.
2. Limit the HTTP methods available. (I want to disable TRACE, PUT,
DELETE).

Regards!

Leandro

-- 
LFM [EMAIL PROTECTED]





Re: Security Questions Regarding Tomcat

2005-08-11 Thread Tim Funk

The Server header can be configured in the Connector declaration.

server='Sun Solaris IIS/6.0'

To limit the HTTP methods this can be done a few ways;
1) Use a servlet filter
2) Use web.xml and security constraints on those method types
3) ???


-Tim


LFM wrote:

Hi!

I'm hardening a Web Server running Tomcat for a client, but I'm having
difficulty in finding information on how to accomplish the following
tasks (bored of googling so I decided to ask here):
1. Remove/modify the banner presented by the coyote connector on the
server header of an http reply.
2. Limit the HTTP methods available. (I want to disable TRACE, PUT,
DELETE).






Re: Security Questions Regarding Tomcat

2005-08-11 Thread LFM
Tim, 

Thanks for the reply, but I can't get it working:

In conf/server.xml I added server="TEST", as shown:

<!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8180 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
    port="8180" minProcessors="5" maxProcessors="75"
    enableLookups="true" acceptCount="10" debug="0"
    connectionTimeout="2" useURIValidationHack="false" server="TEST"/>

Stopped, started Tomcat. nc'ed to localhost, but still got the old
server header.

$ nc localhost 8180
GET / HTTP/1.0

HTTP/1.1 302 Moved Temporarily
Location: http://localhost.localdomain:8180/index.jsp
Content-Length: 0
Date: Thu, 11 Aug 2005 20:15:38 GMT
Server: Apache-Coyote/1.1
Connection: close

What am I doing wrong?

Thanks!

Leandro



On Thu, 2005-08-11 at 15:56 -0400, Tim Funk wrote:
 The Server header can be configured in the Connector declaration.
 
 server='Sun Solaris IIS/6.0'
 
 To limit the HTTP methods this can be done a few ways;
 1) Use a servlet filter
 2) Use web.xml and security constraints on those method types
 3) ???
 
 
 -Tim
 
 
 LFM wrote:
  Hi!
  
  I'm hardening a Web Server running Tomcat for a client, but I'm having
  difficulty in finding information on how to accomplish the following
  tasks (bored of googling so I decided to ask here):
  1. Remove/modify the banner presented by the coyote connector on the
  server header of an http reply.
  2. Limit the HTTP methods available. (I want to disable TRACE, PUT,
  DELETE).
  
 
 





Re: Security Questions Regarding Tomcat

2005-08-11 Thread Alon Belman
copied share to meb/robo

laters!

On 8/11/05, LFM [EMAIL PROTECTED] wrote:
 Tim,
 
 Thanks for the reply, but I can't get it working:
 
 In conf/server.xml I added server="TEST", as shown:
 
 <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8180 -->
 <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
     port="8180" minProcessors="5" maxProcessors="75"
     enableLookups="true" acceptCount="10" debug="0"
     connectionTimeout="2" useURIValidationHack="false" server="TEST"/>
 
 Stopped, started Tomcat. nc'ed to localhost, but still got the old
 server header.
 
 $ nc localhost 8180
 GET / HTTP/1.0
 
 HTTP/1.1 302 Moved Temporarily
 Location: http://localhost.localdomain:8180/index.jsp
 Content-Length: 0
 Date: Thu, 11 Aug 2005 20:15:38 GMT
 Server: Apache-Coyote/1.1
 Connection: close
 
 What am I doing wrong?
 
 Thanks!
 
 Leandro
 
 
 
 On Thu, 2005-08-11 at 15:56 -0400, Tim Funk wrote:
  The Server header can be configured in the Connector declaration.
 
  server='Sun Solaris IIS/6.0'
 
  To limit the HTTP methods this can be done a few ways;
  1) Use a servlet filter
  2) Use web.xml and security constraints on those method types
  3) ???
 
 
  -Tim
 
 
  LFM wrote:
   Hi!
  
   I'm hardening a Web Server running Tomcat for a client, but I'm having
   difficulty in finding information on how to accomplish the following
   tasks (bored of googling so I decided to ask here):
   1. Remove/modify the banner presented by the coyote connector on the
   server header of an http reply.
   2. Limit the HTTP methods available. (I want to disable TRACE, PUT,
   DELETE).
  
 
 
 
 
 





Re: Security Questions Regarding Tomcat

2005-08-11 Thread Tim Funk

Setting the server header is a tomcat 5.5 feature.

-Tim

LFM wrote:
Tim, 


Thanks for the reply, but I can't get it working:

In conf/server.xml I added server="TEST", as shown:

<!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8180 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
    port="8180" minProcessors="5" maxProcessors="75"
    enableLookups="true" acceptCount="10" debug="0"
    connectionTimeout="2" useURIValidationHack="false" server="TEST"/>

Stopped, started Tomcat. nc'ed to localhost, but still got the old
server header.

$ nc localhost 8180
GET / HTTP/1.0

HTTP/1.1 302 Moved Temporarily
Location: http://localhost.localdomain:8180/index.jsp
Content-Length: 0
Date: Thu, 11 Aug 2005 20:15:38 GMT
Server: Apache-Coyote/1.1
Connection: close

What am I doing wrong?

Thanks!

Leandro



On Thu, 2005-08-11 at 15:56 -0400, Tim Funk wrote:


The Server header can be configured in the Connector declaration.

server='Sun Solaris IIS/6.0'

To limit the HTTP methods this can be done a few ways;
1) Use a servlet filter
2) Use web.xml and security constraints on those method types
3) ???


-Tim


LFM wrote:


Hi!

I'm hardening a Web Server running Tomcat for a client, but I'm having
difficulty in finding information on how to accomplish the following
tasks (bored of googling so I decided to ask here):
1. Remove/modify the banner presented by the coyote connector on the
server header of an http reply.
2. Limit the HTTP methods available. (I want to disable TRACE, PUT,
DELETE).


