Re: Protecting my web server
Also trim down your server.xml (over a number of days if necessary) to only what is necessary. If you only have to expose one webapp then only have one connector in that service, and one engine which has the only host inside it as the default and that has the only context inside it as your application. Then put liveDeploy=false and autoDeploy=false in the Host. Then you can go into %tomcat_home%/conf/web.xml and set the listings parameter to false so that nobody can see directory listings no matter what you do.

As for monitoring I would suggest putting an Apache web server in front of your Tomcat server, but if it's only for a short time this may be too much hassle. What you can do instead is to add an Access log valve to your Engine and monitor the contents of the access logs every day to see that there are no hack attempts coming in through port 80.

Also you might download a free portscanner from the web to see what ports are open on your machine. Once you have found the open ports use Windows to close down the programs that are listening on them.

Best of luck.

Andoni.

----- Original Message -----
From: Richard [EMAIL PROTECTED]
Newsgroups: gmane.comp.jakarta.tomcat.user
Sent: Wednesday, November 24, 2004 6:14 AM
Subject: Re: Protecting my web server

> Thanks a lot
>
> On Wed, 24 Nov 2004 07:58:37 +0200, Quinton Delpeche [EMAIL PROTECTED] wrote:
> > On Wednesday 24 November 2004 07:49, Richard wrote:
> > > Hi Quinton,
> >
> > Can't really check, but the following guidelines are good:
> >
> > - Make sure your tomcat user does not have admin privileges on the server. (Not sure how to do this on Windows, I am a linux person).
> > - Make sure your web-application doesn't have any funny code that might get exploited by a proficient hacker (i.e. shell commands run as ROOT).
> > - Add a blank index.html to each directory of your web-app, this prevents users from getting directory listings on your server.
> > - Ensure that you don't give away too much information in your URL (using ? and parameters). This can easily be prevented by implementing SSL and ensuring that the users have to log on first.
> >
> > > How can you tell when your web-app is secure? Forgive me for asking too many questions, I'm just a newbie.
> >
> > No problem. I understand. :)
> >
> > > Thanks
> >
> > Q
> > --
> > Quinton Delpeche
> > Internal Systems Developer
> > Softline VIP
> > Telephone: +27 12 420 7000
> > Direct: +27 12 420 7007
> > Facsimile: +27 12 420 7344
> > http://www.vippayroll.co.za/
> >
> > For some reason, this fortune reminds everyone of Marvin Zelkowitz.

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Protecting my web server
If a limited number of people need to see your machine and you know their IP addresses or domain names, you can use the RemoteAddressValve.

-Tim

Richard wrote:
> Hello Guys,
>
> Please advise. For demo purposes I need to expose my machine to the web. I got a public IP and have hosted my dev version of my webapp at port 80. I'm using Tomcat 5. This machine should be running 24/7 for a couple of days and I need to know how I can protect it.
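The trimmed server.xml that Andoni's post describes (one Connector, one Engine, one Host, one Context, no auto deployment, an access log valve) combined with the address-restricting valve Tim mentions, written out as an added example rather than configuration taken from the thread. The webapp directory name `demo` and the allowed client addresses are placeholders; the valve class used here is Tomcat's actual `RemoteAddrValve`, which the thread refers to as the RemoteAddressValve.

```xml
<!-- Added example for Tomcat 5: a server.xml cut down to the single webapp
     that has to be exposed. "demo" and the IP addresses are placeholders. -->
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">

    <!-- The only connector: plain HTTP on port 80, the one port left open
         in the firewall. No AJP, no HTTPS, no second HTTP port. -->
    <Connector port="80" maxThreads="50" connectionTimeout="20000"
               enableLookups="false" />

    <Engine name="Catalina" defaultHost="localhost">

      <!-- Daily access log under %tomcat_home%/logs, to be read every day
           for requests that do not belong to the demo. -->
      <Valve className="org.apache.catalina.valves.AccessLogValve"
             directory="logs" prefix="access_log." suffix=".txt"
             pattern="common" />

      <!-- Only the listed client addresses reach the webapp. The value is a
           comma-separated list of regular expressions matched against the
           remote IP, so dots are escaped. Everyone else gets a 403. -->
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             allow="203\.0\.113\.10,198\.51\.100\..*" />

      <!-- The only host, and it is the default host. Nothing dropped into
           webapps/ is deployed on its own (liveDeploy is the Tomcat 5.0
           attribute; autoDeploy covers it in 5.5). -->
      <Host name="localhost" appBase="webapps"
            autoDeploy="false" liveDeploy="false" unpackWARs="true">

        <!-- The only context: the demo application, served as the root. -->
        <Context path="" docBase="demo" />

      </Host>
    </Engine>
  </Service>
</Server>
```

Separately, in %tomcat_home%/conf/web.xml the default servlet's `listings` init-param is set to `false`, as Andoni's post says, so directory listings stay off for every context regardless of what the webapp contains.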
Protecting my web server
Hello Guys,

Please advise. For demo purposes I need to expose my machine to the web. I got a public IP and have hosted my dev version of my webapp at port 80. I'm using Tomcat 5. This machine should be running 24/7 for a couple of days and I need to know how I can protect it.

Thanks in advance

Richard
Re: Protecting my web server
On Wednesday 24 November 2004 07:24, Richard wrote:
> Hello Guys,

Hi,

- If possible load a firewall on the server or before the server with port forwarding.
- Close all ports that are not required: 110, 25, 22, 21, 23, etc.
- Disable all services that are not required.
- Load a tripwire if possible.
- Monitor your server closely.

> Please advise. For demo purposes I need to expose my machine to the web. I got a public IP and have hosted my dev version of my webapp at port 80. I'm using Tomcat 5. This machine should be running 24/7 for a couple of days and I need to know how I can protect it.
>
> Thanks in advance
>
> Richard

Q
--
Quinton Delpeche
Internal Systems Developer
Softline VIP
Telephone: +27 12 420 7000
Direct: +27 12 420 7007
Facsimile: +27 12 420 7344
http://www.vippayroll.co.za/

A novice was trying to fix a broken Lisp machine by turning the power off and on. Knight, seeing what the student was doing, spoke sternly: "You can not fix a machine by just power-cycling it with no understanding of what is going wrong." Knight turned the machine off and on. The machine worked.
Re: Protecting my web server
Hi Quinton / Guys,

I'm running on Win XP SP2 and have turned on the bundled firewall. I'm currently scanning on Sygate online scan. So far only port 80 is open.

On Wed, 24 Nov 2004 07:29:58 +0200, Quinton Delpeche [EMAIL PROTECTED] wrote:
> On Wednesday 24 November 2004 07:24, Richard wrote:
> > Hello Guys,
>
> Hi,
>
> - If possible load a firewall on the server or before the server with port forwarding.
> - Close all ports that are not required: 110, 25, 22, 21, 23, etc.
> - Disable all services that are not required.
> - Load a tripwire if possible.
> - Monitor your server closely.
>
> > Please advise. For demo purposes I need to expose my machine to the web. I got a public IP and have hosted my dev version of my webapp at port 80. I'm using Tomcat 5. This machine should be running 24/7 for a couple of days and I need to know how I can protect it.
> >
> > Thanks in advance
> >
> > Richard
>
> Q
> --
> Quinton Delpeche
> Internal Systems Developer
> Softline VIP
> Telephone: +27 12 420 7000
> Direct: +27 12 420 7007
> Facsimile: +27 12 420 7344
> http://www.vippayroll.co.za/
>
> A novice was trying to fix a broken Lisp machine by turning the power off and on. Knight, seeing what the student was doing, spoke sternly: "You can not fix a machine by just power-cycling it with no understanding of what is going wrong." Knight turned the machine off and on. The machine worked.
Re: Protecting my web server
On Wednesday 24 November 2004 07:36, Richard wrote:
> Hi Quinton / Guys,
>
> I'm running on Win XP SP2 and have turned on the bundled firewall. I'm currently scanning on Sygate online scan. So far only port 80 is open.

Then your machine should be secure. Just make sure that all the latest security patches/updates have been installed.

As long as only port 80 is open you should be fine. As long as your web-application is secure you should also be fine.

Good luck. :)

Q
--
Quinton Delpeche
Internal Systems Developer
Softline VIP
Telephone: +27 12 420 7000
Direct: +27 12 420 7007
Facsimile: +27 12 420 7344
http://www.vippayroll.co.za/

Too much of a good thing is WONDERFUL. -- Mae West
Re: Protecting my web server
Hi Quinton,

How can you tell when your web-app is secure? Forgive me for asking too many questions, I'm just a newbie.

Thanks

On Wed, 24 Nov 2004 07:46:35 +0200, Quinton Delpeche [EMAIL PROTECTED] wrote:
> On Wednesday 24 November 2004 07:36, Richard wrote:
> > Hi Quinton / Guys,
> >
> > I'm running on Win XP SP2 and have turned on the bundled firewall. I'm currently scanning on Sygate online scan. So far only port 80 is open.
>
> Then your machine should be secure. Just make sure that all the latest security patches/updates have been installed.
>
> As long as only port 80 is open you should be fine. As long as your web-application is secure you should also be fine.
>
> Good luck. :)
>
> Q
> --
> Quinton Delpeche
> Internal Systems Developer
> Softline VIP
> Telephone: +27 12 420 7000
> Direct: +27 12 420 7007
> Facsimile: +27 12 420 7344
> http://www.vippayroll.co.za/
>
> Too much of a good thing is WONDERFUL. -- Mae West
Re: Protecting my web server
On Wednesday 24 November 2004 07:49, Richard wrote:
> Hi Quinton,

Can't really check, but the following guidelines are good:

- Make sure your tomcat user does not have admin privileges on the server. (Not sure how to do this on Windows, I am a linux person).
- Make sure your web-application doesn't have any funny code that might get exploited by a proficient hacker (i.e. shell commands run as ROOT).
- Add a blank index.html to each directory of your web-app, this prevents users from getting directory listings on your server.
- Ensure that you don't give away too much information in your URL (using ? and parameters). This can easily be prevented by implementing SSL and ensuring that the users have to log on first.

> How can you tell when your web-app is secure? Forgive me for asking too many questions, I'm just a newbie.

No problem. I understand. :)

> Thanks

Q
--
Quinton Delpeche
Internal Systems Developer
Softline VIP
Telephone: +27 12 420 7000
Direct: +27 12 420 7007
Facsimile: +27 12 420 7344
http://www.vippayroll.co.za/

For some reason, this fortune reminds everyone of Marvin Zelkowitz.
Re: Protecting my web server
Thanks a lot

On Wed, 24 Nov 2004 07:58:37 +0200, Quinton Delpeche [EMAIL PROTECTED] wrote:
> On Wednesday 24 November 2004 07:49, Richard wrote:
> > Hi Quinton,
>
> Can't really check, but the following guidelines are good:
>
> - Make sure your tomcat user does not have admin privileges on the server. (Not sure how to do this on Windows, I am a linux person).
> - Make sure your web-application doesn't have any funny code that might get exploited by a proficient hacker (i.e. shell commands run as ROOT).
> - Add a blank index.html to each directory of your web-app, this prevents users from getting directory listings on your server.
> - Ensure that you don't give away too much information in your URL (using ? and parameters). This can easily be prevented by implementing SSL and ensuring that the users have to log on first.
>
> > How can you tell when your web-app is secure? Forgive me for asking too many questions, I'm just a newbie.
>
> No problem. I understand. :)
>
> > Thanks
>
> Q
> --
> Quinton Delpeche
> Internal Systems Developer
> Softline VIP
> Telephone: +27 12 420 7000
> Direct: +27 12 420 7007
> Facsimile: +27 12 420 7344
> http://www.vippayroll.co.za/
>
> For some reason, this fortune reminds everyone of Marvin Zelkowitz.