Re: how to harden tomcat?
Hi,

> One thing to look out for would be the use of JNI, i.e. native calls. I'm not sure if there is a way of preventing someone from packaging a .so in a WAR and then loading it into the app via code to bypass the lack of LD_LIBRARY_PATH (on *nix).

Didn't try it myself, but I guess /tomcat/conf/catalina.policy and its java.security settings are the right place to look for these remaining problems.

Cheers,
Michael

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
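Following up on Michael's pointer to catalina.policy: the permission a webapp needs to call System.loadLibrary() under the Java security manager is java.lang.RuntimePermission "loadLibrary.<name>" (or AllPermission, which implies it), and Tomcat's stock policy grants neither to code under webapps/. The script below is an added example, not from anyone in this thread, that scans a policy file for grant blocks that hand out either one. The sample policy it scans is constructed for the demo; the function is meant to be pointed at $CATALINA_HOME/conf/catalina.policy. Note that the policy only bites when Tomcat is started with the security manager enabled (catalina.sh start -security); without it a webapp can load whatever .so it carries regardless of what the file says.

```shell
#!/bin/sh
# Added example (not from the thread): find grants in a catalina.policy that
# would let webapp code load native libraries (JNI). With the security manager
# active, System.loadLibrary() needs java.lang.RuntimePermission
# "loadLibrary.<name>" or AllPermission; anything reported for a webapps/
# codeBase deserves a second look.
set -eu

# Constructed sample policy for the demo; the "legacy" grant is the over-grant.
SAMPLE_POLICY=$(mktemp)
trap 'rm -f "$SAMPLE_POLICY"' EXIT
cat > "$SAMPLE_POLICY" <<'EOF'
// JDK classes: unrestricted, as in the stock policy
grant codeBase "file:${java.home}/lib/-" {
        permission java.security.AllPermission;
};

// A webapp granted only what it needs (a database socket)
grant codeBase "file:${catalina.home}/webapps/ROOT/-" {
        permission java.net.SocketPermission "localhost:3306", "connect";
};

// Over-grant: this webapp may load any .so it carries inside its WAR
grant codeBase "file:${catalina.home}/webapps/legacy/-" {
        permission java.lang.RuntimePermission "loadLibrary.*";
        permission java.io.FilePermission "${catalina.home}/webapps/legacy/-", "read";
};
EOF

# native_load_grants FILE
# Prints "<codeBase>TAB<permission>" for every grant block in FILE that
# carries a loadLibrary RuntimePermission or AllPermission.
native_load_grants() {
    awk '
        # "grant" opens a block: record its codeBase (or note that it has none)
        /^[[:space:]]*grant/ {
            cb = "(no codeBase: applies to all code)"
            if (match($0, /codeBase[[:space:]]*"[^"]*"/)) {
                cb = substr($0, RSTART, RLENGTH)
                sub(/^codeBase[[:space:]]*"/, "", cb)
                sub(/"$/, "", cb)
            }
            why = ""
        }
        /RuntimePermission[[:space:]]*"loadLibrary[^"]*"/ {
            match($0, /"loadLibrary[^"]*"/)
            why = substr($0, RSTART + 1, RLENGTH - 2)
        }
        /java\.security\.AllPermission/ { why = "AllPermission" }
        # "};" closes the block: report it if anything was flagged
        /^[[:space:]]*};/ { if (why != "") print cb "\t" why }
    ' "$1"
}

# Demo run; on a real box: native_load_grants "$CATALINA_HOME/conf/catalina.policy"
native_load_grants "$SAMPLE_POLICY"
```

On the sample it reports the JDK grant (expected, AllPermission is how the stock policy treats the JDK's own jars) and the legacy webapp, and stays quiet about ROOT. The scanner is line-oriented, so a grant written with codeBase on its own line would be reported as having no codeBase; check the file by hand if the output looks odd.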
Re: how to harden tomcat?
Thanks Peter.

On Thu, 24 Feb 2005 07:59:59 +1100, Peter Johnson [EMAIL PROTECTED] wrote:
> I haven't really come across hardening documents for Tomcat or any Java container for that matter. That is probably because Java by design is relatively secure as it runs within a virtual machine so it isn't possible to escape code etc and break out into the OS kernel space. So basically run Tomcat as a specific user and tune the filesystem parameters to only allow access to the resources it needs (standard approach for every app, Java or not). Now focus all your attention on the application code (not Tomcat but the webapp): make sure all database interactions are escaped properly etc etc etc.
>
> One thing to look out for would be the use of JNI, i.e. native calls. I'm not sure if there is a way of preventing someone from packaging a .so in a WAR and then loading it into the app via code to bypass the lack of LD_LIBRARY_PATH (on *nix).
>
> The authentication / authorisation stuff (e.g. realms) is all to do with access to webapps.
>
> If you come across anything else I would be interested to know about it, especially if it is to do with securing Java in general.
>
> PJ
>
> Patrick Lacson wrote:
>> Specifically authoritative articles on how to do this... would be greatly appreciated.
>>
>> On Wed, 23 Feb 2005 11:24:12 -0800, Patrick Lacson [EMAIL PROTECTED] wrote:
>>> Does anybody have any links/documents on how to harden tomcat?
>>>
>>> thanks,
>>> -- Patrick

-- Patrick
Re: how to harden tomcat?
Hi,

My beginners guide is here (for tomcat on linux); it covers:

- Running not as root.
- Restricting the permissions of the tomcat directories.

http://www.mythic-beasts.com/support/topic_vds_java.html

I'd also recommend removing all the management utilities from the web-based front end and a completely fascist host firewall that denies everything but port 80 / 22.

Pete Stevens

On Thu, 24 Feb 2005, Patrick Lacson wrote:
> Thanks Peter.
>
> On Thu, 24 Feb 2005 07:59:59 +1100, Peter Johnson [EMAIL PROTECTED] wrote:
>> I haven't really come across hardening documents for Tomcat or any Java container for that matter. That is probably because Java by design is relatively secure as it runs within a virtual machine so it isn't possible to escape code etc and break out into the OS kernel space. So basically run Tomcat as a specific user and tune the filesystem parameters to only allow access to the resources it needs (standard approach for every app, Java or not). Now focus all your attention on the application code (not Tomcat but the webapp): make sure all database interactions are escaped properly etc etc etc.
>>
>> One thing to look out for would be the use of JNI, i.e. native calls. I'm not sure if there is a way of preventing someone from packaging a .so in a WAR and then loading it into the app via code to bypass the lack of LD_LIBRARY_PATH (on *nix).
>>
>> The authentication / authorisation stuff (e.g. realms) is all to do with access to webapps.
>>
>> If you come across anything else I would be interested to know about it, especially if it is to do with securing Java in general.
>>
>> PJ
>>
>> Patrick Lacson wrote:
>>> Specifically authoritative articles on how to do this... would be greatly appreciated.
>>>
>>> On Wed, 23 Feb 2005 11:24:12 -0800, Patrick Lacson [EMAIL PROTECTED] wrote:
>>>> Does anybody have any links/documents on how to harden tomcat?
>>>>
>>>> thanks,
>>>> -- Patrick
>
> -- Patrick

-- 
Pete Stevens [EMAIL PROTECTED] http://www.ex-parrot.com/~pete/
Always buy a lottery ticket on a Friday or Saturday, otherwise you're more likely to be run over than claim the prize.
how to harden tomcat?
Does anybody have any links/documents on how to harden tomcat?

thanks,
-- Patrick
Re: how to harden tomcat?
Specifically authoritative articles on how to do this... would be greatly appreciated.

On Wed, 23 Feb 2005 11:24:12 -0800, Patrick Lacson [EMAIL PROTECTED] wrote:
> Does anybody have any links/documents on how to harden tomcat?
>
> thanks,
> -- Patrick

-- Patrick
Re: how to harden tomcat?
I haven't really come across hardening documents for Tomcat or any Java container for that matter. That is probably because Java by design is relatively secure as it runs within a virtual machine so it isn't possible to escape code etc and break out into the OS kernel space. So basically run Tomcat as a specific user and tune the filesystem parameters to only allow access to the resources it needs (standard approach for every app, Java or not). Now focus all your attention on the application code (not Tomcat but the webapp): make sure all database interactions are escaped properly etc etc etc.

One thing to look out for would be the use of JNI, i.e. native calls. I'm not sure if there is a way of preventing someone from packaging a .so in a WAR and then loading it into the app via code to bypass the lack of LD_LIBRARY_PATH (on *nix).

The authentication / authorisation stuff (e.g. realms) is all to do with access to webapps.

If you come across anything else I would be interested to know about it, especially if it is to do with securing Java in general.

PJ

Patrick Lacson wrote:
> Specifically authoritative articles on how to do this... would be greatly appreciated.
>
> On Wed, 23 Feb 2005 11:24:12 -0800, Patrick Lacson [EMAIL PROTECTED] wrote:
>> Does anybody have any links/documents on how to harden tomcat?
>>
>> thanks,
>> -- Patrick
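Peter's advice here and Pete's guide elsewhere in the thread come down to the same checks on the box: Tomcat running as its own unprivileged user, its directories locked down so only that user can read the config and nobody else can write into the tree, and the management webapps gone. The script below is an added example, not Pete's guide and not code from anyone in this thread, that audits a Tomcat install tree for those points. It builds a constructed sample tree with a few deliberate problems so it runs offline; the webapp name lists are an assumption for a 5.x-era install and should be adjusted for the version in use.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Tomcat install tree for the
# basics raised on the list: owned by a dedicated unprivileged user, conf/
# unreadable by the world, nothing world-writable, management webapps removed.
# Builds a constructed sample tree so it runs offline; point the functions at
# a real $CATALINA_HOME to audit an actual install.
set -eu
umask 022

# Assumed names for a 5.x-era install; adjust to match your distribution.
MGMT_APPS="manager admin host-manager"
EXTRA_APPS="jsp-examples servlets-examples tomcat-docs webdav balancer"

# Constructed sample tree with deliberate problems (marked below).
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/conf" "$SAMPLE/logs" "$SAMPLE/work" \
         "$SAMPLE/webapps/ROOT" "$SAMPLE/webapps/manager" \
         "$SAMPLE/webapps/admin" "$SAMPLE/webapps/jsp-examples"
printf '<Server/>\n'       > "$SAMPLE/conf/server.xml"
printf '<tomcat-users/>\n' > "$SAMPLE/conf/tomcat-users.xml"
chmod 640 "$SAMPLE/conf/server.xml"
chmod 644 "$SAMPLE/conf/tomcat-users.xml"   # problem: credentials world-readable
chmod 777 "$SAMPLE/logs"                     # problem: world-writable directory

# present_apps HOME "name ..." -> prints each listed webapp deployed under HOME/webapps
present_apps() {
    for app in $2; do
        [ -d "$1/webapps/$app" ] && printf '%s\n' "$app"
    done
    return 0
}

# world_readable_conf HOME -> files under HOME/conf that any local user can read
world_readable_conf() { find "$1/conf" -type f -perm -004; }

# world_writable HOME -> anything under HOME that any local user can write to
world_writable() { find "$1" ! -type l -perm -002; }

# owned_by HOME USER -> succeeds if HOME itself is owned by USER (name or uid)
owned_by() { [ -n "$(find "$1" -prune -user "$2")" ]; }

# audit HOME USER -> prints findings, returns the number found (0 = clean).
# Paths are split on whitespace, so it assumes no spaces in the tree.
audit() {
    n=0
    for a in $(present_apps "$1" "$MGMT_APPS"); do
        echo "management webapp still deployed: webapps/$a"; n=$((n + 1))
    done
    for a in $(present_apps "$1" "$EXTRA_APPS"); do
        echo "example/extra webapp still deployed: webapps/$a"; n=$((n + 1))
    done
    for f in $(world_readable_conf "$1"); do
        echo "world-readable config: $f"; n=$((n + 1))
    done
    for f in $(world_writable "$1"); do
        echo "world-writable path: $f"; n=$((n + 1))
    done
    owned_by "$1" "$2" || { echo "not owned by $2: $1"; n=$((n + 1)); }
    return $n
}

# Demo run against the sample tree; the owner check uses whoever runs this.
audit "$SAMPLE" "$(id -u)" || echo "findings: $?"
```

Against a real box run `audit "$CATALINA_HOME" tomcat` (or whatever the service account is called); a non-zero return is the number of findings. Removing the management and example webapps is a matter of deleting their directories under webapps/ and any matching context file under conf/, and the world-readable tomcat-users.xml finding matters because that file holds the realm credentials in clear text.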