Re: Hardening Tomcat 3.2.4

2002-07-30 Thread Daniel Bruce Lynes

On Thursday 25 July 2002 10:23, [EMAIL PROTECTED] wrote:

 I posted a similar question a while ago and did not receive any
 answer from this list. Maybe folks on this list are admins/
 developers/programmers who are bothered mostly about the application
 itself and not security. Maybe there is an overall security
 list where such questions may be posed. Anybody have suggestions
 where questions such as these may be directed?

We are.  But I think a good number of us are probably running UNIX, or some 
variant thereof.

 It is probably a good idea to pay some attention to security.
 A snippet from my access_log (same IP - somebody is curious!)
 --
 [23/Jul/2002:11:49:38 -0800] GET /c/winnt/system32/cmd.exe?/c+dir
 HTTP/1.0 404 648
 [23/Jul/2002:11:49:38 -0800] GET /d/winnt/system32/cmd.exe?/c+dir
 HTTP/1.0 404 648
 [23/Jul/2002:11:49:38 -0800] GET
 /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 718
 [23/Jul/2002:11:49:39 -0800] GET

That's a script kiddy looking for nimda, code red, code red 2, or code green.
To me, it's just a pain in the ass...flooding my bandwidth.  Doesn't pose any
real threat.  But, there are certain versions of Tomcat 4.xx that may or may
not be susceptible, and early versions of Apache 1.3.xx/Apache 2.xx for the
unicode encoded URLs, and of course IIS 4.0/5.0 if you're using the indexing
server.

--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]




RE: Hardening Tomcat 3.2.4

2002-07-25 Thread Sexton, George

Think about the account you are running it under.

-Original Message-
From: Patel, Rajni M [mailto:[EMAIL PROTECTED]]
Sent: 23 July, 2002 12:17 PM
To: '[EMAIL PROTECTED]'
Subject: Hardening Tomcat 3.2.4
Importance: High


I have tomcat installed and running on a Windows NT 4.0 SP6a box and need to
harden the installation.

The things that I have thought about and can do are:

1) Change the HTTP port in server.xml file from the default value of 8080.
2) Remove the TOMCAT_HOME\examples directory
3) Remove the webapps\admin directory
4) Utilise a Firewall and restrict access to the NT box to IP Domain.

Is there anything else that I could do, like modifying the tomcat.policy file?
I'm a little unsure of what else needs to be done.

Thanks in advance for your help.

Rajni










Re: Hardening Tomcat 3.2.4

2002-07-25 Thread mls


I posted a similar question a while ago and did not receive any
answer from this list. Maybe folks on this list are admins/
developers/programmers who are bothered mostly about the application
itself and not security. Maybe there is an overall security
list where such questions may be posed. Anybody have suggestions
where questions such as these may be directed?

On a different thread, some relevant info was posted...
http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg60278.html

It is probably a good idea to pay some attention to security.
A snippet from my access_log (same IP - somebody is curious!)
--
[23/Jul/2002:11:49:38 -0800] GET /c/winnt/system32/cmd.exe?/c+dir
HTTP/1.0 404 648
[23/Jul/2002:11:49:38 -0800] GET /d/winnt/system32/cmd.exe?/c+dir
HTTP/1.0 404 648
[23/Jul/2002:11:49:38 -0800] GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 718
[23/Jul/2002:11:49:39 -0800] GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 687
[23/Jul/2002:11:49:39 -0800] GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 687
[23/Jul/2002:11:49:39 -0800] GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 721
[23/Jul/2002:11:49:39 -0800] GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 715
[23/Jul/2002:11:55:24 -0800] GET /c/winnt/system32/cmd.exe?/c+dir
HTTP/1.0 404 648
[23/Jul/2002:11:55:24 -0800] GET /d/winnt/system32/cmd.exe?/c+dir
HTTP/1.0 404 648
[23/Jul/2002:11:55:25 -0800] GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 718
[23/Jul/2002:11:55:25 -0800] GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 687
[23/Jul/2002:11:55:25 -0800] GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 687
[23/Jul/2002:11:55:25 -0800] GET
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 721
[23/Jul/2002:11:55:25 -0800] GET
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 715
--

Sexton, George wrote:
 Think about the account you are running it under.

 -Original Message-
 From: Patel, Rajni M [mailto:[EMAIL PROTECTED]]
 Sent: 23 July, 2002 12:17 PM
 I have tomcat installed and running on a Windows NT 4.0 SP6a box and need to
 harden the installation.
 
 The things that I have thought about and can do are:
 
 1) Change the HTTP port in server.xml file from the default value of 8080.
 2) Remove the TOMCAT_HOME\examples directory
 3) Remove the webapps\admin directory
 4) Utilise a Firewall and restrict access to the NT box to IP Domain.
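
The access_log excerpt posted here (also quoted in Daniel Bruce Lynes's reply above) is exactly what a log scanner should catch. What follows is an added example, not code from the thread: it decodes the overlong-UTF-8 and double-percent forms seen in the snippet the way a lenient server would, resolves the resulting path, and reports why each line is suspect. The log lines embedded in it are constructed to match the posted excerpt (plus one benign request); the regex assumes the same truncated log format the poster used, with the client IP already stripped.

```python
"""Flag Nimda/Code Red-style traversal probes in an access_log.
Added example, not code from the thread: decodes the overlong-UTF-8 (%c0%af,
%c1%1c) and double-percent (%%35%63, %%35c) forms from the posted snippet,
resolves the path and reports why each line is suspect."""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample modelled on the thread's access_log excerpt, plus one
# benign request so the scanner has something to pass.
SAMPLE_LOG = """\
[23/Jul/2002:11:49:38 -0800] GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 648
[23/Jul/2002:11:49:38 -0800] GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 718
[23/Jul/2002:11:49:39 -0800] GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 687
[23/Jul/2002:11:49:39 -0800] GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 721
[23/Jul/2002:11:49:39 -0800] GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 400 715
[23/Jul/2002:11:50:01 -0800] GET /examples/servlets/index.html HTTP/1.0 200 1234
"""
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<method>\S+) (?P<path>\S+) "
                     r"HTTP/\S+ (?P<status>\d{3}) (?P<size>\d+)$")
CMD_TARGETS = ("/winnt/system32/cmd.exe", "/root.exe")

def decode_overlong(data: bytes) -> str:
    """Fold 0xC0/0xC1 two-byte sequences the way a lenient decoder does: strict
    UTF-8 rejects them, but the probes count on a decoder that accepts them
    even with a non-continuation second byte (%c1%1c -> backslash)."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))  # one byte -> one latin-1 char
            i += 1
    return "".join(out)

def normalize_path(raw: str, max_passes: int = 3) -> str:
    """Percent-decode until stable (catches %%35%63), then fold overlong UTF-8."""
    cur = raw.encode("latin-1")
    for _ in range(max_passes):
        nxt = unquote_to_bytes(cur)
        if nxt == cur:
            break
        cur = nxt
    return decode_overlong(cur)

def canonicalize(path: str) -> tuple:
    """Resolve '.', '..' and backslashes; report whether '..' climbed past root."""
    stack, escaped = [], False
    for seg in path.split("?", 1)[0].replace("\\", "/").split("/"):
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True
        elif seg not in ("", "."):
            stack.append(seg)
    return "/" + "/".join(stack), escaped

def classify(raw_path: str) -> list:
    """Reasons a request path looks like a traversal / cmd.exe probe."""
    decoded = normalize_path(raw_path)
    canon, escaped = canonicalize(decoded)
    reasons = []
    if escaped:
        reasons.append("traversal above web root")
    if decoded != unquote_to_bytes(raw_path).decode("latin-1"):
        reasons.append("encoding survives single-pass decoding")
    if canon.lower().endswith(CMD_TARGETS):
        reasons.append("command interpreter requested")
    return reasons

def scan_log(text: str) -> list:
    """Parse access_log lines and keep those with at least one reason."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        reasons = classify(m["path"]) if m else []
        if reasons:
            hits.append({"ts": m["ts"], "path": m["path"], "reasons": reasons})
    return hits
```

Note that the 400 and 404 status codes in the snippet mean Tomcat did not serve anything; the value of scanning is in seeing that one source tried every encoding variant within a second, which is what to feed a firewall or IDS rule.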





RE: Hardening Tomcat 3.2.4

2002-07-25 Thread Mike Jackson

A firewall is probably the best way to harden tomcat.  Or any web server
for that matter, however for a good one you're going to probably end up
paying a large sum of money.  You could go on the cheaper side and only use
a stateful port blocking firewall, but really to do it right you'll need
a firewall that looks at data being sent to the server and then blocks
on types of data rather than just the port.  That and a good IDS system
of some type, preferably with the ability to automajickally shut down access
from IPs on the internet when it detects questionable traffic.  Cisco's
IDS will link up to their PIX firewall to do this, but the PIX is only
a stateful port blocking firewall.  You'd need another, better firewall to
be sure of blocking everything in a more secure manner.

--mikej
-=-
mike jackson
[EMAIL PROTECTED]





RE: Hardening Tomcat 3.2.4

2002-07-25 Thread Mike Jackson

Oh, and then you'd of course want to remove all the webapps that you don't
use.
But that's kinda a no-brainer.

--mikej
-=-
mike jackson
[EMAIL PROTECTED]





Re: Hardening Tomcat 3.2.4

2002-07-25 Thread mls

Mike Jackson wrote:
 A firewall is probably the best way to harden tomcat.  Or any web server
 for that matter, however for a good one you're going to probably end up
 paying a large sum of money.  You could go on the cheaper side and only use
 a stateful port blocking firewall, but really to do it right you'll need
 a firewall that looks at data being sent to the server and then blocks
 on types of data rather than just the port.

Is iptables on Linux generally good enough(?), assuming the data
is not all that critical. Other than its basic functions, haven't
really looked at iptables to see whether it can interface with
any IDS...

das





RE: Hardening Tomcat 3.2.4

2002-07-25 Thread Turner, John


Is it possible to configure tomcat to listen only on the connector ports,
and not any other port, such as 8080?  Seems to me you could just delete the
HTTP connector from port 8080 and that would make tomcat pretty hard to mess
with.  Any malformed requests at that point would go through apache first,
assuming an apache+connector+tomcat configuration.

John Turner
[EMAIL PROTECTED]
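
John's suggestion (drop the HTTP connector so only the Apache-facing connector is left) and Rajni's list earlier in the thread (remove the examples and admin webapps) are both checks against server.xml. The script below is an added example, not code from the thread or from the Tomcat project: it audits a Tomcat 3.2-style server.xml for those points and writes out a copy with the HTTP connector and the unneeded contexts removed. The sample config is constructed; the Connector/Parameter/Context layout and handler class names are assumed to match what Tomcat 3.2 shipped.

```python
"""Audit a Tomcat 3.2-style server.xml for the points raised in the thread:
an HTTP connector still open on 8080 and example/admin webapps still deployed.
Added example, not from the thread or the Tomcat project; the sample config is
constructed to follow the 3.2.x Connector/Parameter/Context layout."""
import xml.etree.ElementTree as ET

HTTP_HANDLER = "org.apache.tomcat.service.http.HttpConnectionHandler"
UNNEEDED_CONTEXTS = ("/examples", "/admin", "/test")  # drop what you don't use

# Constructed sample: HTTP on 8080, Ajp13 on 8009, examples/admin deployed.
SAMPLE_SERVER_XML = """\
<Server>
  <ContextManager debug="0" workDir="work">
    <Connector className="org.apache.tomcat.service.PoolTcpConnector">
      <Parameter name="handler"
                 value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
      <Parameter name="port" value="8080"/>
    </Connector>
    <Connector className="org.apache.tomcat.service.PoolTcpConnector">
      <Parameter name="handler"
                 value="org.apache.tomcat.service.connector.Ajp13ConnectionHandler"/>
      <Parameter name="port" value="8009"/>
    </Connector>
    <Context path="/examples" docBase="webapps/examples" debug="0" reloadable="true"/>
    <Context path="/admin" docBase="webapps/admin" debug="0" reloadable="true"/>
    <Context path="/shop" docBase="webapps/shop" debug="0" reloadable="false"/>
  </ContextManager>
</Server>
"""


def connector_params(conn):
    """Map Parameter name -> value for one <Connector> element."""
    return {p.get("name"): p.get("value") for p in conn.findall("Parameter")}


def audit(xml_text):
    """Return (severity, message) findings; the config itself is untouched."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        params = connector_params(conn)
        if params.get("handler") == HTTP_HANDLER:
            findings.append(("high", f"HTTP connector open on port "
                             f"{params.get('port', '?')}; remove it when Apache "
                             "fronts Tomcat over AJP, or firewall it"))
    for ctx in root.iter("Context"):
        if ctx.get("path") in UNNEEDED_CONTEXTS:
            findings.append(("medium", f"unneeded webapp at {ctx.get('path')}"))
    return findings


def harden(xml_text, drop_http=True):
    """Return server.xml text minus the HTTP connector and unneeded contexts."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):  # snapshot: we mutate while walking
        for child in list(parent):
            if child.tag == "Connector" and drop_http and \
                    connector_params(child).get("handler") == HTTP_HANDLER:
                parent.remove(child)
            elif child.tag == "Context" and child.get("path") in UNNEEDED_CONTEXTS:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


def listening_ports(xml_text):
    """TCP ports this config would bind (one per remaining Connector)."""
    root = ET.fromstring(xml_text)
    return sorted(int(connector_params(c).get("port", 0)) for c in root.iter("Connector"))
```

With the HTTP connector gone, only the AJP port remains to be reached, and that one should still be firewalled so that only the Apache host can talk to it.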






RE: Hardening Tomcat 3.2.4

2002-07-25 Thread Mike Jackson

The problem is that the webserver (IIS is a good example of the problem)
is still vulnerable to strange requests.  A firewall which inspects the
contents of the packets can be configured to block access to the web server
based on web apps.  That's really the only way to truly harden a web
server as I see it.

However this doesn't always need to be a true firewall that does the work,
it could be a specialized proxy that does the filtering.  Then the point
of presence is the proxy not the webserver, and you gain the benefit of
caching at the proxy as well.

But you're right, blocking access to ports is generally acceptable when
you're not dealing with particularly sensitive data.

--mikej
-=-
mike jackson
[EMAIL PROTECTED]





Re: Hardening Tomcat 3.2.4

2002-07-25 Thread mls


I run Tomcat standalone. The rationale is that by eliminating
Apache from the equation, another layer of complex code is
eliminated increasing the security. It makes life easier also!
(one less thing to configure)

das

Turner, John wrote:
 Is it possible to configure tomcat to listen only on the connector ports,
 and not any other port, such as 8080?  Seems to me you could just delete the
 HTTP connector from port 8080 and that would make tomcat pretty hard to mess
 with.  Any malformed requests at that point would go through apache first,
 assuming an apache+connector+tomcat configuration.
 




RE: Hardening Tomcat 3.2.4

2002-07-25 Thread Mike Jackson

Whatever web server is acting as the front end to tomcat is still
vulnerable to strange requests (i.e. code red and the like), that's what
the higher end firewalls prevent.

--mikej
-=-
mike jackson
[EMAIL PROTECTED]





RE: Hardening Tomcat 3.2.4

2002-07-25 Thread Turner, John


What's the ramification of tomcat failing?  Can it even fail into a critical
mode?  tomcat doesn't run as root (at least, it shouldn't) and Tomcat itself
is written in Java, with all of the security overhead that that entails.

Tomcat is not a web server per se...that is, it isn't a general purpose
webserver.  So, assuming someone sends a malformed URL to tomcat...so what?
What's the absolute worst that can happen?  It won't fail as root, it
doesn't run as root, and therefore any malicious code would be executed as
tomcat-user, which in my case is a user that can't do much of anything.
That's even assuming that there is a URL condition that would get past the
Java security mechanism.

I'm not saying that you can assume tomcat is invulnerable, I'm just trying
to understand how much effort should be expended hardening tomcat when
its default configuration is pretty good as is, when used in conjunction
with overall best-practices from a systems administration point of view
(firewalls, logging, etc.).

John Turner
[EMAIL PROTECTED]





RE: Hardening Tomcat 3.2.4

2002-07-25 Thread Turner, John


Yes, I understand that, but I think it's been proven so far that Apache is
less susceptible to things like that.  IIS is another issue, but then,
that's not the topic.  My point was that if tomcat can be configured to only
accept requests from a webserver, the onus for hardening is no longer
tomcat's problem.

John Turner
[EMAIL PROTECTED]

