A firewall is probably the best way to harden Tomcat, or any web server for that matter; however, for a good one you're probably going to end up paying a large sum of money. You could go on the cheaper side and only use a stateful port-blocking firewall, but really, to do it right you'll need a firewall that looks at the data being sent to the server and then blocks on types of data rather than just the port. That, and a good IDS system of some type, preferably with the ability to automajickally shut down access from IPs on the internet when it detects questionable traffic. Cisco's IDS will link up to their PIX firewall to do this, but the PIX is only a stateful port-blocking firewall. You'd need another, better firewall to be sure of blocking everything in a more secure manner.

--mikej
-=-----
mike jackson
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 25, 2002 10:23 AM
To: Tomcat Users List
Subject: Re: Hardening Tomcat 3.2.4

I posted a similar question a while ago and did not receive any answer from this list. Maybe folks on this list are admins/developers/programmers who are bothered mostly about the application itself and not security. Maybe there is an "overall security" list where such questions may be posed. Anybody have suggestions where questions such as these may be directed?

On a different thread, some relevant info was posted...
http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg60278.html

It is probably a good idea to pay some attention to security. A snippet from my access_log (same IP - somebody is curious!)

----------------------------------------------
[23/Jul/2002:11:49:38 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 648
[23/Jul/2002:11:49:38 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 648
[23/Jul/2002:11:49:38 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 718
[23/Jul/2002:11:49:39 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 687
[23/Jul/2002:11:49:39 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 687
[23/Jul/2002:11:49:39 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 721
[23/Jul/2002:11:49:39 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 715
[23/Jul/2002:11:55:24 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 648
[23/Jul/2002:11:55:24 -0800] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 648
[23/Jul/2002:11:55:25 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 718
[23/Jul/2002:11:55:25 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 687
[23/Jul/2002:11:55:25 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 687
[23/Jul/2002:11:55:25 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 721
[23/Jul/2002:11:55:25 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 715
----------------------------------------------

"Sexton, George" wrote:

> Think about the account you are running it under.
>
> -----Original Message-----
> From: Patel, Rajni M [mailto:[EMAIL PROTECTED]]
> Sent: 23 July, 2002 12:17 PM
>
> I have tomcat installed and running on a Windows NT 4.0 SP6a box and need to
> harden the installation.
>
> The things that I have thought about and I can do are:
>
> 1) Change the HTTP port in server.xml file from default value of 8080.
> 2) Remove the TOMCAT_HOME\examples directory
> 3) Remove the webapps\admin directory
> 4) Utilise a Firewall and restrict access to the NT box to IP Domain.

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
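The probe pattern in the access_log snippet above lends itself to a small log check. This is an added example, not code from anyone in this thread: it parses constructed Common Log Format lines (the client addresses 192.0.2.10 and 198.51.100.7 are documentation-range placeholders, since the posted snippet omits the IP), normalises the double-encoded and overlong-UTF-8 traversal sequences the probes use, and counts flagged requests per client so the "same IP, many attempts" pattern stands out.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in Common Log Format: the same request shapes as the
# posted snippet, with placeholder client IPs from the RFC 5737 ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Jul/2002:11:49:38 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 648
192.0.2.10 - - [23/Jul/2002:11:49:38 -0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 718
192.0.2.10 - - [23/Jul/2002:11:49:39 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 687
192.0.2.10 - - [23/Jul/2002:11:49:39 -0800] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 721
192.0.2.10 - - [23/Jul/2002:11:49:39 -0800] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 715
198.51.100.7 - - [23/Jul/2002:12:00:01 -0800] "GET /index.html HTTP/1.0" 200 1024
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
TRAVERSAL = re.compile(r'(^|/)\.\./')
# Byte pairs the probes use as a disguised path separator: %c0%af and %c1%9c are
# overlong (invalid) UTF-8 spellings of '/' and '\'; %c1%1c is a variant of the same trick.
BOGUS_SEPARATOR = re.compile(r'\xc0\xaf|\xc1\x9c|\xc1\x1c')


def normalise(path):
    """Canonicalise a request path the way a careless server might.

    Decoding twice with latin-1 turns %%35c into %5c and then into '\\',
    while overlong byte pairs survive as raw chars and are mapped to '/'."""
    decoded = unquote(unquote(path, encoding='latin-1'), encoding='latin-1')
    decoded = BOGUS_SEPARATOR.sub('/', decoded)
    return decoded.replace('\\', '/').lower()


def classify(line):
    """Return a record for one log line, with the reasons it looks like a probe."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _ts, _method, path, status, _size = m.groups()
    norm = normalise(path)
    reasons = []
    if TRAVERSAL.search(norm):
        reasons.append('traversal')
    if 'cmd.exe' in norm:
        reasons.append('cmd.exe')
    return {'ip': ip, 'path': path, 'normalised': norm,
            'status': int(status), 'reasons': reasons}


def scan(log_text):
    """Flag suspicious requests and count them per client address."""
    records = (classify(line) for line in log_text.splitlines())
    hits = [r for r in records if r and r['reasons']]
    return hits, Counter(h['ip'] for h in hits)
```

Every flagged line here carries a 4xx status, which is the useful point for a defender: the probes failed, but five of them from one address within a second is the signal worth alerting on.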