What's the ramification of tomcat failing? Can it even fail into a critical mode? tomcat doesn't run as root (at least, it shouldn't) and Tomcat itself is written in Java, with all of the security overhead that that entails.
Tomcat is not a "web server" per se...that is, it isn't a general purpose webserver. So, assuming someone sends a malformed URL to tomcat...so what? What's the absolute worst that can happen? It won't fail as root, it doesn't run as root, and therefore any malicious code would be executed as tomcat-user, which in my case is a user that can't do much of anything. That's even assuming that there is a URL condition that would get past the Java security mechanism. I'm not saying that you can assume tomcat is invulnerable, I'm just trying to understand how much effort should be expended "hardening" tomcat when it's default configuration is pretty good as is, when used in conjunction with overall best-practices from a systems administration point of view (firewalls, logging, etc.). John Turner [EMAIL PROTECTED] -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 25, 2002 2:14 PM To: Tomcat Users List Subject: Re: Hardening Tomcat 3.2.4 I run Tomcat standalone. The rationale is that by eliminating Apache from the equation, another layer of complex code is eliminated increasing the security. It makes life easier also! (one less thing to configure) das "Turner, John" wrote: > Is it possible to configure tomcat to listen only on the connector ports, > and not any other port, such as 8080? Seems to me you could just delete the > HTTP connector from port 8080 and that would make tomcat pretty hard to mess > with. Any malformed requests at that point would go through apache first, > assuming an apache+connector+tomcat configuration. > > John Turner > [EMAIL PROTECTED] > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] > Sent: Thursday, July 25, 2002 2:01 PM > To: Tomcat Users List > Subject: Re: Hardening Tomcat 3.2.4 > > Mike Jackson wrote: > > A firewall is probably the best way to harden tomcat. Or any web server > > for that matter, however for a one good you're going to probably end up > > paying a large sum of money. You could go on the cheaper side and only > use > > a stateful port blocking firewall, but really to do it right you'll need > > a firewall that looks at data being sent to the server and then blocks > > on types of data rather than just the port. > > Is iptables on Linux generally good enough(?), assuming the data > is not all that critical. Other than its basic functions, haven't > really looked at iptables to see whether it can interface with > any IDS... > > das > > -- > To unsubscribe, e-mail: > <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: > <mailto:[EMAIL PROTECTED]> > > -- > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>