Good post Christopher ;)

It makes me remember this doc, which is not bad for securing Tomcat:
https://www.owasp.org/index.php/Securing_tomcat

But it lacks some important information on Windows rights, which could
be more restricted (I'll try to post something about it one day). And
others like:

- disabling deploy-on-startup / auto-deployment, then a hacker cannot
push his own war file (but more work to push your own, trusted wars;
never seen such a config in production till now, but it makes sense)

- disabling Jasper for existing JSPs, then a hacker cannot modify a JSP
(http://tomcat.apache.org/tomcat-7.0-doc/jasper-howto.html#Production_Configuration),
but this has no effect on a newly hacker-created JSP, which still
can be browsed/compiled/executed. However, this last problem can be
addressed by the Security Manager for disabling file creation (example:
http://blog.river-tiger.com/tomcat-against-hacking)

A.T.


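The two settings described above, as configuration fragments added here for illustration (not taken from either post); the Host attributes and JspServlet init-params are the standard Tomcat 7 ones, while the Context docBase path is an assumed placeholder:

```xml
<!-- conf/server.xml, Host as shipped: anything dropped into appBase is
     deployed, both at startup and while Tomcat is running -->
<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="true" deployOnStartup="true">
</Host>

<!-- conf/server.xml, hardened Host: appBase is never scanned, so a WAR
     written there by someone who gained file access is simply ignored.
     Each trusted application is listed explicitly instead
     (the docBase below is an assumed placeholder path). -->
<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="false" deployOnStartup="false">
  <Context path="/shop" docBase="/opt/tomcat/trusted/shop.war"/>
</Host>

<!-- conf/web.xml, JspServlet in production mode: existing JSPs are
     compiled on first request and not re-checked for changes while
     Tomcat runs (development=false, checkInterval=0), so editing a
     deployed .jsp is not picked up. A brand-new .jsp is still compiled
     on its first hit; that gap is what the Security Manager is for. -->
<servlet>
  <servlet-name>jsp</servlet-name>
  <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
  <init-param>
    <param-name>fork</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <param-name>development</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <param-name>checkInterval</param-name>
    <param-value>0</param-value>
  </init-param>
  <load-on-startup>3</load-on-startup>
</servlet>
```

Check the result by dropping a throwaway WAR into appBase on a test instance and confirming it never appears in the Manager application list; trusted applications then go in only through the listed Context elements.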
2015-02-26 14:43 GMT+01:00 Christopher Schultz <ch...@christopherschultz.net>:
> Aurélien,
>
> On 2/26/15 5:23 AM, Aurélien Terrestris wrote:
>> I agree with Leon.
>
> As do I. Apache httpd can change the attack surface somewhat, but if
> requests can still come from an untrusted remote client through to the
> application server, then you still have to protect the application server.
>
>> That said, a service account with low privileges only gives
>> filesystem protection; interesting data is usually stored in the
>> database and you won't be more protected against SQL injections or
>> even against a modified jsp stored by the hacker (like in some old
>> STRUTS vulnerabilities).
>
> Absolutely. SQL injections /should not/ be a problem with
> properly-written Java programs given how easy parameterized queries
> are with JDBC, but of course it's also easy to do it the wrong way
> and open yourself up. In this situation, it's the application that
> needs to be audited and not the container.
>
>> If you can't buy a real WAF, you still can configure Apache with
>> ModSecurity or even try the LUA experimental module (
>> http://blog.river-tiger.com/cheapest-application-firewall ) but
>> don't expect high performance with it.
>
> I had never heard of the LUA hack. I'll have to look into it.
>
> -chris
