Also trim down your server.xml (over a number of days if necessary) to only what is necessary.
If you only have to expose one webapp then only have one connector in that service, and one engine which has the only host inside it as the default and that has the only context inside it as your application. Then put liveDeploy="false" and autoDeploy="false" in the <Host>. Then you can go into %tomcat_home%/conf/web.xml and set the "listings" parameter to "false" so that nobody can see directory listings no matter what you do.

As for monitoring I would suggest putting an Apache web server in front of your Tomcat server, but if it's only for a short time this may be too much hassle. What you can do instead is to add an Access log valve to your <Engine> and monitor the contents of the access logs every day to see that there are no hack attempts coming in through port 80.

Also you might download a free portscanner from the web to see what ports are open on your machine. Once you have found the open ports use Windows to close down the programs that are listening on them.

Best of luck.

Andoni.

----- Original Message -----
From: "Richard" <[EMAIL PROTECTED]>
Newsgroups: gmane.comp.jakarta.tomcat.user
Sent: Wednesday, November 24, 2004 6:14 AM
Subject: Re: Protecting my web server

> Thanks a lot
>
>
> On Wed, 24 Nov 2004 07:58:37 +0200, Quinton Delpeche
> <[EMAIL PROTECTED]> wrote:
> > On Wednesday 24 November 2004 07:49, Richard wrote:
> > > Hi Quinton,
> >
> > Can't really check, but the following guidelines are good:
> >
> > -> Make sure your tomcat user does not have admin privileges on the server.
> > (Not sure how to do this on Windows, I am a linux person).
> >
> > -> Make sure your web-application doesn't have any funny code that might get
> > exploited by a proficient hacker (i.e. shell commands run as ROOT).
> >
> > -> Add a blank index.html to each directory of your web-app, this prevents
> > users from getting directory listings on your server.
> >
> > -> Ensure that you don't give away too much information in your URL (using ?
> > and & parameters). This can easily be prevented by implementing SSL and
> > ensuring that the users have to log on first.
> >
> > > How can you tell when your web-app is secure?
> > > Forgive me for asking too many questions, I'm just a newbie.
> >
> > No problem. I understand. :)
> >
> > > Thanks
> >
> > Q
> > --
> > Quinton Delpeche
> > Internal Systems Developer
> > Softline VIP
> >
> > Telephone: +27 12 420 7000
> > Direct: +27 12 420 7007
> > Facsimile: +27 12 420 7344
> >
> > http://www.vippayroll.co.za/
> >
> > For some reason, this fortune reminds everyone of Marvin Zelkowitz.
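As an added example (not code from this thread or from the Tomcat project), the Python script below turns Andoni's advice into checks you can run against a copy of conf/server.xml and conf/web.xml: one Service, one Connector, one Engine whose only Host is the default, exactly one Context, no automatic deployment, an AccessLogValve on the Engine, and the default servlet's "listings" parameter. It also scans access log lines in the valve's "common" format and groups failed or path-probing requests by client address, which is the daily review Andoni describes. The two server.xml samples (a loose one and a trimmed one), the web.xml fragment and the log lines are constructed for illustration; the host name www.example.test and docBase myapp are placeholders. It assumes the Tomcat 5.x attribute names autoDeploy and deployOnStartup on <Host> (Andoni mentions liveDeploy, which belongs to older releases).

```python
"""Checks for the hardening points in the post above (added example, not code from
the thread). Standard library only; all XML and log samples are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed "before": two connectors, automatic deployment, no access log.
LOOSE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080"/><Connector port="8009" protocol="AJP/1.3"/>
  <Engine name="Catalina" defaultHost="localhost"><Host name="localhost"
   appBase="webapps" autoDeploy="true"/></Engine></Service></Server>"""

# Constructed "after", laid out as the post describes: one Connector, one Engine whose
# only Host is the default, one explicit Context, no auto deployment, access log on Engine.
TRIMMED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="80"/>
  <Engine name="Catalina" defaultHost="www.example.test">
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
    <Host name="www.example.test" appBase="webapps"
          autoDeploy="false" deployOnStartup="false">
      <Context path="" docBase="myapp"/>
    </Host>
  </Engine></Service></Server>"""

def audit_server_xml(text):
    """Return a list of findings; an empty list means every check passed."""
    root, found = ET.fromstring(text), []
    services = root.findall("Service")
    if len(services) != 1:
        found.append("expected one Service, found %d" % len(services))
    for svc in services:
        if len(svc.findall("Connector")) != 1:
            found.append("expected one Connector")
        for eng in svc.findall("Engine"):
            if not any(v.get("className", "").endswith("AccessLogValve")
                       for v in eng.findall("Valve")):
                found.append("no AccessLogValve on Engine")
            hosts = eng.findall("Host")
            if len(hosts) != 1:
                found.append("expected one Host, found %d" % len(hosts))
            for host in hosts:
                if host.get("name") != eng.get("defaultHost"):
                    found.append("Host is not the Engine's defaultHost")
                for attr in ("autoDeploy", "deployOnStartup"):  # both default to true
                    if host.get(attr, "true").lower() != "false":
                        found.append("Host %s should be false" % attr)
                if len(host.findall("Context")) != 1:
                    found.append("expected exactly one Context in Host")
    return found

# Constructed conf/web.xml fragment with directory listings still enabled.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4"><servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
</servlet></web-app>"""

def _local(tag):  # strip the {namespace} prefix ElementTree puts on tag names
    return tag.rsplit("}", 1)[-1]

def listings_value(text):
    """Value of the default servlet's 'listings' init-param, or None if not set."""
    for servlet in ET.fromstring(text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        name, params = None, {}
        for child in servlet:
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in child}
                params[kv.get("param-name")] = kv.get("param-value")
        if name == "default":
            return params.get("listings")
    return None

# Common log format written by the valve above: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')
PROBE_RE = re.compile(r'\.\./|%2e%2e|/WEB-INF/|/META-INF/', re.I)

# Constructed sample: normal traffic from one address, probing from another.
SAMPLE_LOG = """10.0.0.5 - - [24/Nov/2004:08:01:12 +0200] "GET /index.jsp HTTP/1.1" 200 1043
10.0.0.5 - - [24/Nov/2004:08:01:13 +0200] "GET /images/logo.gif HTTP/1.1" 200 2288
192.0.2.77 - - [24/Nov/2004:08:05:40 +0200] "GET /../../WEB-INF/web.xml HTTP/1.0" 404 -
192.0.2.77 - - [24/Nov/2004:08:05:41 +0200] "GET /WEB-INF/web.xml HTTP/1.0" 404 -
192.0.2.77 - - [24/Nov/2004:08:05:42 +0200] "GET /index.jsp HTTP/1.0" 500 -"""

def review_access_log(text):
    """Map client address -> [(method, path, status)] for failed or probing requests."""
    flagged = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if status[0] in "45" or PROBE_RE.search(path):
            flagged.setdefault(ip, []).append((method, path, int(status)))
    return flagged
```

On a real installation, read conf/server.xml, conf/web.xml and the day's access log file and pass their contents to `audit_server_xml`, `listings_value` and `review_access_log` respectively; the trimmed sample yields no findings, the loose one reports every missing point, and the log review lists only the probing address.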