Hi Zeeman,

http://manpages.ubuntu.com/manpages/hardy/man1/authbind.1.html
Amongst other tips mentioned:

    authbind may not operate correctly with multithreaded programs. It is
    inherently very difficult (if not impossible) to perform the kind of
    trickery that authbind does while preventing all undesirable interactions
    between authbind's activities and those of (say) a threading runtime system.

For port-forwarding, most people either use dedicated hardware or iptables with a single DNAT target-rule to simply forward 80->8080 for the desired IP address (no need to use the FORWARD or REDIRECT targets).

As Anthony mentioned, this should be added to a startup script.

For security, you can chroot TomEE, use HTTP DIGEST auth to prevent plain-text password transmission to the /tomee app or other apps if using HTTP, and enforce an internal policy of using SFTP/FTPES for file or sensitive data transfers requiring logins as opposed to plaintext protocols (e.g. Tomcat Manager over HTTP, standard FTP).

If using /tomee, Tomcat Manager or other Realm-based container security, TC7+ (and TomEE) have a LockOutRealm which can be used to protect against single-IP brute-forcing.

Also of course lock down other obvious vulnerabilities on a fresh VPS or dedicated server as detailed on numerous guides on the net and ideally add some sort of automated IP blocking system, IP blacklisting and IDS as a first line of defence against bots.

To increase SSL security, see ssllabs.com and the TC7 docs for guides.

And as mentioned earlier, uninstall anything you don't *require for production*, on the OS, and on TomEE, to further limit the attack surface.

Best Regards,
Neale Rudd
Metawerx Java Hosting
www.metawerx.net
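A shell sketch of the single-DNAT-rule port forward mentioned above, added here as an example rather than taken from the mail. It assumes TomEE listens on 8080 on the same host as the forwarded address, uses a constructed documentation IP, and defaults to printing the commands (DRY_RUN=1) because installing rules requires root.

```shell
#!/bin/sh
# Added example (not from the original mail): forward inbound TCP/80 for one
# address to TomEE on 8080 with a DNAT rule in the nat table, plus the matching
# OUTPUT-chain rule so clients on the host itself are forwarded too.
# Assumptions: PUBLIC_IP is the address TomEE's host serves on; 203.0.113.10 is
# a constructed documentation address; DRY_RUN=1 prints instead of executing.
set -eu

PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"
DRY_RUN="${DRY_RUN:-1}"

# dnat_rule IP: print the match/target arguments for one 80->8080 DNAT rule.
dnat_rule() {
  ip="$1"
  printf '%s' "-d $ip -p tcp --dport 80 -j DNAT --to-destination $ip:8080"
}

# apply_rule CHAIN ARGS: add the rule only if an identical one is not already
# present (-C exits 0 when it exists), so a startup script can re-run safely.
# PREROUTING sees packets arriving from the network; OUTPUT sees packets
# generated locally, which never traverse PREROUTING.
apply_rule() {
  chain="$1"; args="$2"
  cmd="iptables -t nat -C $chain $args 2>/dev/null || iptables -t nat -A $chain $args"
  if [ "$DRY_RUN" = 1 ]; then
    echo "$cmd"
    return 0
  fi
  # shellcheck disable=SC2086  # word splitting of $args is intentional
  iptables -t nat -C $chain $args 2>/dev/null || iptables -t nat -A $chain $args
}

# forward_http IP: install both rules for the given address.
forward_http() {
  rule="$(dnat_rule "$1")"
  apply_rule PREROUTING "$rule"
  apply_rule OUTPUT "$rule"
}

forward_http "$PUBLIC_IP"
```

Run with DRY_RUN=0 as root from the startup script once the printed commands look right; the nat-table rules do not survive a reboot on their own.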


----- Original Message -----
From: "zeeman" <hamz...@fastmail.us>
To: <users@openejb.apache.org>
Sent: Wednesday, July 11, 2012 1:02 AM
Subject: Re: Tomee on port 80 on Linux in Production


Thank you guys. I don't see why Apache needs to be used; if Tomcat is not
secure enough to run on its own then we should not be using it. Apache can be
used if static content or software load balancing are needed.

The other two options are to use port forwarding as suggested by Anthony, or
authbind (allows unprivileged users to run on port 80). After reading around
online it seems that the latter option is the more reliable and performant
option. Forwarding by the OS will still take some extra time and complicate
server setup. Am I missing something?

--
View this message in context: http://openejb.979440.n4.nabble.com/Tomee-on-port-80-on-Linux-in-Production-tp4656198p4656206.html
Sent from the OpenEJB User mailing list archive at Nabble.com.