Date sent: Fri, 28 Mar 2008 16:07:26 -0400
From: "Hyatt, Gordon" <[EMAIL PROTECTED]>
Subject: Securing Tomcat on FC8
To: users@tomcat.apache.org
Send reply to: Tomcat Users List <users@tomcat.apache.org>
> I've just finished reading the Tomcat Security chapter of O'Reilly's
> Tomcat, The Definitive Guide that covers Tomcat 4 and have been left
> with many questions.
>
> First, a little background: I've set up a new web server on FC8 x86_64

If security is a concern for you then dump Fedora as your Linux distro. Fedora is not meant to be run on production systems. If you are looking for a distro that is free but well supported (as in security patches) for an extended period of time, I would recommend CentOS, which is a clone of Red Hat Enterprise Linux. Others also recommend Debian.

> running Sun Java 1.6.0_05 and Tomcat 5.5.26. I'm very familiar with
> Tomcat on Windows (developed and deployed there for many years), and
> am now moving to Linux for various reasons. I have some experience on
> Linux and am looking to improve. The server is in my company's data
> center and only ports 80 and 443 are visible to the outside. The
> local Linux guru is out this week and next, so I thought I'd at least
> start.
>
> Because this will be a web server, Tomcat will need to listen on ports
> 80 and 443. In order to do so, as I understand it, Tomcat needs to be
> run as root - something with which I'm not very comfortable. So the
> main question is:
>
> How do I get Tomcat to listen on 80 and 443 without running as root?

Use jsvc.

http://tomcat.apache.org/tomcat-5.5-doc/setup.html

> I thought of running Tomcat in a chroot jail, but that won't
> completely work, as it still needs to run as root for listening on
> these privileged ports. I've also thought about setting up port
> forwarding from 80 and 443 to, say, 8180 and 8543.
>
> I guess I'm looking for some advice/pointers/references for the "best"
> way to secure Tomcat.
>
> Any suggestions?

This is a guide which has been quoted/linked by others on this list and has some good tips.

http://www.owasp.org/index.php/Securing_tomcat

-Steve O.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
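The two ways of keeping Tomcat off root that come up in the exchange above, the jsvc launch Steve recommends and the port forwarding the poster considered, as an added example that is not code from the thread or from the Tomcat project. The script only prints the jsvc command and the iptables rules (nothing is applied), and it audits lsof-style listener output for a Java process that is root-owned or bound below 1024. CATALINA_HOME, JAVA_HOME, the pid-file path and the lsof sample lines are placeholders and constructed data; the ports 8180 and 8543 are the ones the poster suggested.

```shell
#!/bin/sh
# Added example (not from the thread or the Tomcat project).
#   jsvc_command         - prints the jsvc launch line; jsvc opens the privileged
#                          ports while still root, then switches to -user before
#                          Tomcat's own code starts serving requests
#   redirect_rules       - prints iptables NAT rules forwarding 80/443 to the
#                          unprivileged connector ports (the poster's alternative)
#   check_java_listeners - audits lsof-style output for a root-owned Java
#                          process or a Java listener below port 1024
# Paths below are placeholders (assumptions), not a real FC8 layout.

CATALINA_HOME=${CATALINA_HOME:-/opt/tomcat5.5}     # placeholder
JAVA_HOME=${JAVA_HOME:-/usr/java/jdk1.6.0_05}      # placeholder
TOMCAT_USER=${TOMCAT_USER:-tomcat}                 # unprivileged account

# Print (not run) the jsvc invocation for Tomcat 5.5's Bootstrap class.
jsvc_command() {
    cp="$CATALINA_HOME/bin/bootstrap.jar:$CATALINA_HOME/bin/commons-daemon.jar"
    printf '%s\n' \
        "jsvc -user $TOMCAT_USER -home $JAVA_HOME" \
        "  -Dcatalina.home=$CATALINA_HOME -Djava.io.tmpdir=$CATALINA_HOME/temp" \
        "  -pidfile /var/run/tomcat.pid" \
        "  -outfile $CATALINA_HOME/logs/catalina.out -errfile '&1'" \
        "  -cp $cp org.apache.catalina.startup.Bootstrap"
}

# Print (not run) NAT rules so Tomcat can stay on high ports as a normal user.
redirect_rules() {
    http_port=${1:-8180}
    https_port=${2:-8543}
    printf 'iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port %s\n' "$http_port"
    printf 'iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port %s\n' "$https_port"
    # Connections from the host itself skip PREROUTING; the OUTPUT chain covers them.
    printf 'iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port %s\n' "$http_port"
    printf 'iptables -t nat -A OUTPUT -o lo -p tcp --dport 443 -j REDIRECT --to-port %s\n' "$https_port"
}

# Read lsof-style listener lines (e.g. from "lsof -nP -iTCP -sTCP:LISTEN") on
# stdin. Print every Java listener owned by root or bound below 1024 and exit 1
# if any was found; exit 0 when the listener set is clean.
check_java_listeners() {
    awk '
        $1 == "java" && $NF == "(LISTEN)" {
            n = split($(NF-1), a, ":")     # NAME looks like *:8180 or [::]:8180
            port = a[n] + 0
            if ($3 == "root" || port < 1024) {
                printf "BAD user=%s port=%d\n", $3, port
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample output: a correct deployment and a root-on-80/443 one.
SAMPLE_GOOD='COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    1234 tomcat   34u  IPv6  12345      0t0  TCP *:8180 (LISTEN)
java    1234 tomcat   35u  IPv6  12346      0t0  TCP *:8543 (LISTEN)
sshd     900   root    3u  IPv4   9000      0t0  TCP *:22 (LISTEN)'
SAMPLE_BAD='java    1234   root   34u  IPv6  12345      0t0  TCP *:80 (LISTEN)
java    1234   root   35u  IPv6  12346      0t0  TCP *:443 (LISTEN)'

# Stand-alone run: show both launch options, then audit the constructed samples.
jsvc_command
redirect_rules
printf '%s\n' "$SAMPLE_GOOD" | check_java_listeners && echo "ok: no root-owned or privileged Java listeners"
printf '%s\n' "$SAMPLE_BAD" | check_java_listeners || echo "violations found (expected for the bad sample)"
```

With jsvc the connectors in server.xml stay on 80 and 443 and the process ends up owned by the unprivileged account; with the REDIRECT rules the connectors move to 8180/8543 and Tomcat is started as that account directly. Either way the audit function should report nothing on a live host; a `BAD` line means the process is still holding a privileged socket or still running as root.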