Hardening non-root standalone Linux Tomcat install

Posted by NoozNooz42 on Server Fault
Published on 2010-06-09T14:50:47Z Indexed on 2010/06/09 14:53 UTC


I want to know if you have any tips as to how to strengthen the security of a non-root install of Tomcat in standalone mode once Tomcat is already installed in a non-root account, in standalone mode.

I point this out because, for example, I'm not at all interested in the answers given here (because both Java and Tomcat require root privileges there to be installed, and I've got zero interest in running jsvc):

http://serverfault.com/questions/43765

So far, here's what I've done for my non-root standalone Tomcat 6 install:

  • download and install the JRE .bin provided by Oracle/Sun (no need to be root here) (no need for a full JDK anymore, right, seeing that Jasper [Tomcat's JSP engine] has its own compiler now?)

  • download and tar -xzf tomcat 6 (no need to be root here)

  • set up transparent port-forwarding (must be root here)

Note that my distribution is a Debian one and I have exactly zero interest in downloading Debian package / backports / whatever... Because, once again, I DO NOT want to need to be root to install Java & Tomcat. The only moment I needed to be root was to configure the firewall to transparently do the port forwarding 80 <--> 8080 and 443 <--> 8443.

I then deleted all the default webapps but one:

cd ~/apache-tomcat-6.0.26/webapps
rm -rf docs
rm -rf examples/
rm -rf manager/
rm -rf ROOT/

What about the directory ~/apache-tomcat-6.0.26/webapps/host-manager, do I need it or can I delete it?

So, once I've installed Tomcat standalone in a non-root account (and taken into account that I don't want to enter the root password anymore and that I don't plan to install the whole Apache shebang), what more can I do?

Are there connectors I can disable? (how?)
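An added example, not code from the question or from Tomcat, that audits a non-root standalone Tomcat 6 tree for the two points raised above: stock webapps still present under webapps/ (host-manager included, as it is one of the default admin webapps) and the connectors left enabled in conf/server.xml. It assumes the stock layout (webapps/ and conf/server.xml under the install directory) and builds a constructed sample tree so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the question or from Tomcat: audit a non-root,
# standalone Tomcat 6 tree for leftover default webapps and for the
# connectors still enabled in conf/server.xml.
# Assumes the stock layout (webapps/ and conf/server.xml under the install dir).

# Print the names of the stock webapps still present under the webapps dir.
leftover_webapps() {
  for app in docs examples manager host-manager ROOT; do
    [ -d "$1/$app" ] && echo "$app"
  done
  return 0
}

# Print "port protocol" for every <Connector> that is not commented out.
# In a standalone install with nothing in front of Tomcat the stock AJP/1.3
# connector on 8009 has no client; deleting its element disables it.
active_connectors() {
  awk 'BEGIN { c = 0 }                       # strip XML comments, join lines
       { s = $0
         while (length(s) > 0) {
           if (c) { i = index(s, "-->"); if (!i) { s = ""; break }
                    s = substr(s, i + 3); c = 0 }
           else   { i = index(s, "<!--"); if (!i) { printf "%s ", s; s = ""; break }
                    printf "%s ", substr(s, 1, i - 1); s = substr(s, i + 4); c = 1 }
         } }
       END { print "" }' "$1" |
  grep -o '<Connector[^>]*>' |
  while read -r el; do
    port=$(printf '%s\n' "$el" | sed -n 's/.*port="\([0-9]*\)".*/\1/p')
    proto=$(printf '%s\n' "$el" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
    echo "$port ${proto:-HTTP/1.1}"          # HTTP/1.1 is Tomcat's default
  done
}

# Constructed sample tree (not a real install) so the script runs offline.
SAMPLE=$(mktemp -d); trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/webapps/docs" "$SAMPLE/webapps/host-manager" "$SAMPLE/webapps/myapp" "$SAMPLE/conf"
cat > "$SAMPLE/conf/server.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                    scheme="https" secure="true" /> -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
EOF
echo "leftover default webapps:"; leftover_webapps "$SAMPLE/webapps"
echo "active connectors:";        active_connectors "$SAMPLE/conf/server.xml"
```

Run it against a real install by pointing the two functions at `$CATALINA_HOME/webapps` and `$CATALINA_HOME/conf/server.xml`; the commented-out SSL connector in the sample is correctly not reported.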

© Server Fault or respective owner
