Who's the target audience? Things like:

> Change files in CATALINA_HOME/conf to be readonly (400) ... Rename CATALINA_HOME/conf/server.xml to CATALINA_HOME/conf/server-original.xml and rename CATALINA_HOME/conf/server-minimal.xml to CATALINA_HOME/conf/server.xml. The minimal configuration provides the same basic configuration, but without the nested comments is much easier to maintain and understand. Do not delete the original file as the comments make it useful for reference if you ever need to make changes - e.g. enable SSL.

won't work for dummies (due to missing rights) if they follow the guide step by step.

> Make sure tomcat user has read/write access to /tmp and write (300 - yes, only write/execute) access to CATALINA_HOME/logs

What is the sense of it? I mean, if the tomcat user owns this directory, why remove read access to it?

> If you are on a Windows machine you will be able to change the port attribute of the connector within the Catalina service from 8080 to 80. This allows you to use tomcat directly to serve all requests. Depending on your requirements it may not be good enough to serve directly from Tomcat so you may like to consider;
> * Use IIS / Apache running on port 80 and mod_jk to proxy requests to Tomcat

Using IIS in front, are you kidding? :-)) It's like opening your arms and welcoming every single intruder on the net :-) Also, by using Apache in front of Tomcat you rather lose security than gain it. At least this is my personal opinion :-)

Overall a nice article which I think provides a good quick-start.

regards
Leon

On 1/9/07, Darren <[EMAIL PROTECTED]> wrote:
> I've been working on an article about securing tomcat for the Open Web Application Security Project (OWASP). The article details some quick and easy ways to improve the 'out of the box' security of tomcat from the perspective of a sysadmin. It's written with tomcat 5.5 in mind, but almost everything will apply to 6.0 when it is released. A lot of it will also apply to older versions of tomcat, but no specific testing has been done to establish this. Have a read of the article at https://www.owasp.org/index.php/Securing_tomcat and reply to the list with any comments - good or bad!
>
> Thanks,
> Darren
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
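The filesystem steps quoted in the thread (read-only conf files, the swapped-in minimal server.xml, and the write/execute-only logs directory), as an added example that is not part of the thread or the OWASP article: a POSIX shell script that applies them to a CATALINA_HOME and then re-checks the result so a sysadmin can confirm the step actually took. The CATALINA_HOME layout it works on is a constructed skeleton built in a temp directory, the file name harden.sh and the user name "tomcat" in the chown comment are assumptions, and ownership changes are shown only as a comment because chown needs root.

```shell
#!/bin/sh
# Added example, not code from the thread or the OWASP article: applies the
# quoted CATALINA_HOME steps and re-checks them. Works with GNU and BSD stat.
set -eu

# Constructed skeleton of a CATALINA_HOME in a temp dir (sample layout, not a
# real install), so the script runs offline.
make_fake_catalina_home() {
    dir=$(mktemp -d)
    mkdir -p "$dir/conf" "$dir/logs"
    printf '<!-- long commented reference config -->\n<Server port="8005"></Server>\n' \
        > "$dir/conf/server.xml"
    printf '<Server port="8005"></Server>\n' > "$dir/conf/server-minimal.xml"
    printf '<tomcat-users></tomcat-users>\n' > "$dir/conf/tomcat-users.xml"
    echo "$dir"
}

# Quoted step: keep the commented original under a new name, promote the
# minimal file to server.xml.
swap_server_xml() {
    home=$1
    mv "$home/conf/server.xml" "$home/conf/server-original.xml"
    mv "$home/conf/server-minimal.xml" "$home/conf/server.xml"
}

# Quoted step: conf files 400, logs directory 300. Ownership is left alone
# because chown needs root; on a real host (assumed user name "tomcat"):
#   chown -R tomcat "$home/conf" "$home/logs"
harden_perms() {
    home=$1
    chmod 400 "$home"/conf/*
    chmod 300 "$home/logs"
}

# Octal permission bits of a path; GNU stat first, BSD stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Re-check: every conf file is 400, logs is 300, the original server.xml was
# kept. Prints one FAIL line per deviation and returns 1 if any were found.
check_perms() {
    home=$1
    rc=0
    for f in "$home"/conf/*; do
        m=$(mode_of "$f")
        [ "$m" = "400" ] || { echo "FAIL: $f is $m, want 400"; rc=1; }
    done
    m=$(mode_of "$home/logs")
    [ "$m" = "300" ] || { echo "FAIL: $home/logs is $m, want 300"; rc=1; }
    [ -f "$home/conf/server-original.xml" ] \
        || { echo "FAIL: $home/conf/server-original.xml missing"; rc=1; }
    return $rc
}

# Demo run, only when invoked as: sh harden.sh --demo
if [ "${1:-}" = "--demo" ]; then
    h=$(make_fake_catalina_home)
    swap_server_xml "$h"
    harden_perms "$h"
    check_perms "$h" && echo "OK: $h"
fi
```

Run it as `sh harden.sh --demo` to build the skeleton, apply the two steps and see the check pass; point `swap_server_xml`, `harden_perms` and `check_perms` at a real CATALINA_HOME (as root, after the chown) to use it for real. Only the files inside conf go to 400; the conf directory itself keeps its mode, otherwise Tomcat could not open the files at all.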