LinuxQuestions.org
Old 03-10-2007, 04:53 PM   #1
jsbali
LQ Newbie
 
security holes in FC6 directly affecting a secure installation of apache tomcat


Hi
I am going to install apache tomcat in FC6 environment.
I'll be securing this installation using some predefined methods.
Before I start with the secure installation of the webserver, I wanted to know
what type of security holes in FC6 (after scanning it with Nessus and Nmap) would
be a direct threat to the secure installation of Apache and are mandatory to fix.

Regards,
Jas
 
Old 03-11-2007, 01:14 PM   #2
unSpawn
Moderator
 
Quote:
I am going to install apache tomcat in FC6 environment.

What is the purpose of the box (before you answer count services first)?
Will the network location of the box be secured and isolated during the build phase?

Quote:
I'll be securing this installation using some predefined methods.

Please post your list of steps to take?
 
Old 03-11-2007, 11:15 PM   #3
jsbali
LQ Newbie
 
Quote:
What is the purpose of the box (before you answer count services first)?

The box would just be used as a dedicated webserver.

Quote:
Will the network location of the box be secured and isolated during the build phase?

Not really

Steps taken to secure the apache tomcat webserver described on a high level are as follows:-

1. Run jsvc tool to unbind tomcat process from connector ports (80/443) and make it run as a daemon process.

2. Update firewall rules to close all outgoing communication from the webserver except related/established. Only allow TCP connection (reject everything except communication on ports 80/443). I'm not sure about what else I'll be doing with the firewall rules. These are a few things that I have in my mind at a very high level.

3. Make any incoming request to the webserver secure using server side certificates. This I'll essentially do using SSL.

4. Make a chroot jail (its usage is pretty obvious I think)

5. Use some decent Intrusion Detection System and keep checking its log from time to time so that I'm aware of any unwanted intrusion that occurred even after making my webserver secure through aforementioned steps.

Thanks,
Jas
 
Old 03-12-2007, 04:26 PM   #4
unSpawn
Moderator
 
Quote:
Originally Posted by jsbali
What is the purpose of the box (before you answer count services first)?

The box would just be used as a dedicated webserver.

OK. The first thing to question would be distro choice. RHEL and RHEL-alikes like CentOS are more geared towards stable production environment use with a longer support cycle compared to FC. Next, since this sole purpose is "webserver", there's a lot you can strip post-install or choosing custom install. Less SW means a smaller footprint wrt vulns and less maintenance which in turn means more stability and (hopefully) less downtime.


Quote:
Originally Posted by jsbali
Will the network location of the box be secured and isolated during the build phase?
Not really

You could restrict access (firewall) to your management IP (ranges) during the install/configuration/test phases.


Quote:
Originally Posted by jsbali
2. Update firewall rules to close all outgoing communication from the webserver except related/established. Only allow TCP connection (reject everything except communication on ports 80/443). I'm not sure about what else I'll be doing with the firewall rules. These are a few things that I have in my mind at a very high level.

Filtering should be both inbound and outbound, minimally discard private ranges (bogons) and could contain limiting rules if you make the webserver face the network directly. Adding logging rules helps troubleshooting and auditing.


Quote:
Originally Posted by jsbali
5. Use some decent Intrusion Detection System and keep checking its log from time to time so that I'm aware of any unwanted intrusion that occurred even after making my webserver secure through aforementioned steps.

It really depends on the context the webserver is placed in and you have to remember successfully securing a box depends on applying multiple layers of protection and adjusting when necessary (no "fire and forget"). O.S.-wise you have access to SELinux which can improve O.S. and service level security by for instance denying the Apache user access to D/L tools like wget. Service-wise you have for instance mod_security (O'Reilly link) and wrt network a (reverse) proxy also is an option to help restrict access. Next to those deploying an IDS is always a good choice. Don't forget the system-side of things and do load a filesystem integrity checker (Aide, Samhain). I'm sure I haven't touched all of it, so do check out the LQ FAQ: Security references if you can.

HTH
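
The firewall advice in post #4 (filter inbound and outbound, discard private ranges, add logging rules, restrict access to the management range during the build) written out as an iptables-restore ruleset generator. This is an added example, not part of the thread; the eth0 interface, admin SSH on tcp/22 and the 192.0.2.0/24 management range are assumptions.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a dedicated web server.
# Assumed, not from the thread: interface eth0, admin SSH on tcp/22, and the
# management range given as an argument.
# emit_rules PHASE MGMT_CIDR [IFACE]
#   build: ports 22/80/443 reachable only from the management range
#   live : 80/443 open to everyone, 22 still limited to the management range
emit_rules() {
    phase=$1; mgmt=$2; ifc=${3:-eth0}
    case $phase in
        build|live) ;;
        *) echo "phase must be build or live" >&2; return 2 ;;
    esac
    if ! printf '%s\n' "$mgmt" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; then
        echo "management range must be an IPv4 CIDR" >&2; return 2
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $ifc -p tcp -s $mgmt -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT
EOF
    # Private and loopback source addresses arriving on the outside interface
    # are dropped. This comes after the management rule so that a management
    # range inside private address space is not locked out.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        echo "-A INPUT -i $ifc -s $net -j DROP"
    done
    if [ "$phase" = live ]; then
        echo "-A INPUT -i $ifc -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT"
    fi
    # Log (rate-limited) whatever falls through to the DROP policies. Outbound
    # allows replies only, so DNS lookups and updates need their own rules.
    cat <<EOF
-A INPUT -m limit --limit 6/min -j LOG --log-prefix "fw-in-drop: "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "fw-out-drop: "
COMMIT
EOF
}
# Constructed management range (documentation prefix). Review the output,
# then load it as root with: emit_rules build 192.0.2.0/24 | iptables-restore
emit_rules build 192.0.2.0/24
```

Switching the first argument from `build` to `live` adds the public 80/443 rule after the private-range drops, so spoofed private sources never reach it.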
 
  

