Hi
I am going to install apache tomcat in FC6 environment.
I'll be securing this installation using some predefined methods.
Before I start up with the secure installation of webserver, I wanted to know
what type of security holes in FC6 (after scanning it through nessus and nmap) would
be a direct threat on the secure installation of apache and are mandatory to be fixed.

Regards,
Jas

I am going to install apache tomcat in FC6 environment.
What is the purpose of the box (before you answer count services first)?
Will the network location of the box be secured and isolated during the build phase?


I'll be securing this installation using some predefined methods.
Please post your list of steps to take?

What is the purpose of the box (before you answer count services first)?

The box would just be used as a dedicated webserver.

Will the network location of the box be secured and isolated during the build phase?
Not really

Steps taken to secure the apache tomcat webserver described on a high level are as follows:-

1. Run jsvc tool to unbind tomcat process from connector ports (80/443) and make it run as a deamon process.

2. Update firewall rules to close all outgoing communication from the webserver except related/established. Only allow TCP connection (reject everything except communication on ports 80/443). I'm not sure about what else i'll be doing with the firewall rules. These are a few things that I have in my mind of a very high level.

3. Make any incoming request to the webserver secure using server side certificates. This I'll essentially do using SSL.

4. Make a chroot jail (its usage is pretty obvious i think)

5. Use some decent Intrusion Detection System and keep checking its log on time to time basis so that I'm aware of any unwanted intrusion that occured even after making my webserver secure through aforementioned steps.

Thanks,
Jas

OK. The first thing to question would be distro choice. RHEL and RHEL-alikes like CentOS are more geared towards stable production environment use with a longer support cycle compared to FC. Next, since this sole purpose is "webserver", there's a lot you can strip post-install or chosing custom install. Less SW means a smaller footprint wrt vulns and less maintenance which in turn means more stability and (hopefully) less downtime.


You could restrict access (firewall) to your management IP (ranges) during the install/configuration/test phases.


Filtering should be both inbound and outbound, minimally discard private ranges (bogons) and could contain limiting rules if you make the webserver face the network directly. Adding logging rules helps troubleshooting and auditing.


It really depends on the context the webserver is placed in and you have to remember successfully securing a box depends on applying multiple layers of protection and adjusting when necessary (no "fire and forget"). O.S.-wise you have access to SELinux which can improve O.S. and service level security by for instance denying the Apache user access to D/L tools like wget. Service-wise you have for instance mod_security (O'Reilly link) and wrt network a (reverse) proxy also is an option to help restrict access. Next to those deploying an IDS is always a good choice. Don't forget the system-side of things and do load a filesystem integrity checker (Aide, Samhain). I'm sure I haven't touched all of it, so do check out the LQ FAQ: Security references if you can.

HTH