Thursday, December 24, 2009

Hardening guide for Tomcat 5.5 on Solaris 10 platform

Blog Has Moved

Link to the same post in the new blog: Hardening guide for Tomcat 5.5 on Solaris 10 platform

Pre-installation notes
This guide explains how to install SUN JDK 1.6 build 15 and Tomcat 5.5 on SUN Solaris 10.

Installation phase
1. Login to the server using Root account.
2. Make sure the folder /usr/jdk exists:
ls -ad /usr/jdk
3. If the folder /usr/jdk doesn’t exist, create it manually:
mkdir /usr/jdk
4. Copy JDK 1.6 scripts (32bit and x64) into /usr/jdk
5. Move to /usr/jdk folder
cd /usr/jdk
6. Change the permissions on the JDK 1.6 (32bit) script:
chmod +x jdk-6u15-solaris-i586.sh
7. Run the command below to install JDK 1.6 (32bit):
./jdk-6u15-solaris-i586.sh
8. Change the permissions on the JDK 1.6 (x64) script:
chmod +x jdk-6u15-solaris-x64.sh
9. Run the command below to install JDK 1.6 (x64):
./jdk-6u15-solaris-x64.sh
10. Delete the installer scripts, the source archive and the demo/sample code:
rm /usr/jdk/jdk-6u15-solaris-i586.sh
rm /usr/jdk/jdk-6u15-solaris-x64.sh
rm /usr/jdk/jdk1.6.0_15/src.zip
rm -r /usr/jdk/jdk1.6.0_15/demo
rm -r /usr/jdk/jdk1.6.0_15/sample
11. Remove the existing Java link:
rm /usr/bin/java
12. Create a new link for Java (for x64 servers):
ln -s /usr/jdk/jdk1.6.0_15/bin/amd64/java /usr/bin
13. Reload the links into memory:
rehash
14. Mount the Solaris 10 DVD and move to the packages folder:
cd /cdrom/sol_10_1008_x86/Solaris_10/Product
15. Run the command below to install the Tomcat packages:
pkgadd -d . SUNWtcatr SUNWtcatu
16. Remove the following default folders:
rm -r /usr/apache/tomcat55/webapps/tomcat-docs
rm /var/apache/tomcat55/webapps/tomcat-docs
rm /var/apache/tomcat55/webapps/ROOT/RELEASE-NOTES.txt
rm -r /var/apache/tomcat55/webapps/jsp-examples
rm -r /var/apache/tomcat55/webapps/servlets-examples
rm -r /var/apache/tomcat55/webapps/webdav
rm -r /var/apache/tomcat55/webapps/balancer
17. Copy the server.xml configuration file:
cp /var/apache/tomcat55/conf/server.xml-example /var/apache/tomcat55/conf/server.xml
Note: The above command should be written as one line.
18. Edit using VI, the file /var/apache/tomcat55/conf/server.xml
• Uncomment the section below:
org.apache.catalina.valves.AccessLogValve
• Replace the non-SSL HTTP/1.1 Connector (element and attribute names are case-sensitive):
From:
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" />

To:
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" debug="off" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" tcpNoDelay="true" />

19. Edit using VI, the file /var/apache/tomcat55/conf/web.xml and add the following sections, before the end of the “web-app” tag:
<!-- Define a Security Constraint on this Application -->
<security-constraint>
<web-resource-collection>
<web-resource-name>HTMLManager and Manager command</web-resource-name>
<url-pattern>/jmxproxy/*</url-pattern>
<url-pattern>/html/*</url-pattern>
<url-pattern>/list</url-pattern>
<url-pattern>/sessions</url-pattern>
<url-pattern>/start</url-pattern>
<url-pattern>/stop</url-pattern>
<url-pattern>/install</url-pattern>
<url-pattern>/remove</url-pattern>
<url-pattern>/deploy</url-pattern>
<url-pattern>/undeploy</url-pattern>
<url-pattern>/reload</url-pattern>
<url-pattern>/save</url-pattern>
<url-pattern>/serverinfo</url-pattern>
<url-pattern>/status/*</url-pattern>
<url-pattern>/roles</url-pattern>
<url-pattern>/resources</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>

<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Tomcat Manager Application</realm-name>
</login-config>

<security-role>
<description>
The role that is required to log in to the Manager Application
</description>
<role-name>manager</role-name>
</security-role>

20. Edit using VI, the file /var/apache/tomcat55/conf/tomcat-users.xml and add the following lines:
<role rolename="admin"/>
<role rolename="manager"/>
<user username="admin" password="adminpass" roles="admin,manager"/>

Note: Specify a complex password for the admin account (and document it).
21. Edit using VI, the file /var/apache/tomcat55/conf/Catalina/localhost/admin.xml
• Uncomment the section below:
org.apache.catalina.valves.RemoteAddrValve
• Replace the data of the value below:
From:
allow="127.0.0.1"
To:
allow="172.16.*.*"
Note: You may replace “172.16.*.*” with your internal network segment.
Example: allow="128.117.140.62, 128.117.140.63, 128.117.140.99"
22. Edit using VI, the file /var/apache/tomcat55/conf/Catalina/localhost/manager.xml
• Inside the “Context” section, add the following line:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="172.16.*.*"/>
Note: You may replace “172.16.*.*” with your internal network segment.
Example: allow="128.117.140.62, 128.117.140.63, 128.117.140.99"
23. Move to the folder /usr/apache/tomcat55/server/lib
cd /usr/apache/tomcat55/server/lib
24. Extract the file catalina.jar
jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
25. Edit using VI, the file /usr/apache/tomcat55/server/lib/org/apache/catalina/util/ServerInfo.properties
• Replace the string below from:
server.info=Apache Tomcat/5.5.26
To:
server.info=Secure Web server
• Replace the string below from:
server.number=5.5.26.0
To:
server.number=1.0.0.0
26. Move to the folder /usr/apache/tomcat55/server/lib
cd /usr/apache/tomcat55/server/lib
27. Repackage the file catalina.jar
jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
28. Remove the folder below:
rm -r /usr/apache/tomcat55/server/lib/org
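Steps 23 to 28 rewrite two keys in ServerInfo.properties inside catalina.jar by hand. The following added example (not part of the original post and not Tomcat tooling) performs the same edit with Python's zipfile module, copying every other jar entry unchanged, so it can be re-run after each upgrade without leaving an extracted org/ tree behind. The jar it operates on here is a small constructed sample built inline; on a real server you would point patch_jar at /usr/apache/tomcat55/server/lib/catalina.jar. Note that masking the banner only hides the version string from clients; the actual patch level still has to be tracked in inventory.

```python
import os
import shutil
import tempfile
import zipfile

# Jar entry the guide edits.
ENTRY = "org/apache/catalina/util/ServerInfo.properties"

# Constructed sample content in the shape the guide shows (not copied from a
# real catalina.jar); the third key stands in for unrelated lines.
SAMPLE_PROPERTIES = (
    "server.info=Apache Tomcat/5.5.26\n"
    "server.number=5.5.26.0\n"
    "server.built=Jan 1 2009 00:00:00\n"
)

# Replacement values from steps 25 of the guide.
GUIDE_REPLACEMENTS = {"server.info": "Secure Web server", "server.number": "1.0.0.0"}


def rewrite_properties(text, replacements):
    """Replace the value of each listed key; every other line is kept as-is."""
    out = []
    for line in text.splitlines():
        key, sep, _ = line.partition("=")
        if sep and key.strip() in replacements:
            line = f"{key.strip()}={replacements[key.strip()]}"
        out.append(line)
    return "\n".join(out) + "\n"


def patch_jar(jar_path, replacements):
    """Write a new jar next to jar_path with ENTRY rewritten, then swap it in.

    A jar is a zip archive and ZipFile cannot edit entries in place, so all
    other entries are copied through with their original ZipInfo metadata.
    Properties files are ISO-8859-1, hence the latin-1 codec.
    """
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == ENTRY:
                data = rewrite_properties(data.decode("latin-1"), replacements).encode("latin-1")
            dst.writestr(item, data)
    shutil.move(tmp_path, jar_path)


def read_entry(jar_path):
    """Return the current text of ENTRY, for verification after patching."""
    with zipfile.ZipFile(jar_path) as jar:
        return jar.read(ENTRY).decode("latin-1")


def make_sample_jar(path):
    """Build the constructed sample jar: a manifest plus ENTRY."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(ENTRY, SAMPLE_PROPERTIES)


def demo():
    """End-to-end run in a throwaway directory; returns the rewritten entry."""
    workdir = tempfile.mkdtemp()
    try:
        jar = os.path.join(workdir, "catalina.jar")
        make_sample_jar(jar)
        patch_jar(jar, GUIDE_REPLACEMENTS)
        return read_entry(jar)
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo(), end="")
```

After patching, read_entry is the check a practitioner wants before restarting Tomcat: the two edited keys carry the new values and the remaining lines are untouched.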
29. Create a user account for the Tomcat service:
mkdir /home/tomcat
groupadd tomcat
useradd -s /bin/sh -d /home/tomcat -g tomcat tomcat
chown tomcat:tomcat /home/tomcat/

passwd tomcat
passwd -l tomcat

30. Create using VI, the file /etc/init.d/tomcat with the following content:
#!/bin/sh
#
# Startup script for Tomcat
#
JAVA_HOME=/usr/jdk/jdk1.6.0_15
TOMCAT_BIN=/usr/apache/tomcat55/bin

case "$1" in
start)
    echo "Starting Tomcat"
    # "su -" opens a login shell with a fresh environment, so JAVA_HOME is
    # exported inside the command; quoting keeps "-security" as an argument
    # to startup.sh rather than to su.
    su - tomcat -c "JAVA_HOME=$JAVA_HOME; export JAVA_HOME; $TOMCAT_BIN/startup.sh -security"
    ;;
stop)
    echo "Stopping Tomcat"
    su - tomcat -c "JAVA_HOME=$JAVA_HOME; export JAVA_HOME; $TOMCAT_BIN/shutdown.sh"
    ;;
restart)
    $0 stop
    $0 start
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac

exit 0
31. Change the permissions on the file /etc/init.d/tomcat
chmod u+x /etc/init.d/tomcat
32. Create symbolic links for system-level startup:
ln -s /etc/init.d/tomcat /etc/rc3.d/K01tomcat
ln -s /etc/init.d/tomcat /etc/rc3.d/S99tomcat

33. Reload the links into memory:
rehash
34. Change ownership of all server files to the tomcat user:
chown -R tomcat:tomcat /var/apache/tomcat55/*
chown -R tomcat:tomcat /usr/apache/tomcat55/*
