tomee-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Neale Rudd" <ne...@metawerx.net>
Subject Re: Tomee on port 80 on Linux in Production
Date Tue, 10 Jul 2012 16:53:48 GMT
Hi Zeeman,

http://manpages.ubuntu.com/manpages/hardy/man1/authbind.1.html
Amongst other tips mentioned:
authbind may not operate correctly with multithreaded programs.  It  is
       inherently  very  difficult  (if not impossible) to perform the kind 
of
       trickery  that  authbind  does   while   preventing   all 
undesirable
       interactions  between  authbind's  activities  and  those  of  (say) 
a
       threading runtime system.

For port-forwarding, most people either use dedicated hardware or iptables 
with a single DNAT target-rule to simply forward 80->8080 for the desired IP 
address (no need to use the FORWARD or REDIRECT targets).

As Anthony mentioned, this should be added to a startup script.

For security, you can chroot tomee, use HTTP DIGEST auth to prevent 
plain-text password transmission to the /tomee app or other apps if using 
HTTP, and enforce an internal policy of using SFTP/FTPES for file or 
sensitive data transfers requiring logins as opposed to plaintext protocols 
(eg: Tomcat Manager over HTTP, standard FTP).

If using /tomee, Tomcat Manager or other Realm-based container security, 
TC7+ (and TomEE) have a LockOutRealm which can be used to protect against 
single-IP brute-forcing.

Also of course lock down other obvious vulnerabilities on a fresh VPS or 
dedicated server as detailed on numerous guides on the net and ideally add 
some sort of automated IP blocking system, IP blacklisting and IDS as a 
first line of defence against bots.

To increase SSL security, see ssllabs.com and the TC7 docs for guides.

And as mentioned earlier, uninstall anything you don't *require for 
production*, on the OS, and on TomEE, to further limit the attack surface.

Best Regards,
Neale Rudd
Metawerx Java Hosting
www.metawerx.net


----- Original Message ----- 
From: "zeeman" <hamzah0@fastmail.us>
To: <users@openejb.apache.org>
Sent: Wednesday, July 11, 2012 1:02 AM
Subject: Re: Tomee on port 80 on Linux in Production


> Thank you guys. I don't see why Apache needs to be used, if Tomcat is not
> secure enough to run on its then we should not be using it. Apache can be
> used if static content or software load balancing are needed.
>
> The other two options are to use port forwarding as suggested by Anthony, 
> or
> authbind (allows unprivileged users to run port 80). After reading around
> online it seems that the later option is the more reliable and performant
> option. Forwarding by the OS will still take some extra time and 
> complicate
> server setup. Am I missing something?
>
> --
> View this message in context: 
> http://openejb.979440.n4.nabble.com/Tomee-on-port-80-on-Linux-in-Production-tp4656198p4656206.html
> Sent from the OpenEJB User mailing list archive at Nabble.com. 


Mime
View raw message