[FX.php List] [OFF] Tomcat Security?

Joel Shapiro jsfmp at earthlink.net
Wed Jul 25 14:40:18 MDT 2012


Hi all

A client forwarded an email from their co's IT about a recent successful attack on one of their public-facing sites that had "exploited a vulnerability in Tomcat/STRUTS2".  The FM/CWP website that I work on for them is behind a firewall and reportedly not at risk of this, but I'm curious...  

Do people here do anything specific to maintain/bolster Tomcat security?


The co. forwarded the following steps that can be taken for sites at risk.  Do any of you normally do any of these?  (#4 especially surprised me. Is this not the default?)

<quote>
2. Patch, update, and secure your Tomcat and (other web platform) installs.
3. If these are vendor-supported and the vendor will not provide patches, it may be helpful to utilize web proxies, such as Apache mod_security, to close off holes individually.
4. Pay close attention to your file system privileges!  Apache should run as an unprivileged user with write access to as few things as possible
5. Consider egress filtering on webservers (allow inbound to web_ports but only allow response traffic back outbound - this helps prevent attackers from downloading their toolkits from hacker sites) with your host based firewall
6. Consider chrooting your webserver, if you can
8. Ensure that your webserver is logging, and that your system logs (and web if possible) are being spooled to a remote syslog server
9. DON'T strip passwords from your SSL keys for auto-startup.
[JOEL: Omitted items were client-specific]

Resources which may help:
 * http://www.mulesoft.com/tomcat-security
 * https://www.owasp.org/index.php/Securing_tomcat
</quote>

Thanks,
-Joel
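Two of the quoted steps (item 4, minimal write access for the service account, and item 5, host-based egress filtering that only lets reply traffic out) are concrete enough to script. The following is an added example, not code from the post or from the client's IT department: a POSIX shell audit that lists everything under a Tomcat install that someone other than the owner can write to, and a generator for an iptables-restore ruleset that admits new connections only on the web ports and drops all other outbound connections. The directory layout (logs, temp, work as Tomcat's writable dirs), the admin network, the DNS resolver and the syslog host passed as arguments are all placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): helpers for items 4 and 5
# of the quoted checklist. Paths, addresses and port numbers are placeholders.

# Item 4: list files and directories under a Tomcat install that anyone other
# than the owner can write to, skipping the three directories Tomcat itself
# must write to (logs, temp, work). Anything printed is a candidate for
# `chmod go-w` or for giving ownership to root with read-only access for the
# service account.
audit_writable() {
    root="$1"
    find "$root" \( -path "$root/logs" -o -path "$root/temp" -o -path "$root/work" \) -prune \
        -o \( -perm -g+w -o -perm -o+w \) -print
}

# Same check, returning only the number of findings (0 means clean).
audit_writable_count() {
    audit_writable "$1" | wc -l | tr -d ' '
}

# Item 5: emit an iptables-restore ruleset for a host-based firewall that
# accepts new connections only on the web ports (plus SSH from an admin
# network), lets replies to those connections flow back, and drops every other
# outbound connection so a compromised webapp cannot fetch a toolkit.
# Arguments: admin network CIDR for SSH, DNS resolver IP, remote syslog IP.
# Load with: egress_rules 10.0.0.0/8 10.0.0.2 10.0.0.5 | iptables-restore
egress_rules() {
    admin_net="$1"; dns="$2"; loghost="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections already accepted in the other direction
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# inbound: only the web ports, plus SSH from the admin network
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -s $admin_net -m conntrack --ctstate NEW -j ACCEPT
# outbound: only DNS and remote syslog (item 8); everything else is logged, then dropped
-A OUTPUT -p udp --dport 53 -d $dns -j ACCEPT
-A OUTPUT -p tcp --dport 53 -d $dns -j ACCEPT
-A OUTPUT -p udp --dport 514 -d $loghost -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: " --log-level 4
COMMIT
EOF
}
```

With the OUTPUT chain defaulting to DROP, the box can no longer reach package mirrors on its own, so patching (item 2) has to go through a temporary rule or an internal proxy; the LOG rule is what tells you, in the remote syslog from item 8, when something on the host tried to call out.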


