This is a discussion on "tomcat server secure ?" within the Linux Security forums, part of the System Security and Security Related category.
Greetings,

I got a router, behind which my server sits. The box is a Linux Red Hat, with iptables and snort running. I am going to open a port on a non-standard number to give access to the Tomcat server. My question is: is Tomcat secure enough? Tomcat version is 5.0.25
-- 
email: you will have to work it out to write to me :)
Gabriel <cy_rainchapeau26@yahoo.fr> said:
>I got a router, behind which my server sits.

Ok, can be secure or not, depending on configuration.

>The box is a Linux Redhat, iptables, snort running.

Ok, can be secure or not, depending on configuration -- and also on timeliness of security-related software updates, and on services running on the machine.

>I am going to open a port on a non-standard number to give access to
>the tomcat server.

Standard or not, does not make a real difference (except if your provider blocks the standard port).

>My question is : is tomcat secure enough ?
>tomcat version is 5.0.25

No known exploits seem to be published; unknowns are unknowns.

After that it also depends on
- security configuration of the JVM in which the Tomcat is run (so, what all operations does the JVM allow for Tomcat)
- security of the application code run within the Tomcat (if not used just for static content)

So, "My house is built of stone, has a wooden door and glass windows. Is it secure against thieves?".
-- 
Wolf a.k.a. Juha Laiho, Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
For the general LAN configuration, I wholly agree.

> After that it also depends on
> - security configuration of the JVM in which the Tomcat is run
> (so, what all operations does the JVM allow for Tomcat)
> - security of the application code run within the Tomcat (if not
> used just for static content)

In fact, I was mainly interested in Tomcat's inherent flaws (if any), not the general setup, since security depends on a lot of different factors external to Tomcat.

> the non-standard port is for usual scans which are not always complete and look for common open ports and bash at them :)

> So, "My house is built of stone, has a wooden door and glass windows.
> Is it secure against thieves?".

Depends on the lock, do you have a chimney, how thick is the door, what is the wood used :)

Thanks for your input!
-- 
email: you will have to work it out to write to me :)
Gabriel <cy_rainchapeau26@yahoo.fr> said:
>In fact, I was mainly interested in tomcat's inherent flaws (if any),
>not the genereal setup since security depends on a lot of different
>factors externals to tomcat.

I'd say Tomcat shouldn't be your greatest worry -- various sites use it as a production platform. It's best to read pretty well through the documents, though, and build your own minimised configuration to suit what you're doing (f.ex. make sure you're not using InvokerServlet, and disable the manager and admin apps if you're not using them).

The InvokerServlet is a potential problem by design, making it possible to access through HTTP interface servlets that were designed to be accessed only by other servlets (and seems to be disabled by default in Tomcat 4.1.30 at least). Manager and admin apps are not problems by themselves, but add to the potentially vulnerable code base (providing password-protected online access to server administrative functions).

To protect against flaws in your local code (and possibly also in Tomcat core code), you might create rather strict security policies for the Tomcat JVM, f.ex. only allow very limited filesystem access for Tomcat as well as for your local apps.

And, of course, keeping up with (and reacting to) security advisories is a necessity for keeping a system secure.
-- 
Wolf a.k.a. Juha Laiho, Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
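The three configuration points raised across Juha's two replies (the JVM security manager, the InvokerServlet mapping in conf/web.xml, and the manager/admin apps) can be checked offline against a Tomcat install directory. The script below is an added example and is not code from the thread or from the Tomcat project. It assumes the Tomcat 5.0/5.5 layout, where manager and admin are deployed through conf/Catalina/localhost/<app>.xml context files and live under server/webapps/ or webapps/, and that the security manager is enabled by passing -Djava.security.manager to the JVM (which is what `catalina.sh start -security` does); the sample install trees it builds are constructed for the demo and contain only the files the audit reads.

```shell
#!/bin/sh
# Added example: offline audit of a Tomcat 5.x CATALINA_HOME for the points
# discussed in the thread. Paths and the flag name are assumptions for the
# 5.0/5.5 layout; adjust for other versions.

# Print FILE with XML comments (<!-- ... -->) removed, so a servlet mapping
# that is merely commented out does not produce a false finding.
strip_xml_comments() {
    awk '
    { line = $0; out = ""
      while (length(line) > 0) {
        if (incomment) {
          i = index(line, "-->")
          if (i == 0) { line = ""; break }
          line = substr(line, i + 3); incomment = 0
        } else {
          i = index(line, "<!--")
          if (i == 0) { out = out line; line = ""; break }
          out = out substr(line, 1, i - 1); line = substr(line, i + 4); incomment = 1
        }
      }
      print out }' "$1"
}

# One finding per line on stdout, nothing if the install looks clean.
# $1 = CATALINA_HOME, $2 = JVM options Tomcat is started with (CATALINA_OPTS).
tomcat_findings() {
    home=$1; opts=$2
    # Tomcat's stock conf/web.xml spells the element exactly like this.
    if [ -f "$home/conf/web.xml" ] &&
       strip_xml_comments "$home/conf/web.xml" | grep -q '<servlet-name>invoker</servlet-name>'; then
        echo "invoker servlet is referenced in an active (uncommented) block of conf/web.xml"
    fi
    for app in manager admin; do
        if [ -f "$home/conf/Catalina/localhost/$app.xml" ] ||
           [ -d "$home/server/webapps/$app" ] || [ -d "$home/webapps/$app" ]; then
            echo "$app webapp is deployed; remove it unless it is actually used"
        fi
    done
    case " $opts " in
        *" -Djava.security.manager "*) ;;
        *) echo "JVM security manager is off (no -Djava.security.manager; 'catalina.sh start -security' sets it)" ;;
    esac
}

# Number of findings, convenient for scripting a pass/fail check.
count_findings() {
    tomcat_findings "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample install trees (not real Tomcat output): $1 = insecure|hardened.
make_sample_home() {
    d=$(mktemp -d)
    mkdir -p "$d/conf/Catalina/localhost" "$d/server/webapps" "$d/webapps"
    if [ "$1" = insecure ]; then
        # invoker mapping active, manager and admin context files present
        printf '<web-app>\n  <servlet-mapping>\n    <servlet-name>invoker</servlet-name>\n    <url-pattern>/servlet/*</url-pattern>\n  </servlet-mapping>\n</web-app>\n' > "$d/conf/web.xml"
        touch "$d/conf/Catalina/localhost/manager.xml" "$d/conf/Catalina/localhost/admin.xml"
    else
        # same mapping, but inside an XML comment, and no manager/admin
        printf '<web-app>\n  <!--\n  <servlet-mapping>\n    <servlet-name>invoker</servlet-name>\n    <url-pattern>/servlet/*</url-pattern>\n  </servlet-mapping>\n  -->\n</web-app>\n' > "$d/conf/web.xml"
    fi
    echo "$d"
}

# Demo run against both constructed trees.
for kind in insecure hardened; do
    home=$(make_sample_home "$kind")
    opts=""
    if [ "$kind" = hardened ]; then
        opts="-Djava.security.manager -Djava.security.policy==$home/conf/catalina.policy"
    fi
    echo "== $kind =="
    tomcat_findings "$home" "$opts"
    rm -rf "$home"
done
```

To run it against a real install, call `tomcat_findings /path/to/tomcat "$CATALINA_OPTS"`; a non-empty result means one of the items Juha lists still needs attention. The comment-stripping step matters because the stock conf/web.xml ships the invoker block commented out, and a plain grep would flag every install.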