Amazon Advises me to be Responsible with Tomcat
I just received an email from Amazon concerning proper security around Tomcat. Here is part of the message:
You can avoid being vulnerable to attackers by following the below best practices to increase the security of your Tomcat installation:
- Ensure that the version of Tomcat you are using is up to date and does not have any known or unaddressed security vulnerability. You can find a list of vulnerabilities by version on the Apache Tomcat website at: http://tomcat.apache.org/security.html.
- If you have enabled administrator or manager user accounts with access to the Tomcat Manager application (managed within the tomcat-users.xml file), ensure they are given appropriately complex passwords and difficult-to-guess usernames. Additional information regarding configuring access to Tomcat Manager can be found here:
  - For Tomcat 6.0, see http://tomcat.apache.org/tomcat-6.0-doc/manager-howto.html#Configuring_Manager_Application_Access
  - For Tomcat 7.0, see http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Configuring_Manager_Application_Access
  - For Tomcat 8.0, see http://tomcat.apache.org/tomcat-8.0-doc/manager-howto.html#Configuring_Manager_Application_Access
- Verify that you are implementing the recommended security guidelines for your Tomcat installation. For some of the later versions, you may find the following guides helpful:
  - For Tomcat 6.0, see http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html
  - For Tomcat 7.0, see http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
  - For Tomcat 8.0, see http://tomcat.apache.org/tomcat-8.0-doc/security-howto.html
- Subscribe to Apache Tomcat’s mailing list for the latest security updates by visiting: http://tomcat.apache.org/lists.html
Additional assistance and documentation related to AWS security best practices may be found at: http://media.amazonwebservices.com/Whitepaper_Security_Best_Practices_2010.pdf
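The second point in the email, checking the accounts defined in tomcat-users.xml that can reach the Manager application, is easy to audit mechanically. The script below is an added example, not part of Amazon's message or of Tomcat itself; the tomcat-users.xml content is constructed, and the word lists and the 16-character minimum are my own assumptions to adjust to local policy.

```python
"""Audit a tomcat-users.xml for weak Manager / Host Manager credentials."""
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager or Host Manager web applications.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}
# Assumed lists of usernames/passwords found in default configs and word lists.
GUESSABLE_NAMES = {"tomcat", "admin", "manager", "root", "administrator", "user", "test"}
WEAK_PASSWORDS = {"", "tomcat", "admin", "manager", "password", "s3cret", "changeit", "123456"}
MIN_PASSWORD_LEN = 16  # assumed local policy

# Constructed sample: one default-style account and one CI deployment account.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="deploy-ci" password="gH7#vQp2!xL9mR4wTz8k" roles="manager-script"/>
  <user username="viewer" password="short" roles="tomcat"/>
</tomcat-users>"""

def _local(tag):
    """Strip the XML namespace ({uri}user -> user); Tomcat 7+ files are namespaced."""
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text):
    """Return (username, finding) pairs for accounts that can reach the Manager app."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "user":
            continue
        name = elem.get("username") or elem.get("name") or ""  # "name" in older files
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue  # accounts without manager roles are out of scope here
        if name.lower() in GUESSABLE_NAMES:
            findings.append((name, "guessable username"))
        if password in WEAK_PASSWORDS:
            findings.append((name, "well-known password"))
        elif len(password) < MIN_PASSWORD_LEN:
            findings.append((name, "password shorter than %d characters" % MIN_PASSWORD_LEN))
        if "manager-gui" in roles and roles & {"manager-script", "manager-jmx"}:
            findings.append((name, "manager-gui combined with script/jmx role weakens CSRF protection"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_tomcat_users(SAMPLE):
        print("%s: %s" % (user, finding))
```

Run it against $CATALINA_BASE/conf/tomcat-users.xml on each instance; the sample flags only the default-style `tomcat` account and leaves the long-password `deploy-ci` account and the non-manager `viewer` account alone.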