Administering a Linux Server

 
Ranch Hand
Posts: 751
We're gonna be migrating to Linux. We have SSH access to a dedicated server and I happen to have a few questions on my mind. I've used Linux before but I have no experience securing my Linux box. So my questions are...


- Is it ok if I run my app server, database server as root?
- Could anyone provide me a checklist of at least the general and most important things to keep my server secure. I don't really need the details...
- Is it ok to have multiple apps hosted in one Tomcat machine? What if I wanted an Apache web server running PHP apps to run on the same machine?

Thanks!
 
author and iconoclast
Posts: 24203
Never run an app server as root; by running as an ordinary user with limited privileges, you greatly enhance the security. This actually presents some difficulties with Java servers, as non-root processes aren't allowed to listen on "privileged sockets," the low-numbered ones that web servers and the like want to use. There are ways around this: Google "iptables tomcat" to find the workaround that I use myself.

The most important thing you can do to keep the server secure is to apply all the appropriate security patches. Most Linux distros have some automated way to get and install patches; use it. For RedHat Enterprise, this is the "up2date" tool. For Fedora, it's "yum update". Keep an eye out for security advisories and check for patches regularly. As far as a checklist: there are an awful lot of things to know. Best to buy one or more books on securing Linux, and study up.

Can you have multiple apps? Yes, absolutely.

If you want to run Apache and Tomcat both on port 80, then the way to do it is to run Apache on port 80 and Tomcat on some other port, and either use mod_proxy to forward requests from Apache to Tomcat, or use mod_jk to "connect" the two servers directly. In either case, Apache is "in front" of Tomcat, and receives all requests directly, passing some of them on to Tomcat.

Both Apache and Tomcat can manage multiple "virtual hosts", so that one machine can have multiple different Internet server names, each a seemingly distinct machine. Great fun to manage.
 
Saloon Keeper
Posts: 24325
Check O'Reilly & Associates - among others - and you'll find some good books on securing Unix and Linux.

Not only should you avoid running servers as root, some products, such as PostgreSQL, refuse to run as root. Some servers, such as Apache and BIND, start as root (in order to obtain low-number TCP/IP ports), then drop down to a non-root user for operations, but Java apps can't do that.

We recently set up some system with 4 CPUs in it and 4 Tomcats per CPU, all configured in a cluster. We used Apache mod_jk to front-end the load-balancing process.
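
A way to check the "never run servers as root" advice from this thread on a running box, as an added example that is not code from any of the posters. It reads `ps -eo user=,pid=,ppid=,comm=` output and accepts a root Apache master (which holds root only to bind the low port) while flagging root workers and root Java or database processes; the process names and the sample listing are assumptions and vary by distribution.

```sh
#!/bin/sh
# Added example: flag server processes that are running as root.
# Input: four columns per line, as printed by `ps -eo user=,pid=,ppid=,comm=`.

# Assumed process names; adjust for your distribution (httpd vs apache2).
PRIV_DROP='httpd apache2'          # root master is expected, workers are not
NEVER_ROOT='java postgres mysqld'  # Tomcat shows up as "java"

# Constructed sample listing: Apache with one worker that kept root,
# a Tomcat JVM started as root, and a correctly unprivileged PostgreSQL.
SAMPLE_PS='root 1 0 systemd
root 812 1 httpd
apache 820 812 httpd
root 822 812 httpd
root 900 1 java
postgres 950 1 postgres'

audit_root_servers() {
    awk -v drop="$PRIV_DROP" -v never="$NEVER_ROOT" '
    BEGIN {
        n = split(drop, a, " ");  for (i = 1; i <= n; i++) dropset[a[i]] = 1
        n = split(never, b, " "); for (i = 1; i <= n; i++) neverset[b[i]] = 1
    }
    # Load the whole table first so each process can look up its parent.
    { user[$2] = $1; ppid[$2] = $3; comm[$2] = $4; order[NR] = $2 }
    END {
        for (k = 1; k <= NR; k++) {
            p = order[k]
            if (user[p] != "root") continue
            if (comm[p] in neverset) {
                print "FAIL " comm[p] " pid " p " runs as root"
            } else if (comm[p] in dropset) {
                # Same daemon as its parent means this is a worker, and a
                # worker should have dropped to the unprivileged user.
                if (comm[ppid[p]] == comm[p])
                    print "FAIL " comm[p] " worker pid " p " did not drop root"
                else
                    print "OK   " comm[p] " master pid " p " holds root to bind its port"
            }
        }
    }'
}

# Run against the constructed sample; on a live host use:
#   ps -eo user=,pid=,ppid=,comm= | audit_root_servers
printf '%s\n' "$SAMPLE_PS" | audit_root_servers
```
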
 