Summary for Configuring Linode & Tomcat7 + Oracle Java

This is a summary on how to secure your freshly booted Linode Debian distro and install Tomcat7 on top of oracle JVM.

Note: this is mostly a remainder to myself on how to do this, it contains information from multiple sources. Perhaps I have mixed up the order of some commands. If you have any suggestions or comments, feel free to do so =)

1) Setting you hostname

At your first login, you should ssh as root. Let’s define a beautiful hostname for us

# echo "plato" > /etc/hostname
# hostname -F /etc/hostname

The second command tells the system to read the hosname from the -(F)ile.

2) Add you hostname to the list of know host in

# nano /etc/hosts

Add the following line

127.0.0.1 plato

3) Set your timezone with

# dpkg-reconfigure tzdata

4) Check for upgrades

# apt-get update
# apt-get upgrade --show-upgraded

5) Create user alternative to root

It’s good practice to use the system with another user, but root. Let’s add it with the following command (it should prompt for additional information):

# adduser example_user

Let’s add the sudo application, so we can apply root commands while logged as the alternative user:

# apt-get install sudo

Not let’s (a)ppend the user to the sudoers (G)roup, so he can use sudo :

usermod -a -G sudo example_user

Now let’s

# logout 

and ssh back in with new user.

6) Configure SSH with key authentication

SSH with key is much more secure, for it drastically reduces the risk of having your system invaded by brute-force. So let’s create a key on your local machine:

$ ssh-keygen

It generated the keys in the ~/.ssh folder, let’s send our public key to the server with:

$ scp ~/.ssh/id_rsa.pub example_user@123.456.78.90:

Now ssh back into the server and set your key as authorized keys:

$ mkdir .ssh
$ mv id_rsa.pub .ssh/authorized_keys

Your key must have specific and secure permissions: be yours and read-only for you:

$ chown -R example_user:example_user .ssh
$ chmod 700 .ssh
$ chmod 600 .ssh/authorized_keys

7) Disable ssh with password

Now that we stored our key, let’s disable password login:

$ sudo nano /etc/ssh/sshd_config

by setting

PasswordAuthentication no
PermitRootLogin no

Finally, let’s restart the service:

$ sudo service ssh restart

8) Creating firewall rules

Ok, we’ve set login only with priv-pub-keys, now let’s setup the firewall. First let’s (L)ist the current rules:

$ sudo iptables -L

Let’s create a file with the rules

$ sudo nano /etc/iptables.firewall.rules

and add the following basic rules:

*filter

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH connections
#
# The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp -j ACCEPT

# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

Notice that I’ve opened port 8080, which is Tomcat’s default. Let’s active the rules

$ sudo iptables-restore < /etc/iptables.firewall.rules

and double check by (L)isting them again:

$ sudo iptables -L

Let’s create script to recover iptable when system restarts

$ sudo nano /etc/network/if-pre-up.d/firewall

and add script

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

and install Fail2ban, which will block recurrent failed logins from the same IP:

$ sudo apt-get install fail2ban

9) Installing Oracle Java 7

If you want to replace openjdk by the Oracle Java, I recommend using webupd8team repo – it’s easier to update. First remove the jdk you’ve got:

$ sudo apt-get remove openjdk-7-jdk

There is this small tool I like for managing repos. It set up the /etc/apt/sources.list correctly and downloads the key:

$ sudo apt-get install python-software-properties

So let’s add webupd8team repo, update the packages and install Oracle Java:

$ sudo add-apt-repository "deb http://ppa.launchpad.net/webupd8team/java/ubuntu precise main"
$ sudo apt-get-update
$ sudo apt-get install oracle-{java7,jdk}-installer

10) Installing Tomcat

So, at last, let’s install Tomcat and start the service!

$ sudo apt-get install tomcat7 tomcat7-{examples,docs,admin}
$ /etc/init.d/tomcat7 start

If it misses the JAVA_HOME, edit

$ sudo nano /etc/default/tomcat

and modify the line

PATH_HOME=/usr/lib/jvm/java-7-oracle/

Add yourself an admin user for the tomcat

$ sudo nano /etc/tomcat7/tomcat-users.xml

by adding inside the node

<tomcat-users>
...
<role rolename="manager-gui">
<user username="...youruser..." password="...yourpassword..." roles="manager-gui" />
</tomcat-users>

and restart your engines!

$ /etc/init.d/tomcat7 restart

You can now watch tomcat at work on your http://123.456.789.123:8080/ and configure it at http://123.456.789.123:8080/manager/html

If you need to increase tomcat7 memory size:

$ sudo nano /etc/default/tomcat

and change the line for mx memory

JAVA_OPTS="-Djava.awt.headless=true -Xmx630m -XX:+UseConcMarkSweepGC"

And that’s it! I hope this was useful to you!