This is a summary of how to secure a freshly booted Linode Debian distro and install Tomcat7 on top of the Oracle JVM.
Note: this is mostly a reminder to myself on how to do this; it contains information from multiple sources. Perhaps I have mixed up the order of some commands. If you have any suggestions or comments, feel free to do so =)
1) Setting your hostname
At your first login, you should ssh in as root. Let’s define a beautiful hostname for us:
# echo "plato" > /etc/hostname
# hostname -F /etc/hostname
The second command tells the system to read the hostname from the -(F)ile.
2) Add your hostname to the list of known hosts in
# nano /etc/hosts
Add the following line
127.0.0.1 plato
3) Set your timezone with
# dpkg-reconfigure tzdata
4) Check for upgrades
# apt-get update
# apt-get upgrade --show-upgraded
5) Create user alternative to root
It’s good practice to use the system as a user other than root. Let’s add one with the following command (it should prompt for additional information):
# adduser example_user
Let’s add the sudo application, so we can apply root commands while logged as the alternative user:
# apt-get install sudo
Now let’s (a)ppend the user to the sudo (G)roup, so he can use sudo:
# usermod -a -G sudo example_user
Now let’s
# logout
and ssh back in as the new user.
6) Configure SSH with key authentication
SSH with a key is much more secure, since it drastically reduces the risk of having your system invaded by brute force. So let’s create a key on your local machine:
$ ssh-keygen
It generates the keys in the ~/.ssh folder; let’s send our public key to the server with:
$ scp ~/.ssh/id_rsa.pub example_user@123.456.78.90:
Now ssh back into the server and set your key as authorized keys:
$ mkdir .ssh
$ mv id_rsa.pub .ssh/authorized_keys
The key files need strict permissions: owned by you and readable only by you:
$ chown -R example_user:example_user .ssh
$ chmod 700 .ssh
$ chmod 600 .ssh/authorized_keys
7) Disable ssh with password
Now that we stored our key, let’s disable password login:
$ sudo nano /etc/ssh/sshd_config
by setting
PasswordAuthentication no
PermitRootLogin no
Finally, let’s restart the service:
$ sudo service ssh restart
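Before restarting the service it is worth checking that the file really says what you think it does: the package default ships as a commented-out "#PasswordAuthentication yes", and a setting placed under a "Match" block only applies to that block, not globally. The following POSIX shell script is an added example, not part of the original post; the function names sshd_effective and sshd_hardened are my own, and the two config files are constructed samples, not a real server’s /etc/ssh/sshd_config. It reads a keyword the way sshd does (first uncommented occurrence wins, keywords are case-insensitive, lookup stops at the first Match block) and falls back to the defaults of the OpenSSH releases Debian shipped at the time (yes for both keywords; newer releases default PermitRootLogin to prohibit-password).

```shell
#!/bin/sh
# Added example (not from the post): audit sshd_config for the two settings step 7 turns off.

# sshd_effective FILE KEYWORD DEFAULT -> prints the value in effect for KEYWORD.
# Assumes the "Keyword value" spelling; the "Keyword=value" form is not handled.
sshd_effective() {
    file=$1; key=$2; default=$3
    value=$(awk -v k="$key" '
        tolower($1) == "match" { exit }               # global section ends at the first Match block
        tolower($1) == tolower(k) { print $2; exit }  # first uncommented occurrence wins
    ' "$file")
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        printf '%s\n' "$default"
    fi
}

# sshd_hardened FILE -> exit 0 when password login and root login are both disabled globally
sshd_hardened() {
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    root=$(sshd_effective "$1" PermitRootLogin yes)
    [ "$pw" = no ] && [ "$root" = no ]
}

# Constructed sample configs (not real server files).
tmp=$(mktemp -d)
# "before": package defaults, plus a Match block that only disables passwords for one subnet
cat > "$tmp/before" <<'EOF'
# Package generated configuration file
Port 22
#PasswordAuthentication yes
PermitRootLogin yes
UsePAM yes
Match Address 10.0.0.0/8
    PasswordAuthentication no
EOF
# "after": the edit from step 7 applied in the global section
cat > "$tmp/after" <<'EOF'
Port 22
PasswordAuthentication no
PermitRootLogin no
UsePAM yes
EOF

for f in before after; do
    if sshd_hardened "$tmp/$f"; then
        echo "$f: password and root login disabled"
    else
        echo "$f: password or root login still enabled (PasswordAuthentication=$(sshd_effective "$tmp/$f" PasswordAuthentication yes), PermitRootLogin=$(sshd_effective "$tmp/$f" PermitRootLogin yes))"
    fi
done
```

On the real box, `sudo sshd -T | grep -iE 'passwordauthentication|permitrootlogin'` prints the values sshd itself computes from the file, which is the authoritative check once the edit is saved.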
8) Creating firewall rules
Ok, we’ve set login only with private/public keys; now let’s set up the firewall. First let’s (L)ist the current rules:
$ sudo iptables -L
Let’s create a file with the rules
$ sudo nano /etc/iptables.firewall.rules
and add the following basic rules:
*filter

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH connections
#
# The --dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp -j ACCEPT

# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT
Notice that I’ve opened port 8080, which is Tomcat’s default. Let’s activate the rules
$ sudo iptables-restore < /etc/iptables.firewall.rules
and double check by (L)isting them again:
$ sudo iptables -L
Let’s create a script that restores the iptables rules when the system restarts
$ sudo nano /etc/network/if-pre-up.d/firewall
and add script
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
and install Fail2ban, which will block recurrent failed logins from the same IP:
$ sudo apt-get install fail2ban
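Loading a ruleset over SSH is the step where a typo locks you out: iptables evaluates rules top to bottom, so the SSH ACCEPT must come before the final "-A INPUT -j DROP", and iptables-restore rejects a file whose COMMIT line is missing. The following POSIX shell script is an added example, not from the original post or from Linode’s documentation; the helper names (first_line_matching, ssh_rule_ok, rules_complete, check_then_restore) are my own, and the two rules files are constructed samples (a trimmed copy of the ordering above and a broken variant). It checks those two conditions for a given port before you run iptables-restore, and generalises to any port you may have moved sshd to.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check an iptables-restore file before loading it.

# first_line_matching FILE PATTERN -> line number of the first line matching PATTERN, empty if none
first_line_matching() {
    grep -n -E "$2" "$1" | head -n 1 | cut -d: -f1
}

# ssh_rule_ok FILE PORT -> exit 0 when an INPUT ACCEPT for tcp PORT exists and precedes "-A INPUT -j DROP"
ssh_rule_ok() {
    file=$1; port=$2
    accept=$(first_line_matching "$file" "^-A INPUT .*-p tcp .*--dport $port .*-j ACCEPT")
    drop=$(first_line_matching "$file" "^-A INPUT -j DROP")
    [ -n "$accept" ] || return 1                 # nothing admits the SSH port at all
    [ -z "$drop" ] || [ "$accept" -lt "$drop" ]  # a later DROP is fine, an earlier one shadows the ACCEPT
}

# rules_complete FILE -> exit 0 when the *filter header and the COMMIT line are both present
rules_complete() {
    grep -q '^\*filter' "$1" && grep -q '^COMMIT' "$1"
}

# check_then_restore FILE PORT -> prints a verdict; only tells you to restore when both checks pass
check_then_restore() {
    if rules_complete "$1" && ssh_rule_ok "$1" "$2"; then
        echo "$1: ok, safe to run: iptables-restore < $1"
    else
        echo "$1: refusing to load, SSH port $2 would be unreachable or the file is incomplete"
        return 1
    fi
}

# Constructed sample rules files (not the real /etc/iptables.firewall.rules).
tmp=$(mktemp -d)
# good: the ordering from the post, SSH ACCEPT before the catch-all DROP, COMMIT present
cat > "$tmp/good.rules" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
EOF
# bad: DROP moved above the SSH rule and COMMIT forgotten
cat > "$tmp/bad.rules" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
EOF

for f in good bad; do
    check_then_restore "$tmp/$f.rules" 22 || :
done
```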
9) Installing Oracle Java 7
If you want to replace OpenJDK with Oracle Java, I recommend using the webupd8team repo – it’s easier to update. First remove the JDK you’ve got:
$ sudo apt-get remove openjdk-7-jdk
There is a small tool I like for managing repos. It sets up /etc/apt/sources.list correctly and downloads the key:
$ sudo apt-get install python-software-properties
So let’s add the webupd8team repo, update the package lists and install Oracle Java:
$ sudo add-apt-repository "deb http://ppa.launchpad.net/webupd8team/java/ubuntu precise main"
$ sudo apt-get update
$ sudo apt-get install oracle-{java7,jdk}-installer
10) Installing Tomcat
So, at last, let’s install Tomcat and start the service!
$ sudo apt-get install tomcat7 tomcat7-{examples,docs,admin}
$ sudo /etc/init.d/tomcat7 start
If it misses JAVA_HOME, edit
$ sudo nano /etc/default/tomcat7
and modify the line
JAVA_HOME=/usr/lib/jvm/java-7-oracle/
Add yourself an admin user for the tomcat
$ sudo nano /etc/tomcat7/tomcat-users.xml
by adding, inside the <tomcat-users> node:
<tomcat-users>
  ...
  <role rolename="manager-gui"/>
  <user username="...youruser..." password="...yourpassword..." roles="manager-gui"/>
</tomcat-users>
and restart your engines!
$ sudo /etc/init.d/tomcat7 restart
You can now watch Tomcat at work at http://123.456.789.123:8080/ and configure it at http://123.456.789.123:8080/manager/html
If you need to increase tomcat7 memory size:
$ sudo nano /etc/default/tomcat7
and change the -Xmx value on the line
JAVA_OPTS="-Djava.awt.headless=true -Xmx630m -XX:+UseConcMarkSweepGC"
And that’s it! I hope this was useful to you!