access to a tomcat from internet (security terms) - security

I have Tomcat 6.0.32 running on an Ubuntu Server 12 host.
It's used in a local environment, I mean, only on the private network where it is hosted.
This tomcat runs an application developed in JSF using PrimeFaces 3.3.
Now, they want to have access from outside the enterprise, I mean, from the Internet.
So my question is, what's the best way to do that (in security terms)? Having another Tomcat that publishes to the Internet and communicates with the other Tomcat that has the application? Is that possible? Or what is the best solution?
Thanks for any tip or help !

The best way to do this (in security terms), is to leave the Tomcat server running on the local network, but provide VPN access to the network. This way others can access the server from the internet if they're connected via VPN, but not just everyone will be able to access it.
That being said, is there a reason you are worried about externally facing your Tomcat? As long as your Tomcat and the host OS are both fully patched, you should be OK unless your web app itself has vulnerabilities. Keep those patches up to date though!
If you're worried about the security of your web app, you should probably consider hiring a professional penetration tester to take a look at things for you. That can be really expensive, so before you do that scan your app with some scanners like w3af, Wapiti, Nikto, and Burp Suite. Fix vulnerabilities that they find so the pen tester can find the really hard stuff :-)
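Whichever route is taken (a front-end in the DMZ forwarding to the internal Tomcat, or VPN-only access), the first thing to settle is which ports on the host are actually reachable from the network. A stock Tomcat 6 binds its HTTP connector (8080) and its AJP connector (8009) to every interface and keeps only the shutdown port (8005) on loopback; the AJP connector in particular is not something to leave reachable from the Internet, and the same "only 80 and 443 are meant to be exposed" check applies to the home-hosting setups discussed further down this page. The following shell script is an added example, not part of the original answer: it parses the output of ss -tlnp (run it with sudo to get process names) and reports every listener that is not bound to a loopback address and not on an allowlist of planned ports. The sample ss output, its port numbers and its process names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): audit which TCP services are
# reachable from outside the host before forwarding any ports or placing the
# box in a DMZ. Input is the output of `ss -tlnp` (the header line is skipped).
# Listeners bound to a loopback address are ignored; everything else is
# reported as "port process".
#
# Assumptions: Tomcat 6 defaults (HTTP 8080 and AJP 8009 on all interfaces,
# shutdown port 8005 on loopback); the sample below is constructed.

# Print "port process" for each LISTEN socket bound to a non-loopback address.
exposed_listeners() {
    awk '$1 != "LISTEN" { next }
    {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        # host is everything before the final ":" ("*", "0.0.0.0", "[::]", "::", "127.0.0.1", ...)
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "127.0.0.1" || host == "[::1]" || host == "::1") next
        proc = "?"
        if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
        print port, proc
    }'
}

# Filter exposed_listeners down to ports NOT in the space-separated allowlist $1.
# Anything printed here is reachable from the network and was not planned for.
unexpected_exposure() {
    allow=" $1 "
    exposed_listeners | while read -r port proc; do
        case "$allow" in
            *" $port "*) ;;                        # planned (e.g. 80 443)
            *) printf '%s %s\n' "$port" "$proc" ;;
        esac
    done
}

# Constructed sample of `ss -tlnp` output for a host like the one in the
# question: sshd, Apache on 80, Tomcat's HTTP and AJP connectors on all
# interfaces, and the Tomcat shutdown port and MySQL on loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:80             [::]:*            users:(("apache2",pid=600,fd=4))
LISTEN 0      100    *:8080              *:*               users:(("java",pid=1234,fd=45))
LISTEN 0      100    *:8009              *:*               users:(("java",pid=1234,fd=46))
LISTEN 0      1      127.0.0.1:8005      0.0.0.0:*         users:(("java",pid=1234,fd=44))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=900,fd=12))'

if [ "${1:-}" = "--live" ]; then
    ss -tlnp | unexpected_exposure "80 443"        # audit the real host
else
    # On the sample this prints: 22 sshd / 8080 java / 8009 java
    printf '%s\n' "$SAMPLE_SS" | unexpected_exposure "80 443"
fi
```

On the sample the script flags sshd, the Tomcat HTTP connector and the AJP connector; the shutdown port and MySQL are correctly ignored because they only listen on loopback. Run it with --live (under sudo) on the actual host, and treat every line it prints as something that either needs a firewall rule, a bind to an internal address in server.xml, or a deliberate decision to expose it.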

Related

Is ngrok safe to use or can it be compromised?

Is ngrok a safe tool to use? I was reading a tutorial which recommended using ngrok to test API responses that I make to outside services that also need to connect to my endpoints.
There is no source code available for version 2.0, considering it started as an open source project in 2014. I am suspicious of any code that opens a tunnel to my localhost from the cloud. Pretty scary stuff, especially without source code!
It opens up a tunnel to your dev machine, which is partially secured by obscurity (a hard to guess subdomain), and can be further secured by requiring a password. But you're still opening yourself up to ngrok itself, and the company is completely opaque (no address, no employees, no business name, no LinkedIn presence; all I can find is that it has 1-10 employees and is private; not even sure what country it's based in). On top of that the code is not open-sourced. No reason to think they're not legit, but not a lot of information available to build trust.
You may be able to use ngrok and other local tunnel services with more security by encrypting the traffic. See https://security.stackexchange.com/questions/177280/end-to-end-encryption-for-localtunnel-ngrok-setup/177357#177357 for more information.
I found a good rating, but vacuous information, here:
http://www.scamadviser.com/is-ngrok.com-a-fake-site.html
The kicker for me is
https://developer.atlassian.com/blog/2015/05/secure-localhost-tunnels-with-ngrok/
where the Atlassian folks recommend it highly.
I think I am going to use it.
If anyone is concerned about compromising their development environment, you can use Docker. There are many ngrok/docker projects, but here is the one I chose: https://github.com/gtriggiano/ngrok-tunnel
for macOS, use "TARGET_HOST=docker.for.mac.localhost"
They now offer a service where you locally run only ssh, no need to run any of their code on your machine.
You run something like ssh -R 80:localhost:8501 tunnel.us.ngrok.com http. This connects to one of their hosts and forwards connections they receive back to your machine and the service you run on localhost:8501.
This seems secure to me, the only thing is that you don't know what information they collect and who is connecting to your exposed service. They print all connections, but it's their binary that does this and someone might well listen in without you noticing. You can check connections on your end, but you cannot be sure who it is that connects.
Ngrok is a convenient and highly secure utility for creating tunnels to locally hosted applications via a reverse proxy. This is a utility for publishing locally hosted applications on the web. Simply put, it gives any locally hosted application a publicly accessible web URL, e.g. a Spring Boot or Node.js based web application, or a webhook for a chat application, etc.

What is the difference between IIS and Websphere?

I know IIS is a web server and Websphere is an application server, but what exactly does that mean at a more granular level? For instance, why can't something created in Websphere exist in IIS and vice-versa? It's especially confusing when I see servers that are running both in tandem, as they seem to have some of the same traits.
Thanks in advance for the help!
They're designed to run different types of applications (different programming models) and provide very different services to those applications. But you are right that conceptually they are not very different at all.
Of course IIS grew "up" into a pseudo application server, and WebSphere has the basics of a webserver in its guts.
When they're used together, IIS is generally used as a basic webserver + gateway (reverse proxy) as WAS is not really intended to run in the DMZ.
Not sure, just found it.
To install the WebSphere plug-in on an IIS server
http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=%2Fcom.ibm.help.domino.admin85.doc%2FH_SETTING_UP_DOMINO_FOR_MICROSOFT_IIS_5182_STEPS.html

Recommendations for securing Internet-facing IIS Host?

I'm setting up an Internet-facing ASP.NET MVC application, on Windows 2008. It uses SQL Server 2008 for its database. I'm looking for best-practices for securing it.
I found this article, but it's a bit dated now. How much of that advice is still valuable?
Some background -- it's a personal site, behind my home NAT/firewall box, and I'll only forward ports 80 and 443 to it. The IIS server itself is a Windows 2008 host running on Hyper-V (I only have one physical box to spare).
One useful thing that's mentioned in that article (which had occurred to me already) is that the IIS box shouldn't be a member of the domain, so that an intruder can't easily get off the box. I'll be removing it from the domain in a moment :)
What other tips should I (and anyone deploying to a bigger environment) bear in mind?
I know that this isn't strictly a programming-related question (there's no source code in it!), but I guess that most programmers have to dabble in operations stuff when it comes to deployment recommendations.
You might take a look at these two tools:
Best Practices Analyzer for ASP.NET
SQL Server 2005 Best Practices Analyzer (even though you are using 2008, still might be of help)
I don't know about removing it from the domain, but I'd certainly disable LanMan hashes, keep the system fully patched, and use good password security. Make sure that any processes running in IIS run from least privileged accounts, i.e., don't run the worker processes under IDs that are in Local Administrators.
This will be of great help, certainly:
Microsoft Web Application Configuration Analyzer v2.0

Hosting a website on your own server

Is there a detailed guide which explains how to host a website on your own server on Linux?
I have currently hosted it on one of the commercial web hosts.
Also the domain is registered to a different vendor.
Thanks
This guide is probably more info than you really requested, but webserver information is in there. It's Gentoo-specific, but you can apply the same information with minor translations to any other distro.
I would look into installing apache
99% of linux distributions will have a package for it.
On ubuntu you can run:
sudo apt-get install apache2
Are you considering hosting a web page locally for the Internet? Or is this just for development, etc.?
If it's for an internet server, you will need a stable internet connection with a good upstream.
You may also need a static IP address so you can setup DNS to point to the right place.
While I don't have a URL to a good tutorial in English, I would just warn you that this is not something you should take lightly. Administering a server involves getting your hands dirty in Linux stuff, and dealing with security can be pretty complex depending on your knowledge and requirements.
So if you know nothing about it, you should be very careful, and if the website you host is of any commercial importance you are probably better off hiring a server admin.
Just to point out: if this is a personal (home) server, as opposed to one in a corporate environment, then it's better not to bother hosting it - you won't necessarily have the bandwidth, and your ISP may not allow it.
As mentioned above, you will also need a static IP address, and you'll need to set up DNS records to point to the correct location, which your domain vendor may or may not help you with.
I think it depends on how familiar you are with Linux. Certainly, many people do this for hobbyist websites.
There are many aspects involved - you should begin with something simple like getting apache running and visible to the outside world.

NHibernate and shared web hosting

Has anyone been able to get an NHibernate-based project up and running on a shared web host?
NHibernate does a whole lot of fancy stuff with reflection behind the scenes but the host that I'm using at the moment only allows applications to run in medium trust, which limits what you can do with reflection, and it's throwing up all sorts of security permission errors. This is the case even though I'm only using public properties in my mapping files, though I do have some classes defined as proxies.
Which companies offer decent (and reasonably priced) web hosting that allows NHibernate to run without complaining?
Update: It seems from these answers (and my experimentation -- sorry Ayende, but I still can't get it to work on my web host even after going through the article you linked to) is to choose your hosting provider wisely and shop around. It seems that WebHost4Life are pretty good in this respect. However, has anyone tried NHibernate with Windows shared hosting with 1and1? I have a Linux account with them already and I'm fairly satisfied on that front, and if I could get NHibernate to work seamlessly with Windows I'd probably stick with them.
I have had no issues with running NHibernate based apps on WebHost4Life, although I don't like them.
Getting NHibernate to run on medium trust is possible. A full description on how this can be done is found here:
http://blechie.com/WPierce/archive/2008/02/17/Lazy-Loading-with-nHibernate-Under-Medium-Trust.aspx
I ran my own geek site off N2 (which uses NHibernate and Castle Windsor) and 4 pet NHibernate/Fluent projects on dailyrazor.com for a while.
You get a good deal for $5 a month, including unlimited SQL Server databases and subdomains and it runs off Plesk with FTP and remote SQL Server Management Studio access.
I'm using a Finnish host called Nebula that happily runs my NHibernate-leveraging applications. I had an issue once with trust levels; the machine.config on the host was configured to deny reflection but I successfully overrode it in the web.config.