Opening a port below 1024 on a *nix machine requires root privileges. If the application listening on that port is exploited, the attacker inherits full access to the machine, because the application was running as root. The way to avoid this is to run the application without root privileges, which means it has to listen on a port above 1024, and the real (privileged, <1024) port is then forwarded to that local unprivileged port (>1024).
This works on any *nix machine that uses iptables, and it is not specific to Tomcat: the same approach serves any application that can listen on a port >1024.
1. Check that the unprivileged user has java on its PATH (check with java -version).
2. Check that JAVA_HOME is set properly in the environment of the unprivileged user.
3. Change the Connector port from 80 to 8080 in Tomcat's server.xml and check that Tomcat starts with startup.sh. 8080 may be changed to any other port > 1024.
4. Execute the following to forward the port:
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
5. After a reboot, repeat step 4 or make the rule persistent (how depends on the Linux distribution used).
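The procedure above boils down to the single iptables rule in step 4, but two things bite in practice: the rule is gone after a reboot, and appending it blindly on every boot stacks duplicate rules. The script below is an added example written for this page, not the original author's code; it takes the public and application ports as parameters (any <1024 to >1024 pair, as the howto allows), refuses anything else, and uses iptables -C to check for an existing identical rule before appending. It assumes a Linux host with iptables; IPTABLES and INTERFACE are assumed variable names so the command or interface can be substituted.

```shell
#!/bin/sh
# Added example, not part of the original howto: apply the step-4 redirect
# rule with the ports as parameters, refusing nonsensical pairs and not
# stacking a duplicate rule when run again after a reboot. Assumes a Linux
# host with iptables; IPTABLES and INTERFACE are assumed variable names
# so a test or a dry run can substitute another command or interface.
set -u
IPTABLES="${IPTABLES:-iptables}"
INTERFACE="${INTERFACE:-eth0}"

# Succeed only for a privileged public port (1-1023) forwarded to an
# unprivileged application port (1025-65535); anything else is refused.
validate_ports() {
    for p in "$1" "$2"; do
        case "$p" in ""|*[!0-9]*) return 1 ;; esac
    done
    [ "$1" -ge 1 ] && [ "$1" -lt 1024 ] || return 1
    [ "$2" -gt 1024 ] && [ "$2" -le 65535 ] || return 1
}

# Rule specification shared by check (-C), append (-A) and delete (-D), so
# all three always refer to exactly the same rule.
redirect_spec() {
    printf '%s' "-i $INTERFACE -p tcp --dport $1 -j REDIRECT --to-port $2"
}

# Add the PREROUTING redirect once: -C reports whether an identical rule is
# already present, which is what keeps re-runs from appending duplicates.
add_redirect() {
    validate_ports "$1" "$2" || {
        echo "refusing $1 -> $2: need a port below 1024 forwarded to one above 1024" >&2
        return 2
    }
    spec=$(redirect_spec "$1" "$2")
    if $IPTABLES -t nat -C PREROUTING $spec 2>/dev/null; then
        echo "redirect $1 -> $2 already present"
        return 0
    fi
    $IPTABLES -t nat -A PREROUTING $spec
}

# Remove the redirect again (e.g. when moving the application to another port).
remove_redirect() {
    spec=$(redirect_spec "$1" "$2")
    $IPTABLES -t nat -D PREROUTING $spec
}

# Show the current nat PREROUTING rules with their numbers.
list_redirects() {
    $IPTABLES -t nat -L PREROUTING -n --line-numbers
}

# Usage: sudo ./redirect.sh 80 8080
if [ $# -eq 2 ]; then
    add_redirect "$1" "$2"
fi
```

Two caveats worth knowing when checking the result: the PREROUTING chain only sees packets arriving on the interface, so a connection from the machine itself to port 80 is not redirected and will appear to fail even though external clients work; and after the NAT the packet's destination port is 8080, so any INPUT rules must allow 8080 (not 80) for the redirected traffic to reach the application.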
The most valuable part of this howto is the iptables command in step 4; everything else is a prerequisite.
Note: I have made this post short by design. There are many tutorials that are quite long and explain everything. This just worked for me. I read a lot to get it to work. All I wanted was a solution that works without much explanation.
Note: I'm not an administrator or a Linux/Unix specialist. I have found that this solution works and allows me to start Tomcat without sudo. Use at your own risk.
I have also looked at jsvc but didn't like it, because opening 80 requires root and that by itself is already a security problem. Bozho proposed that it be mentioned here as an alternative. I neither like it nor have I tested it.
Thanks man! It helped me a lot.
You've saved my day. Thanks a lot!
Hi,
for me the trickiest part was hiding port 8080 from the outside. But this does the trick:
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 8080 -j REDIRECT --to-port 8081
sudo iptables -A INPUT -i eth0 -p tcp --dport 8081 -j DROP
I haven't thought about it, nor do I have the ability to work on it, but wouldn't it be easier to drop all 8080 packets on eth0?