Locking down Tomcat suggestions?

Postby TuckLive » Thu Sep 04, 2008 7:32 pm

I would like to forward port 8080 on my router so I can listen to my Subsonic anywhere, but I would like some advice on how to lockdown Tomcat to keep my server safe. Any suggestions or links are appreciated.
TuckLive
 
Posts: 17
Joined: Mon Apr 21, 2008 2:56 pm

Postby psych0munky » Fri Jan 16, 2009 6:13 am

I can provide some help.

You never specified if you were running Windows or a *nix. I would recommend a *nix because usually Tomcat services are installed to run as an unprivileged account and will NOT have read access to certain portions of your filesystem. IMHO Windows is not quite as secure this way, but it really only matters if an exploit is found.

Anyways, here are some things I would recommend:
- run tomcat as a user that has no privileges to anything other than tomcat, the transcoding tools, your subsonic home and your music folder(s).
- ensure that the tomcat user only has read/write privs to your music folders. You might be able to turn off write privs if you have all your album cover art, or don't care for it.
- remember that anything in your music folders is as good as publicly available, so ensure that nothing else besides your music is stored there.
- ensure you keep your tomcat up-to-date...
- check out OWASP.org for tips on securing tomcat. The doc is a little dated but still relevant. I have applied most of these to my instance, except for the security manager, as I just haven't had time.
- Check out the Tomcat docs for your version for more ideas. http://tomcat.apache.org/tomcat-6.0-doc/index.html
psych0munky
 
Posts: 8
Joined: Fri Oct 31, 2008 5:37 pm
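An added example, not from the thread or from Subsonic/Tomcat: a small Python audit that checks the per-folder least-privilege policy psych0munky describes (music folders read-only, the Subsonic home read/write, everything else unreadable) for the uid the Tomcat service runs as. It evaluates classic Unix mode bits only, so the uid, gids and paths are assumptions you fill in, and POSIX ACLs or SELinux are not considered.

```python
import os
import stat
from pathlib import Path


def _bits_for(st, uid, gids):
    """(r, w, x) that classic Unix mode bits grant uid/gids on one inode."""
    m = st.st_mode
    if uid == 0:  # root bypasses discretionary access control entirely
        return True, True, True
    if uid == st.st_uid:  # owner class applies, and only the owner class
        return bool(m & stat.S_IRUSR), bool(m & stat.S_IWUSR), bool(m & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(m & stat.S_IRGRP), bool(m & stat.S_IWGRP), bool(m & stat.S_IXGRP)
    return bool(m & stat.S_IROTH), bool(m & stat.S_IWOTH), bool(m & stat.S_IXOTH)


def effective_access(path, uid, gids):
    """(readable, writable) for uid at path; every ancestor must grant search (x)."""
    p = Path(path).resolve()
    for ancestor in p.parents:
        if not _bits_for(os.stat(ancestor), uid, gids)[2]:
            return False, False  # cannot traverse to it, so no access at all
    r, w, _ = _bits_for(os.stat(p), uid, gids)
    return r, w


def audit(policy, uid, gids):
    """policy maps path -> 'ro' | 'rw' | 'none'; returns a list of violations."""
    problems = []
    for path, want in policy.items():
        r, w = effective_access(path, uid, gids)
        if want == "ro" and (not r or w):
            problems.append(f"{path}: expected read-only, got r={r} w={w}")
        elif want == "rw" and not (r and w):
            problems.append(f"{path}: expected read/write, got r={r} w={w}")
        elif want == "none" and (r or w):
            problems.append(f"{path}: expected no access, got r={r} w={w}")
    return problems


if __name__ == "__main__":
    # Constructed placeholder values: replace with the real tomcat uid/gids and paths.
    TOMCAT_UID, TOMCAT_GIDS = 1500, {1500}
    POLICY = {"/srv/music": "ro", "/var/subsonic": "rw", "/home": "none"}
    for line in audit(POLICY, TOMCAT_UID, TOMCAT_GIDS) or ["policy satisfied"]:
        print(line)
```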
