For my own future reference, here are the steps I used to lock down an Amazon EC2 instance running the Railo image:
SSH in as the ubuntu user. It should use your existing Amazon key pair. If it doesn’t, go read up on how EC2 works.
Create a new user account and add the user to the admin group:
```sh
sudo adduser fred
sudo adduser fred admin
```
Copy your SSH key over to the new user:
```sh
sudo mkdir -p /home/fred/.ssh
sudo cp ~/.ssh/authorized_keys /home/fred/.ssh/
sudo chown -R fred:fred /home/fred/.ssh
sudo chmod -R 0700 /home/fred/.ssh
```
Add your new user to /etc/sudoers.
```sh
export EDITOR=nano && sudo -E visudo
```
In the editor, add this line:
```
fred ALL=(ALL) ALL
```
Log out. SSH back in as your new user.
Remove the Railo admin password and restart Railo:
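```sh
# Blank the stored admin password; the original file is kept as railo-server.xml.bak
sudo perl -p -i.bak -e 's/password=".+?"/password=""/g' /opt/railo/lib/railo-server/context/railo-server.xml
sudo /etc/init.d/railo_ctl restart
```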
Reset your Railo Server password at http://./railo-context/admin/server.cfm. Do this right after the restart, because the server admin has no password until you set one. Set up a default password and reset all of the web context passwords.
Change the Mango admin password by logging into http://./admin with admin/railo4all. Create a new user account with your own name while you are in there.
Reset your MySQL password (currently railo4all) and make a new user:
```
mysql -u root -p mysql
update user set password=password('newpassword') where user = 'root';
-- give the railo account its own password, not the root one
create user 'railo'@'127.0.0.1' identified by 'newpassword';
grant select, insert, update, delete, alter, index, drop, create on mango.* to 'railo'@'127.0.0.1';
flush privileges;
\q
```
If you aren’t using ORM, you can reduce the grant statement to the first 4 CRUD operations (select, insert, update, delete).
Go into your Railo Web Admin at http://./railo-context/admin/web.cfm and change the Mango datasource to use user railo and the new password. Lock down permissions appropriately.
Set up Git, and make a repo to cover your web root:
```sh
sudo apt-get install -y git-core
mkdir -p ~/git/www.git
cd ~/git/www.git
git init --bare
git config core.bare false
git config core.worktree /var/www
git config receive.denycurrentbranch ignore
sudo chown -R fred:fred /var/www
# Keep WEB-INF, editor backup files and settings.xml out of the repo
cat > /var/www/.gitignore <<'EOF'
WEB-INF
~*
*~
settings.xml
EOF
git add /var/www
git commit -m 'Created repo'
# After each push, check the pushed files out into the web root
cat > hooks/post-update <<'EOF'
#!/bin/sh
GIT_WORK_TREE=/var/www GIT_DIR=/home/fred/git/www.git git checkout -q -f
EOF
chmod +x hooks/post-update
```
You should now be able to clone this repo with something like fred@host:git/www.git. Committing and pushing to Git checks out the files to your web root, so you never need to transfer anything manually unless it’s too big to put in Git.
Fix SES URLs in Apache+Tomcat. You’ll need to edit /etc/apache2/apache2.conf to include a /*.cfm/* rule.
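
As an added example (not part of the original post), the script below checks three things the steps above leave behind: ownership and mode of the new user's .ssh directory, whether railo-server.xml still carries the blank password written by the perl command, and whether the post-update hook is executable. It assumes Railo writes the new password back to the same `password` attribute; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# st GNU_FMT BSD_FMT PATH: stat wrapper (GNU stat first, BSD stat as fallback).
st() { stat -c "$1" "$3" 2>/dev/null || stat -f "$2" "$3"; }

# True if the config still has the blank password the perl one-liner wrote,
# meaning nobody has set a new server password yet.
has_blank_password() { grep -q 'password=""' "$1"; }

# True if DIR ($1) is owned by numeric uid $2, is mode 700, and its
# authorized_keys grants nothing to group or others.
ssh_dir_ok() {
    [ -d "$1" ] && [ -f "$1/authorized_keys" ] || return 1
    [ "$(st %u %u "$1")" = "$2" ] || return 1
    [ "$(st %a %Lp "$1")" = "700" ] || return 1
    case "$(st %a %Lp "$1/authorized_keys")" in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# audit HOME UID RAILO_XML: print each failed check, return the failure count.
audit() {
    fails=0
    ssh_dir_ok "$1/.ssh" "$2" ||
        { echo "FAIL: $1/.ssh owner or mode"; fails=$((fails + 1)); }
    if has_blank_password "$3"; then
        echo "FAIL: blank admin password in $3"; fails=$((fails + 1))
    fi
    [ -x "$1/git/www.git/hooks/post-update" ] ||
        { echo "FAIL: post-update hook not executable"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample tree so the script runs offline. On the instance, call:
# audit /home/fred "$(id -u fred)" /opt/railo/lib/railo-server/context/railo-server.xml
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/home/.ssh" "$d/home/git/www.git/hooks"
    echo 'ssh-rsa AAAA...constructed fred@example' > "$d/home/.ssh/authorized_keys"
    chmod -R 0700 "$d/home/.ssh"
    printf '#!/bin/sh\n' > "$d/home/git/www.git/hooks/post-update"  # chmod +x skipped
    echo '<railo-configuration password="">' > "$d/railo-server.xml"  # constructed
    echo "$d"
}

s=$(make_sample)
audit "$s/home" "$(id -u)" "$s/railo-server.xml"; echo "failures: $?"
rm -rf "$s"
```

The sample tree deliberately skips `chmod +x` on the hook and keeps the blank password, so the run reports two failures.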