Create restricted user on Debian server

bash security shell user-accounts

That's the right track, but you'll want to indicate that it's a system user so that /etc/shadow won't have any aging information. From the useradd man page:

-r, --system

      Create a system account.

      System users will be created with no aging information in /etc/shadow, and their numeric identifiers are choosen in the
      SYS_UID_MIN-SYS_UID_MAX range, defined in /etc/login.defs, instead of UID_MIN-UID_MAX (and their GID counterparts for the creation of
      groups).

      Note that useradd will not create a home directory for such an user, regardless of the default setting in /etc/login.defs
      (CREATE_HOME). You have to specify the -m options if you want a home directory for a system account to be created.

So you'll want something along the lines of:

useradd -s /usr/sbin/nologin -r -M tomcat

You can also create a home directory if you want, maybe something that belongs to the service, for example:

useradd -s /usr/sbin/nologin -r -M -d /etc/nginx nginx

Related

Are there any generic KVM over IP cards/chips for motherboards without any such capability?
Keeping configs, user ids, groups and passwords consistent across Linux-servers
DRBD status :- UpToDate/Diskless
OpenVPN certificate removal and connecting with no certificate file on server
Where is the Create New Connection button in the Connections panel in IIS 8?
What is the danger in having a fully used SWAP in an Ubuntu server?
postfix error unused parameter
In a Win7 computer that belongs to a domain, how do I append DNS search list entries?
What is the context of Mark Twain's "If you don't like the weather…" quote?
The meaning of "People say that life is the thing, but I prefer reading."
What do references like "Docc Rom." and similar mean? [closed]
I'm 25 (years old)