Tomcat Security Hardening and Specification

  • 2021-07-10 21:06:11
  • OfStack

Tomcat is an open source web server and servlet container. Web applications running on Tomcat perform well and run smoothly on ordinary hardware, which is why many site operators favour it. In its default configuration, however, it carries real security risks and can be attacked. The following are hardening measures:

Version security

Upgrade to the latest stable release. For stability, upgrade within the major version you are already running rather than jumping across major versions in one step.

Run Tomcat with reduced privileges

Do not start Tomcat as root; start it as an ordinary, unprivileged service user. In a cluster, give that user the same name and UID on every node so that file ownership and the start/stop scripts behave identically everywhere.

Port protection

1 Change the shutdown port 8005. Anything that can connect to it and send the shutdown string can stop the service, so move it off the default (this site's convention is a port between 8000 and 8999), replace the SHUTDOWN command string in server.xml with a long random value, and leave the listener bound to localhost, which is Tomcat's default. If nothing needs to stop Tomcat over the network at all, set port="-1" to disable the listener entirely.
2 If Tomcat sits on an intranet, bind every Tomcat connector to the internal interface with the address attribute rather than listening on all addresses.
3 Move the AJP connector off the default port 8009 to a free port above 1024 (by the same convention, between 8000 and 8999). If no front-end proxy talks AJP to this instance, comment the connector out altogether; since Tomcat 8.5.51 and 9.0.31 it ships commented out, binds to the loopback address when enabled, and requires a shared secret.
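The three port changes above applied to server.xml in one pass, as an added example for this article (not Tomcat's own tooling). It assumes a Tomcat 8.5/9 style server.xml; the bind address, shutdown port and AJP port used are illustrative, and xml.etree drops XML comments, so keep a backup of the file.

```python
"""Port-protection edits for server.xml in one pass: move the shutdown port
(or disable it with -1), replace the SHUTDOWN command with a random token,
bind every connector to the internal address, and remove or lock down AJP.

Added example for this article, not Tomcat's own tooling.  Assumes a Tomcat
8.5/9 style server.xml; xml.etree drops comments, so keep a backup copy.
"""
import secrets
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-in for a stock server.xml.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
"""


def harden_server_xml(xml_text, shutdown_port=8305, bind_addr="10.0.0.5",
                      keep_ajp=False, ajp_port=8309, ajp_secret=None):
    """Return a hardened copy of server.xml as text.

    shutdown_port=-1 disables the shutdown listener entirely.  The shutdown
    command becomes a random token, so a client that reaches the port and
    sends the well-known 'SHUTDOWN' no longer stops the service (the listener
    itself stays on localhost, Tomcat's default for the Server address).
    Connectors get address=bind_addr instead of listening on every interface.
    AJP is removed unless keep_ajp, in which case it is moved to ajp_port,
    pinned to 127.0.0.1 and given the shared secret that Tomcat 8.5.51+ and
    9.0.31+ require.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "Server":
        raise ValueError("not a Tomcat server.xml")
    root.set("port", str(shutdown_port))
    root.set("shutdown", secrets.token_urlsafe(24))
    for service in root.findall("Service"):
        for conn in list(service.findall("Connector")):
            if "ajp" in conn.get("protocol", "HTTP/1.1").lower():
                if not keep_ajp:
                    service.remove(conn)
                    continue
                conn.set("port", str(ajp_port))
                conn.set("address", "127.0.0.1")
                conn.set("secretRequired", "true")
                conn.set("secret", ajp_secret or secrets.token_urlsafe(24))
            else:
                conn.set("address", bind_addr)
    return ET.tostring(root, encoding="unicode")


def summarize(xml_text):
    """(shutdown port, shutdown command, [(protocol, port, address)]) for checks."""
    root = ET.fromstring(xml_text)
    conns = [(c.get("protocol", "HTTP/1.1"), c.get("port"), c.get("address"))
             for c in root.iter("Connector")]
    return int(root.get("port")), root.get("shutdown"), conns


if __name__ == "__main__":
    print(harden_server_xml(SAMPLE_SERVER_XML, keep_ajp=True))
```

Run it against a copy of server.xml, diff the result against the original, and only then move it into place; the random shutdown token is not printed anywhere else, so record it if an operator script needs it.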

Disable the Manager applications

1 Delete the default $CATALINA_HOME/conf/tomcat-users.xml, or empty it, so that no pre-configured account with manager or admin roles exists; Tomcat starts fine without any account defined.
2 Remove everything under $CATALINA_HOME/webapps: the stock ROOT, docs, examples, manager and host-manager applications are not needed in production, and examples and manager are the usual first targets.
3 Point the Host appBase at a directory outside the Tomcat installation directory.
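Steps 1 to 3 as a script, added here as an example for this article (not Tomcat's own tooling). It assumes the standard $CATALINA_HOME layout with conf/ and webapps/ directly below it, and it performs step 1 by overwriting tomcat-users.xml with an account-free file rather than deleting it, so the UserDatabase realm still finds its configured file; the sample install tree it builds is constructed for the example.

```python
"""Steps 1-3 above as a script: reset the default tomcat-users.xml, remove the
stock webapps, and check that appBase points outside the installation.

Added example for this article, not Tomcat's own tooling.  Assumes the standard
$CATALINA_HOME layout (conf/ and webapps/ directly below it).
"""
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

# Applications in the stock distribution; none of them belong on a production host.
STOCK_WEBAPPS = ("ROOT", "docs", "examples", "manager", "host-manager")

# tomcat-users.xml with no accounts (namespace as shipped with Tomcat 8.5/9).
EMPTY_USERS = ('<?xml version="1.0" encoding="UTF-8"?>\n'
               '<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0"/>\n')


def strip_default_webapps(catalina_home, keep=()):
    """Remove stock webapp directories and their .war files under webapps/ and
    overwrite conf/tomcat-users.xml with EMPTY_USERS.
    Returns (sorted removed paths, True if tomcat-users.xml was reset)."""
    removed = []
    webapps = os.path.join(catalina_home, "webapps")
    for name in STOCK_WEBAPPS:
        if name in keep:
            continue
        for path in (os.path.join(webapps, name), os.path.join(webapps, name + ".war")):
            if os.path.isdir(path):
                shutil.rmtree(path)
                removed.append(path)
            elif os.path.isfile(path):
                os.remove(path)
                removed.append(path)
    users = os.path.join(catalina_home, "conf", "tomcat-users.xml")
    reset = os.path.isfile(users)
    if reset:
        with open(users, "w", encoding="utf-8") as fh:
            fh.write(EMPTY_USERS)
    return sorted(removed), reset


def appbase_outside_home(server_xml_text, catalina_home):
    """Step 3 check: every Host appBase must be an absolute path that does not
    lie under CATALINA_HOME (a relative appBase is resolved against CATALINA_BASE)."""
    home = os.path.realpath(catalina_home)
    for host in ET.fromstring(server_xml_text).iter("Host"):
        base = host.get("appBase", "webapps")
        if not os.path.isabs(base):
            return False
        if os.path.commonpath([home, os.path.realpath(base)]) == home:
            return False
    return True


def make_sample_home():
    """Constructed stand-in for a fresh install: a few stock apps, one real app,
    and a tomcat-users.xml that defines a manager account.  Returns its path."""
    home = tempfile.mkdtemp(prefix="catalina_home_")
    for name in ("ROOT", "docs", "manager", "myapp"):
        os.makedirs(os.path.join(home, "webapps", name))
    open(os.path.join(home, "webapps", "examples.war"), "w").close()
    os.makedirs(os.path.join(home, "conf"))
    with open(os.path.join(home, "conf", "tomcat-users.xml"), "w") as fh:
        fh.write('<tomcat-users><user username="tomcat" password="tomcat" '
                 'roles="manager-gui"/></tomcat-users>\n')
    return home
```

Pass keep=("manager",) only where the Manager application is genuinely needed, and then lock it down as described further below.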

Hide version information of Tomcat

The version string comes from ServerInfo.properties packaged in $CATALINA_HOME/lib/catalina.jar.
Extracting the jar with jar xf catalina.jar yields two directories, META-INF and org.
Edit server.info (and, for consistency, server.number and server.built) in org/apache/catalina/util/ServerInfo.properties, then put the file back with jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties. The edit has to be repeated after every upgrade. On current releases (8.5 and 9) a less invasive alternative is showServerInfo="false" together with showReport="false" on the ErrorReportValve of the Host, which keeps the version and stack traces out of the default error pages.
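The same edit done without unpacking the jar by hand, as an added example for this article (not Tomcat's own tooling). It assumes the standard property keys server.info, server.number and server.built; the miniature catalina.jar it builds for demonstration is constructed, with invented values.

```python
"""Rewrite ServerInfo.properties inside catalina.jar without unpacking it by hand.
Added example for this article, not Tomcat's own tooling.  Same effect as the
jar xf / edit / jar uf procedure above; assumes the standard property keys
server.info, server.number and server.built.  A .bak copy of the jar is kept."""
import os
import shutil
import zipfile

PROPS_PATH = "org/apache/catalina/util/ServerInfo.properties"


def rewrite_server_info(jar_path, server_info="Web", server_number="0.0.0.0",
                        server_built="unknown"):
    """Replace the three version keys in the jar's ServerInfo.properties in place
    (other entries are copied unchanged) and return the new properties text."""
    shutil.copy2(jar_path, jar_path + ".bak")
    new_vals = {"server.info": server_info, "server.number": server_number,
                "server.built": server_built}
    with zipfile.ZipFile(jar_path) as src:
        old_text = src.read(PROPS_PATH).decode("latin-1")   # .properties are ISO-8859-1
        others = [(info, src.read(info.filename)) for info in src.infolist()
                  if info.filename != PROPS_PATH]
    lines = []
    for line in old_text.splitlines():
        key = line.split("=", 1)[0].strip()
        if key in new_vals and not line.lstrip().startswith(("#", "!")):
            lines.append("%s=%s" % (key, new_vals[key]))
        else:
            lines.append(line)
    new_text = "\n".join(lines) + "\n"
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for info, data in others:
            dst.writestr(info, data)
        dst.writestr(PROPS_PATH, new_text.encode("latin-1"))
    os.replace(tmp, jar_path)
    return new_text


def read_server_info(jar_path):
    """{key: value} of the properties currently inside the jar, for checking."""
    props = {}
    with zipfile.ZipFile(jar_path) as z:
        for line in z.read(PROPS_PATH).decode("latin-1").splitlines():
            if "=" in line and not line.lstrip().startswith(("#", "!")):
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
    return props


def make_sample_jar(jar_path):
    """Constructed miniature catalina.jar: a manifest plus a ServerInfo.properties
    with the keys a real one carries (values invented for the example)."""
    with zipfile.ZipFile(jar_path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr(PROPS_PATH,
                   "# Constructed sample\n"
                   "server.info=Apache Tomcat/9.0.50\n"
                   "server.number=9.0.50.0\n"
                   "server.built=Jun 28 2021 15:23:27 UTC\n")
```

Run read_server_info() on the live jar after each upgrade; if it still reports the real version, the rewrite was lost with the upgrade and has to be redone.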

Turn off war automatic deployment

By default Tomcat hot-deploys any WAR dropped into appBase. To prevent a web shell or other malicious package from being deployed just by writing a file there, turn automatic deployment off. Applications are then deployed only when Tomcat starts (deployOnStartup, which defaults to true), so deploying requires the privileges needed to restart the service.

Example change in server.xml:

<Host name="localhost" appBase="/data/www/tomcat_webapps"
      unpackWARs="false" autoDeploy="false">

Customize Error Pages

Edit conf/web.xml and add the following inside the <web-app> element. The location is resolved against each web application's context root, so /404.html and /500.html must exist in every application, or the mapping belongs in that application's own WEB-INF/web.xml. Use static pages here, not JSPs that could themselves fail:


<error-page>
  <error-code>404</error-code>
  <location>/404.html</location>
</error-page>
<error-page>
  <error-code>500</error-code>
  <location>/500.html</location>
</error-page>

Disable automatic directory listings

Edit conf/web.xml so that the DefaultServlet declaration carries listings=false:

<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>0</param-value>
  </init-param>
  <init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>

Here false disables directory listings and true enables them. Tomcat ships with listings=false, so the task is to verify it after upgrades and to make sure no application re-enables it in its own WEB-INF/web.xml; a listing hands an attacker the name of every file in a directory that has no index page.

Multiple virtual hosts

It is strongly recommended not to use Tomcat virtual hosts; run one Tomcat instance per site, that is, several Tomcat processes rather than one process containing several virtual hosts.
Tomcat is multithreaded and all hosts in one instance share one JVM heap, so a crash or resource exhaustion in one virtual host affects every application in that instance. Multiple instances cost more memory, but they give each application its own isolation boundary.

Script permissions

Restrict the executable permission of startup.sh, catalina.sh and shutdown.sh in the $CATALINA_HOME/bin directory so that only their owner can run them:
chmod -R 744 $CATALINA_HOME/bin/*
Combine this with chown to the service account; otherwise the owner is whoever unpacked the distribution.

Separate the Tomcat user from the project owner

If a web shell is planted, it runs as the Tomcat service user and can modify any file that user can write. So make the application files owned by a separate deployment user and readable, but not writable, by the Tomcat user: even after a successful upload the attacker cannot create or edit files in the application tree. Only the directories Tomcat genuinely writes (work, temp, logs) stay writable by the service user.
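A check that the separation actually holds, added as an example for this article (not part of Tomcat). It takes the service account's uid and gid (for example from pwd.getpwnam("tomcat")), inspects POSIX mode bits only (ACLs are not examined), and the application tree it builds for demonstration is constructed.

```python
"""Check that the Tomcat service account cannot write the deployed application
tree.  Added example for this article, not part of Tomcat.  Takes the service
account's uid and gid (for example pwd.getpwnam("tomcat").pw_uid / .pw_gid);
inspects POSIX mode bits only, not ACLs."""
import os
import stat
import tempfile


def writable_by(st, uid, gid):
    """True if an account with this uid/gid may write the object described by st."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_app_tree(root, uid, gid):
    """Sorted paths under root (directories included, symlinks skipped) that the
    service account could modify.  A writable directory is as bad as a writable
    file: it lets a web shell drop a new JSP beside the application."""
    bad = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in [None] + filenames:
            path = dirpath if name is None else os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if writable_by(st, uid, gid):
                bad.append(path)
    return sorted(bad)


def make_sample_tree():
    """Constructed application tree: a read-only JSP, a world-writable upload
    directory and a group/world-writable properties file.  Returns its path."""
    app = tempfile.mkdtemp(prefix="app_")
    os.chmod(app, 0o755)
    for name, mode in (("index.jsp", 0o644), ("config.properties", 0o666)):
        with open(os.path.join(app, name), "w") as fh:
            fh.write("sample\n")
        os.chmod(os.path.join(app, name), mode)
    os.makedirs(os.path.join(app, "upload"))
    os.chmod(os.path.join(app, "upload"), 0o777)
    return app
```

Run audit_app_tree() over appBase with the real tomcat uid/gid after each deployment; an empty result is the expected state, and anything listed (an upload directory is the classic case) needs either a different owner or a location outside the application tree.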

Server header rewrite

Add server="server_name" to the HTTP Connector. Tomcat 7 sends Apache-Coyote/1.1 by default; from 8.5 onward no Server header is sent unless this attribute is set, and when it is set it overrides any value the application tries to send.

Restrict the source IP addresses that may reach the host with a RemoteAddrValve. On Tomcat 7 and later the allow and deny attributes are each a single java.util.regex expression matched against the whole client address, with alternatives separated by |, so dots must be escaped; the comma-separated, *-wildcard form of Tomcat 6 no longer works (a comma becomes a literal character of the pattern and every intended client is denied):

<Host name="localhost" appBase="/data/www/tomcat_webapps" unpackWARs="true" autoDeploy="false">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="192\.168\.1\.10|192\.168\.1\.30|192\.168\.2\.\d{1,3}"/>
  <Valve className="org.apache.catalina.valves.RemoteHostValve"
         allow="www\.test\.com|.*\.test\.com"/>
</Host>

RemoteHostValve compares host names, which Tomcat only resolves when the Connector has enableLookups="true"; that costs a reverse DNS lookup per request and trusts PTR records, so prefer RemoteAddrValve.
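How the valve evaluates those patterns, as an added example for this article (not Tomcat's code): a Python mirror of RequestFilterValve.isAllowed() with Python's re standing in for java.util.regex (the patterns used mean the same in both), which shows why the comma list fails on Tomcat 7+ and why an unescaped dot is too wide.

```python
"""How Tomcat 7 and later evaluate RemoteAddrValve allow/deny: each attribute is
one java.util.regex pattern, matched against the whole client address, with
alternatives separated by '|'.  Added example for this article; Python's re
stands in for java.util.regex (the patterns used here mean the same in both).
"""
import re

# The Tomcat 6 style value from the original article (comma list, * wildcards).
LEGACY_ALLOW = "192.168.1.10,192.168.1.30,192.168.2.*"
# Escaped, but with the last alternative still using an unescaped dot and '.*'.
LOOSE_ALLOW = r"192\.168\.1\.10|192\.168\.1\.30|192.168.2.*"
# Same intent written for Tomcat 7+ (escaped dots, explicit last octet).
HARDENED_ALLOW = r"192\.168\.1\.10|192\.168\.1\.30|192\.168\.2\.\d{1,3}"


def tomcat_allows(allow, deny, remote_addr):
    """Mirror of RequestFilterValve.isAllowed(): a deny match rejects; otherwise
    an allow match accepts; with only deny set everything else is accepted; with
    neither set everything is rejected.  Empty strings count as unset, as in the
    valve's setters (so deny="" in server.xml is harmless)."""
    allow = allow or None
    deny = deny or None
    if deny is not None and re.fullmatch(deny, remote_addr):
        return False
    if allow is not None and re.fullmatch(allow, remote_addr):
        return True
    return deny is not None and allow is None


if __name__ == "__main__":
    for pattern in (LEGACY_ALLOW, LOOSE_ALLOW, HARDENED_ALLOW):
        for addr in ("192.168.1.10", "192.168.2.77", "192.168.20.1", "10.0.0.1"):
            print("%-55s %-14s %s" % (pattern, addr, tomcat_allows(pattern, "", addr)))
```

The unescaped form lets 192.168.20.1 through because . matches any character and .* swallows the rest of the address; the legacy form denies even 192.168.1.10 because the commas have to match literally.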

Access log format specification
Add the Referer and User-Agent headers and the request time to Tomcat's default access log pattern. Quote the two header fields, as %r already is, because a User-Agent contains spaces and is otherwise impossible to parse back out:

Standard configuration:

<Valve className="org.apache.catalina.valves.AccessLogValve"
       directory="logs" prefix="localhost_access_log"
       suffix=".txt"
       pattern="%h %l %u %t &quot;%r&quot; %s %b &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; %D"
       resolveHosts="false"/>

%D is the request processing time in milliseconds. Inside the XML attribute a double quote is written as &quot;. resolveHosts was dropped from the valve in Tomcat 8.5; newer releases warn about it and use the Connector's enableLookups (default false) instead.
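A parser for that exact pattern with a small detection on top, added as an example for this article (not Tomcat's code). The log lines are constructed for the example, not taken from a real server; the /manager and /host-manager prefixes are the stock Manager paths.

```python
"""Parse lines written with the access-log pattern above
    %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i" %D
and pull out who is touching the Manager applications.  Added example for this
article; the log lines are constructed, not from a real server."""
import re
from collections import Counter

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>-|\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<ms>\d+)$')

# Constructed sample: one normal hit, three probes of the Manager app, one slow
# server error, and one line that does not match the pattern.
SAMPLE_LOG = """\
10.1.2.3 - - [10/Jul/2021:21:06:11 +0800] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64)" 12
203.0.113.9 - - [10/Jul/2021:21:06:14 +0800] "GET /manager/html HTTP/1.1" 401 2473 "-" "python-requests/2.25.1" 3
203.0.113.9 - tomcat [10/Jul/2021:21:06:15 +0800] "GET /manager/html HTTP/1.1" 403 2534 "-" "python-requests/2.25.1" 4
203.0.113.9 - - [10/Jul/2021:21:06:20 +0800] "PUT /manager/text/deploy?path=/x HTTP/1.1" 404 - "-" "curl/7.68.0" 2
10.1.2.4 - - [10/Jul/2021:21:06:30 +0800] "GET /app/ HTTP/1.1" 500 - "http://intranet.example/" "Mozilla/5.0" 850
garbage line that does not match the pattern
"""


def parse_line(line):
    """Return a dict of fields, or None if the line does not match the pattern."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])   # %b prints '-' for 0
    rec["ms"] = int(rec["ms"])                                        # %D in milliseconds
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def admin_probes(log_text, prefixes=("/manager", "/host-manager")):
    """Count requests per client address that hit the Manager applications.
    Returns (Counter of client -> hits, number of lines that failed to parse);
    a non-zero unparsed count usually means the pattern in server.xml differs."""
    hits = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["path"].startswith(prefixes):
            hits[rec["host"]] += 1
    return hits, unparsed


if __name__ == "__main__":
    counts, bad = admin_probes(SAMPLE_LOG)
    print(counts.most_common(), "unparsed:", bad)
```

Once the Manager application has been removed as recommended above, every hit counted here is a probe by definition, which makes the counter a cheap alert source.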

Tomcat: disable unsafe HTTP methods

In conf/web.xml, the DefaultServlet (org.apache.catalina.servlets.DefaultServlet) must carry readonly=true:

<init-param>
  <param-name>readonly</param-name>
  <param-value>true</param-value>
</init-param>

With readonly=true the DefaultServlet rejects PUT and DELETE, which would otherwise let a client write files into the web application through the server itself. true is Tomcat's default; the check is that nobody has set it to false.
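An audit-and-fix for both DefaultServlet settings this article covers, listings=false (above) and readonly=true, added as an example for this article (not part of Tomcat). It handles the default namespace that web.xml declares and inserts a missing init-param before load-on-startup, as the servlet schema's element order requires; the sample web.xml is constructed.

```python
"""Audit and fix the two DefaultServlet init-params this article turns off and
on (listings=false, readonly=true) in conf/web.xml or an application's
WEB-INF/web.xml.  Added example for this article, not part of Tomcat."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
WANTED = {"listings": "false", "readonly": "true"}

# Constructed web.xml with directory listings switched on and readonly unset.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]          # strip the {namespace} prefix


def _default_servlet(root):
    for servlet in root.iter():
        if _local(servlet.tag) == "servlet":
            for child in servlet:
                if _local(child.tag) == "servlet-class" and (child.text or "").strip() == DEFAULT_SERVLET:
                    return servlet
    raise ValueError("DefaultServlet declaration not found")


def _param_values(servlet):
    """{param-name: <param-value> element} for the servlet's init-params."""
    found = {}
    for ip in servlet:
        if _local(ip.tag) == "init-param":
            kv = {_local(c.tag): c for c in ip}
            found[(kv["param-name"].text or "").strip()] = kv["param-value"]
    return found


def default_servlet_params(web_xml_text):
    """{param-name: value} of the DefaultServlet's init-params."""
    servlet = _default_servlet(ET.fromstring(web_xml_text))
    return {k: (v.text or "").strip() for k, v in _param_values(servlet).items()}


def default_servlet_child_order(web_xml_text):
    """Local names of the DefaultServlet element's children, in document order."""
    return [_local(c.tag) for c in _default_servlet(ET.fromstring(web_xml_text))]


def audit_default_servlet(web_xml_text):
    """[(param, current value or None, wanted value)] for every deviation."""
    params = default_servlet_params(web_xml_text)
    return [(k, params.get(k), v) for k, v in WANTED.items() if params.get(k) != v]


def harden_default_servlet(web_xml_text):
    """Return web.xml text with listings=false and readonly=true on DefaultServlet."""
    root = ET.fromstring(web_xml_text)
    servlet = _default_servlet(root)
    ns = root.tag[:root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    if ns:
        ET.register_namespace("", ns[1:-1])   # serialise without an ns0: prefix
    values = _param_values(servlet)
    for name, wanted in WANTED.items():
        if name in values:
            values[name].text = wanted
            continue
        ip = ET.Element(ns + "init-param")
        ET.SubElement(ip, ns + "param-name").text = name
        ET.SubElement(ip, ns + "param-value").text = wanted
        children = list(servlet)
        idx = next((i for i, c in enumerate(children) if _local(c.tag) == "load-on-startup"),
                   len(children))
        servlet.insert(idx, ip)
    return ET.tostring(root, encoding="unicode")
```

Run audit_default_servlet() over conf/web.xml and over every application's WEB-INF/web.xml, since a per-application declaration of the default servlet overrides the global one.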

Remote administration rights for the tomcat user
This applies only if the Manager application has been kept. Give the account the one role it needs in tomcat-users.xml. Since Tomcat 7 the old manager role grants nothing; the roles are manager-gui (HTML interface), manager-script (text interface), manager-jmx and manager-status, and each should go to a separate account with a str3ng password:

<user username="tomcat" password="***" roles="manager-gui"/>

Keep the RemoteAddrValve that the Manager application's own META-INF/context.xml ships with, which limits access to localhost, or adjust it to the administration addresses.

Tomcat connection timeout no longer than 30 seconds
Edit server.xml and set the Connector's connectionTimeout, the time in milliseconds an accepted connection may wait for a request line before it is closed, to 30000 or lower so that idle connections cannot be held open indefinitely:

<Connector
    port="8080" maxHttpHeaderSize="8192" maxThreads="150"
    minSpareThreads="25"
    enableLookups="false" redirectPort="8443" acceptCount="100"
    connectionTimeout="30000" disableUploadTimeout="true"/>

The maxSpareThreads attribute that older examples carry belongs to Tomcat 5.5 and is ignored by later versions.

Tomcat should size its thread pool according to machine capacity and business load

Edit server.xml, for example: <Connector port="8080" minSpareThreads="25" maxThreads="150" .../>
minSpareThreads="25" keeps that many idle threads ready even when no one is using the server.
maxThreads="150" caps the number of requests processed simultaneously; it limits request-processing threads, not accepted connections, which are governed separately by maxConnections and the acceptCount backlog.
Set both according to the actual situation.

Tomcat: configure the access log
In server.xml, make sure the AccessLogValve in the Host is present and not commented out (recent releases ship it enabled):

<Valve className="org.apache.catalina.valves.AccessLogValve"
       directory="logs" prefix="localhost_access_log." suffix=".txt"
       pattern="common" resolveHosts="false"/>

Configure Tomcat error page redirection

Besides status codes, error-page entries in web.xml can map exception types. Edit web.xml as follows:

<error-page>
  <error-code>404</error-code>
  <location>/noFile.htm</location>
</error-page>
......
<error-page>
  <exception-type>java.lang.NullPointerException</exception-type>
  <location>/error.jsp</location>
</error-page>

An exception-type entry catches that exception class and its subclasses only; to make sure no uncaught exception ever reaches the default error page, add an entry for java.lang.Throwable. The target page must not itself print the exception or stack trace to the client.

That concludes this article; the site will share more on this topic in follow-ups.

