Tomcat security configuration specification

Tomcat Security

Production environment tomcat specification

1. Change the service listening port

If Tomcat is placed on the intranet, every listening address of the Tomcat service must be an intranet address: set the address attribute on each Connector (without it Tomcat binds to all interfaces, 0.0.0.0), and move the HTTP port off the default 8080.

Standard configuration: <Connector port="10000" address="INTRANET_IP" protocol="HTTP/1.1" server="webserver"/>  (replace INTRANET_IP with the host's intranet address; the server attribute is the Server header rewrite of section 11)

2. Shutdown port (telnet management port) protection

The Server element's port (default 8005) accepts the shutdown command; anyone who can connect to it (telnet is enough) and knows the command string can stop Tomcat. Change it to a port that is not easy to guess (above 1024); this specification requires a port between 8000 and 8999. By default the listener is bound to localhost only; if shutdown.sh is never used, port="-1" disables it altogether.

Also change the SHUTDOWN command to another string.
Standard configuration: <Server port="8578" shutdown="dangerous">

3. Protection of the AJP connector port

Change the default AJP port 8009 to one that is less likely to be found or to conflict (above 1024); this specification requires a port between 8000 and 8999. Bind the connector with address= to the loopback or intranet address, never to all interfaces.

On production machines, additionally restrict access to the AJP port with iptables rules so that only the Apache hosts running mod_jk can reach it; the purpose is to prevent offline test traffic from being forwarded to the production Tomcat by Apache's mod_jk. Note that Tomcat 8.5.51, 9.0.31 and later refuse AJP connections without a shared secret (secretRequired="true" by default), so mod_jk and the connector must be configured with the same secret.

Standard configuration: <Connector port="8349" address="INTRANET_IP" protocol="AJP/1.3"/>  (replace INTRANET_IP with the address the mod_jk hosts connect to)
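The three settings above are easy to get half right (a moved port but no address=, a changed shutdown port but the default SHUTDOWN string). The following script, an added example that is not code from the original page, writes two constructed server.xml files (a stock-style one and one with sections 1 to 3 and the server= attribute of section 11 applied) and audits both. The intranet address 10.0.0.5, the ports and the AJP secret are assumptions; start tags inside XML comments are not skipped by the audit.

```shell
#!/bin/sh
# Added example, not code from the original page: audit a server.xml for the rules of
# sections 1 to 3 (bind address, shutdown port and command, AJP port) and the server=
# attribute of section 11. The two sample files, the address 10.0.0.5, the ports and the
# AJP secret are constructed assumptions. Start tags inside XML comments are not skipped.

write_stock_server_xml() {   # constructed: roughly what a fresh install ships with
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
EOF
}

write_hardened_server_xml() {   # constructed: the page's rules applied
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!-- section 2: shutdown port in 8000-8999 (or -1 to disable) and a private command -->
<Server port="8578" shutdown="dangerous">
  <Service name="Catalina">
    <!-- section 1: intranet address only; section 11: server= rewrites the Server header -->
    <Connector port="10000" address="10.0.0.5" protocol="HTTP/1.1"
               server="webserver" connectionTimeout="20000" />
    <!-- section 3: non-default AJP port bound to loopback (use the intranet address plus
         iptables when mod_jk runs on another host); Tomcat 8.5.51/9.0.31 and later also
         require the shared secret, older releases call the attribute requiredSecret -->
    <Connector port="8349" address="127.0.0.1" protocol="AJP/1.3"
               secretRequired="true" secret="change-me-shared-with-mod_jk" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="/data/www/tomcat_webapps" unpackWARs="true" autoDeploy="false" />
    </Engine>
  </Service>
</Server>
EOF
}

start_tags() {   # $1 file, $2 element name: print every <name ...> start tag on one line
    awk -v tag="$2" 'BEGIN { RS = ">" }
        $0 ~ ("<" tag "[ \t\n]") { gsub(/[ \t\n]+/, " "); sub(/^ /, ""); print $0 ">" }' "$1"
}

attr() {   # $1 start tag, $2 attribute name: print the attribute value, empty if absent
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\"\([^\"]*\)\".*/\1/p"
}

audit_server_xml() {   # prints one finding per line; always returns 0
    srv=$(start_tags "$1" Server)
    sport=$(attr "$srv" port)
    if [ "$sport" = 8005 ]; then echo "shutdown port is the default 8005"; fi
    if [ -n "$sport" ] && [ "$sport" != -1 ] && { [ "$sport" -lt 8000 ] || [ "$sport" -gt 8999 ]; }; then
        echo "shutdown port $sport is outside the required 8000-8999 range"
    fi
    if [ "$(attr "$srv" shutdown)" = SHUTDOWN ]; then echo "shutdown command is the default SHUTDOWN"; fi
    start_tags "$1" Connector | while read -r c; do
        port=$(attr "$c" port)
        if [ -z "$(attr "$c" address)" ]; then echo "connector $port: no address=, listens on every interface"; fi
        if [ "$(attr "$c" protocol)" = AJP/1.3 ]; then
            if [ "$port" = 8009 ]; then echo "connector $port: default AJP port 8009"; fi
            if [ -z "$(attr "$c" secret)" ]; then echo "connector $port: AJP without a shared secret"; fi
        elif [ -z "$(attr "$c" server)" ]; then
            echo "connector $port: default Server header (no server=)"
        fi
    done
    return 0
}
count_server_findings() { audit_server_xml "$1" | wc -l | tr -d ' '; }

tmp=$(mktemp -d)   # stand-alone run: audit both samples
write_stock_server_xml "$tmp/stock.xml"; write_hardened_server_xml "$tmp/hardened.xml"
echo "stock server.xml:"; audit_server_xml "$tmp/stock.xml"
echo "hardened server.xml: $(count_server_findings "$tmp/hardened.xml") finding(s)"
rm -rf "$tmp"
```

Run it against a real file with audit_server_xml /path/to/server.xml; the stock sample produces seven findings and the hardened one none. The port-range check follows this specification's 8000 to 8999 rule for the shutdown port, with -1 (listener disabled) accepted.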

4. Disable the management interface

Delete or empty the default $CATALINA_HOME/conf/tomcat-users.xml so that it defines no users and no roles (no account may hold the manager or admin roles); the manager and host-manager applications are removed in the next step in any case.

Delete every directory and file shipped by default in $CATALINA_HOME/webapps (ROOT, docs, examples, manager, host-manager).

Configure the application root directory to a directory outside the Tomcat installation directory.

Standard configuration:

a. server.xml configuration.
One way is to edit the Host node directly, which is the global setting:

<Host name="localhost"  appBase="/data/www/tomcat_webapps" unpackWARs="true" autoDeploy="false"></Host>

The other is to add a Context node inside the Host node that points at one specific application:

<Context path="" docBase="/usr/local/tomcat/webapps/jenkins" reloadable="false" crossContext="true">
</Context>

(The debug attribute of the original configuration is not a Context attribute on Tomcat 6 and later and only produces a "did not find a matching property" warning, so it is dropped here. crossContext="true" lets this application obtain other applications' ServletContext through getContext(); set it to false unless the application needs it.)

b. Add a new file test##20160506172651.xml in the $CATALINA_HOME/conf/Catalina/localhost directory (the ##version suffix is Tomcat's parallel-deployment naming):

<Context displayName="test" docBase="/data/www/tomcat_webapps/test##20160506172651.war" reloadable="false" />

5. Hide the Tomcat version information

The version string is read from the file org/apache/catalina/util/ServerInfo.properties inside $CATALINA_HOME/lib/catalina.jar. Extracting just that file into $CATALINA_HOME/lib with jar xf creates lib/org/apache/catalina/util/ServerInfo.properties; because the common class loader searches the lib directory before the jars in it, the extracted copy overrides the packaged one, so editing its server.info field changes the version Tomcat reports (server.number and server.built can be changed the same way). To change the packaged copy instead, write the edited file back with jar uf.

$ cd $CATALINA_HOME/lib
$ jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties   # extract only this file, into lib/org/apache/catalina/util/
$ grep -Ev '^(#|$)' org/apache/catalina/util/ServerInfo.properties     # show the current values
$ vim org/apache/catalina/util/ServerInfo.properties
server.info=nolinux        # just change this value to something else
$ jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties   # optional: update the copy inside the jar as well

Newer Tomcat versions can also keep the version off the default error pages with showServerInfo="false" on the ErrorReportValve.

Custom error pages: edit $CATALINA_HOME/conf/web.xml to map 403/404/500 and similar errors to your own error pages with <error-page> entries, so the default Tomcat error page (which shows the version on older releases) is never sent; the global file applies to every web application, and an application's own WEB-INF/web.xml can override it.

6. Start with reduced privileges

Tomcat must be started as a non-root user, and that user's directory access should be kept as narrow as possible. If port 80 must be exposed directly, start Tomcat under an ordinary account on a high port and forward port 80 to it with an iptables rule. To limit what a web shell planted in Tomcat can do, separate the owner of the Tomcat process from the owner of the project files: the Tomcat user only needs read access to the application code, so even if the application is compromised it cannot create or edit project files (the Tomcat user still needs write access to its own work, temp and logs directories).

7. Directory listing access control

In $CATALINA_HOME/conf/web.xml, the listings init-param of the default servlet must be false (the default), so that a request for a directory without a welcome file does not return a list of its contents.

8. Access restriction

Restrict which client IP addresses (or host names) may reach the application.

Global setting, restricting access by IP and by domain name, on the Host:

<Host name="localhost"  appBase="/data/www/tomcat_webapps"   unpackWARs="true" autoDeploy="false">
   <Valve className="org.apache.catalina.valves.RemoteAddrValve"  allow="192\.168\.1\.10|192\.168\.1\.30|192\.168\.2\.\d+"/>
   <Valve className="org.apache.catalina.valves.RemoteHostValve"  allow="www\.test\.com|.*\.test\.com"/>
</Host>

Since Tomcat 7 the allow and deny attributes are a single java.util.regex expression that must match the whole address, so alternatives are joined with | and dots are escaped; the Tomcat 6 comma-separated form (allow="192.168.1.10,192.168.1.30,192.168.2.*") is treated as one regular expression containing commas and never matches. An empty deny="" can simply be omitted. RemoteHostValve only sees host names when the Connector has enableLookups="true", which adds a DNS lookup to every request, so RemoteAddrValve alone is usually preferable. If Tomcat sits behind a reverse proxy or load balancer, the address these valves see is the proxy's; put a RemoteIpValve before them so the client address from X-Forwarded-For is used.

9. Revoke script permissions

Restrict the executable permission on startup.sh, catalina.sh and shutdown.sh in the $CATALINA_HOME/bin directory: chmod -R 744 $CATALINA_HOME/bin/*. The owner of these files must be the account that starts Tomcat, since 744 leaves execute permission to the owner only.
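Sections 4, 6, 7 and 9 (with the error pages of section 5) are all file-system and web.xml work on CATALINA_BASE, so one script covers them. The following is an added example, not code from the original page: it builds a constructed stock-like CATALINA_BASE with the weaknesses listed above, applies the page's steps to it, and audits the result; the layout, both sample web.xml files and the "tomcat" service user are assumptions, and the root-only steps (chown, iptables) are shown as comments rather than run.

```shell
#!/bin/sh
# Added example, not code from the original page: apply the CATALINA_BASE hardening of
# sections 4, 6, 7 and 9 (plus the error pages of section 5) to a directory and audit it.
# The directory layout, both sample web.xml files and the "tomcat" service user are
# constructed assumptions; steps that need root (chown, iptables) are shown as comments.

write_weak_web_xml() {   # constructed: listings on, no custom error pages, stock multi-line layout
    cat > "$1" <<'EOF'
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
</web-app>
EOF
}

write_hardened_web_xml() {   # constructed: section 7 (listings=false) and section 5 (403/404/500 pages)
    cat > "$1" <<'EOF'
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
  <error-page><error-code>403</error-code><location>/error/403.html</location></error-page>
  <error-page><error-code>404</error-code><location>/error/404.html</location></error-page>
  <error-page><error-code>500</error-code><location>/error/500.html</location></error-page>
</web-app>
EOF
}

listings_value() {   # value of the default servlet's listings init-param in a web.xml
    awk '/<param-name>listings<\/param-name>/ { f = 1 }
         f && /<param-value>/ { gsub(/.*<param-value>|<\/param-value>.*/, ""); print; exit }' "$1"
}

make_sample_base() {   # constructed stock-like CATALINA_BASE with the weaknesses the page lists
    b="$1"
    mkdir -p "$b/conf" "$b/bin" "$b/appbase/shop"
    for app in ROOT docs examples manager host-manager; do mkdir -p "$b/webapps/$app"; done
    write_weak_web_xml "$b/conf/web.xml"
    printf '#!/bin/sh\nexec java org.apache.catalina.startup.Bootstrap start\n' > "$b/bin/catalina.sh"
    echo '<h1>shop</h1>' > "$b/appbase/shop/index.jsp"
    chmod 755 "$b/bin/catalina.sh" "$b/appbase" "$b/appbase/shop"
    chmod 666 "$b/appbase/shop/index.jsp"   # anyone, the Tomcat user included, can edit it
}

harden_base() {   # the page's steps applied to CATALINA_BASE $1
    b="$1"
    for app in ROOT docs examples manager host-manager; do rm -rf "$b/webapps/$app"; done   # section 4
    write_hardened_web_xml "$b/conf/web.xml"                                                # sections 5 and 7
    chmod -R 744 "$b"/bin/*                                                                  # section 9
    find "$b/appbase" -type d -exec chmod 755 {} +                                           # section 6: read-only for Tomcat
    find "$b/appbase" -type f -exec chmod 644 {} +
    # Root-only steps, not run here: a separate owner for the code, and port 80 forwarded to
    # the Connector port (10000 in section 1) so Tomcat itself never needs root:
    #   chown -R deploy:tomcat "$b/appbase"
    #   iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 10000
}

audit_base() {   # $1 CATALINA_BASE, $2 appBase, $3 Tomcat service user; one finding per line
    b="$1"; app="$2"; user="$3"
    for name in ROOT docs examples manager host-manager; do
        if [ -e "$b/webapps/$name" ]; then echo "default webapp still deployed: $name"; fi
    done
    if [ "$(listings_value "$b/conf/web.xml")" != "false" ]; then echo "directory listings enabled in conf/web.xml"; fi
    for code in 403 404 500; do
        if ! grep -q "<error-code>$code</error-code>" "$b/conf/web.xml"; then echo "no custom error page for $code"; fi
    done
    find "$app" -perm -002 | sed 's/^/world-writable: /'
    if id "$user" >/dev/null 2>&1; then find "$app" -user "$user" | sed "s/^/owned by Tomcat user $user: /"; fi
    find "$b/bin" -name '*.sh' -perm -001 | sed 's/^/script executable by others: /'
    return 0
}
count_base_findings() { audit_base "$@" | wc -l | tr -d ' '; }

base=$(mktemp -d)   # stand-alone run: weak layout, then the same layout hardened
make_sample_base "$base"
echo "before hardening:"; audit_base "$base" "$base/appbase" "$(id -un)"
harden_base "$base"
echo "after hardening: $(count_base_findings "$base" "$base/appbase" tomcat) finding(s)"
rm -rf "$base"
```

On a real installation run audit_base /path/to/catalina_base /data/www/tomcat_webapps tomcat; the ownership check reports every file under the appBase that the service user owns (the page's point in section 6), and is skipped when the named user does not exist on the machine.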

10. Access log format specification

Record Referer and User-Agent in Tomcat's default access log.

Standard configuration:

<Valve className="org.apache.catalina.valves.AccessLogValve"
   directory="logs" prefix="localhost_access_log"
     suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; %D"
     resolveHosts="false" />

Referer and User-Agent are client-supplied and contain spaces, so they are wrapped in &quot; like %r (the layout of Tomcat's built-in "combined" pattern); unquoted they cannot be separated from each other or from the %D processing time (in milliseconds) that follows. resolveHosts="false" keeps %h as the IP address on Tomcat 6 and 7 (where the attribute is deprecated); on Tomcat 8 and later the attribute is gone and lookups are controlled by the Connector's enableLookups, which defaults to false, so drop it there. Behind a RemoteIpValve add requestAttributesEnabled="true" so that %h logs the real client address.
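What the two extra fields buy you only shows once the log is read back. The following is an added example, not code from the original page: it writes a constructed access log in the section 10 layout, assuming Referer and User-Agent are quoted like %r (pattern %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i" %D), then lists clients probing for non-existent paths and requests whose %D is above a threshold. The addresses, paths and timings are invented; a real log lives in $CATALINA_BASE/logs.

```shell
#!/bin/sh
# Added example, not code from the original page: two checks over an access log written
# with the section 10 pattern, assuming Referer and User-Agent are quoted like %r
# (pattern %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i" %D). The log lines,
# addresses and paths below are constructed, not taken from a real server.

write_sample_access_log() {
    cat > "$1" <<'EOF'
192.168.2.17 - - [06/May/2016:17:26:51 +0800] "GET /manager/html HTTP/1.1" 404 1016 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0" 12
192.168.2.17 - - [06/May/2016:17:26:52 +0800] "GET /host-manager/html HTTP/1.1" 404 1021 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0" 9
192.168.1.10 - - [06/May/2016:17:26:53 +0800] "GET /shop/index.jsp HTTP/1.1" 200 5321 "http://www.test.com/" "Mozilla/5.0 (Windows NT 6.1) Chrome/50.0" 1540
192.168.2.17 - - [06/May/2016:17:26:54 +0800] "GET /.git/config HTTP/1.1" 404 1011 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0" 7
192.168.1.30 - - [06/May/2016:17:26:55 +0800] "POST /shop/login HTTP/1.1" 200 211 "http://www.test.com/shop/index.jsp" "Mozilla/5.0 (Windows NT 6.1) Chrome/50.0" 88
10.9.8.7 - - [06/May/2016:17:26:56 +0800] "GET /shop/ HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; "evil")" 3
EOF
}

# Splitting on the double quote gives 7 fields for a well-formed line: $1 = "%h %l %u %t ",
# $2 = %r, $3 = " %s %b ", $4 = Referer, $6 = User-Agent, $7 = " %D". Older Tomcat versions
# write header values unescaped, so a quote inside a User-Agent (last sample line) shifts
# the fields; such lines are counted and skipped rather than attributed to the wrong field.
probing_clients() {   # $1 log file, $2 minimum number of 404s: clients probing for paths
    awk -v min="$2" -F'"' '
        NF != 7 { bad++; next }
        { split($1, a, " "); split($3, s, " "); if (s[1] == "404") n[a[1]]++ }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip]
              if (bad) print bad " line(s) with an unescaped quote skipped" | "cat 1>&2" }' "$1" | sort
}

slow_requests() {   # $1 log file, $2 threshold in ms: requests whose %D exceeds it
    awk -v max="$2" -F'"' '
        NF != 7 { next }
        { ms = $7 + 0; split($1, a, " "); if (ms > max) print a[1], $2, ms }' "$1"
}

log=$(mktemp -d)/access.log   # stand-alone run on the constructed sample
write_sample_access_log "$log"
echo "clients with 3 or more 404s:"; probing_clients "$log" 3
echo "requests slower than 1000 ms:"; slow_requests "$log" 1000
rm -rf "$(dirname "$log")"
```

Both functions take the log path as their first argument, so they work unchanged on localhost_access_log.<date>.txt; the quote handling is the part to keep if the User-Agent field is ever fed to anything else.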

11. Server header rewrite

Add a server attribute to the HTTP Connector configuration, server="chuck-server"; Tomcat then sends that value as the Server response header instead of its default, so responses no longer identify the server software.


Origin http://43.154.161.224:23101/article/api/json?id=324685663&siteId=291194637