Linux & Tomcat security configuration

Linux server security

Configure account password policy
Enforce a mandatory minimum password length and composition: passwords must be longer than 6 characters and must contain both digits and letters. On Red Hat systems this is set through the PAM password module (pam_cracklib on RHEL 6, pam_pwquality on RHEL 7 and later); PASS_MIN_LEN in /etc/login.defs alone only affects passwords set with passwd.

SSH session timeout disconnect
Modify /etc/ssh/sshd_config:
ClientAliveInterval 60 // unit: seconds between keepalive probes the server sends to the client
ClientAliveCountMax 20 // number of unanswered probes tolerated before the connection is dropped, so the connection is closed after 60 x 20 = 1200 seconds = 20 minutes without a response
Note that a working SSH client answers these probes automatically, so the two settings only drop dead connections (lost network, crashed client), not users who are connected but idle. To log out idle shells, set a shell timeout such as TMOUT=1200 in /etc/profile.d/ as well. Restart sshd after editing and confirm the effective values with sshd -T | grep -i clientalive.

Limit the number of concurrent logins
In /etc/pam.d/sshd add:
session required pam_limits.so

Then in /etc/security/limits.conf add:
redhat hard maxlogins 2 // "redhat" is the user name (not the distribution), "hard" makes the limit non-overridable, and maxlogins is the maximum number of simultaneous logins for that user. In practice the effective limit can be one lower than the configured value (with 2 here, only a single concurrent login was possible), because pam_limits counts the user's existing utmp entries and some services record the session before the PAM session opens; verify with a test login before relying on the number. The limit never applies to uid 0, and a whole group can be limited with the @group form.

Software firewall: open ports
Modify /etc/sysconfig/iptables:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT (allow new TCP connections to port 80 through the firewall)
The line must be placed above the chain's final REJECT/DROP rule, otherwise it is never reached; reload with service iptables restart and check the loaded rules with iptables -L -n -v.

Which IPs have tried to log in to the server
grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr

# awk splits each line on whitespace: in "... sshd[2101]: Failed password for root from 192.0.2.10 port 54321 ssh2" the source address is field 11 (field 9 is the word "root", so the often-quoted $9 prints the account name, not the address). sort first, because uniq -c only collapses adjacent duplicates; the final sort -nr orders numerically (-n) in descending order (-r). Failures for unknown accounts are logged as "Failed password for invalid user NAME from ...", which shifts the fields, so for a complete picture match the token after "from" rather than a fixed column.

find /var/log -type f -name "messages*" | xargs grep "root" | more // search the current and rotated /var/log/messages files for entries that mention root
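The following script is an added example, not part of the original article: it counts failed SSH password attempts per source address from sshd log lines, handling both the "Failed password for root from ..." and the "Failed password for invalid user NAME from ..." forms, which is where the fixed-column awk '{print $9}' pipeline above goes wrong. The log lines are constructed for the example; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): count failed SSH password
# attempts per source address, independent of the account-name wording.
# The log lines below are constructed for this example.

SAMPLE_SECURE_LOG='Mar  3 10:15:22 web1 sshd[2101]: Failed password for root from 192.0.2.10 port 54321 ssh2
Mar  3 10:15:25 web1 sshd[2101]: Failed password for root from 192.0.2.10 port 54322 ssh2
Mar  3 10:16:01 web1 sshd[2130]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Mar  3 10:16:03 web1 sshd[2130]: Failed password for invalid user oracle from 198.51.100.7 port 40002 ssh2
Mar  3 10:17:40 web1 sshd[2188]: Accepted password for deploy from 203.0.113.5 port 51000 ssh2
Mar  3 10:18:09 web1 sshd[2199]: Failed password for root from 198.51.100.7 port 40010 ssh2
Mar  3 10:19:00 web1 sshd[2201]: Failed password for deploy from 203.0.113.5 port 51002 ssh2'

# failed_login_sources [account]
#   Reads log lines on stdin and prints "count address" lines, most frequent
#   first. With an account name only failures for that account are counted;
#   without one every failed password attempt is counted.
failed_login_sources() {
    awk -v acct="${1:-}" '
        /Failed password for/ {
            # The account follows "for" (or "for invalid user"); the source
            # address always follows "from", whatever the account wording.
            user = ""; addr = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = ($(i+1) == "invalid" && $(i+2) == "user") ? $(i+3) : $(i+1)
                if ($i == "from") addr = $(i+1)
            }
            if (addr != "" && (acct == "" || user == acct)) print addr
        }' | sort | uniq -c | sort -k1,1nr -k2,2 | awk '{print $1, $2}'
}

# top_failed_source [account]: the address with the most failures.
top_failed_source() {
    failed_login_sources "${1:-}" | head -n 1 | awk '{print $2}'
}

# Usage on a real host: failed_login_sources root < /var/log/secure
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_SECURE_LOG" | failed_login_sources root
fi
```

Run it as sh script.sh demo to see the per-address counts for root; the "Accepted password" line is ignored, and 198.51.100.7 only shows its full three failures when no account filter is given, because two of them were against non-existent accounts. Ties are broken by address so the output is stable enough to diff between runs.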

View users' last login times
last    // recent login records (from /var/log/wtmp)
lastlog // last login time of every account
lastb   // failed login attempts (from /var/log/btmp)

Web container security: Tomcat v7.0

Applications
Delete all default applications in the webapps directory (ROOT, docs, examples, manager and host-manager) unless one is actually required; the manager and host-manager applications in particular should not stay deployed on a production server. Clear all cached content under work/Catalina/localhost.

Log records
Modify the default AccessLogValve in conf/server.xml:
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b" />
This pattern records the remote host (%h), the remote logical user name from identd (%l), the authenticated user (%u), the time (%t), the request line (%r), the HTTP status code (%s) and the number of bytes returned (%b); add %S to record the session id as well. Inside an XML attribute the quotes around %r must be written as &quot;. For the full list of format codes, refer to http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html
Connection configuration
Modify the <Connector port="80" protocol="HTTP/1.1" ...> element in conf/server.xml
(see http://tomcat.apache.org/tomcat-7.0-doc/config/http.html). The relevant attributes:
acceptCount="100"       // maximum queue length for incoming connections while all request threads are busy
acceptorThreadCount     // number of threads that accept connections
address                 // IP address to bind; restrict to one interface on a multi-homed host
connectionTimeout       // milliseconds to wait for the request line after a connection is accepted
connectionUploadTimeout // milliseconds to wait while reading a request body
keepAliveTimeout        // milliseconds to wait for the next request on a kept-alive connection
maxConnections="10000"  // maximum number of connections accepted and processed at any time
maxExtensionSize        // limit on the total length of chunk extensions in chunked requests
maxHttpHeaderSize       // maximum size in bytes of request and response headers
maxKeepAliveRequests    // requests allowed per connection; 1 disables keep-alive
maxThreads              // maximum number of request processing threads
minSpareThreads         // minimum number of threads kept running
Connection timeout: connectionTimeout="20000" is 20 seconds (the value shipped in server.xml); for 30 seconds use connectionTimeout="30000". Keep it short, so that clients that open connections and never send a request cannot hold request threads for long.
Binding to port 80 needs root privileges on Linux; the usual practice is to run Tomcat as an unprivileged user on a high port such as 8080 and redirect or reverse-proxy port 80 to it.
Default error page settings
In conf/web.xml (or each application's WEB-INF/web.xml) modify the <error-page> entries for 404 and 500 to point to a specific error page, so that Tomcat's built-in error report, which shows the Tomcat version and the stack trace, is never returned.
Add JSP exception-specific handling:
<error-page>
<exception-type>java.lang.NullPointerException</exception-type>
<location>/error.jsp</location>
</error-page>
Or add to the JSP page itself: <%@ page errorPage="/error.jsp" %>
The typical error.jsp error page is written as follows. Note that this page echoes the exception message and the complete stack trace to the browser, which discloses class names, file paths and internal state to anyone who can trigger an error, and an unescaped message may contain attacker-supplied input. On a production server keep the isErrorPage directive, but write the trace to the server log instead (for example application.log("error page", exception)) and return only a generic message to the client.
<%@ page contentType="text/html;charset=GB2312"%>
<%@ page isErrorPage="true" %>
<html>
<head><title>Error page</title></head>
<body>
<p>Error:</p> Error message: <%=exception.getMessage() %><br>
Stack Trace is : <pre><font color="red">
<% java.io.CharArrayWriter cw = new java.io.CharArrayWriter();
java.io.PrintWriter pw = new java.io.PrintWriter(cw, true);
exception.printStackTrace(pw);
out.println(cw.toString()); %>
</font></pre>
</body>
</html>

Disable directory listings
In conf/web.xml, in the DefaultServlet definition, set:
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
(false is already the value shipped with Tomcat 7; make sure no application's own web.xml turns it back on.)

Block the shutdown port
The default in conf/server.xml is <Server port="8005" shutdown="SHUTDOWN">. Anything that can connect to this port and send the shutdown string stops Tomcat, so port 8005 must be blocked by the firewall. The listener binds to localhost unless an address attribute is set; in addition change the shutdown string from SHUTDOWN to an unguessable value, or set port="-1" to disable the shutdown listener entirely.

Java file permission control
To restrict what deployed web applications may do with the file system, start Tomcat under the Java security manager (catalina.sh start -security) and modify the grants in conf/catalina.policy.
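The following script is an added example, not part of the original article or of Tomcat: it applies the application and cache clean-up described above to a CATALINA_HOME tree and audits the listings, shutdown-listener and access-log settings. It assumes the stock Tomcat 7 layout (webapps/, work/Catalina/localhost/, conf/server.xml, conf/web.xml); the function names and the sample tree it builds are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article or from Tomcat): apply and
# audit the Tomcat 7 hardening steps on a CATALINA_HOME directory.
# Assumes the stock layout; function names are this example's own.

# Default applications shipped with Tomcat 7 that should not stay on a server.
DEFAULT_WEBAPPS="ROOT docs examples manager host-manager"

# tomcat_harden CATALINA_HOME: remove the default webapps and cached work files.
tomcat_harden() {
    home="$1"
    for app in $DEFAULT_WEBAPPS; do
        rm -rf "$home/webapps/$app" "$home/webapps/$app.war"
    done
    # compiled JSPs and other cached content for the default host
    rm -rf "$home/work/Catalina/localhost"
    mkdir -p "$home/work/Catalina/localhost"
}

# tomcat_audit CATALINA_HOME: print one FAIL line per finding; return 1 if
# anything was found, 0 when all checks pass.
tomcat_audit() {
    home="$1"; status=0
    for app in $DEFAULT_WEBAPPS; do
        if [ -e "$home/webapps/$app" ] || [ -e "$home/webapps/$app.war" ]; then
            echo "FAIL default application still deployed: webapps/$app"; status=1
        fi
    done
    if [ -n "$(ls -A "$home/work/Catalina/localhost" 2>/dev/null)" ]; then
        echo "FAIL work/Catalina/localhost is not empty"; status=1
    fi
    # the listings init-param of the DefaultServlet must not be true
    if grep -A1 '<param-name>listings</param-name>' "$home/conf/web.xml" 2>/dev/null \
        | grep -q '<param-value>true</param-value>'; then
        echo "FAIL directory listings enabled in conf/web.xml"; status=1
    fi
    # shutdown listener: default port and default command string are both findings
    if grep -q '<Server port="8005"' "$home/conf/server.xml" 2>/dev/null; then
        echo "FAIL shutdown listener on default port 8005 (firewall it or set port=\"-1\")"; status=1
    fi
    if grep -q 'shutdown="SHUTDOWN"' "$home/conf/server.xml" 2>/dev/null; then
        echo "FAIL default shutdown command string SHUTDOWN"; status=1
    fi
    # access logging must be configured
    if ! grep -q 'AccessLogValve' "$home/conf/server.xml" 2>/dev/null; then
        echo "FAIL no AccessLogValve in conf/server.xml"; status=1
    fi
    return $status
}

# count_findings CATALINA_HOME: number of FAIL lines the audit reports.
count_findings() {
    tomcat_audit "$1" | grep -c '^FAIL' || true
}

# make_sample_tomcat DIR: a minimal stock-looking tree, constructed for this
# example (not a real Tomcat distribution), with one site application "myapp".
make_sample_tomcat() {
    dir="$1"
    mkdir -p "$dir/webapps/ROOT" "$dir/webapps/manager" "$dir/webapps/myapp" \
             "$dir/work/Catalina/localhost/ROOT" "$dir/conf"
    printf '<Server port="8005" shutdown="SHUTDOWN">\n<Valve className="org.apache.catalina.valves.AccessLogValve" />\n</Server>\n' > "$dir/conf/server.xml"
    printf '<init-param>\n<param-name>listings</param-name>\n<param-value>false</param-value>\n</init-param>\n' > "$dir/conf/web.xml"
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d); make_sample_tomcat "$tmp"
    tomcat_audit "$tmp" || true; echo "--- after tomcat_harden ---"
    tomcat_harden "$tmp"; tomcat_audit "$tmp" || true
    rm -rf "$tmp"
fi
```

Run sh script.sh demo to see the audit before and after hardening: the webapps and cache findings disappear, while the shutdown-port and shutdown-string findings remain until server.xml is edited, since the script deliberately does not rewrite configuration files. Removing ROOT means requests for / return 404 until the site's own application (or an empty placeholder) is deployed there.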