Tomcat deployment security configuration

Tomcat deployment security configuration. Make a backup before modifying the configuration! Make a backup before modifying the configuration! Make a backup before modifying the configuration!

Enable access logging so that security incidents can be troubleshot, analyzed and traced when they occur

1. Modify the conf/server.xml file in the Tomcat root directory.
2. Uncomment the Valve node under the Host node (add it if there is none). Note that the `%r` request line in the pattern must be wrapped in `&quot;` entities, since the attribute value itself is delimited by double quotes:

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b" />

3. Restart Tomcat.

Prohibit Tomcat from displaying directory file lists: allowing the directory file list to be displayed causes directory traversal vulnerabilities

1. Modify the configuration file conf/web.xml under the Tomcat directory and set the value of the listings init-param of the DefaultServlet to false:

<init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>
</init-param>

Avoid weak passwords for the Tomcat manager-gui role

tomcat-manager is the web application hot deployment function provided by Tomcat. This function carries high privileges and directly controls the Tomcat applications, so you should avoid using it where possible. If you have a special requirement for it, make sure to configure a strong password for it.
1. Edit the configuration file conf/tomcat-users.xml under the Tomcat root directory and change the password attribute value of the user node to a complex password. The password should meet the following complexity requirements:
   1. More than 8 characters in length.
   2. Contains three of the following four types of characters:
      - English uppercase letters (A to Z)
      - English lowercase letters (a to z)
      - The 10 basic digits (0 to 9)
      - Non-alphanumeric characters (such as !, $, #, %, @, ^, &)
   3. Avoid publicly known weak passwords, such as abcd.1234, admin@123, etc.

Disable the display of exception debugging information (recommended in production environments)

When a runtime error occurs during request processing, Apache Tomcat displays debugging information to the requester. It is recommended not to provide such debugging information to the requester.
1. Add an error-page child node to web-app in the conf/web.xml file under the Tomcat root directory, with the exception-type java.lang.Throwable and the location /error.jsp; then create error.jsp under the webapps directory and define custom error messages in it.

Prohibit automatic deployment

With automatic deployment configured, it is easy for malicious or untested applications to be deployed, so it should be disabled.
1. Modify the configuration file conf/server.xml under the Tomcat directory and set the autoDeploy attribute of the Host node to "false". If the Host's deployOnStartup attribute is "true", change it to "false" as well (if there is no deployOnStartup configuration, it can be ignored).
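The logging, directory listing, manager password and auto-deployment items above can all be checked mechanically before and after a change. The following audit script is an added example, not code from the original post: it parses the contents of server.xml, web.xml and tomcat-users.xml and reports which items are still open. The three XML samples are constructed for demonstration and deliberately left weak; the `local()` helper strips the XML namespaces that Tomcat's conf files declare.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples, not from a real installation; weakly configured on purpose.
SERVER_XML = '<Server><Service><Engine><Host name="localhost" appBase="webapps" autoDeploy="true"/></Engine></Service></Server>'
WEB_XML = ('<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"><servlet><init-param>'
           '<param-name>listings</param-name><param-value>true</param-value></init-param></servlet></web-app>')
USERS_XML = ('<tomcat-users xmlns="http://tomcat.apache.org/xml"><user username="tomcat" password="admin@123" roles="manager-gui"/>'
             '<user username="ops" password="Xk9#qTr2mL" roles="manager-gui"/></tomcat-users>')
PUBLIC_WEAK = {"abcd.1234", "admin@123"}  # the public weak passwords the page names

def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace Tomcat's conf files declare

def password_is_strong(pw):
    """Rule from the page: more than 8 chars, 3 of 4 character classes, not a known weak password."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) > 8 and pw not in PUBLIC_WEAK and sum(bool(re.search(c, pw)) for c in classes) >= 3

def audit_server_xml(text):
    findings = []
    for host in ET.fromstring(text).iter("Host"):
        name = host.get("name", "?")
        if host.get("autoDeploy", "true").lower() != "false":  # Tomcat defaults autoDeploy to true
            findings.append("Host %s: autoDeploy is not false" % name)
        if host.get("deployOnStartup", "").lower() == "true":
            findings.append("Host %s: deployOnStartup is true" % name)
        if not any(v.get("className") == "org.apache.catalina.valves.AccessLogValve"
                   for v in host.findall("Valve")):
            findings.append("Host %s: no AccessLogValve configured" % name)
    return findings

def audit_web_xml(text):
    findings = []
    for param in (p for p in ET.fromstring(text).iter() if local(p.tag) == "init-param"):
        fields = {local(c.tag): (c.text or "").strip() for c in param}
        if fields.get("param-name") == "listings" and fields.get("param-value") != "false":
            findings.append("DefaultServlet listings is %r, not false" % fields.get("param-value"))
    return findings

def audit_users_xml(text):
    findings = []
    for user in (u for u in ET.fromstring(text).iter() if local(u.tag) == "user"):
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        if "manager-gui" in roles and not password_is_strong(user.get("password", "")):
            findings.append("user %s: manager-gui role with a weak password" % user.get("username"))
    return findings

if __name__ == "__main__":
    print(*audit_server_xml(SERVER_XML) + audit_web_xml(WEB_XML) + audit_users_xml(USERS_XML), sep="\n")
```

To audit a real installation, read the three files from conf/ with `open().read()` and pass their contents to the three functions; an empty list from each means the corresponding item is closed.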

Tomcat directory permission detection

The owner of the Tomcat directories (the catalina.home and catalina.base directories) should be changed to the non-administrator user that runs Tomcat.
1. Find the catalina.base and catalina.home directories of Tomcat, right-click Properties, select the Security tab, click Advanced, and change the owner to the user who starts Tomcat. To find catalina.base and catalina.home, run tomcat.exe and look at the values it prints.

Delete project irrelevant files and directories

A Tomcat installation provides sample applications, documentation and other programs and directories that are not needed in production and that carry significant security risk. It is recommended to remove them.
1. Delete the Tomcat sample programs and directories, the management console, etc.: that is, in the webapps directory under the Tomcat root directory, remove or delete the docs, examples, host-manager and manager directories.

Tomcat process running permission detection

When running a service, avoid running it as an administrator or system user wherever possible, so as to reduce the chance of an attacker gaining control of the server.
1. Create a new ordinary user to start Tomcat.
2. Run service.bat install in the tomcat/bin directory to register Tomcat as a service.
3. Open Task Manager, select the Services tab, right-click the Tomcat service, and select Open Services.
4. Right-click Apache Tomcat, select Properties, and in the Log On tab click Browse next to "This account" and select the user who starts Tomcat.

Origin blog.csdn.net/SmileSunshines/article/details/127513594