[Reprint] Tomcat security configuration tips

Original post address: https://cloud.tencent.com/developer/article/1146827

1. Version: download the latest stable release from the official Tomcat download page, and do not deploy beta or release-candidate builds. Branches that have reached end of life no longer receive security fixes, so stay on a supported branch. The official Tomcat site is:

http://tomcat.apache.org/

2. Start as a non-root user: Tomcat must not be started with the system root account; create a normal user for it. Check which account the running process belongs to with ps aux | grep tomcat.

Starting Tomcat directly as a non-root user works for Tomcat 5/6/7/8; the drawback is that an unprivileged process can only bind ports above 1024, such as 8080. Steps:

Step 1: create the user

useradd tomcat

Step 2: hand the Tomcat directory to that user

chown -R tomcat:tomcat apache-tomcat-*

chmod -R 770 apache-tomcat-*

Note: apache-tomcat-* stands for the Tomcat directory name. The 770 here is the original article's setting; it leaves the whole tree group-writable, and section 9 below tightens this for the web content (755 for directories, 644 for files).

Step 3: start Tomcat

Switch to the unprivileged tomcat user and start from there; make sure any running Tomcat instance has been stopped first.

cd apache-tomcat-*/bin/

su tomcat

./startup.sh

If the user was created without a login shell, use su -s /bin/sh tomcat instead. After a successful start, ps aux | grep tomcat shows the Java process running under the tomcat user rather than root.

The drawback of running without root privileges is that Tomcat can only listen on ports above 1024, so if it must be reachable on 80/443 you need iptables, or an Apache/nginx reverse proxy, to forward the traffic. Example iptables rules:

iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT

iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 443 --to-ports 8443

iptables -A FORWARD -p tcp --destination-port 80 -j ACCEPT

iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 80 --to-ports 8080

Two caveats: the PREROUTING chain only sees packets arriving from the network, so connections made on the host itself (for example curl http://localhost/) are not redirected unless a matching REDIRECT rule is added to the nat OUTPUT chain; and the FORWARD rules only matter when the machine routes traffic for other hosts, while the INPUT chain must still accept the redirected ports 8080 and 8443 for the traffic to reach Tomcat.

3. Remove the default web applications: delete everything under tomcat/webapps/ that your own application does not need. The applications shipped with Tomcat are:

tomcat/webapps/docs/

tomcat/webapps/examples/

tomcat/webapps/host-manager/

tomcat/webapps/manager/

tomcat/webapps/ROOT/

Note: manager and host-manager allow applications to be deployed remotely, and the default ROOT page reveals the Tomcat version. If the manager application is genuinely needed, restrict it to specific source addresses (for example with a RemoteAddrValve in its context.xml) and use strong credentials rather than leaving the stock install in place.

4. Directory browsing: the server must not return directory listings, which would leak the application layout and server information. The setting is the listings init parameter of the default servlet in tomcat/conf/web.xml:

<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>

Note: the shipped configuration already sets listings to false. An application can override this in its own WEB-INF/web.xml, so check deployed applications as well.


5. Tomcat access logging: edit server.xml and make sure the Host element contains an AccessLogValve, configured as follows:

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="common" resolveHosts="false" />

Note: the valve is enabled in the default server.xml. Attribute names are case-sensitive (className, directory, prefix, suffix, pattern), and the original's "resloveHosts" is a typo for resolveHosts, which exists in Tomcat 7 and earlier but is no longer supported in Tomcat 8, where host name lookups are controlled by the Connector's enableLookups attribute instead. The combined pattern additionally records the Referer and User-Agent headers, which incident analysis usually needs.

6. Start with the security manager: to limit what scripts, including a planted webshell, can do, start Tomcat with the -security option, which enables the Java security manager with the policy in conf/catalina.policy:

tomcat/bin/startup.sh -security

Note: this option can significantly improve the security of the web server, but applications that need permissions the policy does not grant will fail with access errors, so test the application under it before relying on it in production.

7. Suppress error details: when a request fails, Tomcat's default error page includes details (the server version and, for uncaught exceptions, a stack trace) that can leak sensitive information, so custom error pages should be configured instead. Add error-page entries to tomcat/conf/web.xml that send the user to a page of your own:

<error-page>
<error-code>500</error-code>
<location>/500.jsp</location>
</error-page>

Note: add entries for the codes you need, commonly 500 and 404. location is the page to show; the JSP files must be created in the application yourself, and they must not print the exception or request details themselves.

8. Remove *.jspx handling: by default Tomcat also compiles files with the .jspx extension (JSP documents in XML syntax) as JSPs, and an extra executable extension widens the attack surface. If the application does not use .jspx files, remove that mapping from the jsp servlet in conf/web.xml by commenting out the following line:

<url-pattern>*.jspx</url-pattern>

Note: the line sits inside the servlet-mapping for the jsp servlet next to *.jsp; leave the *.jsp pattern in place, and use XML comment syntax (<!-- ... -->) around the removed line.

9. Directory and file permissions: the web content (directories and files) must not be owned by the account that starts Tomcat. If Tomcat runs as the tomcat account, the owner and group of the web directories and files must be a different, non-tomcat account, so that a compromised application cannot modify its own code.

Set web directories to 755 and web files to 644. Only upload directories need to be writable by the Tomcat process; the original article sets those to 777, but world-writable is broader than needed: give the tomcat account write access through group ownership (for example group tomcat with mode 775) and, where possible, keep upload trees outside the web root so that uploaded files cannot be served or executed as JSP.
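As an added example (not code from the original article, and not a Tomcat project tool), the script below checks a Tomcat install offline against items 2, 3, 4, 7, 8 and 9 above: it parses ps -eo user,pid,args output for Tomcat JVMs owned by root, reads conf/web.xml for the listings parameter, the *.jspx mapping and error-page entries, and walks webapps/ for leftover default applications, entries owned by the Tomcat account and mode bits other than 755/644. The finding strings, the SAMPLE_PS text and the deliberately misconfigured sample install it can build are constructed for the demo; the real-install mode assumes the standard conf/ and webapps/ layout.

```python
"""Offline checks for this article's items: Tomcat JVM running as root (2), leftover
default webapps (3), directory listings (4), error pages (7), the *.jspx mapping (8)
and ownership/modes under webapps/ (9). Added example, not the article's own code;
finding strings, SAMPLE_PS and the sample install it builds are constructed here."""
import os, pwd, stat, subprocess, sys, tempfile
import xml.etree.ElementTree as ET

DEFAULT_WEBAPPS = ("docs", "examples", "host-manager", "manager", "ROOT")
TOMCAT_MAIN = "org.apache.catalina.startup.Bootstrap"  # main class of every Tomcat JVM

def root_tomcat_processes(ps_output):
    """PIDs of Tomcat JVMs owned by root, parsed from `ps -eo user,pid,args` output."""
    # Match the Bootstrap class, not the word 'tomcat', so the grep itself is skipped.
    rows = [line.split(None, 2) for line in ps_output.splitlines()]
    return [int(r[1]) for r in rows if len(r) == 3 and r[0] == "root" and TOMCAT_MAIN in r[2]]

def _local(tag):  # element name without the namespace Tomcat's web.xml declares
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    return [c.text.strip() for c in elem if _local(c.tag) == name and c.text]

def audit_web_xml(path):
    """Findings for conf/web.xml (comments are dropped by the parser, so a
    commented-out *.jspx mapping is correctly treated as removed)."""
    findings, codes = [], set()
    for elem in ET.parse(path).getroot().iter():
        name = _local(elem.tag)
        if name == "init-param" and _child_text(elem, "param-name") == ["listings"]:
            if _child_text(elem, "param-value") == ["true"]:
                findings.append("directory listings enabled")
        elif name == "url-pattern" and (elem.text or "").strip() == "*.jspx":
            findings.append("*.jspx still mapped to the JSP servlet")
        elif name == "error-page":
            codes.update(_child_text(elem, "error-code"))
    findings += [f"no custom error page for {c}" for c in ("404", "500") if c not in codes]
    return findings

def audit_tree(tomcat_dir, tomcat_uid, upload_dirs=("upload",)):
    """Findings for webapps/: default apps, Tomcat-owned entries, modes not 755/644."""
    findings = []
    webapps = os.path.join(tomcat_dir, "webapps")
    for app in DEFAULT_WEBAPPS:
        if os.path.exists(os.path.join(webapps, app)):
            findings.append(f"default webapp present: {app}")
    for dirpath, dirnames, filenames in os.walk(webapps):
        parents = os.path.relpath(dirpath, webapps).split(os.sep)
        for entry in dirnames + filenames:
            full = os.path.join(dirpath, entry)
            rel, st = os.path.relpath(full, tomcat_dir), os.lstat(full)
            if st.st_uid == tomcat_uid:
                findings.append(f"owned by the tomcat account: {rel}")
            if entry in upload_dirs or any(p in upload_dirs for p in parents):
                continue  # upload trees are writable by design (item 9)
            expected = 0o755 if entry in dirnames else 0o644
            if stat.S_IMODE(st.st_mode) != expected:
                findings.append(f"mode {stat.S_IMODE(st.st_mode):o} on {rel}, expected {expected:o}")
    return findings

SAMPLE_PS = f"""USER       PID COMMAND
root       842 /usr/bin/java -classpath /opt/tomcat/bin/bootstrap.jar {TOMCAT_MAIN} start
tomcat    1203 /usr/bin/java -classpath /opt/tomcat/bin/bootstrap.jar {TOMCAT_MAIN} start
root      1310 grep tomcat
"""
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
 <servlet><servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
 </servlet>
 <servlet-mapping><servlet-name>jsp</servlet-name>
  <url-pattern>*.jsp</url-pattern><url-pattern>*.jspx</url-pattern></servlet-mapping>
 <error-page><error-code>500</error-code><location>/500.jsp</location></error-page>
</web-app>"""

def build_sample_install():
    """Constructed, deliberately misconfigured install in a temp directory.
    Returns (path, uid); the current user stands in for the tomcat account."""
    base = tempfile.mkdtemp(prefix="tomcat-audit-")
    os.makedirs(os.path.join(base, "conf"))
    with open(os.path.join(base, "conf", "web.xml"), "w") as fh:
        fh.write(SAMPLE_WEB_XML)
    for rel, mode in (("webapps/manager", 0o755), ("webapps/app", 0o755),
                      ("webapps/app/WEB-INF", 0o777), ("webapps/app/upload", 0o777)):
        os.makedirs(os.path.join(base, rel))
        os.chmod(os.path.join(base, rel), mode)
    jsp = os.path.join(base, "webapps", "app", "index.jsp")
    open(jsp, "w").close()
    os.chmod(jsp, 0o644)
    return base, os.getuid()

if __name__ == "__main__":  # usage: audit.py [/path/to/tomcat [tomcat-user]]
    if len(sys.argv) > 1:
        path = sys.argv[1]
        uid = pwd.getpwnam(sys.argv[2] if len(sys.argv) > 2 else "tomcat").pw_uid
        ps = subprocess.run(["ps", "-eo", "user,pid,args"], capture_output=True, text=True).stdout
    else:  # no arguments: self-demo on the constructed install
        path, uid = build_sample_install()
        ps = SAMPLE_PS
    for pid in root_tomcat_processes(ps):
        print(f"Tomcat JVM pid {pid} runs as root")
    for finding in audit_web_xml(os.path.join(path, "conf", "web.xml")) + audit_tree(path, uid):
        print(finding)
```

Run with no arguments it audits the constructed sample and reports every finding (the root-owned JVM 842, listings enabled, the *.jspx mapping, the missing 404 page, the leftover manager app, the 777 WEB-INF directory and the entries owned by the stand-in tomcat account); point it at a real install with the Tomcat directory and user name as arguments. The permission walk only covers webapps/, and a listings override in an application's own WEB-INF/web.xml is only seen if you pass that file to audit_web_xml as well.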

This article is shared from the WeChat public account Tencent Cloud Security (TencentCloudSecurity).


Originally published: 2014-08-01



Reprinted from: www.cnblogs.com/binzhou75/p/12512878.html