Tomcat is an open source Web server. Tomcat-based Web sites are efficient and run smoothly on ordinary hardware, so it is popular with webmasters. However, its default configuration carries security risks that can be exploited by attackers, and because its functions are simple, further settings are needed. This article uses a local Tomcat-based Web server as an example of how to secure it.
Environment Description
OS: Windows Server 2003
IP: 192.168.1.12
Tomcat: 6.0.18
1. Security Testing
(1). Log on to the management backend
Deploy Tomcat on Windows Server 2003 and keep everything at the defaults. Log on to the Tomcat management backend. The default backend address is:
http://192.168.1.12:8080/manager/html. Enter this address in the browser and press Enter to bring up the logon dialog box. Enter the default username admin; the default password is blank. The logon to the backend succeeds. (Figure 1)
(2). Obtain Webshell
The Tomcat backend has a "WAR file to deploy" module through which WAR files can be uploaded. Tomcat parses the WAR file, decompresses it and generates the web files. We pack a webshell in jsp format with WinRAR and rename its suffix to WAR (in this example, gslw.war). This produces a WAR package, which is finally uploaded to the server. A directory named /gslw now appears in the Tomcat backend. Click the directory to open it and run the jsp Trojan; in this way a Webshell is obtained. (Figure 2)
(3). Test operations
Create Administrator
By default, the Tomcat service runs with System permissions. Therefore the jsp Trojan inherits those permissions and can perform almost any operation on the Web server, for example starting a service, deleting, creating or modifying files, and creating users. The following example creates an administrator. Run the "command line" module of the jsp Trojan and enter the commands net user test test168 /add and net localgroup administrators test /add. A user test with administrator permissions and the password test168 is created. (Figure 3)
Remote Login
We can also penetrate further, for example by logging on to the Web server through remote desktop. Run the netstat -ano command to check whether port 3389 is disabled on the server. If it is, the webshell can be used to upload a tool that enables remote desktop on the Web server. Finally we log on to the system successfully; at this point the whole Web server has fallen. (Figure 4)
2. Security Defense
The test above shows that the security of a Tomcat server in its default configuration is very poor. How can we reinforce the security of a Tomcat server? We harden the following aspects.
(1). Service downgrading
By default, Tomcat runs with System service permissions, so by default almost every Tomcat Web server effectively runs with Administrator permissions. This differs from IIS and poses a great security risk, so our security settings start with downgrading the Tomcat service account.
First, create an ordinary user, set its password, and set the password policy to "password never expires". In this example the user is Tomcat_lw. Then modify the access permissions of the Tomcat installation folder: grant Tomcat_lw read, write and execute permissions on the Tomcat folder and read-only access on the webapps folder. If a Web application needs write access, grant it write access to that application's folder separately. (Figure 5)
Choose "Start > Run", enter services.msc to open the Service Manager, find the Apache Tomcat service and double-click it to open it. In the Properties window click the "Log On" tab, select "This account" under the logon identity, enter Tomcat_lw and its password in the text boxes, click "OK" and restart the server. Tomcat now runs with the permissions of the ordinary user Tomcat_lw. (Figure 6)
Sometimes we need to start Tomcat from the command line. Enter runas /user:Tomcat_lw cmd.exe at a command prompt, press Enter and type the password; this opens a command line with Tomcat_lw's permissions. Then change to the bin folder of the Tomcat installation and enter tomcat6.exe to start Tomcat as Tomcat_lw from the command line. (Figure 7)
In this way, the permissions Tomcat runs with as the ordinary user Tomcat_lw are greatly reduced. Even if an attacker obtains a webshell, they cannot go further and threaten the security of the Web server.
(2). Change the port
The default port of Tomcat is 8080. Attackers can run a scanning tool against this port to find Web servers running Tomcat and then launch attacks, so we change the default port as part of hardening. Find the server.xml file in the conf directory of the Tomcat installation path, open it in Notepad, search for 8080 to locate the Connector element, and change 8080 to another number. Note also that in the same element connectionTimeout="20000" is the connection timeout and maxThreads="150" is the maximum number of threads; both can be modified as needed. (Figure 8)
(3). Disable directory listing
We know that if IIS is configured improperly, all files in the current Web directory are listed, and Tomcat is no exception. If the Web directory can be browsed from a client browser, there is a large security risk. Therefore we need to confirm that directory listing is disabled in the Tomcat settings. The settings file is web.xml, which is also in the conf directory. Open the file in Notepad, search for init-param and find the following fields nearby:
<init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>
</init-param>
Make sure that the value is false rather than true. (Figure 9)
(4). User Management
The backend administrator account admin is defined in the configuration file tomcat-users.xml; open the file with Notepad and modify it. The role tag defines a permission, and the manager role grants backend administrator permission. The user tag defines a backend management user. We can see that the user name is admin, and we change it to an unusual name; we can also see that the password is blank, and we set a complex password for it. The tomcat-users.xml file after modification is:
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
    <role rolename="manager"/>
    <role rolename="admin"/>
    <user username="gslw" password="test168" roles="admin,manager"/>
</tomcat-users>
(Figure 10)
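As an added example (not part of the original article), the following Python script checks the three configuration items hardened in steps (2) to (4) above: the Connector port in server.xml, the listings parameter in web.xml, and the name and password of privileged users in tomcat-users.xml. The three XML fragments are constructed samples in the shape of a default install, not copies of real Tomcat files.

```python
import xml.etree.ElementTree as ET

# Constructed fragments shaped like conf/server.xml, conf/web.xml and conf/tomcat-users.xml
SERVER_XML = ('<Server><Service name="Catalina"><Connector port="8080" protocol="HTTP/1.1" '
              'connectionTimeout="20000" maxThreads="150"/></Service></Server>')
WEB_XML = ('<web-app xmlns="http://java.sun.com/xml/ns/javaee"><servlet>'
           '<servlet-name>default</servlet-name><init-param><param-name>listings'
           '</param-name><param-value>true</param-value></init-param></servlet></web-app>')
USERS_XML = ('<tomcat-users><role rolename="manager"/>'
             '<user username="admin" password="" roles="manager"/></tomcat-users>')

def _local(tag):
    # web.xml declares a default namespace, so tags arrive as "{uri}init-param"
    return tag.rsplit("}", 1)[-1]

def _elems(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]

def _child_text(elem, name):
    return next(((e.text or "").strip() for e in elem if _local(e.tag) == name), "")

def audit_server(xml_text):
    # Step (2): a Connector still bound to the default port 8080 is a finding
    root = ET.fromstring(xml_text)
    return ["Connector listens on default port 8080"
            for c in _elems(root, "Connector") if c.get("port") == "8080"]

def audit_web(xml_text):
    # Step (3): the default servlet's listings init-param must be false
    root = ET.fromstring(xml_text)
    return ["directory listings enabled in web.xml"
            for ip in _elems(root, "init-param")
            if _child_text(ip, "param-name") == "listings"
            and _child_text(ip, "param-value").lower() == "true"]

def audit_users(xml_text):
    """Step (4): flag privileged accounts keeping the default name or a blank password."""
    root = ET.fromstring(xml_text)
    findings = []
    for u in _elems(root, "user"):
        roles = {r.strip() for r in u.get("roles", "").split(",")}
        if not roles & {"manager", "admin"}:
            continue  # unprivileged users are not the concern here
        if u.get("username") == "admin":
            findings.append("privileged user still named 'admin'")
        if u.get("password", "") == "":
            findings.append("privileged user '%s' has a blank password" % u.get("username"))
    return findings

def audit_all(server_xml=SERVER_XML, web_xml=WEB_XML, users_xml=USERS_XML):
    return audit_server(server_xml) + audit_web(web_xml) + audit_users(users_xml)
```

To audit a real installation, read the three files from the conf directory and pass their contents to audit_all; an empty list means all three checks passed.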