Tomcat Security Configuration

Source: Internet
Author: User

1. Close the server port:
By default, server.xml contains the following line:

    <Server port="8005" shutdown="SHUTDOWN">

This allows anyone to telnet to port 8005 on the server, type "SHUTDOWN", and press Enter, and the server is shut down immediately.
From a security point of view, we need to change this shutdown command into a string that others cannot easily guess; the port can be changed at the same time.
For example, change it to the following:

    <Server port="8005" shutdown="C1gstudio">

Now Tomcat can only be shut down by telnetting to port 8005 and entering "C1gstudio".
Note: This change does not affect the execution of shutdown.bat. You can still shut down the server by running shutdown.bat.

2. Add a firewall
A more secure approach is to also add firewall rules that restrict access to Tomcat's control and connector ports.
You can view the list of network server sockets and other existing connections by running netstat -a.
Insert the rule:
    iptables -A INPUT -p tcp -m tcp --dport 8005 -j DROP
Save the rule:
    service iptables save
Reload the rules:
    service iptables restart

3. Manage the security of the Tomcat console
The Tomcat console application files are located by default in {Tomcat installation directory}\server\webapps, which holds two apps: admin and manager.
Their users and passwords are defined in {Tomcat installation directory}\conf/tomcat-users.xml.
The admin.xml and manager.xml files under {Tomcat installation directory}\webapps define that the apps are reached through /admin and /manager.
By default, you can log in to the Tomcat console with full access, which causes serious security problems.
Detection method: Open the link http://[ip]:[port]/admin with IE and log in with the user name admin and an empty password. If the login succeeds, there is a problem.
Workaround: You can remove the admin.xml and manager.xml files under {Tomcat installation directory}\webapps, or remove the user password.
You can also delete the application files.

4. Custom error pages

If a page cannot be found, a 404 error appears that displays the server version number, and the server configuration is visible at a glance.
To avoid this, configure custom error pages.
The settings are as follows:
Open the \conf\web.xml file with Notepad and add the following to the second line of the file (before one line):

    <error-page>
        <error-code>404</error-code>
        <location>/404.jsp</location>
    </error-page>
    <error-page>
        <error-code>500</error-code>
        <location>/500.jsp</location>
    </error-page>

Create the 404.jsp and 500.jsp files under the root directory.

5. Multi-server security protection mode
When the actual directory of web pages is shared between the Apache httpd web server and Tomcat on the same host (or the same network file system), be aware of the interaction between their individual protection modes. This is especially important when you have a "protected directory", because each server has permission to read the other's files.
In these situations, be aware that Tomcat does not protect files such as .htaccess, and Apache does not protect the WEB-INF or META-INF directories of web applications.
These situations can lead to significant security breaches, so we recommend that you take extra care when using these special directories.

To have Apache httpd protect the WEB-INF and META-INF directories, include the following in httpd.conf:

    <LocationMatch "/WEB-INF/">
        AllowOverride None
        Deny from all
    </LocationMatch>
    <LocationMatch "/META-INF/">
        AllowOverride None
        Deny from all
    </LocationMatch>

6. Disable automatic directory listings
In the conf/web.xml file:

    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

In the listings parameter, false means directory contents are not listed and true means listing is allowed.

7. Run as a non-root user

8. Close port 8009
8009/tcp open ajp13

Port 8009 is the port that mod_proxy_ajp and mod_jk use for communication between Tomcat and Apache. Close it when it is not in use.

Comment out this element in Tomcatpath/conf/server.xml:

    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
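
The settings from sections 1, 4, 6 and 8 can be checked mechanically before a server goes live. The script below is an added example, not part of the original page or of Tomcat itself; the function names and both sample XML documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample files: server.xml left at defaults, web.xml partly hardened.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <error-page><error-code>404</error-code><location>/404.jsp</location></error-page>
</web-app>"""

def local(el):
    """Tag name without the XML namespace that real web.xml files declare."""
    return el.tag.rsplit("}", 1)[-1]

def audit_server_xml(text):
    """Sections 1 and 8: default shutdown command, active AJP connector."""
    root, findings = ET.fromstring(text), []
    if root.get("shutdown", "SHUTDOWN") == "SHUTDOWN":
        findings.append("default shutdown command on port " + root.get("port", "8005"))
    for conn in root.iter("Connector"):  # commented-out connectors are not parsed
        if conn.get("protocol", "").upper().startswith("AJP"):
            findings.append("AJP connector enabled on port " + conn.get("port", "?"))
    return findings

def audit_web_xml(text):
    """Sections 4 and 6: missing custom error pages, directory listings on."""
    root, findings = ET.fromstring(text), []
    codes = {(e.text or "").strip() for e in root.iter() if local(e) == "error-code"}
    for code in ("404", "500"):
        if code not in codes:
            findings.append("no custom error page for " + code)
    for param in (e for e in root.iter() if local(e) == "init-param"):
        kv = {local(c): (c.text or "").strip() for c in param}
        if kv.get("param-name") == "listings" and kv.get("param-value", "").lower() == "true":
            findings.append("directory listings enabled")
    return findings

if __name__ == "__main__":
    for finding in audit_server_xml(SERVER_XML) + audit_web_xml(WEB_XML):
        print("WEAK:", finding)
```

To audit a real installation, pass the contents of conf/server.xml and conf/web.xml to the two functions instead of the samples.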

Tomcat is a free, open source web application server under the Apache Software Foundation. It runs on multiple platforms, such as Linux and Windows, and is popular among users because of its stable performance, good scalability, and free availability. Currently, many Internet applications and enterprise applications are deployed on Tomcat servers, including at our company.

We used to run Tomcat with its default configuration, which carries some security risks. Last week we hardened Tomcat on all of the servers in the test environment and made some performance optimizations at the same time. This is a simple record to share.

I. Version security

Upgrade the current version of Tomcat to the latest stable version. As the name implies, the latest stable version has to satisfy two ideas: latest and stable. A version takes time to prove itself stable, and "latest" is relative to the stable versions. Therefore, within the current major version we generally choose a release several versions behind the newest one, or one that was released a few months ago.

At present, enterprises commonly use Tomcat 6.0 and 7.0. Version 8.0 has been out for a long time, but it is still not recommended.

When upgrading, there are two things to note:

1. Try to avoid upgrading across major versions.

2. Back up the server.xml, catalina.sh, web.xml, and tomcat-users.xml files of the current old version of Tomcat. After deploying the new version of Tomcat, overwrite its configuration files with the backups, stop the old version, and start the new version to complete the upgrade.

II. Hiding version information

To keep attackers from targeting a specific version, we need to hide or disguise Tomcat's version information.

The version information for the default Tomcat is as follows:

The display of this information is controlled by a jar package named catalina.jar, which is stored in the lib directory under the Tomcat installation directory.

We can extract this jar package with the jar xf command to get two directories, META-INF and org, and then change Tomcat's version information by modifying the server.info field in the org/apache/catalina/util/ServerInfo.properties file.

The file information is as follows:

[root@localhost ~]# cat org/apache/catalina/util/ServerInfo.properties | grep -Ev '^$|#'
server.info=Apache Tomcat/7.0.53
server.number=7.0.53.0
server.built=mar 06:20:16

Of course, there is another way to hide or disguise Tomcat's version information. It is essentially the same as the method above and works as follows:

[root@localhost ~]# cd /usr/local/apache-tomcat-7.0.53/lib
[root@localhost lib]# mkdir -p org/apache/catalina/util
[root@localhost lib]# cd org/apache/catalina/util
[root@localhost util]# vim ServerInfo.properties
# If you want to show a different version string, change the value below.
server.info=nolinux

Once modified, restart Tomcat to see the effect.

The effect is as follows:

III. Optimizing web.xml

web.xml holds the servlet configuration and other settings that apply to the entire web application, and it must conform to the standard format of the servlet specification. It lets you configure the options of your web app. Tomcat reads this file at startup and completes some of the initialization of the system you are developing.

It can do the following things:

1. Provide servlet-related configuration.

2. Add listeners to monitor sessions, or to load resources you want loaded when Tomcat starts, such as creating a database connection pool.

3. Set the session expiration time. The Tomcat default is 30 minutes.

4. Change the application's default page, commonly index.html, index.jsp, and so on.

5. Add filters to do the filtering you want, such as filtering sensitive words.

6. Add JSTL (standard tag library) definitions so that they can be included in JSPs and the tags used directly.

7. Hold some of the configuration for Struts, Spring, Hibernate, and so on.

The following is excerpted from O'Reilly's "Tomcat: The Definitive Guide":

The file format of web.xml is defined in the servlet specification, so all Java servlet containers that conform to the servlet specification use it. When Tomcat deploys an application (during activation, or after the application is loaded), it reads the generic conf/web.xml and then reads the WEB-INF/web.xml in the web application. In fact, from their locations we can tell that the settings in the conf/web.xml file apply to all web applications, while the settings in a web application's WEB-INF/web.xml apply only to that application.
If there is no WEB-INF/web.xml file, Tomcat outputs a message that it could not be found, but still deploys and uses the application. The authors of the servlet specification wanted a way to set up a new scope for testing quickly and easily, so this web.xml is not required. It is usually better, however, for each online application to have a WEB-INF/web.xml of its own, even if it is only used for identification; I think it is a good habit.

The servlet specification is written primarily for web programmers, not for system administrators. For operations, therefore, we are more concerned with functions such as the site's default page, custom error pages, and disabling directory listings.

In a normal production environment, Tomcat certainly does not serve the public network directly; there must be Apache or Nginx in front of it. Therefore, the site's default home page and custom error pages are handled in the front-end Apache or Nginx. Alternatively, the company's developers may be asked to define them in the project's WEB-INF/web.xml.

In newer versions of Tomcat, directory listing is disabled by default.

Below, I list how several common features are expressed in web.xml:

Site default home page:

Custom error page:

Session time-out:

Disable directory listings:

IV. Optimizing tomcat-users.xml

This file holds the list of user names, roles, and passwords. It provides login and authentication management for the manager application under webapps.

In a production environment, we need to comment out the entire content of this file.

The result after commenting it out is as follows:

V. Optimizing server.xml

This is Tomcat's main configuration file. It contains many of the main elements, such as Service, Connector, and Host. The software objects these elements create, together with their order and nesting, set up the processing pipeline, which lets us perform filtering, grouping, and so on.

If we want to optimize the file, we need to understand its structure first.

Structure diagram of server.xml:

This file describes how to start the Tomcat server.

<Server>
    <Listener/>
    <GlobalNamingResources>
    </GlobalNamingResources>
    <Service>
