Chapter 15. Web Server Configuration Security
15.1 Apache Security
Apply the principle of least privilege when deploying a web server on Linux: avoid running the server as root.
15.2 Nginx Security
Reference: "Nginx Security Configuration Guide" technical manual (PDF), free download from http://linux.linuxidc.com/ (username and password: www.linuxidc.com), in the directory /pub/Server Related tutorials/nginx/nginx Security Configuration Guide Technical manual/
Reference: http://my.oschina.net/jsan/blog/125838
15.3 JBoss Remote Command Execution
15.4 Tomcat Remote Command Execution
Post-installation configuration of Tomcat
The first things to do after Tomcat finishes installing are as follows:
Remove everything under webapps immediately after the first installation:
rm -rf /srv/apache-tomcat/webapps/*
Comment out or remove every user and role in tomcat-users.xml, so that the file looks like this:
# cat conf/tomcat-users.xml
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
</tomcat-users>
Hide the Tomcat version information
vim $CATALINA_HOME/conf/server.xml, and set the server attribute on the Connector element (the numeric values that did not survive in the original are shown as N):
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" maxThreads="8192" minSpareThreads="N" maxSpareThreads="N" acceptCount="N" enableLookups="false" server="Neo App Srv 1.0"/>
Result:
# curl -i http://localhost:8080/
HTTP/1.1 … Request
Transfer-Encoding: chunked
Date: Thu, Oct 09:51:55 GMT
Connection: close
Server: Neo App Srv 1.0
The Server header has been changed to Server: Neo App Srv 1.0
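The three post-install steps above (empty webapps, no accounts in tomcat-users.xml, a custom Server header on the Connector) can be checked offline. The script below is an added example, not code from the original post; the tomcat-users.xml, server.xml and curl -i samples inside it are constructed for the demo, not captured from a real server.

```shell
#!/bin/sh
# Added example, not code from the original post: offline checks for the post-install steps
# (empty webapps, no accounts in tomcat-users.xml, custom Server header on the Connector).
# The sample XML and curl output below are constructed for the demo.

# Returns 0 when the directory $1 exists and contains no entries.
webapps_is_empty() {
  [ -d "$1" ] && [ -z "$(ls -A "$1")" ]
}

# Removes <!-- ... --> comments (single- or multi-line) from XML read on stdin, so the
# commented-out example accounts in a stock tomcat-users.xml are not counted as live ones.
strip_xml_comments() {
  awk '
  {
    line = $0; out = ""
    while (1) {
      if (inc) {
        i = index(line, "-->")
        if (i == 0) { line = ""; break }
        line = substr(line, i + 3); inc = 0
      }
      i = index(line, "<!--")
      if (i == 0) { out = out line; break }
      out = out substr(line, 1, i - 1)
      line = substr(line, i + 4); inc = 1
    }
    print out
  }'
}

# Takes the text of tomcat-users.xml; returns 0 when it defines no <user> or <role>.
tomcat_users_empty() {
  printf '%s\n' "$1" | strip_xml_comments | grep -Eiq '<(user|role)[[:space:]/>]' && return 1
  return 0
}

# Takes the text of server.xml; returns 0 when every <Connector> sets a server="..." attribute,
# which is what replaces the default Server header.
connectors_have_server_attr() {
  printf '%s\n' "$1" | tr '\n' ' ' | grep -o '<Connector[^>]*>' | grep -v 'server="' | grep -q . && return 1
  return 0
}

# Takes raw "curl -i" output; prints the value of the Server header (empty if absent).
server_header() {
  printf '%s\n' "$1" | tr -d '\r' | awk 'tolower($1) == "server:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Returns 0 when the Server header still identifies Tomcat (older stock versions answer "Apache-Coyote/1.1").
version_leaked() {
  server_header "$1" | grep -Eiq 'coyote|tomcat'
}

# Constructed samples (not from a real installation).
SAMPLE_USERS='<?xml version="1.0" encoding="utf-8"?>
<tomcat-users>
<!--
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
-->
</tomcat-users>'
SAMPLE_SERVER_XML='<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="8443" server="Neo App Srv 1.0"/>
  </Service>
</Server>'
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: Neo App Srv 1.0
Transfer-Encoding: chunked
Connection: close'

tomcat_users_empty "$SAMPLE_USERS"               && echo "tomcat-users.xml: no accounts defined"
connectors_have_server_attr "$SAMPLE_SERVER_XML" && echo "server.xml: every Connector overrides the Server header"
version_leaked "$SAMPLE_RESPONSE" || echo "Server header is now: $(server_header "$SAMPLE_RESPONSE")"
```

To run the checks against a real installation, pass the file contents instead of the samples, e.g. tomcat_users_empty "$(cat $CATALINA_HOME/conf/tomcat-users.xml)" and webapps_is_empty $CATALINA_HOME/webapps.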
Startup user and port
Do not start Tomcat as root. Java programs differ from C programs here: nginx and httpd start their daemon as root so that it can bind port 80, and the child processes or threads then switch to an ordinary user via the setuid() and setgid() functions. The parent process is owned by root, while the child processes and threads are owned by a non-root user that has no shell and cannot log in through ssh or the console. Tomcat runs inside the JVM, which has no such privilege-dropping step, so the whole of Tomcat runs as whichever OS user started it.
This creates a problem: on Linux only root can bind ports below 1024, which is why Tomcat's default port is 8080. If you want to use port 80, you can only start Tomcat as root, and that brings a lot of security problems.
The solution is to create a dedicated user, for example:
groupadd -g 80 daemon
adduser -o --home /daemon --shell /sbin/nologin --uid <uid> --gid 80 -c "Web Server" daemon
Note that /sbin/nologin means the user cannot log in, and I do not assign it a password; this user is used only to start Tomcat.
chown daemon:daemon -R /srv/*
su -s /bin/sh - daemon -c "/srv/apache-tomcat/bin/startup.sh"
(su needs -s here: with /sbin/nologin as the login shell, su -c would hand the command to nologin and nothing would start.)
Next, solve the port problem. There are two ideas: map port 80 to 8080, or have requests reach 8080 through something in front of Tomcat.
Here is the port-mapping scheme, which redirects port 80 to 8080:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
Cancel the redirect:
iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
View the rules:
iptables -t nat -L
The other scheme is to route requests to 8080 through a front end.
This is done by adding a reverse proxy in front of Tomcat, such as nginx, Apache, Squid, Varnish, or an F5 or Array appliance.
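The "startup user and port" steps above (an unprivileged service user without a login shell, port 80 redirected to 8080 with iptables) can be audited and applied with a small script. The following is an added example and not code from the original post; it assumes Tomcat under /srv/apache-tomcat and a service user named daemon with GID 80, and the passwd and ps lines it audits are constructed samples rather than data from a real host.

```shell
#!/bin/sh
# Added example, not code from the original post: audit helpers for the "startup user and port"
# steps (unprivileged service user without a login shell, port 80 redirected to 8080 with
# iptables), plus a guarded set-up function that applies them. Assumed names: Tomcat under
# /srv/apache-tomcat, service user "daemon" with GID 80. The passwd and ps lines used in the
# audit are constructed samples, not taken from a real host.

TOMCAT_HOME=${TOMCAT_HOME:-/srv/apache-tomcat}
SERVICE_USER=${SERVICE_USER:-daemon}
SERVICE_GID=${SERVICE_GID:-80}

# Returns 0 when port $1 is below 1024 and therefore needs root to bind.
needs_root_to_bind() {
  [ "$1" -lt 1024 ]
}

# Takes one /etc/passwd line; returns 0 when the account's shell cannot be used to log in.
is_nologin_account() {
  _shell=$(printf '%s\n' "$1" | cut -d: -f7)
  case "$_shell" in
    /sbin/nologin|/usr/sbin/nologin|/bin/false) return 0 ;;
    *) return 1 ;;
  esac
}

# Takes "ps -eo user,args" output; returns 0 when no Tomcat JVM is running as root.
no_root_tomcat() {
  printf '%s\n' "$1" | grep -E '^root[[:space:]].*org\.apache\.catalina\.startup\.Bootstrap' >/dev/null && return 1
  return 0
}

# The redirect rule from the post; $1 selects the iptables action: A (add), D (delete), C (check).
redirect_rule() {
  iptables -t nat -"$1" PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
}

# Creates the service account (no shell, no password), hands the install to it, starts Tomcat
# and installs the redirect once. su needs -s because the account's shell is /sbin/nologin.
setup_and_start() {
  getent group "$SERVICE_USER" >/dev/null || groupadd -g "$SERVICE_GID" "$SERVICE_USER"
  getent passwd "$SERVICE_USER" >/dev/null ||
    useradd --home "/$SERVICE_USER" --shell /sbin/nologin --gid "$SERVICE_GID" -c "Web Server" "$SERVICE_USER"
  chown -R "$SERVICE_USER:$SERVICE_USER" "$TOMCAT_HOME"
  su -s /bin/sh "$SERVICE_USER" -c "$TOMCAT_HOME/bin/startup.sh"
  redirect_rule C 2>/dev/null || redirect_rule A
}

# Constructed samples for the offline audit.
SAMPLE_PASSWD='daemon:x:80:80:Web Server:/daemon:/sbin/nologin'
SAMPLE_PS='root     /usr/bin/java -Dcatalina.home=/srv/apache-tomcat org.apache.catalina.startup.Bootstrap start'

if [ "${1:-}" = "--apply" ]; then
  setup_and_start            # touches the system: run as root, and only on purpose
else
  is_nologin_account "$SAMPLE_PASSWD" && echo "sample account: no login shell"
  no_root_tomcat "$SAMPLE_PS" || echo "sample ps: Tomcat is running as root"
  needs_root_to_bind 80 && echo "port 80 needs root, so redirect it to 8080 instead"
fi
```

Run it without arguments to exercise the checks on the samples; on a real host, feed is_nologin_account the output of getent passwd daemon and no_root_tomcat the output of ps -eo user,args. Only the --apply mode changes the system.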
Application security
Turn off automatic WAR deployment: unpackWARs="false" autoDeploy="false". This prevents malicious programs such as Trojan horses from being planted.
The application should be deployed under a different user from the one that starts Tomcat; the two must not share a user.
My Tomcat is installed in the /srv directory and is started by the daemon user; the application is placed under the /www directory, whose owner is the www user. The goal is that once a web shell is planted in Tomcat, it cannot create or edit anything under /www.
adduser --home /www -c "Web application" www
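The two application-security points above (automatic deployment switched off, and the application tree owned by a user other than the one running Tomcat) can be checked with the script below. It is an added example, not the post's own code; it assumes the autoDeploy and unpackWARs flags sit on the Host element of server.xml, Tomcat under /srv/apache-tomcat owned by daemon and the application under /www owned by www, and the two Host fragments in it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the post's own code: checks for the two application-security points.
# It assumes the autoDeploy/unpackWARs flags sit on the <Host> element of server.xml, Tomcat
# under /srv/apache-tomcat owned by "daemon" and the application under /www owned by "www".
# The two <Host> fragments below are constructed for the demo.

# Takes server.xml text; returns 0 when every <Host> sets both autoDeploy="false" and unpackWARs="false".
host_deploy_flags_safe() {
  printf '%s\n' "$1" | tr '\n' ' ' | grep -o '<Host[^>]*>' |
    grep -Ev 'autoDeploy="false".*unpackWARs="false"|unpackWARs="false".*autoDeploy="false"' |
    grep -q . && return 1
  return 0
}

# Prints the owner of a path (third column of ls -ld, portable across stat(1) variants).
owner_of() {
  ls -ld "$1" | awk '{ print $3 }'
}

# Returns 0 when the Tomcat install ($1) and the application tree ($2) have different owners,
# so a web shell running as the Tomcat user cannot create or edit files under the application.
separate_owners() {
  [ "$(owner_of "$1")" != "$(owner_of "$2")" ]
}

# Lists entries under the application tree $1 that the Tomcat user $2 (name or uid) could
# still write to: owned by that user, or world-writable.
writable_by_tomcat() {
  find "$1" \( -user "$2" -o -perm -0002 \) 2>/dev/null
}

DEFAULT_HOST='<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">'
SAFE_HOST='<Host name="localhost" appBase="/www" unpackWARs="false" autoDeploy="false">'

host_deploy_flags_safe "$SAFE_HOST"    && echo "hardened Host: automatic deployment is off"
host_deploy_flags_safe "$DEFAULT_HOST" || echo "stock Host: a dropped WAR would be deployed automatically"

# Live check, only when the assumed directories exist on this machine.
if [ -d /srv/apache-tomcat ] && [ -d /www ]; then
  separate_owners /srv/apache-tomcat /www || echo "WARN: Tomcat and the application share an owner"
  writable_by_tomcat /www daemon
fi
```

An empty result from writable_by_tomcat /www daemon is what the separation above is meant to achieve: nothing under the application tree is writable by the account Tomcat runs as.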
JSESSIONID
Change the name of the JSESSIONID cookie, which is used to maintain the session. I suggest changing it to PHPSESSID.
15.5 HTTP Parameter Pollution
When two parameters with the same name are submitted, different servers handle them differently.
[Figure: 155.jpg (image not preserved)]
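The point above, that the same repeated parameter yields a different value depending on which server parses it, can be reproduced with a small parser that applies the three common policies (first value, last value, all values), alongside a check that flags repeated names before a request reaches the application. This is an added example, not code from the original post; the query strings in it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: a query-string parser that applies the
# three policies a backend may use for a repeated parameter (first value, last value, or all
# values), plus a detector that flags repeated names. The query strings are constructed.

# query_param QUERY NAME POLICY -> prints the value chosen under POLICY (first|last|all).
query_param() {
  printf '%s\n' "$1" | tr '&' '\n' | awk -F= -v name="$2" -v policy="$3" '
    $1 == name {
      if (policy == "first") { print $2; done = 1; exit }
      if (policy == "last") v = $2
      else v = (seen++ ? v "," : "") $2
    }
    END { if (!done) print v }'
}

# duplicate_params QUERY -> prints each parameter name that occurs more than once, one per line.
duplicate_params() {
  printf '%s\n' "$1" | tr '&' '\n' | cut -d= -f1 | sort | uniq -d
}

# reject_polluted QUERY -> returns 0 when no parameter is repeated, 1 when the request should be rejected.
reject_polluted() {
  [ -z "$(duplicate_params "$1")" ]
}

QUERY='id=1&name=alice&id=2'
for policy in first last all; do
  printf '%-5s -> id=%s\n' "$policy" "$(query_param "$QUERY" id "$policy")"
done
reject_polluted "$QUERY" || printf 'repeated parameter(s): %s\n' "$(duplicate_params "$QUERY" | tr '\n' ' ')"
```

Because two components in one request path (a WAF and the application, or a proxy and the backend) may apply different policies, the safest defence is to reject or normalise repeated parameters at the edge rather than rely on any one policy.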
This article is from the "dream to think XI" blog; please keep this source: http://qiangmzsx.blog.51cto.com/2052549/1859565
Study notes on chapter 15 of "White Hat Talk Web Security": Web server configuration security