Tomcat security configuration in CentOS
1. Initialize the configuration after installation
After Tomcat is installed, do the following before it is exposed to any network:
Delete all the default applications in webapps (ROOT, docs, examples, manager and host-manager) immediately after the first installation; the manager and examples applications in particular are well-known targets.
rm -rf /srv/apache-tomcat/webapps/*
Comment out or delete every user and role in conf/tomcat-users.xml, so that no account exists at all. The file should then look like this:
# cat conf/tomcat-users.xml
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
</tomcat-users>
Hide the Tomcat version information. Set the server attribute on the HTTP Connector in $CATALINA_HOME/conf/server.xml:
vim $CATALINA_HOME/conf/server.xml
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxThreads="8192"
           minSpareThreads="64"
           maxSpareThreads="128"
           acceptCount="128"
           enableLookups="false"
           server="Neo App Srv 1.0"/>
Then check the response header:
# curl -I http://localhost:8080/
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Date: Thu, 20 Oct 2011 09:51:55 GMT
Connection: close
Server: Neo App Srv 1.0
The Server header has been changed to Server: Neo App Srv 1.0. Note that this attribute only changes the Server response header: the version string shown on Tomcat's default error pages comes from org/apache/catalina/util/ServerInfo.properties inside lib/catalina.jar and has to be changed separately, or the default error pages have to be replaced with your own.
2. Startup user and port
Do not start Tomcat as root. A Java program behaves differently from a C daemon here. Nginx and httpd are started as root so that the master process can bind port 80, and the worker processes or threads then drop to an unprivileged user through setuid() and setgid(): the parent process is owned by root, the children and their threads by a non-root user that has no shell and cannot log in through ssh or the console. The JVM has no equivalent privilege-dropping step, so Tomcat runs entirely with the permissions of whichever user started it.
This causes a problem. On Linux only root (strictly, a process with the CAP_NET_BIND_SERVICE capability) can bind ports below 1024, which is why Tomcat listens on 8080 by default. Starting Tomcat as root just to get port 80 means that any compromised application, or any web shell uploaded through it, also runs as root, which creates many security problems.
The solution is to create a dedicated user, for example:
useradd user -p password
(-p expects an already hashed password; a service account that never logs in is better created without a password and with /sbin/nologin as its shell.) Tomcat is then started as this unprivileged user. Because my Tomcat directory is /usr/java/tomcat7/, that user must be given ownership of the tree:
chown -R user /usr/java/tomcat7
Next, the port 80 problem can be solved in two ways: map port 80 to 8080 in the kernel, or put something on port 80 that forwards requests to 8080.
The first is a port-mapping solution, which redirects 80 to 8080 with iptables.
Add the redirect:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
Cancel the redirect:
iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
View the rules:
iptables -t nat -L
Two caveats: PREROUTING only sees packets arriving from other hosts, so a connection from the machine itself to localhost:80 is not redirected and the rule must be tested from another host; and the rule lives only in memory until it is saved (on CentOS with service iptables save), otherwise it is gone after a reboot.
The other solution is to accept requests on port 80 and forward them to 8080.
This is done by adding a reverse proxy in front of Tomcat, such as Nginx, Apache httpd, Squid, Varnish, F5, Array, and so on. Only the proxy listens on the privileged port; Tomcat stays on 8080 as an unprivileged user and should then only accept connections from the proxy.
3. Application Security
Disable automatic WAR deployment by setting unpackWARs="false" autoDeploy="false" on the Host element in server.xml. This prevents trojans and other malicious programs from being deployed simply by dropping a file into the appBase directory.
The user that deploys the application and the user that starts Tomcat must not be the same.
My Tomcat is installed under /srv and is started as the daemon user; the application lives under /www, which is owned by the www user. The aim is that once a web shell is planted in Tomcat, it cannot create or edit anything under /www. Tomcat still has to read the application, so /www should be readable, but not writable, by the daemon user.
adduser --home /www -c "Web Application" www
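The checks from sections 1 and 3 are easy to forget after an upgrade, so it is worth scripting them. The following audit script is an added example and is not part of this page's original instructions: it assumes the standard CATALINA_HOME layout (webapps/, conf/server.xml, conf/tomcat-users.xml), and the list of default applications and the patterns it matches are my assumptions. It does not check file ownership (section 2), because that depends on the users you chose.

```shell
#!/bin/bash
# tomcat_audit.sh: check a Tomcat installation tree for the hardening steps in
# sections 1 and 3 (default webapps removed, no accounts in tomcat-users.xml,
# Server header overridden, automatic deployment disabled).
# Added example, not part of the original page. Assumes the standard
# CATALINA_HOME layout; the default webapp list and the patterns are assumptions.

# Applications shipped with Tomcat that should not survive the first install.
DEFAULT_WEBAPPS="ROOT docs examples manager host-manager"

# Remove XML comments (including multi-line ones) from stdin, so that the
# commented-out users and Connectors in the stock config files are not counted.
strip_xml_comments() {
    awk '
    {
        line = $0; out = ""
        while (1) {
            if (inc) {
                e = index(line, "-->")
                if (e == 0) { line = ""; break }
                line = substr(line, e + 3); inc = 0
            } else {
                s = index(line, "<!--")
                if (s == 0) break
                out = out substr(line, 1, s - 1)
                line = substr(line, s + 4); inc = 1
            }
        }
        print out line
    }'
}

# tomcat_audit CATALINA_HOME
# Prints one FINDING line per problem; returns 0 when clean, 1 otherwise.
tomcat_audit() {
    local home=$1 findings=0 app conf n
    [ -d "$home" ] || { echo "not a directory: $home" >&2; return 2; }

    # Section 1: default applications left in webapps/ (exploded or as .war)
    for app in $DEFAULT_WEBAPPS; do
        if [ -e "$home/webapps/$app" ] || [ -e "$home/webapps/$app.war" ]; then
            echo "FINDING default application still deployed: webapps/$app"
            findings=$((findings + 1))
        fi
    done

    # Section 1: accounts or roles still defined in tomcat-users.xml
    conf=$home/conf/tomcat-users.xml
    if [ -f "$conf" ] && strip_xml_comments <"$conf" | grep -Eq '<(user|role)[[:space:]]'; then
        echo "FINDING users or roles defined in conf/tomcat-users.xml"
        findings=$((findings + 1))
    fi

    conf=$home/conf/server.xml
    if [ -f "$conf" ]; then
        # Section 1: a Connector without a server attribute sends the default Server header.
        # Splitting the file on "<" gives one awk record per element.
        n=$(strip_xml_comments <"$conf" | tr '\n' ' ' |
            awk 'BEGIN { RS = "<" } /^Connector/ && !/[ \t]server="/ { c++ } END { print c + 0 }')
        if [ "$n" -gt 0 ]; then
            echo "FINDING $n Connector(s) without a server attribute in conf/server.xml"
            findings=$((findings + n))
        fi
        # Section 3: a Host that still auto-deploys or unpacks WARs dropped into appBase
        n=$(strip_xml_comments <"$conf" | tr '\n' ' ' |
            awk 'BEGIN { RS = "<" } /^Host[ \t]/ && !(/autoDeploy="false"/ && /unpackWARs="false"/) { c++ } END { print c + 0 }')
        if [ "$n" -gt 0 ]; then
            echo "FINDING $n Host(s) without autoDeploy=\"false\" and unpackWARs=\"false\" in conf/server.xml"
            findings=$((findings + n))
        fi
    fi

    echo "$findings finding(s) in $home"
    [ "$findings" -eq 0 ]
}

# Usage: tomcat_audit.sh /srv/apache-tomcat
if [ $# -gt 0 ]; then
    tomcat_audit "$1"
fi
```

Run it as the Tomcat startup user after every install or upgrade; a non-zero exit status makes it usable from a deployment script. Comments are stripped first because the stock tomcat-users.xml ships with example accounts inside a multi-line comment, which would otherwise produce a false finding.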
4. JSESSIONID
Change the name of the session cookie. Tomcat maintains the session with a cookie called JSESSIONID, and that name alone tells an attacker that the application runs on a Java servlet container, even after the Server header has been hidden. We recommend renaming it, for example to PHPSESSID. In Tomcat 7 this is done with the sessionCookieName attribute on the Context element (for all applications, in conf/context.xml) or per application with the <cookie-config><name> element inside <session-config> in web.xml. This is fingerprint obfuscation only; it does not protect the session itself, so set the HttpOnly flag on the cookie as well (useHttpOnly on the Context, enabled by default in Tomcat 7) and the Secure flag when the site is served over HTTPS.
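To verify the change from outside, look at the Set-Cookie headers the server actually sends. The script below is an added example, not part of this page's original instructions; it goes a little beyond the rename by also reporting a session cookie that lacks the HttpOnly or Secure flag. The response headers in sample_headers are constructed for the demonstration, not captured from a real server.

```shell
#!/bin/bash
# check_session_cookie: read HTTP response headers on stdin, for example from
#   curl -s -D - -o /dev/null http://host/app/
# and report session cookies that reveal the container or lack protection flags.
# Added example, not part of the original page; sample_headers is constructed.

# Prints one FINDING line per problem; returns 0 when clean, 1 otherwise.
check_session_cookie() {
    local problems=0 line cookie name attrs cr
    cr=$(printf '\r')
    while IFS= read -r line; do
        line=${line%"$cr"}                   # strip the CR of a CRLF line ending
        case "$line" in
            [Ss]et-[Cc]ookie:*) ;;
            *) continue ;;
        esac
        cookie=${line#*:}
        cookie=${cookie# }                   # drop the space after the colon
        name=${cookie%%=*}                   # cookie name is everything before "="
        attrs=
        case "$cookie" in                    # attributes follow the first ";", compared case-insensitively
            *\;*) attrs=$(printf '%s' "${cookie#*;}" | tr 'A-Z' 'a-z') ;;
        esac
        if [ "$name" = "JSESSIONID" ]; then
            echo "FINDING $name: default Tomcat session cookie name identifies a Java servlet container"
            problems=$((problems + 1))
        fi
        case "$attrs" in
            *httponly*) ;;
            *) echo "FINDING $name: missing HttpOnly (cookie readable by script, e.g. through XSS)"
               problems=$((problems + 1)) ;;
        esac
        case "$attrs" in
            *secure*) ;;
            *) echo "FINDING $name: missing Secure (required when the site is served over HTTPS)"
               problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample response (not captured from a real server): one cookie as a
# stock Tomcat sends it and one that follows the recommendations above.
sample_headers() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Server: Neo App Srv 1.0\r\n'
    printf 'Set-Cookie: JSESSIONID=1A2B3C4D5E6F; Path=/app\r\n'
    printf 'Set-Cookie: PHPSESSID=0F9E8D7C6B5A; Path=/app; HttpOnly; Secure\r\n'
    printf 'Content-Type: text/html;charset=UTF-8\r\n\r\n'
}

# Usage: curl -s -D - -o /dev/null http://host/app/ | check_session_cookie
# Run with --demo to check the constructed sample instead.
if [ $# -gt 0 ] && [ "$1" = "--demo" ]; then
    sample_headers | check_session_cookie
fi
```

Request a page that actually creates a session (a JSP or a login page) rather than a static file, otherwise no Set-Cookie header is sent and there is nothing to check. Against the sample the script reports three findings for the JSESSIONID cookie and none for the renamed one.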