1. Secure the shutdown port
By default, server.xml declares the <Server> element with port 8005 and the shutdown command "SHUTDOWN".
This means that anyone who can connect to port 8005 (Tomcat binds the listener to localhost unless the address attribute says otherwise, so in practice any local user or process) can telnet to it, type the shutdown command, press Enter, and the server shuts down immediately.
From a security perspective, change the shutdown command to a string that others cannot easily guess. The port can be changed at the same time.
For example, change the shutdown string to "c1gstudio".
Tomcat can then be shut down only by connecting to port 8005 and sending "c1gstudio".
Note: this change does not affect shutdown.bat or shutdown.sh. Those scripts read the port and shutdown command from server.xml, so you can still stop the server by running them.
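What that line looks like before and after the change, as an added example and not the original post's snippet. Only the opening <Server> tag of server.xml is shown; port 8005 and SHUTDOWN are Tomcat's defaults, c1gstudio is the replacement string used above, and the address attribute is the one Tomcat documents for the shutdown listener. The third form goes beyond the text: it disables the listener altogether.

```xml
<!-- Default: the shutdown listener on 8005 stops Tomcat when it reads SHUTDOWN. -->
<Server port="8005" shutdown="SHUTDOWN">

<!-- Hardened: unguessable command, listener pinned to the loopback address
     (Tomcat already binds to localhost unless address= says otherwise). -->
<Server port="8005" shutdown="c1gstudio" address="127.0.0.1">

<!-- Strictest: port="-1" disables the listener entirely.  shutdown.sh can then
     no longer stop Tomcat; stop it by PID instead (for example
     "catalina.sh stop -force" with CATALINA_PID set, or the process manager). -->
<Server port="-1" shutdown="c1gstudio">
```

After restarting, confirm the change with a telnet to the port: sending SHUTDOWN must now be ignored (Tomcat logs a warning about an invalid shutdown command), and with port="-1" the connection must be refused.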
2. Add a firewall
A safer approach is a firewall rule that restricts access to Tomcat's control and connector ports.
Run netstat -a (or netstat -lntp, which shows only listening TCP sockets together with the owning process) to see which ports are open and which connections exist.
Insert the rule:
    iptables -A INPUT -p tcp -m tcp --dport 8005 -j DROP
Save the rules:
    service iptables save
Reload the rules:
    service iptables restart
Note that this rule also drops connections from the host itself, so shutdown.sh and shutdown.bat, which connect to the shutdown port, stop working unless a rule accepting traffic on the loopback interface is placed ahead of it. If the listener is bound to localhost (the default), the more useful rules are the ones that keep the AJP connector (8009 by default) and any management ports reachable only from the hosts that need them.
3. Handle Tomcat console security
By default the Tomcat console applications live under {tomcat installation directory}/server/webapps; there are two of them, admin and manager.
Their users and passwords are defined in {tomcat installation directory}/conf/tomcat-users.xml, and the context files admin.xml and manager.xml under {tomcat installation directory}/webapps make them reachable at /admin and /manager.
By default you can log on to the Tomcat console, which is a serious security problem.
Test method: open http://[IP]:[port]/admin in a browser and log on with the username admin and an empty password.
If the logon succeeds, there is a problem.
Solution: delete admin.xml and manager.xml under {tomcat installation directory}/webapps so the two applications are no longer deployed, or remove the corresponding users (or at least their admin and manager roles) from tomcat-users.xml.
You can also delete the application directories themselves.
4. Error pages that reveal the server
When a page cannot be found, Tomcat shows its built-in 404 page. That page displays the server version number, so the server's make-up is clear at a glance.
To avoid this, customize the error pages.
The settings are as follows:
Open conf/web.xml in a text editor and add the following before the closing </web-app> tag at the end of the file:
    <error-page>
        <error-code>404</error-code>
        <location>/404.jsp</location>
    </error-page>
    <error-page>
        <error-code>500</error-code>
        <location>/500.jsp</location>
    </error-page>
Then create 404.jsp and 500.jsp in the root directory of each web application: the location is resolved relative to the application's own context, and conf/web.xml applies to all of them.
5. Protection when Apache httpd and Tomcat share a directory tree
When Apache httpd and Tomcat run on the same host (or share a network file system) and serve the same directory of web pages,
pay attention to how their individual protection mechanisms interact. This is especially important when you have a "protected directory":
each server can read the other's files.
In this situation, Tomcat does not honour files such as .htaccess, and Apache does not protect a web application's WEB-INF or META-INF directory, which hold web.xml, compiled classes and configuration that must never be served; a request for /WEB-INF/web.xml that reaches httpd is answered with the file.
These situations can cause major security vulnerabilities, so be especially careful with these special directories.
To have Apache httpd protect the WEB-INF and META-INF directories, add to httpd.conf a <Directory> section for each of the two directories (AllowOverride is only valid inside <Directory>) containing:
    AllowOverride None
    Deny from all
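The complete sections, as an added example and not the post's own httpd.conf excerpt. It assumes Apache httpd 2.2 syntax (Deny from all belongs to 2.2's mod_authz_host; the 2.4 form is given in a comment) and an assumed path of /usr/local/tomcat/webapps/ROOT for the shared document root. It goes one step beyond the two blocks described above by adding a URL-based catch-all that covers every application under the shared tree:

```apache
# Per-directory protection for the application httpd serves directly.
# AllowOverride None also stops a .htaccess dropped into the directory from
# re-opening it.  The path is assumed; adjust it to your DocumentRoot.
<Directory "/usr/local/tomcat/webapps/ROOT/WEB-INF">
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/usr/local/tomcat/webapps/ROOT/META-INF">
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# Catch-all on the URL path, so every web application under the shared tree
# is covered.  AllowOverride is only valid inside <Directory>, so it is not
# repeated here.
<LocationMatch "/(WEB-INF|META-INF)(/|$)">
    Order deny,allow
    Deny from all
</LocationMatch>

# Apache httpd 2.4 and later: replace "Order deny,allow" and "Deny from all"
# in each section with
#     Require all denied
```

After editing, run apachectl configtest, reload, and request http://[IP]/WEB-INF/web.xml through httpd: the answer must be 403, not the file. On Windows the filesystem is case-insensitive, so a request for /web-inf/web.xml reaches the same file; the LocationMatch pattern then needs PCRE's (?i) prefix, since the <Directory> sections only cover the one path they name.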
6. Disable automatic directory listings
In conf/web.xml the default servlet is declared as follows; set the listings parameter to false:
    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
false: directories are not listed. true: a request for a directory that has no welcome file returns a listing of its contents.
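A script that checks the points of sections 1, 3, 4 and 6 against an installation's conf/ files, as an added example rather than anything from the original post. It assumes the standard CATALINA_HOME/conf layout, the role names Tomcat uses for its consoles, and the constructed sample configurations embedded at the bottom; it relies only on the standard library and flags exactly the conditions the post warns about: the default SHUTDOWN command, a shutdown listener bound to a non-loopback address, console users with empty or guessable passwords, listings=true on the default servlet, and no custom 404/500 error pages.

```python
"""Audit Tomcat config files for the weaknesses in sections 1, 3, 4 and 6:
guessable or exposed shutdown port, console accounts with empty or guessable
passwords, directory listings and missing custom error pages.  Added example,
not from the original post; assumes the standard conf/ layout under CATALINA_HOME."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Roles that grant console access (Tomcat 5 names plus the later split roles).
CONSOLE_ROLES = {"admin", "manager", "admin-gui", "manager-gui",
                 "manager-script", "manager-jmx", "manager-status"}
GUESSABLE = {"", "tomcat", "admin", "manager", "password"}  # tried first by scanners
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def local(tag):
    """Strip a namespace: '{http://tomcat.apache.org/xml}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]

def audit_server_xml(text):
    """(code, message) findings for the <Server> shutdown listener."""
    server = ET.fromstring(text)
    if local(server.tag) != "Server":
        return [("server-root", "root element is not <Server>")]
    port = server.get("port", "8005")
    if port == "-1":
        return []                                   # listener disabled entirely
    findings = []
    if server.get("shutdown", "SHUTDOWN") == "SHUTDOWN":
        findings.append(("shutdown-default", "shutdown command is the default SHUTDOWN"))
    address = server.get("address", "localhost")    # Tomcat's default binding
    if address not in ("localhost", "127.0.0.1", "::1"):
        findings.append(("shutdown-exposed", f"shutdown port {port} listens on {address}"))
    return findings

def audit_tomcat_users(text):
    """Findings for console accounts with an empty or guessable password."""
    findings = []
    for user in ET.fromstring(text).iter():
        if local(user.tag) != "user":
            continue
        name = user.get("username") or user.get("name") or "?"    # name= in Tomcat 4
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        console = sorted(roles & CONSOLE_ROLES)
        password = user.get("password", "")
        if console and (password in GUESSABLE or password == name):
            findings.append(("console-weak-password",
                             f"user {name!r} holds {console} with an empty or guessable password"))
    return findings

def audit_web_xml(text):
    """Findings for listings on the default servlet and missing error pages."""
    findings, root = [], ET.fromstring(text)
    for servlet in root.iter():
        if local(servlet.tag) != "servlet":
            continue
        cls, params = "", {}
        for child in servlet:
            if local(child.tag) == "servlet-class":
                cls = (child.text or "").strip()
            elif local(child.tag) == "init-param":
                kv = {local(c.tag): (c.text or "").strip() for c in child}
                params[kv.get("param-name")] = kv.get("param-value", "")
        # DefaultServlet lists directories only when listings is explicitly true.
        if cls == DEFAULT_SERVLET and params.get("listings", "false").lower() == "true":
            findings.append(("listings-enabled", "default servlet has listings=true"))
    codes = {(c.text or "").strip() for ep in root.iter() if local(ep.tag) == "error-page"
             for c in ep if local(c.tag) == "error-code"}
    for code in ("404", "500"):
        if code not in codes:
            findings.append(("error-page-missing",
                             f"no <error-page> for {code}: the built-in page shows the Tomcat version"))
    return findings

# Constructed weak samples (not taken from any real installation).
WEAK_SERVER_XML = ('<Server port="8005" shutdown="SHUTDOWN" address="0.0.0.0">'
                   '<Service name="Catalina"/></Server>')
WEAK_USERS_XML = """<tomcat-users>
  <user username="admin" password="" roles="admin,manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
</tomcat-users>"""
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:           # python tomcat_audit.py /usr/local/tomcat
        conf = Path(sys.argv[1]) / "conf"
        results = (audit_server_xml((conf / "server.xml").read_text(encoding="utf-8"))
                   + audit_tomcat_users((conf / "tomcat-users.xml").read_text(encoding="utf-8"))
                   + audit_web_xml((conf / "web.xml").read_text(encoding="utf-8")))
    else:                           # no argument: audit the constructed samples
        results = (audit_server_xml(WEAK_SERVER_XML) + audit_tomcat_users(WEAK_USERS_XML)
                   + audit_web_xml(WEAK_WEB_XML))
    for code, msg in results:
        print(f"FAIL [{code}] {msg}")
    sys.exit(1 if results else 0)
```

Run it with no arguments to see the findings for the constructed samples, or with CATALINA_HOME as the only argument to audit a real installation; the exit status is 1 when anything is found, so it can gate a deployment. Because the checks parse the XML instead of grepping it, the namespaced tomcat-users.xml of Tomcat 7 and later and the namespaced web.xml of Servlet 2.4 and later are handled the same as the older plain files.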
7. Run as a non-root user
Reprinted: http://blog.c1gstudio.com/archives/865