2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
What are the Tomcat security specifications? This article analyses the question in detail and gives the corresponding measures, so that readers who want to solve this problem can find a simpler, easier way.
Tomcat is an open-source Web server. Web applications running on Tomcat are efficient and run smoothly on ordinary hardware, so it is popular with webmasters. Under the default configuration, however, it carries certain security risks and can be attacked. The following measures harden it:
Version safety
Upgrade to the latest stable release. For stability reasons, cross-release upgrades are not recommended.
Run with reduced privileges
Do not start Tomcat as root. Start it as an ordinary user, and keep that user name and UID uniform across the cluster.
Port Protection
1 Change the Tomcat management port 8005, which has permission to shut down the Tomcat service; the port must be configured between 8000 and 8999. Change the shutdown command as well.
2 If Tomcat is placed on the intranet, bind the Tomcat service listening address to the intranet address.
3 Change the default AJP port 8009 to one less likely to conflict (greater than 1024), while keeping it between 8000 and 8999.
Disable the management interface
1 Delete the default $CATALINA_HOME/conf/tomcat-users.xml file; restarting Tomcat automatically generates a new one.
2 Delete all default directories and files under $CATALINA_HOME/webapps.
3 Configure the Tomcat application root directory to a directory outside the Tomcat installation directory.
Hide Tomcat version information
The version information is controlled by a jar located in the $CATALINA_HOME/lib directory called catalina.jar.
Decompressing this jar with jar xf yields two directories, META-INF and org.
Modify the server.info field in the org/apache/catalina/util/ServerInfo.properties file to change the Tomcat version information that is reported.
Turn off automatic war deployment
By default, Tomcat hot-deploys war packages. To prevent malicious programs such as Trojans from being implanted, turn off automatic deployment.
Example of modification:
Custom error pages
Edit conf/web.xml and add the following error-page entries inside the <web-app> element:
  <error-page>
    <error-code>404</error-code>
    <location>/404.html</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/500.html</location>
  </error-page>
Prevent automatic directory listing
Edit the conf/web.xml file and set the listings parameter of the default servlet to false:
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
false means directories are not listed; true allows listing.
Multiple virtual hosts
Tomcat virtual hosting is strongly discouraged; one instance per site is recommended. That is, start multiple Tomcats rather than one Tomcat that contains multiple virtual hosts.
Because Tomcat is multithreaded and shares memory, an application crash in any one virtual host affects all applications. Although the multi-instance approach costs more resources, it at least ensures application isolation and security.
Script permission reclamation
Restrict the executable permissions of startup.sh, catalina.sh and shutdown.sh in the $CATALINA_HOME/bin directory:
chmod -R 744 $CATALINA_HOME/bin/*
Separating the Tomcat user from the project owner
If a web shell is implanted into Tomcat, it can modify the project files. Therefore separate the Tomcat user from the owner of the project files, so that even if Tomcat is compromised, it cannot create or edit project files.
Server header rewrite
Add server="server_name" to the HTTP Connector configuration; the default is Apache-Coyote/1.1.
Limit the source IPs allowed to access, by configuration
Access Log Format Specification
Enable Referer and User-Agent records in the default Tomcat access log
Standard configuration:
Tomcat disables illegal HTTP methods
In the web.xml file, add a readonly init-param to the default servlet (org.apache.catalina.servlets.DefaultServlet):
  <init-param>
    <param-name>readonly</param-name>
    <param-value>true</param-value>
  </init-param>
When param-value is true, DELETE and PUT operations are not allowed.
The tomcat user has remote administrative privileges
In tomcat-users.xml, modify the role value of the tomcat user so that it includes manager, such as:
Tomcat automatic logout time must not exceed 30 seconds
Edit server.xml and set the automatic logout time to 30 seconds, as follows:
Tomcat should set the minimum and maximum thread counts according to machine performance and business requirements
Edit the server.xml file. An example is as follows:
minSpareThreads="25" means that 25 idle threads wait even when nobody is using the server; set this according to the actual situation.
maxThreads="150" means that up to 150 connections are processed simultaneously; configure this according to the actual situation.
Tomcat Configuration Access Log
Modify server.xml and uncomment the following access log valve:
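A consolidated server.xml, added here as an illustration and not taken from the original article, that applies the settings the sections above ask for: the changed shutdown port and command, the intranet bind address, the rewritten server header, the moved AJP port, war hot-deployment switched off, the thread counts, the access log with Referer and User-Agent, and a source-IP restriction. The IP addresses, ports, paths and the AJP secret are constructed placeholders; secretRequired needs Tomcat 8.5.51/9.0.31 or later and the ErrorReportValve attributes need 7.0.55/8.0 or later.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Shutdown listener: port inside 8000-8999 and a non-default command string -->
<Server port="8095" shutdown="CHANGE_ME_TO_A_LONG_RANDOM_STRING">
  <Service name="Catalina">
    <!-- HTTP connector bound to the intranet address only (constructed example IP),
         Server header rewritten, thread pool sized with minSpareThreads/maxThreads -->
    <Connector port="8080" protocol="HTTP/1.1"
               address="10.0.0.5"
               server="server_name"
               minSpareThreads="25"
               maxThreads="150"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- AJP moved off 8009 into the 8000-8999 range, loopback only, with a
         shared secret (secretRequired: Tomcat 8.5.51+ / 9.0.31+) -->
    <Connector protocol="AJP/1.3"
               address="127.0.0.1"
               port="8019"
               secretRequired="true"
               secret="CHANGE_ME_AJP_SECRET" />
    <Engine name="Catalina" defaultHost="localhost">
      <!-- appBase outside the Tomcat install directory; war hot-deployment off,
           applications are still deployed once at startup -->
      <Host name="localhost" appBase="/srv/webapps"
            unpackWARs="true" autoDeploy="false" deployOnStartup="true">
        <!-- only intranet clients (10.0.0.0/8 here) and localhost may connect -->
        <Valve className="org.apache.catalina.valves.RemoteAddrValve"
               allow="10\.\d+\.\d+\.\d+|127\.0\.0\.1" />
        <!-- access log extended with the Referer and User-Agent request headers -->
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot;" />
        <!-- error pages without the Tomcat version banner or stack traces -->
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false" />
      </Host>
    </Engine>
  </Service>
</Server>
```

The RemoteAddrValve pattern is matched against the whole client address, so adjust it to your own intranet ranges before use.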
Configure Tomcat error page redirection
Edit the web.xml file and modify it as follows:
  <error-page>
    <error-code>404</error-code>
    <location>/noFile.htm</location>
  </error-page>
  ...
  <error-page>
    <exception-type>java.lang.NullPointerException</exception-type>
    <location>/error.jsp</location>
  </error-page>