2025-01-16 Update From: SLTechnology News&Howtos. Shulou (Shulou.com) 06/01 Report
In this round of security hardening, Tomcat was the hardest-hit area, so here is a summary of how to harden Tomcat.
1. Upgrade to the latest stable version. This is a cliché. Tomcat currently supports versions 6.0 and 7.0.
1) For the sake of stability, cross-version upgrades are not recommended. If the previous version is in the 6.0 series, it is best to use the latest version of that series.
2) Deploy the latest Tomcat in a directory at the same level as the old one, copy over the files in the conf directory and the webapps, then edit server.xml to change the listening port for testing. After testing, shut down the new Tomcat and change the port back. At release time, stop the old Tomcat and start the new one, and the upgrade is complete.
2. Harden the listening ports
1) If Tomcat does not need to provide external services, have it listen on the loopback interface and put Nginx in front of it. If it does need to be reachable externally, for example when one Nginx fronts multiple Tomcat instances, use iptables on the server to allow access only from the IP of the load balancer.
2) Nowadays we generally do not have Apache call Tomcat through the AJP protocol, so the AJP port can be closed.
3) In newer versions of Tomcat, the SHUTDOWN port listens on 127.0.0.1 by default, so there is no need to modify it. If you still want to harden it, you can replace the SHUTDOWN command with another string.
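The three listening-port checks above can be run against a conf/server.xml file. The following is an added example, not code from the original article: the function name audit_server_xml and the sample XML are constructed for illustration, and it relies on the Connector address attribute and on port="-1" (which disables the shutdown listener), neither of which the article mentions.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample resembling a stock conf/server.xml (not from the article).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

def audit_server_xml(xml_text, behind_local_proxy=True):
    """Return (check_id, detail) findings for the listening-port items above."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" in protocol.lower():
            # Item 2): an AJP connector is still defined.
            findings.append(("ajp-enabled", f"AJP connector on port {port}"))
            continue
        # Item 1): an HTTP connector without an address binds to all interfaces.
        address = conn.get("address")
        if behind_local_proxy and address not in LOOPBACK:
            findings.append(("http-not-loopback",
                             f"port {port} listens on {address or 'all interfaces'}"))
    # Item 3): the shutdown listener still accepts the default command string.
    if root.get("port") != "-1" and root.get("shutdown", "SHUTDOWN") == "SHUTDOWN":
        findings.append(("default-shutdown-string",
                         f"shutdown port {root.get('port')} uses the default command"))
    return findings

if __name__ == "__main__":
    for check_id, detail in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"[{check_id}] {detail}")
```

Pass behind_local_proxy=False for a Tomcat that must be reachable from a separate load balancer; the iptables restriction for that case is outside what server.xml can show.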
3. Customize the error page to hide Tomcat information
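Edit conf/web.xml and add the following inside the <web-app> tag:

    <error-page>
        <error-code>404</error-code>
        <location>/404.html</location>
    </error-page>
    <error-page>
        <error-code>500</error-code>
        <location>/500.html</location>
    </error-page>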
4. Disable the Tomcat management page
1) Delete everything that ships with Tomcat under the webapps directory
2) Delete the host-manager.xml and manager.xml files under conf/Catalina/localhost/
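5. Start Tomcat as an ordinary (non-root) user

    # Create a tomcat account with no home directory and no login shell
    useradd -M -s /bin/false tomcat
    # Hand the installation directory to that account
    chown -R tomcat:tomcat /usr/local/src/apache-tomcat-6.0.37
    # The account's shell is /bin/false, so give su a shell for this one command
    su -s /bin/sh tomcat -c "/usr/local/src/apache-tomcat-6.0.37/bin/catalina.sh start"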
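6. Disable Tomcat directory listings
This is disabled by default in newer versions; the setting is the listings parameter of the default servlet and can be edited in conf/web.xml:

    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>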