2025-01-18 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
How to harden Tomcat as the middleware layer of a Linux system: this article walks through the analysis and the corresponding configuration changes, hoping to give readers who face this problem a simple, workable approach.
Earlier posts covered host hardening (Linux security hardening, Windows security hardening). (As a matter of fact, I still like sun target machines....)
Next I would like to sort out the hardening of middleware and web containers, and then of the mainstream databases.
Let's start with some web basics.
The general path of a web request is:
Web browser -> web server (in the narrow sense) -> web container -> application server -> database server
When any of these layers is misconfigured, it becomes a position from which attacks are launched.
Typical choices by project type are:
Small projects and personal development generally use Tomcat.
Linux systems generally use Jetty or Apache httpd.
Large projects use JBoss or WebLogic; commercial projects generally use WebLogic or WebSphere, and others include JBoss, GlassFish, etc.
Web server: responds with pages and handles the HTTP protocol. Examples: IIS, Apache, nginx, Lighttpd.
Web container: Tomcat (JSP container, servlet container), IIS (ASP container); it mediates between the operating system and the application.
Application server: IIS, Tomcat, WebLogic and WebSphere are each both an application server and a web server.
Middleware: provides containers and services for applications.
This time the topic is the Linux hardening of Tomcat.
Tomcat is Apache middleware that provides JSP or PHP parsing services.
Hardening is again split into five aspects: identity authentication, access control, security audit, resource control and intrusion prevention.
Most of the hardening is done by editing the XML configuration files, and the plan should follow the actual requirements.
To locate the configuration directory on Linux, use find / -name "*tomcat*".
Note: everything below is reference configuration; adapt it before applying.
01 Identity authentication
1. Delete redundant accounts:
Edit the Tomcat configuration file conf/tomcat-users.xml and delete the accounts that have nothing to do with the work at hand.
For example, if tomcat1 has nothing to do with operations or maintenance, delete (or comment out) its user entry.
2. Password complexity:
Passwords must be at least 8 characters long and include at least 3 of the 4 categories: digits, lowercase letters, uppercase letters and special symbols.
Edit the Tomcat configuration file conf/tomcat-users.xml so that the usr1 password meets the complexity requirement.
3. Different users get different accounts:
Having two or more accounts is reasonable.
Edit the Tomcat configuration file conf/tomcat-users.xml to modify or add accounts:
4. Non-root startup:
ps -ef | grep tomcat | grep -v grep
The owner of the Tomcat process must not be root.
Start the Tomcat service as an ordinary user.
02 Access control
Least privilege:
Edit the Tomcat configuration file conf/tomcat-users.xml and, under the root node, adjust the user role assignments so that the tomcat account is granted remote management rights:
1. Tomcat 6
2. Tomcat 7
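As an added example (not code from the original article), the following Python script audits a tomcat-users.xml against items 1 to 4 of section 01 and the least-privilege item of section 02: accounts outside an allow-list, passwords that fail the 8-character / 3-of-4-classes rule, accounts holding manager or admin roles without being on the admin list, and Tomcat processes owned by root in `ps -ef` output. The XML and the ps output are constructed samples; EXPECTED_USERS and ADMIN_USERS are allow-lists the operator maintains, not something Tomcat provides. The password check only applies to plaintext passwords; digested passwords cannot be checked this way.

```python
"""Audit conf/tomcat-users.xml for the identity and access-control items above.
Added example, not code from the original article. The XML and ps output are
constructed samples; EXPECTED_USERS / ADMIN_USERS are allow-lists the operator
maintains (an assumption, not something Tomcat provides)."""
import re
import xml.etree.ElementTree as ET

# Constructed "before" state: tomcat1 is a leftover account, usr1 has a weak
# password, and only the tomcat account is supposed to hold management roles.
SAMPLE_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <role rolename="ops"/>
  <user username="tomcat" password="Tomcat#2024" roles="manager-gui,admin-gui"/>
  <user username="tomcat1" password="tomcat" roles="manager-gui"/>
  <user username="usr1" password="password1" roles="ops"/>
</tomcat-users>
"""
EXPECTED_USERS = {"tomcat", "usr1"}   # constructed allow-list of accounts that should exist
ADMIN_USERS = {"tomcat"}              # constructed allow-list of accounts allowed admin roles

# Roles that grant management access in Tomcat 7+ (Tomcat 6 used the single role "manager").
ADMIN_ROLES = {"manager", "manager-gui", "manager-script", "manager-jmx",
               "manager-status", "admin-gui", "admin-script"}


def password_is_complex(pw: str, min_len: int = 8, min_classes: int = 3) -> bool:
    """Article rule: at least 8 characters and at least 3 of the 4 classes
    (digits, lowercase, uppercase, special symbols). Only meaningful for
    plaintext passwords; digested passwords cannot be checked this way."""
    if len(pw) < min_len:
        return False
    classes = (re.search(r"\d", pw), re.search(r"[a-z]", pw),
               re.search(r"[A-Z]", pw), re.search(r"[^0-9A-Za-z]", pw))
    return sum(1 for c in classes if c) >= min_classes


def audit_tomcat_users(xml_text: str, expected_users: set, admin_users: set) -> list:
    """Return (username, finding) tuples for every violation found."""
    findings = []
    root = ET.fromstring(xml_text)
    # Match on the local tag name so a namespaced tomcat-users.xml also works.
    for u in (e for e in root.iter() if e.tag.split("}")[-1] == "user"):
        name = u.get("username", "")
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        if name not in expected_users:
            findings.append((name, "account not on the allow-list; delete it"))
        if not password_is_complex(u.get("password", "")):
            findings.append((name, "password fails the 8-char / 3-of-4-classes rule"))
        if roles & ADMIN_ROLES and name not in admin_users:
            findings.append((name, "holds manager/admin roles but is not an admin account"))
    return findings


# Constructed `ps -ef` output for item 4 (non-root startup).
SAMPLE_PS = """UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jan01 ?        00:00:01 /sbin/init
root      2187     1  0 Jan01 ?        00:05:12 /usr/bin/java -Dcatalina.home=/opt/tomcat org.apache.catalina.startup.Bootstrap start
tomcat    2301     1  0 Jan01 ?        00:00:03 /usr/bin/java -Dcatalina.home=/opt/tomcat2 org.apache.catalina.startup.Bootstrap start
"""


def tomcat_processes_as_root(ps_output: str) -> list:
    """Return the PIDs of Catalina Bootstrap processes whose owner (UID column) is root."""
    pids = []
    for line in ps_output.splitlines():
        fields = line.split(None, 7)          # UID PID PPID C STIME TTY TIME CMD
        if len(fields) == 8 and "org.apache.catalina.startup.Bootstrap" in fields[7] and fields[0] == "root":
            pids.append(fields[1])
    return pids


if __name__ == "__main__":
    for name, finding in audit_tomcat_users(SAMPLE_USERS_XML, EXPECTED_USERS, ADMIN_USERS):
        print(f"{name}: {finding}")
    print("tomcat running as root, PIDs:", tomcat_processes_as_root(SAMPLE_PS))
```

Run against a real installation by reading conf/tomcat-users.xml and the output of `ps -ef` into the two functions; the allow-lists are the only thing that has to be adjusted per site.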
03 Security audit
Edit the Tomcat configuration file conf/server.xml and enable logging in the Host tag by uncommenting the following AccessLogValve entry:
className: this MUST be set to org.apache.catalina.valves.AccessLogValve to use the default access log valve.
directory: the directory where log files are placed. Tomcat has a logs folder dedicated to log files; another path can also be used.
prefix: the name prefix of the log file. For a log named localhost_access_log.2008-10-22.txt the prefix is localhost_access_log.
suffix: the file suffix.
pattern: in common mode the log records information such as the client IP, local server IP, log server IP, request method, bytes sent, local receiving port and the requested URL.
resolveHosts: when true, Tomcat resolves the IP address to a host name via DNS; when false, the IP address is written directly.
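As an added example (not code from the original article), this Python script checks whether the AccessLogValve is actually active in server.xml (a valve that is still inside an XML comment does nothing) and then parses lines in the `common` pattern the valve writes, summarising them the way a reviewer of these logs would start. The two server.xml fragments and the log lines are constructed samples.

```python
"""Security-audit item: check that the AccessLogValve is active in conf/server.xml and
read back the 'common' pattern lines it writes. Added example, not code from the
article; the XML and the log lines are constructed samples."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed "before": the valve sits inside an XML comment, so nothing is logged.
SERVER_XML_DISABLED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <!--
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
        -->
      </Host>
    </Engine>
  </Service>
</Server>
"""
# Constructed "after": the same Valve with the comment markers removed.
SERVER_XML_ENABLED = SERVER_XML_DISABLED.replace("<!--\n", "").replace("-->\n", "")

ACCESS_LOG_VALVE = "org.apache.catalina.valves.AccessLogValve"


def access_log_valves(server_xml: str) -> list:
    """Attribute dicts of every active AccessLogValve (ElementTree drops commented-out ones)."""
    root = ET.fromstring(server_xml)
    return [dict(v.attrib) for v in root.iter("Valve") if v.get("className") == ACCESS_LOG_VALVE]


def access_logging_enabled(server_xml: str) -> bool:
    return bool(access_log_valves(server_xml))


# Tomcat pattern="common" is:  %h %l %u %t "%r" %s %b
COMMON_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)$')

# Constructed sample lines in the shape the valve writes.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Oct/2008:10:15:01 +0800] "GET /index.jsp HTTP/1.1" 200 1432
10.0.0.5 - - [22/Oct/2008:10:15:02 +0800] "GET /manager/html HTTP/1.1" 401 -
10.0.0.9 - admin [22/Oct/2008:10:15:09 +0800] "PUT /upload/test.jsp HTTP/1.1" 403 -
10.0.0.9 - - [22/Oct/2008:10:15:11 +0800] "DELETE /index.jsp HTTP/1.1" 403 -
10.0.0.7 - - [22/Oct/2008:10:16:00 +0800] "GET /missing.jsp HTTP/1.1" 404 985
"""


def parse_common_log(text: str) -> list:
    """Parse each line into a dict of the common-pattern fields; skip lines that do not match."""
    return [m.groupdict() for m in map(COMMON_RE.match, text.splitlines()) if m]


def summarize(entries: list) -> dict:
    """What a reviewer looks at first: requests per client, and PUT/DELETE attempts,
    which the read-only DefaultServlet setting in the next section should be rejecting."""
    per_client = Counter(e["host"] for e in entries)
    writes = [(e["host"], e["method"], e["path"], e["status"])
              for e in entries if e["method"] in ("PUT", "DELETE")]
    return {"per_client": dict(per_client), "write_attempts": writes}


if __name__ == "__main__":
    print("access logging enabled:", access_logging_enabled(SERVER_XML_ENABLED))
    print(summarize(parse_common_log(SAMPLE_LOG)))
```

The check deliberately parses the XML rather than grepping for the class name: a grep would report the commented-out valve as present, which is exactly the state this hardening item is meant to catch.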
04 Intrusion prevention
1. HTTP encryption protocol (HTTPS)
Check the current keystore setting (strip comments and blank lines, then look for keystoreFile):
cat /usr/apache-tomcat-5.5.23/conf/server.xml | sed '/<!--/d' | sed '/^$/d' | sed '/-->/d' | sed '/^\s*$/d' | grep "keystoreFile"
(1) Generate a certificate with the keytool that ships with the JDK:
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /path/to/my/keystore
The directory /path/to/my must be created by the user beforehand.
(2) Edit conf/server.xml under the Tomcat installation directory to enable HTTPS by adding the following line:
Here the value of keystorePass is the password entered when the keystore was generated.
(3) Restart the Tomcat service.
2. Disable unsafe HTTP request methods
Edit the web.xml file and check whether org.apache.catalina.servlets.DefaultServlet has the following configuration:
<init-param>
<param-name>readonly</param-name>
<param-value>false</param-value>
</init-param>
Change false to true. The readonly parameter defaults to true, meaning DELETE and PUT requests are rejected.
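As an added example (not code from the original article), the following Python script verifies the two intrusion-prevention items above on the XML rather than by eye: that server.xml has a connector that really terminates TLS (SSLEnabled, scheme="https", secure="true") and points at a keystore, and that the DefaultServlet in web.xml has readonly set to true (the same getter reads any other DefaultServlet init-param, such as listings). All XML fragments are constructed; the keystore path and password are placeholders. Putting keystoreFile directly on the Connector matches the Tomcat 5.5/6/7 generation this article covers; Tomcat 8.5 and later move it into nested SSLHostConfig/Certificate elements, which this check does not look at.

```python
"""Intrusion-prevention items 1 and 2: confirm conf/server.xml carries an HTTPS connector
backed by a keystore, and that the DefaultServlet in conf/web.xml is read-only.
Added example, not code from the article; all XML is constructed and the keystore
path/password are placeholders."""
import xml.etree.ElementTree as ET

# Constructed server.xml with a plain HTTP connector only ("before").
SERVER_XML_HTTP_ONLY = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps"/></Engine>
  </Service>
</Server>
"""
# Constructed "after": an HTTPS connector in the shape the article's step (2) describes
# (keystoreFile / keystorePass are placeholders, not real values).
HTTPS_CONNECTOR = """<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" keystoreFile="/path/to/my/keystore" keystorePass="CHANGEME-keystore-password"/>"""
SERVER_XML_HTTPS = SERVER_XML_HTTP_ONLY.replace(
    'redirectPort="8443"/>', 'redirectPort="8443"/>\n    ' + HTTPS_CONNECTOR)


def https_connectors(server_xml: str) -> list:
    """Connectors that actually terminate TLS: SSLEnabled plus scheme=https and secure=true."""
    root = ET.fromstring(server_xml)
    return [dict(c.attrib) for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"
            and c.get("scheme") == "https"
            and c.get("secure", "false").lower() == "true"]


def https_configured(server_xml: str) -> bool:
    """True when at least one TLS connector names a keystore (Tomcat 5.5/6/7 style)."""
    return any("keystoreFile" in c for c in https_connectors(server_xml))


# Constructed web.xml fragments: "before" allows PUT/DELETE, "after" is the article's fix.
WEB_XML_TEMPLATE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>{readonly}</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""
WEB_XML_WRITABLE = WEB_XML_TEMPLATE.format(readonly="false")
WEB_XML_READONLY = WEB_XML_TEMPLATE.format(readonly="true")

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag: str) -> str:
    """Strip the web-app namespace so tags can be compared by local name."""
    return tag.split("}")[-1]


def default_servlet_param(web_xml: str, name: str, default: str) -> str:
    """Read an init-param of the DefaultServlet; Tomcat's own default applies when absent."""
    root = ET.fromstring(web_xml)
    for servlet in (e for e in root.iter() if _local(e.tag) == "servlet"):
        cls = next((e.text or "" for e in servlet if _local(e.tag) == "servlet-class"), "")
        if cls.strip() != DEFAULT_SERVLET:
            continue
        for ip in (e for e in servlet if _local(e.tag) == "init-param"):
            kv = {_local(e.tag): (e.text or "").strip() for e in ip}
            if kv.get("param-name") == name:
                return kv.get("param-value", default)
    return default


def default_servlet_is_readonly(web_xml: str) -> bool:
    return default_servlet_param(web_xml, "readonly", "true").lower() == "true"


if __name__ == "__main__":
    print("HTTPS configured:", https_configured(SERVER_XML_HTTPS))
    print("DefaultServlet read-only:", default_servlet_is_readonly(WEB_XML_WRITABLE))
```

Note that the readonly check treats an absent init-param as true, mirroring Tomcat's default; only an explicit `false` is flagged.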
05 Resource control
1. Timeout logout
Edit the conf/server.xml configuration file and set connectionTimeout to 30 seconds (the unit is milliseconds):
2. Error page redirection
(1) Edit the Tomcat configuration file conf/web.xml and add the following before the closing line:
<error-page>
<error-code>404</error-code>
<location>/noFile.htm</location>
</error-page>
<error-page>
<exception-type>java.lang.NullPointerException</exception-type>
<location>/error.jsp</location>
</error-page>
The first entry sends a JSP-not-found error to the noFile.htm page; further error codes such as 403 and 500 can be added to the page in the same way.
The second entry sends a java.lang.NullPointerException raised in a JSP page to the error.jsp page; the originating JSP page also needs the following added:
A typical error.jsp page looks like this:
Error page
There was a mistake:
Error message:
Stack Trace is:
When a NullPointerException occurs, Tomcat forwards the request to error.jsp and prints the error message.
Restart the tomcat service
3. Modify the default port
Edit the Tomcat configuration file conf/server.xml and change the default management port to something other than 8080:
Restart the tomcat service
4. Prohibit directory listing
Edit the Tomcat configuration file conf/web.xml:
<init-param>
<param-name>listings</param-name>
<param-value>true</param-value>
</init-param>
Change true to false.
Restart the tomcat service
5. Prevent malicious service shutdown
Edit the Tomcat configuration file conf/server.xml.
Set the shutdown attribute of the Server element to a complex string:
6. Connection count settings
Edit the Tomcat configuration file conf/server.xml:
maxThreads="150" means at most 150 connections are processed at the same time.
minSpareThreads="25" means this many idle threads wait even when nobody is using the server.
maxSpareThreads="75" means at most 75 threads may sit idle.
acceptCount="100": once the number of simultaneous connections reaches maxThreads, up to 100 further connections are queued; connections beyond that are refused outright.
7. Modify the banner
Edit the following keys in ServerInfo.properties inside lib/catalina.jar (mask the real version information):
server.info=X
server.built=BuildDate
server.number=X
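As an added example (not code from the original article), this Python script turns items 1, 2, 3, 5, 6 and 7 of this section into checks: connectionTimeout at or below 30 seconds, the HTTP connector off port 8080, a shutdown string that is neither the default nor short, thread limits set on the connector, error-page mappings present in web.xml, and a ServerInfo.properties banner that no longer carries a version number. Every fragment is constructed; the shutdown string is a labelled placeholder, and the stock ServerInfo values are made up for illustration. One caveat on item 2 that the article does not state: an error.jsp that prints the stack trace to the browser discloses internals, so in production keep the trace in the server log and show users only a generic message.

```python
"""Resource-control items 1, 2, 3, 5, 6 and 7 as checks over server.xml, web.xml and
ServerInfo.properties. Added example, not code from the article; every fragment is
constructed and the shutdown string is a placeholder."""
import xml.etree.ElementTree as ET

# Constructed server.xml in the stock shape the article tells you to change.
SERVER_XML_DEFAULT = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps"/></Engine>
  </Service>
</Server>
"""
# Constructed hardened copy (the shutdown value is a placeholder, not a string to reuse).
SERVER_XML_HARDENED = """<Server port="8005" shutdown="PLACEHOLDER-long-random-string-7Gq2x">
  <Service name="Catalina">
    <Connector port="8180" protocol="HTTP/1.1" connectionTimeout="30000" redirectPort="8443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75" acceptCount="100"/>
    <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps"/></Engine>
  </Service>
</Server>
"""


def audit_server_xml(server_xml: str, max_timeout_ms: int = 30000) -> list:
    """Return human-readable findings for items 1, 3, 5 and 6."""
    findings = []
    root = ET.fromstring(server_xml)
    shutdown = root.get("shutdown", "")
    if shutdown == "SHUTDOWN" or len(shutdown) < 16:
        findings.append("shutdown command is the default or too short; use a long random string")
    for c in root.iter("Connector"):
        if c.get("SSLEnabled", "false").lower() == "true":
            continue  # the HTTPS connector is covered by the intrusion-prevention section
        port = c.get("port")
        if port == "8080":
            findings.append("HTTP connector still listens on the default port 8080")
        # Tomcat's documented default when connectionTimeout is unset is 60000 ms.
        timeout = int(c.get("connectionTimeout", "60000"))
        if timeout > max_timeout_ms:
            findings.append(f"connectionTimeout={timeout} exceeds {max_timeout_ms} ms")
        for attr in ("maxThreads", "acceptCount"):
            if c.get(attr) is None:
                findings.append(f"connector on port {port} does not set {attr}")
    return findings


# Constructed web.xml carrying the two error-page entries from item 2.
WEB_XML_ERROR_PAGES = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <error-page><error-code>404</error-code><location>/noFile.htm</location></error-page>
  <error-page><exception-type>java.lang.NullPointerException</exception-type><location>/error.jsp</location></error-page>
</web-app>
"""


def error_page_mappings(web_xml: str) -> dict:
    """Map each error-code or exception-type to its location. Codes left unmapped fall
    through to Tomcat's stock error report, which in older versions shows the version."""
    root = ET.fromstring(web_xml)
    local = lambda tag: tag.split("}")[-1]
    mapping = {}
    for ep in (e for e in root.iter() if local(e.tag) == "error-page"):
        kv = {local(e.tag): (e.text or "").strip() for e in ep}
        key = kv.get("error-code") or kv.get("exception-type")
        if key:
            mapping[key] = kv.get("location", "")
    return mapping


def missing_error_codes(web_xml: str, wanted=("404", "403", "500")) -> list:
    """Error codes the article suggests mapping that are not yet mapped."""
    mapping = error_page_mappings(web_xml)
    return [code for code in wanted if code not in mapping]


# Constructed ServerInfo.properties contents (the real file lives inside lib/catalina.jar).
SERVER_INFO_STOCK = "server.info=Apache Tomcat/7.0.0\nserver.number=7.0.0.0\nserver.built=Jan 1 2011 00:00:00\n"
SERVER_INFO_MASKED = "server.info=X\nserver.number=X\nserver.built=BuildDate\n"


def banner_reveals_version(properties_text: str) -> bool:
    """True when server.info or server.number still contains a digit-bearing version string."""
    props = dict(line.split("=", 1) for line in properties_text.splitlines() if "=" in line)
    return any(any(ch.isdigit() for ch in props.get(k, "")) for k in ("server.info", "server.number"))


if __name__ == "__main__":
    for f in audit_server_xml(SERVER_XML_DEFAULT):
        print("server.xml:", f)
    print("unmapped error codes:", missing_error_codes(WEB_XML_ERROR_PAGES))
    print("banner reveals version:", banner_reveals_version(SERVER_INFO_STOCK))
```

The shutdown-string length threshold (16 characters) is this example's own choice; the article only asks for a complex string, and the point is to fail the default value and anything trivially guessable.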
That concludes this walk-through of hardening Tomcat as the middleware layer of a Linux system; hopefully the above is of some help.