How to set tomcat server security

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

In this issue, Xiaobian explains how to set up Tomcat server security. The article is rich in content and is written from a professional perspective; after reading it, I hope you gain something from it.

1. Delete all files in the webapps directory, which also removes the Tomcat admin interfaces (manager and host-manager):

rm -rf /usr/local/tomcat/apache-tomcat-9.0.1/webapps/*

2. Comment out or delete all user and role definitions in the conf/tomcat-users.xml file.

3. Hide version information by modifying conf/server.xml.

3. The run-as user problem:

nginx and httpd start as root so they can bind port 80, and their child processes/threads then drop privileges to an ordinary user via the setuid() and setgid() functions. That is, the parent process is owned by root, while the child processes and worker threads run as a non-root user. This user has no shell and cannot log on to the system through ssh or the console.

The Java JVM is system independent and sits on top of the OS: whichever user starts Tomcat, Tomcat inherits that user's permissions.

This causes a problem. On Linux, ports below 1024 can only be bound by root, which is why Tomcat's default port is 8080. If you want to serve on port 80, the only direct option is to start Tomcat as root, and that raises a lot of security issues.

Instead, create a dedicated user that is only used to run Tomcat:

groupadd -g 80 tomcat

adduser -o --home /tomcat --shell /sbin/nologin --uid 80 --gid 80 -c "Web server" tomcat

chown tomcat:tomcat -R /usr/local/tomcat/apache-tomcat-9.0.1/*

su -s /bin/sh - tomcat -c "/usr/local/tomcat/apache-tomcat-9.0.1/bin/startup.sh"

(The -s /bin/sh is needed because the account's login shell is /sbin/nologin, which would otherwise refuse the -c command.)

Then add a port redirect so that traffic arriving on port 80 is delivered to port 8080, and Tomcat never needs root:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

To remove the redirect again:

iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

4. Turn off automatic WAR deployment:

vim conf/server.xml

5. Hide the version information shown on 404 pages:

In the lib directory, extract catalina.jar:

jar xf catalina.jar

Then edit the server information file:

vim /usr/local/tomcat/apache-tomcat-9.0.1/lib/org/apache/catalina/util/ServerInfo.properties

6. Change the Tomcat shutdown command

server.xml defines an administrative port that allows you to shut down a Tomcat instance directly. After connecting to that port via telnet, the instance can be shut down by typing SHUTDOWN, the default shutdown command (note that although the instance is stopped, the process may still exist). Because both the default port and the default command are well known and simple (port 8005, command SHUTDOWN), the shutdown command should be changed to something more complex.

Alternatively, disable port 8005 entirely.
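As an added example that is not part of the original article, the following Python script audits a server.xml for the weak defaults from steps 4 and 6: a shutdown listener that still accepts the default SHUTDOWN command (or is bound somewhere other than loopback), and a Host with autoDeploy left enabled. The two server.xml strings are constructed to resemble a stock Tomcat 9 configuration and its hardened counterpart.

```python
"""Audit a Tomcat server.xml for the weak defaults from steps 4 and 6."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on a stock Tomcat 9 server.xml (not taken from the article).
DEFAULT_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
"""

# Hardened variant: shutdown listener disabled (port -1) and autoDeploy switched off.
HARDENED_SERVER_XML = DEFAULT_SERVER_XML.replace(
    'port="8005" shutdown="SHUTDOWN"', 'port="-1" shutdown="SHUTDOWN"'
).replace('autoDeploy="true"', 'autoDeploy="false"')


def audit_server_xml(xml_text):
    """Return a list of (code, message) findings; an empty list means nothing weak was found."""
    findings = []
    server = ET.fromstring(xml_text)
    if server.tag != "Server":
        raise ValueError("root element is not <Server>")

    # Step 6: port="-1" disables the shutdown listener. If it is enabled, the command
    # must not be the well-known default and the listener must stay on loopback.
    port = server.get("port", "8005")
    if port != "-1":
        if server.get("shutdown", "SHUTDOWN") == "SHUTDOWN":
            findings.append(("shutdown-command", f"shutdown port {port} accepts the default command SHUTDOWN"))
        address = server.get("address", "localhost")
        if address not in ("localhost", "127.0.0.1", "::1"):
            findings.append(("shutdown-address", f"shutdown port {port} listens on {address}, not loopback"))

    # Step 4: autoDeploy defaults to true, so any WAR dropped into appBase while Tomcat
    # runs is deployed without a restart; a writable webapps directory is then a risk.
    for host in server.iter("Host"):
        if host.get("autoDeploy", "true").lower() == "true":
            findings.append(("autodeploy", f"Host {host.get('name')} has autoDeploy enabled"))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("default", DEFAULT_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_server_xml(xml_text) or "no findings")
```

Point the function at the real file (open(...).read()) to check a live installation; the checks are intentionally limited to the settings this article covers.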

7. Separate the Tomcat user from the project owner

If a web shell is planted in Tomcat, it can modify the project files. So we want to separate the Tomcat run-as user from the owner of the project files, so that even if Tomcat is compromised, the attacker cannot create or edit project files.

8. Add the corresponding configuration to conf/web.xml.

9. Custom error pages

A web.xml belongs to one application and handles that application's 404 responses. Since http://localhost/ is served by Tomcat's own ROOT application, this web.xml configuration goes into the application under webapps/ROOT/. Replace ROOT with your own application's directory as needed.

Add the configuration to /webapps/ROOT/WEB-INF/web.xml.

Create an error.jsp file in the webapps directory (the 404 page).

Create an exception.jsp file (the exception page).

Test custom error pages in the browser:

Define the session timeout and the forbidden list.

The above is how to set up Tomcat server security, as shared by Xiaobian. If you have similar questions, you may wish to refer to the analysis above. To learn more, please follow the industry information channel.


© 2024 shulou.com SLNews company. All rights reserved.
