Apache Tomcat 9 (9.0.53) – Security Considerations
No. | Hardening item | Description | Files |
---|---|---|---|
1 | Patch installation | Use the latest version of Tomcat | |
2 | Directory permissions | Restrict the Tomcat directories to the user that runs Tomcat | |
3 | Running user | The user running Tomcat must not be root | |
4 | Delete files and directories unrelated to the project | Delete the default directories under webapps/ | |
5 | Remove the management console | Disable all users in tomcat-users.xml | tomcat-users.xml |
6 | Shutdown port | Change the shutdown port and command | server.xml |
7 | Disable automatic deployment | Set autoDeploy to false | server.xml |
8 | Enable access logging | localhost_access_log | server.xml |
9 | System banner | Hide the version information revealed by a telnet probe and by HTTP error responses | server.xml, catalina.jar |
10 | Disable HTTP methods | Disable PUT, DELETE and other dangerous HTTP methods | web.xml |
11 | Disable directory browsing | Set listings to false | web.xml |
12 | Error pages | Custom pages for 404 and java.lang.NullPointerException errors | web.xml |
13 | Website icon | Not a security issue and has little impact; without it some browsers report errors | favicon.ico |
5. Remove the management console
Disable all users in tomcat-users.xml. No users are enabled there by default.
6. Shutdown port and command
Recommended hardening: move the shutdown port off the default 8005 and replace the default SHUTDOWN command:
<Server port="18005" shutdown="stop">
Another method: set the port attribute to -1, which closes the shutdown port entirely:
<Server port="-1" shutdown="SHUTDOWN">
Once the port is closed, bin/shutdown.sh fails with the message:
SEVERE: No shutdown port configured. Shut down server through OS signal. Server not shut down.
7. Disable automatic deployment (deploying applications into a running Tomcat)
Set the autoDeploy attribute of the Host element to "false".
If the deployOnStartup attribute is present, set it to "false" as well.
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="false">
8. Enable access logging
server.xml
The default configuration is an AccessLogValve inside the Host element, as follows:
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %u %t &quot;%r&quot; %s %b" />
9. System banner
- Stop Tomcat from returning server information in the response header
Set the server attribute on the Connector in server.xml:
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
enableLookups="false" redirectPort="8443" server="Application Server" />
An empty value, server="", is also fine.
- Hide the details on error pages
server.xml
https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Error_Report_Valve
Set the ErrorReportValve attributes showReport and showServerInfo to false, so that error responses no longer leak the stack trace and the server version.
Add the valve inside the Host element:
<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>
web.xml
Set the showServerInfo init-param of the DefaultServlet to false.
Alternatively, create the file CATALINA_BASE/lib/org/apache/catalina/util/ServerInfo.properties
with the content:
server.info=Application Server
Or, change into the apache-tomcat-9.0.53/lib/ directory and run:
jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
This extracts org/apache/catalina/util/ServerInfo.properties from catalina.jar; its contents are as follows:
# cat org/apache/catalina/util/ServerInfo.properties | grep -v '#'
server.info=Apache Tomcat/9.0.53
server.number=9.0.53.0
server.built=Sep 6 2021 19:09:00 UTC
Edit server.info and server.number, then pack the modified org/apache/catalina/util/ServerInfo.properties back into catalina.jar:
jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
10. Disable HTTP methods
In conf/web.xml, make sure the readonly init-param of org.apache.catalina.servlets.DefaultServlet is true (the default). With readonly set to false the DefaultServlet accepts PUT and DELETE, which lets clients write to and delete from the web root.
<init-param>
<param-name>readonly</param-name>
<param-value>true</param-value>
</init-param>
11. Disable directory browsing
conf/web.xml
Set the listings init-param of the DefaultServlet to false (the default).
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
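As an added example (not part of this checklist and not Tomcat's own tooling), the following Python script audits server.xml and conf/web.xml for items 6 to 11 above: it parses both files with the standard library and reports every setting still at its weak value. The two sample configurations embedded in it are constructed for the demonstration; against a real installation, call audit_server_xml with the contents of conf/server.xml and audit_web_xml with the contents of conf/web.xml.

```python
"""Added audit for hardening items 6 to 11 (not Tomcat's own tooling).
Parses server.xml and conf/web.xml with the standard library and lists every
item still at its weak setting; the sample documents below are constructed."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    """Strip a namespace prefix such as '{http://xmlns.jcp.org/xml/ns/javaee}'."""
    return tag.rsplit("}", 1)[-1]


def _true(value, default):
    """Tomcat parses booleans like Boolean.parseBoolean: only 'true' (any case) is true."""
    return default if value is None else value.strip().lower() == "true"


def audit_server_xml(text):
    """Check Server, Connector, Host and Valve settings (items 6 to 9)."""
    findings = []
    server = ET.fromstring(text)
    port = server.get("port", "8005")  # Tomcat's default shutdown port
    if port == "8005":
        findings.append("item 6: shutdown port is the default 8005")
    if port != "-1" and server.get("shutdown", "SHUTDOWN") == "SHUTDOWN":
        findings.append("item 6: shutdown command is the default SHUTDOWN")
    for conn in server.iter("Connector"):
        if not conn.get("server"):
            findings.append(f"item 9: Connector {conn.get('port')} sets no server attribute")
    for host in server.iter("Host"):
        name = host.get("name")
        if _true(host.get("autoDeploy"), True):  # defaults to true
            findings.append(f"item 7: Host {name} has autoDeploy enabled")
        if _true(host.get("deployOnStartup"), False):  # checklist: change it only where present
            findings.append(f"item 7: Host {name} has deployOnStartup enabled")
        # Index the Host's valves by short class name
        valves = {v.get("className", "").rsplit(".", 1)[-1]: v for v in host.findall("Valve")}
        if "AccessLogValve" not in valves:
            findings.append(f"item 8: Host {name} has no AccessLogValve")
        err = valves.get("ErrorReportValve")
        if err is None:
            findings.append(f"item 9: Host {name} has no ErrorReportValve")
        elif _true(err.get("showReport"), True) or _true(err.get("showServerInfo"), True):
            findings.append(f"item 9: Host {name} ErrorReportValve still shows report or server info")
    return findings


def audit_web_xml(text):
    """Check the DefaultServlet init-params (items 9, 10 and 11)."""
    findings, params = [], {}
    for servlet in ET.fromstring(text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = [(c.text or "").strip() for c in servlet if _local(c.tag) == "servlet-class"]
        if cls != [DEFAULT_SERVLET]:
            continue
        for ip in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in ip}
            params[kv.get("param-name")] = kv.get("param-value")
    if not _true(params.get("readonly"), True):  # false lets clients PUT and DELETE files
        findings.append("item 10: DefaultServlet readonly=false permits PUT and DELETE")
    if _true(params.get("listings"), False):
        findings.append("item 11: DefaultServlet listings=true enables directory browsing")
    if _true(params.get("showServerInfo"), True):
        findings.append("item 9: DefaultServlet showServerInfo is not false")
    return findings


# Constructed samples: a stock-looking configuration and a hardened one.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
<Engine name="Catalina" defaultHost="localhost">
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
       prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
</Host></Engine></Service></Server>"""
HARDENED_SERVER_XML = """<Server port="18005" shutdown="stop"><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" enableLookups="false"
           redirectPort="8443" server="Application Server"/>
<Engine name="Catalina" defaultHost="localhost">
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false" deployOnStartup="false">
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
       prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>
</Host></Engine></Service></Server>"""
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0"><servlet>
<servlet-name>default</servlet-name><servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
<init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
</servlet></web-app>"""
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0"><servlet>
<servlet-name>default</servlet-name><servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
<init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
<init-param><param-name>showServerInfo</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""

if __name__ == "__main__":
    for label, doc, check in (("weak server.xml", WEAK_SERVER_XML, audit_server_xml),
                              ("hardened server.xml", HARDENED_SERVER_XML, audit_server_xml),
                              ("weak web.xml", WEAK_WEB_XML, audit_web_xml),
                              ("hardened web.xml", HARDENED_WEB_XML, audit_web_xml)):
        result = check(doc)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

The boolean handling mirrors how Tomcat reads these attributes: only the literal string true (in any case) enables a setting, so a typo such as "ture" in autoDeploy silently disables it while "Flase" in readonly silently leaves uploads enabled; comparing through _true rather than against "false" keeps the audit honest about that.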
12. Error pages
conf/web.xml
Add the following child elements to web-app:
<!-- == Error Pages == -->
<error-page>
<error-code>403</error-code>
<location>/403.html</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>/404.html</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/500.html</location>
</error-page>
<error-page>
<exception-type>java.lang.NullPointerException</exception-type>
<location>/error.</location>
</error-page>
Create ROOT/404.html in the webapps directory and define the custom error message there. Example:
<!doctype html>
<html lang="zh-cn">
<head>
<meta charset="utf-8" />
<title>HTTP status 404 - not found</title>
<style type="text/css">body {font-family:Tahoma,Arial,sans-serif;text-align: center; padding: 50px; background-color:#2d2d2d; color:#fff;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style>
</head>
<body>
<h1>HTTP status 404 - not found</h1>
<hr />
<p><b>Description</b> The origin server cannot find the representation of the target resource or is unwilling to disclose that an existing representation exists.</p>
<hr />
<h3>Application Server</h3>
</body>
</html>
13. Change the website icon
Place a 64 x 64 logo at <Tomcat_Home>/webapps/ROOT/favicon.ico