Tomcat 9 security hardening

Date: 2022-5-7

Apache Tomcat 9 (9.0.53) – Security Considerations

No. | Hardening item | Description | File
1 | Patch installation | Use the latest version of Tomcat |
2 | Directory permissions | Restrict the Tomcat directory's permissions to the user that runs Tomcat |
3 | Run user | The user running Tomcat must not be root |
4 | Remove files and directories unrelated to the project | Delete the default directories under webapps/ |
5 | Remove the console | Disable all users in tomcat-users.xml | tomcat-users.xml
6 | Shutdown port | Change or disable the shutdown port and command | server.xml
7 | Disable automatic deployment | Set autoDeploy to false | server.xml
8 | Enable access logging | localhost_access_log | server.xml
9 | System banner | Hide the version information shown to a telnet probe and in HTTP error responses | server.xml, catalina.jar
10 | Disable HTTP methods | Disable PUT, DELETE and other dangerous HTTP methods | web.xml
11 | Disable directory browsing | Set listings to false | web.xml
12 | Error pages | Custom pages for 404 and java.lang.NullPointerException errors | web.xml
13 | Website icon | Not a security issue and has little impact; some browsers report errors if it is missing | favicon.ico

5. Remove the console

Disable all users in tomcat-users.xml. None are enabled by default.

6. Shutdown port and command

Recommended hardening: change both the port and the shutdown command string away from the defaults (8005 / SHUTDOWN). Anyone who can connect to this port and send the command string stops the server, so the string should not be easy to guess:

<Server port="18005" shutdown="stop">

Alternative method:
Set the port attribute to -1, which disables the shutdown port entirely:

<Server port="-1" shutdown="SHUTDOWN">

With the port disabled, bin/shutdown.sh no longer works and reports: SEVERE: No shutdown port configured. Shut down server through OS signal. Server not shut down.

7. Disable automatic deployment (deploying applications into a running Tomcat)

Set the autoDeploy attribute of the Host element to "false".
If the deployOnStartup attribute is present, set it to "false" as well.

    <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="false">

8. Enable access logging

server.xml
The AccessLogValve is enabled by default; confirm the following Valve is still present under the Host element:

     <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

9. System banner

  1. Stop Tomcat from revealing its product name in the Server response header by setting the server attribute on the Connector:
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"  
enableLookups="false" redirectPort="8443" server="Application Server"  />

An empty value (server="") also works.

  2. Hide server details on error pages

server.xml
Add an ErrorReportValve to the Host element with showReport and showServerInfo set to false, so that error pages no longer leak stack traces and the server version (see https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Error_Report_Valve). Attribute names are case sensitive:

<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>

web.xml
Also set the DefaultServlet's showServerInfo init-param to false.

Alternatively, create the file CATALINA_BASE/lib/org/apache/catalina/util/ServerInfo.properties with the content:

server.info=Application Server

or

change to the apache-tomcat-9.0.53/lib/ directory and run:

jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties

This extracts org/apache/catalina/util/ServerInfo.properties from catalina.jar; with comment lines stripped, it contains:

# cat org/apache/catalina/util/ServerInfo.properties | grep -v '#'

server.info=Apache Tomcat/9.0.53
server.number=9.0.53.0
server.built=Sep 6 2021 19:09:00 UTC

Change the values of server.info and server.number.

Then run the following to write the modified org/apache/catalina/util/ServerInfo.properties back into catalina.jar:

jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties

10. Disable HTTP methods

In conf/web.xml, make sure the readonly init-param of the DefaultServlet (org.apache.catalina.servlets.DefaultServlet) is true, which is also the default. With readonly set to false Tomcat accepts PUT and DELETE and lets clients write files into the web root, which is exactly what this item is meant to prevent.

        <init-param>
            <param-name>readonly</param-name>
            <param-value>true</param-value>
        </init-param>

11. Prohibit directory browsing

conf/web.xml
Set the listings init-param of the DefaultServlet to false (the default):

        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
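As an added check that is not part of the original post, the script below parses a server.xml and a web.xml and reports which of items 6, 7, 9, 10 and 11 above are not applied. The two sample documents are constructed inline for illustration; the function names audit_server_xml and audit_web_xml are chosen here.

```python
import xml.etree.ElementTree as ET
# Constructed sample configs (not the page's files): shutdown port off, autoDeploy on, DefaultServlet writable.
SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" autoDeploy="true">
      <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false"/>
    </Host></Engine></Service></Server>"""
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet><servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
ERV = "org.apache.catalina.valves.ErrorReportValve"
DS = "org.apache.catalina.servlets.DefaultServlet"
def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the xmlns prefix ElementTree keeps on tags
def audit_server_xml(text):
    # Items 6, 7 and 9: shutdown port, autoDeploy, Server header and error valve.
    root, findings = ET.fromstring(text), []
    port, cmd = root.get("port", "8005"), root.get("shutdown", "SHUTDOWN")
    if port != "-1" and (port == "8005" or cmd == "SHUTDOWN"):
        findings.append("shutdown port uses the default port or command string")
    for c in root.iter("Connector"):
        if c.get("server") is None:
            findings.append(f"Connector {c.get('port')}: server attribute not set")
    for h in root.iter("Host"):
        if h.get("autoDeploy", "true") != "false":
            findings.append(f"Host {h.get('name')}: autoDeploy enabled")
        erv = next((v for v in h.findall("Valve") if v.get("className") == ERV), None)
        if erv is None or (erv.get("showReport"), erv.get("showServerInfo")) != ("false", "false"):
            findings.append(f"Host {h.get('name')}: ErrorReportValve leaks report or server info")
    return findings
def audit_web_xml(text):
    # Items 10 and 11: the DefaultServlet must stay read-only with listings off.
    root, findings = ET.fromstring(text), []
    for s in (e for e in root.iter() if _local(e.tag) == "servlet"):
        if not any(_local(k.tag) == "servlet-class" and (k.text or "").strip() == DS for k in s):
            continue
        kvs = [{_local(k.tag): (k.text or "").strip() for k in p} for p in s if _local(p.tag) == "init-param"]
        params = {kv.get("param-name"): kv.get("param-value") for kv in kvs}
        for name, safe, msg in (("readonly", "true", "readonly=false permits PUT/DELETE"),
                                ("listings", "false", "directory listings enabled")):
            if params.get(name, safe) != safe:
                findings.append(f"DefaultServlet: {msg}")
    return findings

if __name__ == "__main__":
    for f in audit_server_xml(SERVER_XML) + audit_web_xml(WEB_XML):
        print("FINDING:", f)
```

Run it against your own files by passing the contents of conf/server.xml and conf/web.xml to the two functions; an empty list means the checked items are in place.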

12. Error pages

conf/web.xml
Add the following child elements to the <web-app> element:

  <!-- == Error Pages == -->
    <error-page>
        <error-code>403</error-code>
        <location>/403.html</location>
    </error-page>

    <error-page>
        <error-code>404</error-code>
        <location>/404.html</location>
    </error-page>

    <error-page>
        <error-code>500</error-code>
        <location>/500.html</location>
    </error-page>

    <error-page>
        <exception-type>java.lang.NullPointerException</exception-type>
        <location>/error.</location>
    </error-page>

Create ROOT/404.html under the webapps directory with a custom error message, for example:

<!doctype html>
<html lang="zh-cn">
<head>
  <meta charset="utf-8" />
  <title>HTTP status 404 - not found</title>
  <style type="text/css">body {font-family:Tahoma,Arial,sans-serif;text-align: center; padding: 50px; background-color:#2d2d2d; color:#fff;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style>
</head>
<body>
  <h1>HTTP status 404 - not found</h1>
  <hr />
  <p><b>Description</b> The origin server cannot find a representation of the target resource or is unwilling to disclose that one exists.</p>
  <hr />
  <h3>Application Server</h3>
</body>
</html>

13. Change the website icon

Place a 64x64 icon at <Tomcat_Home>/webapps/ROOT/favicon.ico