Tomcat安全配置

本周项目被报两个高危漏洞， 甚是丢脸。 都是与tomcat安全配置相关。也证明了自己对细节问题不求甚解，对安全问题缺乏敏感性。 抓紧时间看一遍tomcat官方推荐的安全配置。

CIS Apache Tomcat 7 Benchmark

1. Remove extraneous resources.
   a) remove extraneous files and directories
   rm -rf $CATALINA_HOME/webapps/js-examples, servlet-
   example, webdav, tomcat -
   docs,balancer,ROOT/admin,examples,
   manger application
   b) Disable Unused Connectors (server.xml)
   A non-ssl connector bound to port 8080
   A AJP 1.3 connector bound to port 8009

2. Limit Server Platform Information Leaks
   a) Alter the advertised server.info. server.number, server.built
   catalina.jar --> server.info
   这个主要影响403返回,尽量不暴露容器具体版本.防止针对性攻击.
   b) Disable x-powered-by http header and rename the server value for all connectors (server.xml)
   c) Disable client facing Stack Traces
   <error-page>
   <exception-type>java.lang.Throwable</exception-type>
   <location>/err.jsp</location>
   </error-page>
   错误信息设置,防止直接丢给requestor (web.xml)
   allowTrace = false (server.xml) 防止Trace HTTP request.

3. Protect shutdown prot
   Protect shutdown port 改变8005对应的值
   Disable the shutdown port 直接设置端口= -1

4. Protect tomcat configurations
   a) $CATALINA_HOME
   b) $CATALINA_BASE
   c)$CATALINA_HOME/conf /log /temp /bin /webapps
   d) catalina.policy, catalina.properties
   e) $CATALINA_HOME/conf/context.xml logging.properties server.xml tomcat-users.xml web.xml

5. Configure Realms.
   MemoryRealm, JDBCRealm, UserDatabaseRealm, JAASRealm. --- Server.xml
   LockOutRealm

6. Connector Security
   a) clientAuth = true 双向认证.
   b) SSLEnabled = true secure = true sslProtocol = "TLS"
   c) schema = https
   还有cipher suite控制, 只接受指定的cipher suite.

7. Establish and Protect Logging Facilities
   logging.properties $CATALINA_BASE\webapps<app_name>\WEB-INF\classes
   handlers=org.apache.juli.FileHandler ???
   context.xml <Valve className="org.apach.catalina.valves.AccessLogValve">
   限制log文件夹, pattern, size

8. Configure Catalina Policy
   catalina.properties

9. Application Deployment
   a) Starting tomcat with Security Manager
   b) Disabling auto deployment of applications
   server.xml autoDeploy = "false"
   c) Disable deploy on startup of applications
   server.xml deployOnStartup = "false"

10. Miscellaneous Configuration Settings
    a) Ensure Web content directory is on a separate partition from the tomcat system files
    b) Restrict access to the web administration.
    <Valve calssName ="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1"/>
    c) manager.xml 限制在本机
    d) webapps/manager/WEB-INF/web.xml
    <security-constraint>
    <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    </secuirty-constraint>
    e) connectionTimeout
    f) maxHttpHeaderSize