Tomcat Security Configuration


Author: duplicate_tony | Published 2018-05-23 21:51 | Read 0 times

    Two high-severity vulnerabilities were reported against my project this week, which is quite embarrassing. Both are related to Tomcat security configuration. It also proves that I do not look closely at the details and lack sensitivity to security issues. Time to go through Tomcat's officially recommended security configuration.

    CIS Apache Tomcat 7 Benchmark

    1. Remove extraneous resources.
      a) Remove extraneous files and directories. Delete the sample and administrative
      webapps that ship with the distribution and are not needed in production:
      rm -rf $CATALINA_HOME/webapps/js-examples, servlet-example, webdav, tomcat-docs,
      balancer, ROOT/admin, examples, and the manager application
      (in a stock Tomcat 7 these appear as webapps/docs, examples, host-manager and manager).
      b) Disable unused connectors (server.xml). The default server.xml defines
      a non-SSL HTTP connector bound to port 8080 and
      an AJP 1.3 connector bound to port 8009;
      comment out or remove whichever of them is not actually in use.

    2. Limit server platform information leaks
      a) Alter the advertised server.info, server.number and server.built
      (org/apache/catalina/util/ServerInfo.properties inside lib/catalina.jar).
      These values appear on Tomcat's default error pages (for example a 403 response);
      not exposing the exact container version makes targeted attacks harder.
      b) Disable the X-Powered-By HTTP header and rename the server value for all
      connectors (server.xml): xpoweredBy="false" and server="<some generic value>".
      c) Disable client-facing stack traces by mapping every exception to a custom
      error page (web.xml):
      <error-page>
      <exception-type>java.lang.Throwable</exception-type>
      <location>/err.jsp</location>
      </error-page>
      so that exception details are never handed straight back to the requestor.
      allowTrace="false" on each Connector (server.xml) rejects HTTP TRACE requests.

    3. Protect the shutdown port
      Protect the shutdown port: change the shutdown command on the Server element
      (the "SHUTDOWN" string accepted on port 8005) to a non-default value.
      Disable the shutdown port: set port="-1" on the Server element.

    4. Protect Tomcat configurations
      Restrict ownership and permissions (the benchmark uses chown tomcat_admin:tomcat
      and chmod g-w,o-rwx, i.e. no group write and no access for others) on:
      a) $CATALINA_HOME
      b) $CATALINA_BASE
      c) $CATALINA_HOME/conf, /logs, /temp, /bin, /webapps
      d) catalina.policy, catalina.properties
      e) $CATALINA_HOME/conf/context.xml, logging.properties, server.xml, tomcat-users.xml, web.xml
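As an added example (not code from the original post or from the CIS benchmark), the check below walks a Tomcat tree and reports every entry that still has group-write or any "others" permission, then applies the chmod g-w,o-rwx target from section 4. The demo() function builds a throw-away CATALINA_HOME-shaped tree in a temporary directory with constructed, deliberately loose modes; the tomcat_admin:tomcat ownership step is left to the administrator because it needs real accounts.

```python
import os
import shutil
import stat
import tempfile

# The benchmark's target is chmod g-w,o-rwx: no group write, nothing for others.
FORBIDDEN_BITS = stat.S_IWGRP | stat.S_IRWXO


def _entries(root):
    """Yield root and every file/directory below it, skipping symlinks."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                yield path


def audit_tree(root):
    """Return sorted findings for entries whose mode has a forbidden bit set."""
    findings = []
    for path in _entries(root):
        mode = os.stat(path).st_mode
        rel = os.path.relpath(path, root)
        if mode & stat.S_IWGRP:
            findings.append("%s: group-writable" % rel)
        if mode & stat.S_IRWXO:
            findings.append("%s: accessible to others" % rel)
    return sorted(findings)


def harden_tree(root):
    """Apply chmod g-w,o-rwx to every entry (ownership is left to the admin)."""
    for path in _entries(root):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        os.chmod(path, mode & ~FORBIDDEN_BITS)


def demo():
    """Build a constructed tree with typical loose modes, audit it, harden it,
    audit again. Returns (findings_before, findings_after)."""
    base = tempfile.mkdtemp(prefix="catalina_home_")
    try:
        os.chmod(base, 0o750)
        # (relative path, mode); modes are set explicitly so the umask does not interfere.
        layout = [("conf", 0o755), ("conf/server.xml", 0o644),
                  ("conf/tomcat-users.xml", 0o664), ("logs", 0o770),
                  ("bin", 0o750), ("bin/catalina.sh", 0o750)]
        for rel, mode in layout:
            path = os.path.join(base, rel)
            if "." in os.path.basename(rel):
                open(path, "w").close()
            else:
                os.mkdir(path)
            os.chmod(path, mode)
        before = audit_tree(base)
        harden_tree(base)
        after = audit_tree(base)
        return before, after
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after)
```

Run it against a real installation with audit_tree("/opt/tomcat") (path assumed) before deciding whether harden_tree is safe to apply; a web application that writes into webapps or temp at runtime needs the tomcat group to retain its own bits, which this check does not remove.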

    5. Configure Realms (server.xml)
      MemoryRealm, JDBCRealm, UserDatabaseRealm and JAASRealm are flagged by the benchmark as
      not suitable for production; use a realm such as JNDIRealm or DataSourceRealm instead,
      wrapped in a LockOutRealm so that repeated failed logins lock the account.

    6. Connector security
      a) clientAuth="true" requires a client certificate (mutual TLS).
      b) SSLEnabled="true" secure="true" sslProtocol="TLS"
      c) scheme="https"
      Also control the cipher suites: set the ciphers attribute so that only the
      specified suites are accepted.
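As an added example (not code from the original post or from the CIS benchmark), the following audit parses a server.xml and reports which of the items in sections 1b, 2b, 2c (allowTrace), 3, 5 and 6 are still at their weak setting. Both server.xml samples are constructed for the example; the cipher name, keystore path and password, and LDAP URL in the hardened sample are placeholders, not recommendations.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a stock-looking, trimmed Tomcat 7 server.xml with the weak defaults.
WEAK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: the same file after sections 1b, 2b, 2c, 3, 5 and 6 (placeholder values).
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" secure="true" scheme="https" sslProtocol="TLS"
               clientAuth="true" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"
               server="Web" xpoweredBy="false" allowTrace="false"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="5" lockOutTime="300">
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionURL="ldap://ldap.example.com:389"
               userPattern="uid={0},ou=people,dc=example,dc=com"/>
      </Realm>
      <Host name="localhost" appBase="webapps" unpackWARs="true"
            autoDeploy="false" deployOnStartup="false"/>
    </Engine>
  </Service>
</Server>
"""

DISCOURAGED_REALMS = ("MemoryRealm", "JDBCRealm", "UserDatabaseRealm", "JAASRealm")


def _is_true(el, attr, default="false"):
    return el.get(attr, default).strip().lower() == "true"


def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []

    # Section 3: port="-1" disables the shutdown port; otherwise the command must not be the default.
    if root.get("port", "8005") != "-1" and root.get("shutdown", "") == "SHUTDOWN":
        findings.append("Server: shutdown port enabled with the default SHUTDOWN command")

    for c in root.iter("Connector"):
        port = c.get("port", "?")
        proto = c.get("protocol", "HTTP/1.1").lower()
        if "ajp" in proto:
            # Section 1b: AJP is only needed behind a web server that speaks it.
            findings.append("Connector %s: AJP connector present; remove it unless a front-end proxy uses it" % port)
        elif not _is_true(c, "SSLEnabled"):
            # Section 1b: plaintext HTTP.
            findings.append("Connector %s: non-SSL HTTP connector; remove it or move to TLS" % port)
        else:
            # Section 6: TLS connector attributes.
            for attr, want in (("secure", "true"), ("scheme", "https"), ("clientAuth", "true")):
                if c.get(attr, "") != want:
                    findings.append("Connector %s: %s should be %s" % (port, attr, want))
            if not c.get("ciphers"):
                findings.append("Connector %s: no explicit ciphers list" % port)
        # Section 2b: version leakage through X-Powered-By and the Server header.
        if _is_true(c, "xpoweredBy"):
            findings.append("Connector %s: xpoweredBy should be false" % port)
        if not c.get("server"):
            findings.append("Connector %s: Server header value not overridden" % port)
        # Section 2c: TRACE.
        if _is_true(c, "allowTrace"):
            findings.append("Connector %s: allowTrace should be false" % port)

    # Section 5: realm choice, and LockOutRealm wrapping at the Engine level.
    for r in root.iter("Realm"):
        cls = r.get("className", "").rsplit(".", 1)[-1]
        if cls in DISCOURAGED_REALMS:
            findings.append("Realm %s: not recommended for production" % cls)
    for engine in root.iter("Engine"):
        top = engine.find("Realm")
        if top is None or not top.get("className", "").endswith("LockOutRealm"):
            findings.append("Engine %s: realm is not wrapped in a LockOutRealm" % engine.get("name"))
    return findings


if __name__ == "__main__":
    for name, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        result = audit_server_xml(xml_text)
        print("%s: %d finding(s)" % (name, len(result)), *result, sep="\n  ")
```

To run it against a live instance, pass open("/opt/tomcat/conf/server.xml").read() (path assumed). The Engine-level check deliberately looks only at the direct child Realm: a LockOutRealm nested under another realm does not protect the outer one.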

    7. Establish and protect logging facilities
      A per-application logging.properties lives in $CATALINA_BASE/webapps/<app_name>/WEB-INF/classes
      and should write to a file handler (handlers=org.apache.juli.FileHandler) rather than the console.
      Enable the access log in context.xml: <Valve className="org.apache.catalina.valves.AccessLogValve" ...>
      Restrict the permissions of the log directory, and set the access log pattern and the
      file handler's rotation/size limits.

    8. Configure Catalina policy
      catalina.policy holds the Security Manager permissions; catalina.properties
      (package.access) restricts runtime access to sensitive packages.

    9. Application deployment
      a) Start Tomcat with the Security Manager (catalina.sh start -security).
      b) Disable auto deployment of applications:
      server.xml (Host element) autoDeploy="false"
      c) Disable deploy-on-startup of applications:
      server.xml (Host element) deployOnStartup="false"

    10. Miscellaneous configuration settings
      a) Ensure the web content directory is on a separate partition from the Tomcat system files.
      b) Restrict access to the web administration interface:
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1"/>
      (in Tomcat 7 the allow value is a regular expression matched against the whole client address.)
      c) manager.xml (the manager's context file) confines the manager to the local machine.
      d) webapps/manager/WEB-INF/web.xml requires TLS for the manager:
      <security-constraint>
      <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
      </security-constraint>
      e) connectionTimeout: set a finite value on each Connector (the benchmark uses 60000 ms).
      f) maxHttpHeaderSize: bound the request header size (the benchmark uses 8192 bytes).
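As an added example (not code from the original post or from the CIS benchmark), the checks below cover the deployment flags of section 9 and the manager lockdown of sections 2c and 10b-10d: the Host attributes, which client addresses a RemoteAddrValve in the manager context actually admits, and whether the manager's web.xml carries an error page for Throwable and a CONFIDENTIAL transport guarantee. All XML samples are constructed; the valve's allow pattern is the loopback-only expression Tomcat 7 uses for its own manager context.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: Host with both deployment flags turned off (section 9b/9c).
HOST_XML = ('<Host name="localhost" appBase="webapps" unpackWARs="true" '
            'autoDeploy="false" deployOnStartup="false"/>')

# Constructed sample manager context. Tomcat 7's RemoteAddrValve treats allow/deny
# as regular expressions matched against the whole client address.
MANAGER_CONTEXT_XML = r"""<Context privileged="true" antiResourceLocking="false"
         docBase="${catalina.home}/webapps/manager">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>"""

# Constructed sample manager web.xml (sections 2c and 10d).
MANAGER_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Manager</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager-gui</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/err.jsp</location>
  </error-page>
</web-app>"""


def check_host(host_xml):
    """Section 9b/9c: both attributes default to true, so a missing attribute is weak."""
    host = ET.fromstring(host_xml)
    findings = []
    for attr in ("autoDeploy", "deployOnStartup"):
        if host.get(attr, "true").lower() != "false":
            findings.append("Host %s: %s should be false" % (host.get("name"), attr))
    return findings


def manager_allowed_clients(context_xml, probe_ips):
    """Section 10b/10c: which of probe_ips would the RemoteAddrValve let through?
    Mirrors the valve's decision order: deny match -> reject; allow match -> accept;
    deny set but no allow -> accept the rest; otherwise (incl. neither set) -> reject."""
    ctx = ET.fromstring(context_xml)
    valve = next((v for v in ctx.iter("Valve")
                  if v.get("className", "").endswith("RemoteAddrValve")), None)
    if valve is None:
        return list(probe_ips)  # no valve at all: every client reaches the manager
    allow = valve.get("allow") or None  # Tomcat treats an empty attribute as unset
    deny = valve.get("deny") or None
    allowed = []
    for ip in probe_ips:
        if deny and re.fullmatch(deny, ip):
            continue
        if allow and re.fullmatch(allow, ip):
            allowed.append(ip)
        elif deny and not allow:
            allowed.append(ip)
    return allowed


def check_manager_web_xml(web_xml):
    """Sections 2c and 10d: a Throwable error page and a CONFIDENTIAL transport guarantee."""
    root = ET.fromstring(web_xml)
    local = lambda el: el.tag.rsplit("}", 1)[-1]  # strip the web-app namespace
    texts = lambda name: [el.text.strip() for el in root.iter() if local(el) == name and el.text]
    findings = []
    if "CONFIDENTIAL" not in texts("transport-guarantee"):
        findings.append("web.xml: no security-constraint with transport-guarantee CONFIDENTIAL")
    if "java.lang.Throwable" not in texts("exception-type"):
        findings.append("web.xml: no error-page for java.lang.Throwable")
    return findings


if __name__ == "__main__":
    print("host:", check_host(HOST_XML))
    print("manager reachable from:",
          manager_allowed_clients(MANAGER_CONTEXT_XML, ["127.0.0.1", "::1", "192.168.1.20"]))
    print("manager web.xml:", check_manager_web_xml(MANAGER_WEB_XML))
```

The reject-by-default branch matters in practice: a RemoteAddrValve with neither allow nor deny blocks everyone, while no valve at all exposes the manager to any client that can reach the connector.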

Link: https://www.haomeiwen.com/subject/myvdjftx.html