This week my project was reported with two high-severity vulnerabilities, which is quite embarrassing. Both are related to Tomcat security configuration. It also proves that I don't dig into the details and lack sensitivity to security issues. Time to go through Tomcat's officially recommended security configuration.
CIS Apache Tomcat 7 Benchmark

Remove extraneous resources
a) Remove extraneous files and directories:
rm -rf $CATALINA_HOME/webapps/{js-examples,servlet-example,webdav,tomcat-docs,balancer,ROOT/admin,examples}
and remove the manager application if it is not needed.
b) Disable unused connectors (server.xml):
the non-SSL HTTP connector bound to port 8080 and the AJP 1.3 connector bound to port 8009.
Limit server platform information leaks
a) Alter the advertised server.info, server.number and server.built values (org/apache/catalina/util/ServerInfo.properties inside catalina.jar).
This mainly affects what the 403 response shows; avoid exposing the exact container version, which would invite targeted attacks.
b) Disable the X-Powered-By HTTP header and rename the server value for all connectors (server.xml).
c) Disable client-facing stack traces by defining a catch-all error page in web.xml:
<error-page>
  <exception-type>java.lang.Throwable</exception-type>
  <location>/err.jsp</location>
</error-page>
This keeps error details from being handed straight back to the requester.
d) allowTrace="false" (server.xml) refuses HTTP TRACE requests.
Protect the shutdown port
Protect the shutdown port: change the value 8005 to a different port.
Disable the shutdown port: set port="-1".
Protect Tomcat configurations (restrict ownership and permissions on):
a) $CATALINA_HOME
b) $CATALINA_BASE
c) $CATALINA_HOME/conf, /logs, /temp, /bin, /webapps
d) catalina.policy, catalina.properties
e) $CATALINA_HOME/conf/context.xml, logging.properties, server.xml, tomcat-users.xml, web.xml
Configure Realms
MemoryRealm, JDBCRealm, UserDatabaseRealm, JAASRealm (server.xml); the benchmark recommends against relying on these in production.
LockOutRealm: wraps the authentication realm so that repeated failed logins lock the account out.
Connector security
a) clientAuth="true" for mutual (two-way) TLS authentication.
b) SSLEnabled="true" secure="true" sslProtocol="TLS"
c) scheme="https"
Also control the cipher suites so that only the specified ones are accepted.
Establish and protect logging facilities
Application-specific logging.properties in $CATALINA_BASE/webapps/<app_name>/WEB-INF/classes with handlers=org.apache.juli.FileHandler
context.xml: <Valve className="org.apache.catalina.valves.AccessLogValve" .../>
Restrict the log directory, and set the log pattern and size.
Configure Catalina Policy
catalina.properties: restrict runtime access to sensitive packages (package.access, package.definition).
Application deployment
a) Start Tomcat with the Security Manager.
b) Disable auto-deployment of applications: server.xml autoDeploy="false"
c) Disable deployment of applications on startup: server.xml deployOnStartup="false"
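To check the server.xml items in this list mechanically (shutdown port, X-Powered-By, allowTrace, Server value, unused connectors, autoDeploy, deployOnStartup), here is an added example that is not from the benchmark or this post: it parses a constructed server.xml and reports every setting still at the default the checklist says to change. The sample XML, the finding labels and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not a real deployment): Tomcat 7 defaults,
# i.e. the settings the checklist above tells you to change.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" xpoweredBy="true"/>
    <Connector port="8009" protocol="AJP/1.3"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" sslProtocol="TLS" server="web"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
"""

def _flag(elem, attr, default):
    """Boolean attribute, using Tomcat's documented default when it is absent."""
    return elem.get(attr, default).strip().lower() == "true"

def audit_server_xml(xml_text):
    """Return (item, detail) findings for the server.xml items in this checklist."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("port") == "8005":
        findings.append(("shutdown-port", 'default 8005: change it or set port="-1"'))
    for c in root.iter("Connector"):
        port = c.get("port", "?")
        if c.get("protocol", "HTTP/1.1").startswith("AJP"):
            findings.append(("ajp-connector", f"AJP connector on {port}: remove if unused"))
            continue
        if _flag(c, "xpoweredBy", "false"):
            findings.append(("x-powered-by", f"connector {port} sends X-Powered-By"))
        if _flag(c, "allowTrace", "false"):
            findings.append(("allowTrace", f"connector {port} answers HTTP TRACE"))
        if c.get("server") is None:
            findings.append(("server-header", f"connector {port} uses default Server value"))
        if not _flag(c, "SSLEnabled", "false"):
            findings.append(("non-ssl-connector", f"plain HTTP on {port}: disable if unused"))
    for h in root.iter("Host"):
        name = h.get("name", "?")
        if _flag(h, "autoDeploy", "true"):
            findings.append(("autoDeploy", f'host {name}: set autoDeploy="false"'))
        if _flag(h, "deployOnStartup", "true"):
            findings.append(("deployOnStartup", f'host {name}: set deployOnStartup="false"'))
    return findings

if __name__ == "__main__":
    for item, detail in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"[{item}] {detail}")
```

Run it against a real $CATALINA_BASE/conf/server.xml by reading the file into audit_server_xml; an empty list means every checked item is already in the hardened state.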
Miscellaneous configuration settings
a) Ensure the web content directory is on a separate partition from the Tomcat system files.
b) Restrict access to the web administration interface:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1"/>
c) manager.xml: restrict the manager to the local host.
d) webapps/manager/WEB-INF/web.xml: add a user-data-constraint to the manager's security-constraint so it is only reachable over TLS:
<security-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
e) connectionTimeout: set an explicit connection timeout.
f) maxHttpHeaderSize: limit the maximum HTTP header size.