Tomcat hardening
1. Version selection
Use a release later than 9.0.37 on the 9.0.x branch, later than 8.5.57 on 8.5.x, or later than 7.0.103 on 7.0.x. Treat these numbers as a floor, not a target: each branch keeps receiving security fixes, so track its current release (and note that 7.0.x reached end of life in March 2021 and no longer gets any).
2. Remove unnecessary components
Delete the docs, examples, host-manager, manager and ROOT directories under webapps. None of them is needed to serve your own applications: docs and ROOT reveal the version, examples is a well-known collection of demo servlets and JSPs, and the two manager applications allow remote deployment if their credentials are ever obtained. If the manager is genuinely needed, keep it but restrict it to trusted addresses with a RemoteAddrValve and a strong password.
3.权限控制
使用非root运行tomcat,例如建立tomcat用户来运行tomcat
4. Close unnecessary ports and services
Disable AJP by commenting out the AJP connector in conf/server.xml:
<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
AJP is only needed when a front end such as Apache httpd (mod_jk or mod_proxy_ajp) talks to Tomcat over it. Since 7.0.100, 8.5.51 and 9.0.31 the connector ships commented out, binds to the loopback address and requires a shared secret (secretRequired defaults to true); if it has to stay enabled, keep those three restrictions and firewall the port. Afterwards check with ss -ltnp (or netstat) that only the ports you expect are listening.
5. Hide version information
Edit conf/server.xml and add a server attribute to each Connector so the Server response header no longer identifies Tomcat (on Tomcat 7 the default header is Apache-Coyote/1.1; 8.5 and later send no Server header unless an application sets one, and this attribute overrides that too). Example:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
server="XXXXXX"/>
Then change the version strings in $CATALINA_HOME/lib/catalina.jar::org/apache/catalina/util/ServerInfo.properties (unpack that one file from the jar, edit it, and put it back with jar uf or zip; a jar is a plain zip archive) to something like the following, one key per line:
server.info=sinosig
server.number=1
server.built=2020
These values feed the startup banner and the default error pages. This only hides the version; it does not make an outdated build any safer, so item 1 still applies, and the edit has to be repeated after every upgrade because the jar is replaced.
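How the ServerInfo.properties edit can be scripted, as an added example that is not from this page or from the Tomcat project: Python's zipfile rewrites the entry inside catalina.jar in place of the manual unpack/edit/repack. The jar the demo creates is a constructed stand-in with stock-looking values, not a real catalina.jar; in practice point rewrite_server_info at $CATALINA_HOME/lib/catalina.jar with Tomcat stopped and keep a backup of the jar.

```python
import os
import tempfile
import zipfile

# Fixed path of the banner file inside $CATALINA_HOME/lib/catalina.jar.
SERVER_INFO_PATH = "org/apache/catalina/util/ServerInfo.properties"

# Values from the page; any neutral strings work, the point is to drop
# "Apache Tomcat/x.y.z" from the banner and the default error pages.
NEW_PROPS = {"server.info": "sinosig", "server.number": "1", "server.built": "2020"}


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comments dropped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def rewrite_server_info(jar_path: str, new_props: dict) -> dict:
    """Replace the version keys in ServerInfo.properties inside jar_path.

    A zip entry cannot be edited in place, so every entry is copied into a
    temporary jar next to the original, the properties entry is swapped, and
    the temp file is atomically moved over the original (which is why Tomcat
    must be stopped). Returns the properties as written."""
    with zipfile.ZipFile(jar_path) as src:
        props = parse_properties(src.read(SERVER_INFO_PATH).decode("utf-8"))
    props.update(new_props)
    body = "".join(f"{k}={v}\n" for k, v in props.items()).encode("utf-8")

    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(jar_path) or ".", suffix=".jar")
    os.close(fd)
    try:
        with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename == SERVER_INFO_PATH:
                    dst.writestr(info, body)  # reuse the ZipInfo: same name and compression
                else:
                    dst.writestr(info, src.read(info))
        os.replace(tmp_path, jar_path)
    except BaseException:
        os.unlink(tmp_path)
        raise
    return props


def read_server_info(jar_path: str) -> str:
    """Read the banner file back, e.g. to verify the edit."""
    with zipfile.ZipFile(jar_path) as jar:
        return jar.read(SERVER_INFO_PATH).decode("utf-8")


def make_demo_jar(directory: str) -> str:
    """Constructed stand-in for catalina.jar (not a real Tomcat jar): one dummy
    class entry plus a ServerInfo.properties with stock-looking values."""
    path = os.path.join(directory, "catalina.jar")
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("org/apache/catalina/util/ServerInfo.class", b"\xca\xfe\xba\xbe")
        jar.writestr(SERVER_INFO_PATH,
                     "# constructed sample\n"
                     "server.info=Apache Tomcat/9.0.37\n"
                     "server.number=9.0.37.0\n"
                     "server.built=Jun 30 2020 16:31:17 UTC\n")
    return path


def demo() -> dict:
    """Create the sample jar in a temp dir, rewrite it and return what is inside."""
    with tempfile.TemporaryDirectory() as d:
        jar = make_demo_jar(d)
        written = rewrite_server_info(jar, NEW_PROPS)
        with zipfile.ZipFile(jar) as z:
            names = z.namelist()
        return {"props": written, "text": read_server_info(jar), "entries": names}


if __name__ == "__main__":
    print(demo()["text"])
```

After running it against the real jar, start Tomcat and confirm the banner in catalina.out and a deliberately triggered 404 no longer show the version; the other entries in the jar are copied byte for byte, so the class files are untouched.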
6. Disable automatic deployment
Change the Host element in conf/server.xml as shown, so a WAR or directory that appears in webapps at run time (dropped there by an operator, or written by a compromised application) is neither deployed automatically nor unpacked on disk:
<Host name="localhost" appBase="webapps" unpackWARs="false" autoDeploy="false">
Applications already present in webapps are still deployed at startup (deployOnStartup defaults to true); new ones then require a restart or an explicit deployment.
7. Custom error pages
Add the following before </web-app> in conf/web.xml (the global descriptor, so it applies to every web application):
<error-page>
<error-code>404</error-code>
<location>/404.html</location>
</error-page>
<error-page>
<error-code>403</error-code>
<location>/403.html</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/500.html</location>
</error-page>
Then create 404.html, 403.html and 500.html in the root of each web application (for the application served at /, the one that replaces ROOT), not in the Tomcat installation directory: <location> is resolved relative to the application's context, and if the page is missing Tomcat falls back to its default error report. An additional entry with <exception-type>java.lang.Throwable</exception-type> in place of <error-code> also covers uncaught exceptions, which otherwise produce a stack trace.
8. Disable AJP management
This is the same AJP connector as in item 4; make sure the line in conf/server.xml stays commented out, including after upgrades or when a server.xml from an older installation is restored:
<!--<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />-->
9. Enable HttpOnly session cookies
Edit conf/context.xml and set useHttpOnly on the Context element. The attribute name is case-sensitive: usehttponly, as it is often copied around, is not a recognised property and is ignored. Since Tomcat 7 the default is already true, so the explicit setting mainly prevents someone from switching it off later:
<Context useHttpOnly="true">
<!-- Default set of monitored resources -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<!-- Uncomment this to disable session persistence across Tomcat restarts -->
<!--
<Manager pathname="" />
-->
<!-- Uncomment this to enable Comet connection tracking (provides events
on session expiration as well as webapp lifecycle) -->
<!--
<Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
-->
</Context>
HttpOnly keeps JSESSIONID out of reach of document.cookie, which limits what an XSS can steal; on HTTPS sites also mark the cookie Secure through the session-config cookie-config element of the application's web.xml.
10. Change the shutdown command
Edit conf/server.xml and replace SHUTDOWN in <Server port="8005" shutdown="SHUTDOWN"> with a long random string. The value is an XML attribute: use straight quotes, and escape & as &amp; and < as &lt;, otherwise the file no longer parses:
<Server port="8005" shutdown="j^&amp;&amp;Up?HHJYT$@">
The listener accepts the command only on the loopback address by default, so the string protects against local users, not the network. Setting port="-1" disables the listener altogether; Tomcat must then be stopped through the process instead (catalina.sh stop -force with CATALINA_PID set, or a service manager), because shutdown.sh relies on this port.
11. Enable access logging
Edit conf/server.xml and make sure the AccessLogValve inside the Host element is present and not commented out (element and attribute names are case-sensitive: Valve, className, directory, suffix, pattern):
<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs" prefix="localhost_access_log." suffix=".txt"
pattern="common" resolveHosts="false"/>
resolveHosts is a Tomcat 7 attribute; on Tomcat 8 and later it is not recognised, and reverse DNS lookups are governed by the Connector's enableLookups (default false) instead. pattern="combined" additionally records Referer and User-Agent, which is worth the disk space when you have to reconstruct an incident; ship the files to a central log host so a compromise of the server does not also erase its trail.
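A check for the server.xml and context.xml settings from items 4, 5, 6, 9, 10 and 11, written as an added example (it is not part of the original checklist and not Tomcat's own tooling): it parses the files with ElementTree and lists what is still at the weak default, which is a quick way to audit a fleet after applying the steps above. The two sample files are constructed here from the page's snippets; the hardened one also shows the shutdown string with & escaped as it must be inside an XML attribute.

```python
import xml.etree.ElementTree as ET

ACCESS_LOG_VALVE = "org.apache.catalina.valves.AccessLogValve"
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_server_xml(xml_text: str) -> list:
    """Return human-readable findings for one server.xml.

    ElementTree discards XML comments, so a commented-out AJP connector is
    invisible here, which is exactly the 'disabled' state the page asks for."""
    root = ET.fromstring(xml_text)
    findings = []

    # Item 10: the shutdown command. port="-1" turns the listener off entirely.
    if root.get("port", "8005") != "-1" and root.get("shutdown", "SHUTDOWN") == "SHUTDOWN":
        findings.append("Server: shutdown command is the default SHUTDOWN")

    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("protocol", "HTTP/1.1").startswith("AJP"):
            # Items 4/8: AJP should be commented out; if kept, it must be
            # bound to loopback and carry a shared secret.
            if conn.get("address") not in LOOPBACK or not conn.get("secret"):
                findings.append(f"Connector {port}: AJP enabled without loopback binding and a secret")
        elif not conn.get("server"):
            # Item 5: without a server attribute the Server header is not overridden.
            findings.append(f"Connector {port}: no server attribute")

    for host in root.iter("Host"):
        name = host.get("name", "?")
        # Item 6: both attributes default to true in Tomcat.
        if host.get("autoDeploy", "true").lower() == "true":
            findings.append(f"Host {name}: autoDeploy is on")
        if host.get("unpackWARs", "true").lower() == "true":
            findings.append(f"Host {name}: unpackWARs is on")
        # Item 11: an AccessLogValve must be configured (a commented one does not count).
        if not any(v.get("className") == ACCESS_LOG_VALVE for v in host.iter("Valve")):
            findings.append(f"Host {name}: no AccessLogValve")
    return findings


def audit_context_xml(xml_text: str) -> list:
    """Item 9: useHttpOnly defaults to true since Tomcat 7; flag an explicit
    'false' and the lower-case spelling, which Tomcat does not recognise."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("useHttpOnly", "true").lower() != "true":
        findings.append("Context: useHttpOnly is false")
    for attr in root.attrib:
        if attr.lower() == "usehttponly" and attr != "useHttpOnly":
            findings.append(f"Context: attribute {attr} is ignored, the name is useHttpOnly")
    return findings


# Constructed samples: a stock-like server.xml and the hardened version built
# from the page's snippets (AJP commented out, server attribute set, random
# shutdown string with '&' escaped, Host flags off, access log valve present).
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
"""

HARDENED_SERVER_XML = """<Server port="8005" shutdown="j^&amp;&amp;Up?HHJYT$@">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="8443" server="XXXXXX"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="false" autoDeploy="false">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="localhost_access_log." suffix=".txt"
               pattern="combined"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

WEAK_CONTEXT_XML = '<Context usehttponly="true"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>'
HARDENED_CONTEXT_XML = '<Context useHttpOnly="true"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>'

if __name__ == "__main__":
    for finding in audit_server_xml(WEAK_SERVER_XML) + audit_context_xml(WEAK_CONTEXT_XML):
        print("FAIL", finding)
    print("hardened:", audit_server_xml(HARDENED_SERVER_XML) + audit_context_xml(HARDENED_CONTEXT_XML))
```

To use it on a real host, read conf/server.xml and conf/context.xml into strings and pass them in; an empty list for both means every item the checklist touches in those two files is set. Items 2, 3 and 7 live outside these files (the webapps directory, the service account and conf/web.xml) and are not covered by this check.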