Tomcat security
1. Delete the default directories under $CATALINA_HOME/webapps (ROOT, balancer, jsp-examples, servlet-examples, tomcat-docs, webdav).
2. Delete host-manager and manager under $CATALINA_HOME/server/webapps. Note: keep them if you need Cacti or MRTG to monitor Tomcat traffic, or if you use the manager application to deploy and manage applications without restarting Tomcat.
3. Delete $CATALINA_HOME/conf/Catalina/localhost/host-manager.xml and $CATALINA_HOME/conf/Catalina/localhost/manager.xml (older versions).
4. $CATALINA_HOME/conf/web.xml
    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value> <!-- make sure this is false -->
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
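Steps 1 to 4 can be applied and re-checked with a small script. The following is an added example, not part of the original post: it assumes a stock Tomcat directory layout under a CATALINA_HOME path you pass in, treats the manager and host-manager applications as optional (the exception noted in step 2), and reports whether the default servlet still has directory listings enabled in web.xml.

```shell
#!/bin/sh
# Added example: remove the default and management web applications
# (steps 1-3) and check the `listings` init-param of the default servlet (step 4).
# Paths follow the standard Tomcat layout; CATALINA_HOME is supplied by the caller.
set -u

# Usage: harden_webapps CATALINA_HOME [keep_manager]
# A non-empty second argument keeps manager/host-manager (Cacti/MRTG
# monitoring or hot deployment, as step 2 notes).
harden_webapps() {
    home="$1"
    keep_manager="${2:-}"
    [ -d "$home" ] || { echo "not a directory: $home" >&2; return 2; }

    # Step 1: sample and default applications under webapps/
    for app in ROOT balancer jsp-examples servlet-examples tomcat-docs webdav; do
        [ -d "$home/webapps/$app" ] && rm -rf "$home/webapps/$app"
    done

    if [ -z "$keep_manager" ]; then
        for app in manager host-manager; do
            # Step 2: older layouts keep these under server/webapps, newer ones under webapps
            for dir in "$home/server/webapps/$app" "$home/webapps/$app"; do
                [ -d "$dir" ] && rm -rf "$dir"
            done
            # Step 3: the per-host context descriptors that would deploy them again
            rm -f "$home/conf/Catalina/localhost/$app.xml"
        done
    fi
    return 0
}

# Print every listed application still present; returns 0 only when none remain.
audit_webapps() {
    home="$1"
    rc=0
    for app in ROOT balancer jsp-examples servlet-examples tomcat-docs webdav manager host-manager; do
        for dir in "$home/webapps/$app" "$home/server/webapps/$app"; do
            if [ -d "$dir" ]; then echo "present: $dir"; rc=1; fi
        done
    done
    return $rc
}

# Step 4: returns 0 (true) if web.xml sets the `listings` init-param to true.
# Lines are joined first so the two elements match even when split across lines.
listings_enabled() {
    tr '\n' ' ' < "$1" \
      | grep -o '<param-name>listings</param-name>[[:space:]]*<param-value>[^<]*</param-value>' \
      | grep -q 'true'
}
```

Run `audit_webapps "$CATALINA_HOME"` after hardening and treat any output as a finding; a non-zero status from `listings_enabled "$CATALINA_HOME/conf/web.xml"` means directory listings are off, which is the state step 4 requires.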
5. Hide the server version information; a 404 error page normally exposes the server version.
[root@tomcat_a ~]# curl -I https://localhost:8080
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Tue, 17 Sep 2013 01:27:36 GMT
Modify $CATALINA_HOME/lib/catalina.jar
Extract the properties file from the jar
[root@tomcat_a lib]# jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
Edit the configuration file. Note: the file is extracted under the current directory.
[root@tomcat_a lib]# vi org/apache/catalina/util/ServerInfo.properties
server.info=hello kitty
server.number=hello kitty
server.built=www.mini189.cn
Repack
[root@tomcat_a lib]# jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
Restart Tomcat for the change to take effect
6. Change the Server banner returned in responses; this banner makes vulnerability scanners report an outdated HTTP server version.
Before
[root@tomcat_a bin]# curl -I https://localhost:8080
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Tue, 17 Sep 2013 01:46:51 GMT
Change
[root@tomcat_a /]# vi $CATALINA_HOME/conf/server.xml
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" server="hello kitty" />
After restarting, the new result
[root@tomcat_a /]# curl -I https://localhost:8080
HTTP/1.1 200 OK
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Tue, 17 Sep 2013 01:50:29 GMT
Server: hello kitty
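Steps 5 and 6 both come down to editing a file and confirming the banner no longer appears. The following added example (not the original post's commands) scripts the ServerInfo.properties rewrite, lists Connector elements in server.xml that still lack a `server` attribute, and scans a captured response for the product strings. The label "hello kitty", the Apache-Coyote header and the "Apache Tomcat/" prefix on error pages come from the post; the sample inputs in the usage note are constructed.

```shell
#!/bin/sh
# Added example: automate the banner changes of steps 5 and 6 and check
# a captured HTTP response for product or version leaks.
set -u

# Rewrite server.info / server.number / server.built in an extracted
# ServerInfo.properties (the file that `jar xf catalina.jar ...` produces).
# Usage: set_server_info FILE LABEL   (LABEL must not contain '/' or '&')
set_server_info() {
    file="$1"; label="$2"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    sed -e "s/^server\.info=.*/server.info=$label/" \
        -e "s/^server\.number=.*/server.number=$label/" \
        -e "s/^server\.built=.*/server.built=$label/" "$file" > "$file.tmp" \
      && mv "$file.tmp" "$file"
}

# Print each <Connector> in server.xml that has no server="..." attribute.
# Returns 0 when at least one is printed (step 6 still to do), 1 when all are set.
connectors_without_server_attr() {
    # Join lines so a Connector split across lines is one record
    tr '\n' ' ' < "$1" | grep -o '<Connector[^>]*>' | grep -v 'server="'
}

# Read a captured response (headers and/or body) on stdin and print the lines
# that reveal Tomcat: the default Apache-Coyote Server header, or the
# server.info string "Apache Tomcat/<version>" shown on error pages.
# Returns 0 when something leaks, 1 when the capture is clean.
banner_leaks() {
    grep -i -E '^Server:.*(Apache-Coyote|Tomcat)|Apache Tomcat/[0-9]'
}
```

Typical use: `curl -sI http://host:8080/ | banner_leaks` before and after the change, and `connectors_without_server_attr "$CATALINA_HOME/conf/server.xml"` to catch Connector elements (for example an AJP or HTTPS connector) that were not edited. Changing the banner is cosmetic from a security standpoint: it silences banner-based scanner alerts but does not remove any vulnerability, so it complements rather than replaces patching.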
7. Protect port 8005
Note: port 8005 is used to shut down the Tomcat instance remotely.
See $CATALINA_HOME/conf/server.xml
<Server port="8005" shutdown="SHUTDOWN">
Make sure the port is protected by a firewall
Last updated: 2017-04-03 16:49:07
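A firewall rule is one layer; the Server element itself is the other. As an added example (not from the original post), the check below parses the `<Server>` element of server.xml and flags the two weak settings that matter here: the well-known default shutdown command "SHUTDOWN", and a listener bound to a non-loopback address. It relies on two documented Tomcat behaviours not mentioned in the post: `port="-1"` disables the shutdown listener entirely, and the optional `address` attribute defaults to localhost. The server.xml content in the usage note is constructed.

```shell
#!/bin/sh
# Added example: audit the shutdown listener configured on <Server> in server.xml.
# Exit 0 when the configuration is acceptable, 1 when a weakness is found,
# 2 when the file has no <Server> element.
set -u

shutdown_port_check() {
    file="$1"
    # Join lines so attributes split across lines still form one element
    server_tag=$(tr '\n' ' ' < "$file" | grep -o '<Server [^>]*>' | head -n 1)
    [ -n "$server_tag" ] || { echo "no <Server> element in $file" >&2; return 2; }

    port=$(printf '%s' "$server_tag" | sed -n 's/.*port="\([^"]*\)".*/\1/p')
    cmd=$(printf '%s' "$server_tag" | sed -n 's/.*shutdown="\([^"]*\)".*/\1/p')
    addr=$(printf '%s' "$server_tag" | sed -n 's/.*address="\([^"]*\)".*/\1/p')
    addr="${addr:-localhost}"   # Tomcat's default when the attribute is absent
    echo "shutdown port=$port command=$cmd address=$addr"

    # port="-1" turns the shutdown listener off, so nothing is exposed
    [ "x$port" = "x-1" ] && { echo "shutdown listener disabled"; return 0; }

    rc=0
    # The default command is public knowledge; anyone who can reach the port can stop Tomcat
    [ "x$cmd" = "xSHUTDOWN" ] && { echo "WARN: default shutdown command in use"; rc=1; }
    case "$addr" in
        localhost|127.0.0.1|::1) ;;
        *) echo "WARN: shutdown listener bound to $addr, reachable off-host"; rc=1 ;;
    esac
    return $rc
}
```

Pair the file check with a runtime check such as `ss -ltn | grep ':8005'` to confirm the listener is bound to 127.0.0.1, and keep the host firewall rule the post calls for even when the address is loopback, since the firewall is the control that survives a later server.xml edit.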