Apache Tomcat Security Guide

2016. 8. 26. 14:12 · Project-related research / Web

Source: https://geekflare.com/apache-tomcat-hardening-and-security-guide/


Apache Tomcat Hardening and Security Guide



Tomcat is one of the most popular Servlet and JSP container servers. It is used by some of the following high-traffic websites:

  • LinkedIn.com
  • Dailymail.co.uk
  • Comcast.net
  • Wallmart.com
  • Reuters.com
  • Meetup.com
  • Webs.com

The diagram below shows the market position of Tomcat in terms of popularity and traffic.

A default configuration can expose a lot of sensitive information, which helps an attacker prepare an attack against the Tomcat server. This practical guide gives you the skill set needed to secure an Apache Tomcat server.

It was great to see the overwhelming response to my article on the Apache Web Server Hardening and Security Guide. In this article, I will talk about how to harden and secure an Apache Tomcat server. The following was tested on Tomcat 6.x, and I don't see any reason it won't work with Tomcat 5.x, 7.x or 8.x.

Audience

This guide is designed for Middleware Administrators, Application Support, System Analysts, or anyone working with or eager to learn Tomcat hardening and security. Fair knowledge of Tomcat and UNIX commands is mandatory.


Pre-requisite

We need a tool to examine HTTP headers for verification. Let's do this by installing the Firebug add-on in Firefox.

  • Open Firefox
  • Access https://addons.mozilla.org/en-US/firefox/addon/firebug/
  • Click on Add to Firefox

  • Click on Install Now
  • Restart Firefox
  • You will see the Firebug icon in the top right bar

We will use this icon to open the Firebug console and view HTTP header information.

There are also many online tools that help check HTTP header information. Below are some you can try.

  • www.seositecheckup.com
  • www.apikitchen.com
  • http://web-sniffer.net

Note: as a best practice, you must take a backup of any file you are about to modify.

We will refer to the Tomcat installation folder as $tomcat throughout this guide.

1. Remove Server Banner

Removing the Server banner from the HTTP header is one of the first things to do when hardening. The server banner exposes the product you are using and leads to an information leakage vulnerability.

Implementation:

  • Go to the $tomcat/conf folder
  • Modify server.xml using vi
  • Add the following under the Connector port and save the file
Server=" "

Ex: –

<Connector port="8080" protocol="HTTP/1.1" 
connectionTimeout="20000" 
Server =" " 
redirectPort="8443" />

Verification:

  • Open Firefox with Firebug
  • Access the Tomcat application
  • You will notice the Server value is now blank.

2. Starting Tomcat with a Security Manager

The Java Security Manager is the same sandboxing mechanism a browser uses to run an untrusted applet; under Tomcat it limits what a deployed web application is allowed to do (for example file, network and system-property access). Running Tomcat with a security manager is definitely better than running without one. Tomcat has very good documentation on the Tomcat Security Manager. Note that the Java SecurityManager has been deprecated for removal since Java 17, so check the documentation for the Tomcat and JDK versions you run before relying on it.

Implementation:

All you have to do is start Tomcat with the -security argument.

Chandans:bin root# ./startup.sh -security
Using CATALINA_BASE:   /opt/tomcat
Using CATALINA_HOME:   /opt/tomcat
Using CATALINA_TMPDIR: /opt/tomcat/temp
Using JRE_HOME:        /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home
Using CLASSPATH:       /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar
Using Security Manager
Chandans:bin root#

3. Enable access log logging

The default configuration does not capture access logs. The access log is very useful in troubleshooting, to check the request type, requester IP address, status code, etc.

Implementation:

  • Go to $tomcat/conf
  • Modify server.xml using vi
  • Go to the end of the file and uncomment the Valve entry for org.apache.catalina.valves.AccessLogValve
<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs" 
prefix="localhost_access_log."
suffix=".txt"
pattern="common" resolveHosts="false"/>
  • Restart the Tomcat server; you should see localhost_access_log created under the $tomcat/logs folder

4. Enforced HTTPS

It is good to force-redirect all HTTP requests to HTTPS so that web application data is transmitted over SSL/TLS.

Implementation:

  • Go to the $tomcat/conf folder
  • Modify web.xml using vi
  • Add the following before the </web-app> tag
<security-constraint> 
<web-resource-collection> 
<web-resource-name>Protected Context</web-resource-name> 
<url-pattern>/*</url-pattern>
</web-resource-collection> 
<user-data-constraint> 
<transport-guarantee>CONFIDENTIAL</transport-guarantee> 
</user-data-constraint> 
</security-constraint>
  • Restart Tomcat and access web application to verify.

Note: ensure Tomcat is configured to serve SSL, otherwise this will break access to the application.

5. Add Secure flag in cookie

Without the Secure flag on the Set-Cookie HTTP header, it is possible to steal or manipulate the web application session and cookies. Note that secure="true" makes Tomcat treat every request on that connector as secure (request.isSecure() returns true), which is what causes the session cookie to be marked Secure; it belongs on the SSL connector, or on a connector behind a TLS-terminating proxy, not on a plain HTTP port.

Implementation:

  • Go to the $tomcat/conf folder
  • Modify server.xml using vi
  • Add the following to the Connector port
Secure="true"

Ex:

<Connector port="8080" protocol="HTTP/1.1" 
connectionTimeout="20000" 
Server=" " 
Secure="true" 
redirectPort="8443" />

Verification:

  • Open Firefox with Firebug
  • Access your application and check the HTTP response header; you should see the Secure flag

6. Add HttpOnly in cookie

It is best practice to have this enabled at the application code level. However, due to poor programming or developers' unawareness, it often falls to the web infrastructure.

Implementation:

  • Go to the $tomcat/conf folder
  • Modify context.xml using vi
  • Add the following to the Context element (element and attribute names are case-sensitive)
useHttpOnly="true"

Ex:-

<Context useHttpOnly="true">
...
</Context>
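An offline check for the three response-header items covered in sections 1, 5 and 6 (blank Server banner, Secure flag, HttpOnly flag). This is an added example, not code from the original guide; the two responses it parses are constructed samples, not captures from a real server.

```python
# Added example (not from the original guide): offline audit of the
# response-header items this guide hardens: a blank Server banner
# (section 1) and the Secure/HttpOnly flags on Set-Cookie (sections 5, 6).
from email.parser import Parser

# Constructed sample responses (not captured from a real server).
DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server:  \r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def audit_response_headers(raw_response: str) -> dict:
    """Parse one raw HTTP response and report banner and cookie-flag issues."""
    head, _, _body = raw_response.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    findings = {"status": status_line}

    # Section 1: the Server header should be absent or blank.
    server = headers.get("Server")
    findings["server_banner_exposed"] = bool(server and server.strip())

    # Sections 5 and 6: every cookie that is set must carry Secure and HttpOnly.
    missing = {}
    for cookie in headers.get_all("Set-Cookie") or []:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        flags = [f for f in ("secure", "httponly") if f not in attrs]
        if flags:
            missing[name] = flags
    findings["cookies_missing_flags"] = missing
    return findings


if __name__ == "__main__":
    for label, raw in (("default", DEFAULT_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response_headers(raw))
```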

7. Enable Secure Socket Layer (SSL)

To enable Tomcat to listen over HTTPS, you must configure Tomcat with SSL. If you are new to SSL, you can refer to the Beginner's Guide to SSL. This assumes you have an SSL certificate imported into a keystore.

Implementation:

  • Go to the $tomcat/conf folder
  • Modify server.xml using vi
  • Add the following under the Connector port
SSLEnabled="true" scheme="https" keystoreFile="conf/keystore" keystorePass="password"

Ex:

<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
Server=" "
Secure="true"
SSLEnabled="true" scheme="https" keystoreFile="conf/keystore" keystorePass="password" clientAuth="false" sslProtocol="TLS"
redirectPort="8443" />

Do not set sslProtocol="SSLv3": SSLv3 is broken (POODLE) and is disabled by modern JVMs; sslProtocol="TLS" is the value to use.

8. Run Tomcat from non-privileged account

It is good to use a separate non-privileged user for Tomcat. The idea is to protect the other services running on the host in case of any security hole in Tomcat.

Implementation:

  • Create a UNIX user
  • Change ownership of $tomcat to the newly created UNIX user

9. Remove default/unwanted applications

By default, Tomcat comes with the following web applications, which may or may not be required in a production environment. You can delete them to keep the installation clean and avoid any known security risk with the Tomcat default applications.

  • ROOT – Default welcome page
  • Docs – Tomcat documentation
  • Examples – JSP and servlets for demonstration
  • Manager, host-manager – Tomcat administration

10. Change SHUTDOWN port and Command

By default, Tomcat is configured to shut down on port 8005. Did you know you can shut down a Tomcat instance by telnetting to IP:port and issuing the SHUTDOWN command?

Chandans # telnet localhost 8005
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SHUTDOWN
Connection closed by foreign host.
Chandans #

As you can see, the default configuration leads to a high security risk. It is recommended to change the Tomcat shutdown port and default command to something unpredictable. By default the shutdown port listens only on localhost (the address attribute of the Server element); keep it that way as well.

Implementation:

  • Go to the $tomcat/conf folder
  • Modify server.xml using vi
<Server port="8005" shutdown="SHUTDOWN">

8005 – Change to some other unused port

SHUTDOWN – Change to something complicated

Ex:

<Server port="8867" shutdown="NOTGONNAGUESS">
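A static audit of server.xml for the settings changed in sections 1, 3, 5, 7 and 10 (blank Server banner, AccessLogValve present, secure flag and TLS protocol on the SSL connector, non-default shutdown port and command). This is an added example, not code from the original guide; the two server.xml documents it checks are constructed samples.

```python
# Added example (not from the original guide): static audit of a server.xml
# for the settings this guide changes; the sample documents are constructed.
import xml.etree.ElementTree as ET

DEFAULT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps">
      <!-- <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
                 prefix="localhost_access_log." suffix=".txt" pattern="common"/> -->
    </Host></Engine>
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server port="8867" shutdown="NOTGONNAGUESS">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" Server=" " secure="true" SSLEnabled="true"
               scheme="https" keystoreFile="conf/keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS"/>
    <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps">
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
             prefix="localhost_access_log." suffix=".txt" pattern="common"/>
    </Host></Engine>
  </Service>
</Server>"""


def audit_server_xml(xml_text: str) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    # Section 10: the default shutdown port and command are guessable.
    if root.get("port") == "8005":
        findings.append("Server uses default shutdown port 8005")
    if root.get("shutdown") == "SHUTDOWN":
        findings.append("Server uses default shutdown command SHUTDOWN")
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        attrs = {k.lower(): v for k, v in conn.attrib.items()}  # Server/server both accepted
        if attrs.get("server", "default").strip():  # section 1: banner not blanked
            findings.append(f"Connector {port} sends a Server banner")
        if attrs.get("sslenabled") == "true":  # sections 5 and 7
            if attrs.get("secure") != "true":
                findings.append(f"Connector {port} is SSL-enabled but secure != true")
            if attrs.get("sslprotocol", "TLS").upper().startswith("SSL"):
                findings.append(f"Connector {port} allows SSLv2/SSLv3")
    # Section 3: a commented-out Valve is invisible to the parser, so none found = log disabled.
    if not any(v.get("className", "").endswith("AccessLogValve") for v in root.iter("Valve")):
        findings.append("No AccessLogValve configured (access log disabled)")
    return findings
```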

11. Replace default 404, 403, 500 page

Having the default pages for not found, forbidden and server error exposes the Tomcat version, which is a security risk if you are running a vulnerable version. Let's look at the default 404 page.

To mitigate this, first create a general error page, then configure web.xml to redirect to that page.

Implementation:

  • Go to $tomcat/webapps/$application
  • Create an error.jsp file
#vi error.jsp 
<html>
<head> 
<title>404-Page Not Found</title>
</head>
<body> That's an error! </body>
</html>
  • Go to the $tomcat/conf folder
  • Add the following to web.xml using vi. Ensure you add it before the </web-app> tag
<error-page> 
<error-code>404</error-code> 
<location>/error.jsp</location>
</error-page>
<error-page> 
<error-code>403</error-code> 
<location>/error.jsp</location>
</error-page>
<error-page> 
<error-code>500</error-code> 
<location>/error.jsp</location>
</error-page>
  • Restart the Tomcat server. Now, let's test it.

As you can see, Tomcat information is no longer exposed.

You can do this for java.lang.Exception as well. This prevents the Tomcat version from being exposed when any Java exception reaches the container.

Just add the following to web.xml and restart the Tomcat server.

<error-page> 
<exception-type>java.lang.Exception</exception-type> 
<location>/error.jsp</location>
</error-page>

I hope the above guide gives you an idea of how to secure Tomcat. If you like this, please share it with your friends.
