How to harden the Tomcat web server

Hi Techrunnr subscribers, this document deals with how to harden the Tomcat web server.

Apache Tomcat, often referred to as Tomcat Server, is an open-source Java Servlet Container developed by the Apache Software Foundation.


1. Remove Server Banner
Removing the Server banner from the HTTP response header is one of the first hardening steps.

Go to the $tomcat/conf folder
Modify server.xml using vi
Add the following attribute to the Connector element:

server=""

2. Disable Tomcat from displaying directory listings

Listing the contents of directories with a large number of files can consume considerable system resources and can therefore be used in a denial-of-service (DoS) attack. Leaving listings enabled also puts the application at risk if the listed directories contain sensitive data.

3. Enable SSL/TLS
Serving web requests over HTTPS is essential to protect data in transit between the client and Tomcat. To make your web application reachable over HTTPS, you need to install a TLS certificate.

Assuming you already have a keystore ready with the certificate, add the attributes below to the Connector element in server.xml. Because the keystore password sits in clear text in server.xml, keep that file readable only by the Tomcat user.

SSLEnabled="true" scheme="https" keystoreFile="ssl/techunnr.jks" keystorePass="hj67HJlM" clientAuth="false" sslProtocol="TLS"

4. Run Tomcat from a non-privileged account
It is always good to use a separate non-privileged user for Tomcat. If it runs as root, a compromised application has access to system files.

Create a UNIX user, let’s say tomcat

useradd tomcat

Stop Tomcat if it is running
Change the ownership of $tomcat to the user tomcat

chown -R tomcat:tomcat tomcat/

Start Tomcat and ensure it is running as the tomcat user

5. Starting Tomcat with a Security Manager
The Java Security Manager applies a sandbox policy to the code running in the JVM, the same mechanism that keeps an untrusted applet in check in your browser.

Running Tomcat with a security manager is better than running without one.

All you have to do is start Tomcat with the -security argument.

[root@techrunnr bin]# sh startup.sh -security

6. Enforce HTTPS
This is only applicable when you have SSL enabled. If not, it will break the application.

Once you have enabled SSL, it is good practice to redirect all HTTP requests to HTTPS so that communication between the user and the Tomcat application server is always encrypted.

Go to the $tomcat/conf folder
Modify web.xml using vi
Add the following before the closing </web-app> tag

<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Context</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

Save the file and restart Tomcat

7. Add Secure & HttpOnly flags to the session cookie
Without the Secure and HttpOnly flags, a web application's session cookie can be stolen or manipulated (sent over plain HTTP, or read by script). Both are flags that Tomcat adds to the Set-Cookie response header.

This is done by adding the lines below to the session-config section of web.xml

<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>

8. Remove default/unwanted applications
By default, Tomcat ships with the following web applications, which may or may not be required in a production environment.

You can delete them to keep the installation clean and avoid any known security risk in the Tomcat default applications.

ROOT - default welcome page
docs - Tomcat documentation
examples - JSP and servlets for demonstration
manager, host-manager - Tomcat administration
They are located under the $tomcat/webapps folder
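As an added example (not the post's own steps, and not a Tomcat tool), the Python helper below reports which of the stock applications are still present under the webapps folder and removes the ones you do not want to keep. It handles both an unpacked directory and a matching .war, and demo() builds a constructed throwaway layout so the logic can be exercised without a Tomcat install; the real path it would be pointed at is assumed to be $tomcat/webapps.

```python
"""Find and remove the stock Tomcat web applications under a webapps folder.
Added example; the DEFAULT_WEBAPPS names are the ones a stock distribution ships."""
import os
import shutil
import tempfile

# Applications shipped in a stock Tomcat distribution's webapps directory.
DEFAULT_WEBAPPS = ("ROOT", "docs", "examples", "manager", "host-manager")


def find_default_webapps(webapps_dir):
    """Return the stock applications still present, as a directory or a .war."""
    present = []
    for name in DEFAULT_WEBAPPS:
        app_dir = os.path.join(webapps_dir, name)
        if os.path.isdir(app_dir) or os.path.isfile(app_dir + ".war"):
            present.append(name)
    return present


def remove_default_webapps(webapps_dir, keep=()):
    """Delete stock applications not listed in keep; returns the names removed.

    Removing ROOT means requests for / answer 404 until another application
    is deployed at the root context, so it is listed in keep when wanted."""
    removed = []
    for name in find_default_webapps(webapps_dir):
        if name in keep:
            continue
        app_dir = os.path.join(webapps_dir, name)
        if os.path.isdir(app_dir):
            shutil.rmtree(app_dir)
        if os.path.isfile(app_dir + ".war"):
            os.remove(app_dir + ".war")
        removed.append(name)
    return removed


def demo():
    """Build a constructed webapps layout in a temp dir, clean it, and return
    (stock apps found, stock apps removed, what is left)."""
    base = tempfile.mkdtemp(prefix="tomcat-webapps-")
    try:
        # Constructed layout: all stock apps, one unpacked plus a leftover
        # docs.war, and one real application called "shop".
        for name in DEFAULT_WEBAPPS + ("shop",):
            os.makedirs(os.path.join(base, name))
        open(os.path.join(base, "docs.war"), "w").close()
        before = find_default_webapps(base)
        removed = remove_default_webapps(base, keep=("ROOT",))
        after = sorted(os.listdir(base))
        return before, removed, after
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

Against a live install you would call remove_default_webapps("/path/to/tomcat/webapps", keep=("ROOT",)) after stopping Tomcat, then restart it as the tomcat user as described in section 4.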

9. Change the SHUTDOWN port and command
By default, Tomcat is configured to accept a shutdown command on port 8005.

Did you know you can shut down a Tomcat instance by connecting to IP:port with telnet and issuing the SHUTDOWN command?

techrunnr # telnet localhost 8005
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SHUTDOWN
Connection closed by foreign host.
techrunnr #

Dangerous!

It is recommended to change the Tomcat shutdown port and the default command to something unpredictable.

Modify the following in server.xml

<Server port="8005" shutdown="SHUTDOWN">

8005 - change to some other unused port
SHUTDOWN - change to something hard to guess

Example:

<Server port="8867" shutdown="NOTGONNAGUESS">

10. Replace the default 404, 403 and 500 pages
The default pages for not found, forbidden and server error expose the Tomcat version.

Let’s look at default 404 page.

To mitigate this, first create a general error page, then configure web.xml to send those error codes to it.

Go to $tomcat/webapps/$application
Create an error.jsp file using the vi editor

<html>
<head>
<title>Error Page</title>
</head>
<body> That's an error! </body>
</html>

Go to the $tomcat/conf folder
Add the following to web.xml. Ensure you add it before the closing </web-app> tag

<error-page>
<error-code>404</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>403</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/error.jsp</location>
</error-page>

Restart the Tomcat server to test it
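Sections 2, 6, 7 and 10 all end up in web.xml, so here is an added example (my code, not the post's or Tomcat's) that parses a web.xml and reports which of those four items are still missing: the DefaultServlet "listings" init-param in conf/web.xml, a CONFIDENTIAL security-constraint covering /*, the http-only and secure cookie flags, and custom error pages for 404, 403 and 500. The embedded WEAK_WEB_XML is a constructed, cut-down sample that deliberately gets some items right and others wrong; the namespace matches what Tomcat ships, and the tag names are the standard Servlet ones used in the fragments above.

```python
"""Audit a Tomcat web.xml for directory listings (section 2), forced HTTPS (6),
cookie flags (7) and custom error pages (10).  Added example, not code from
the post or from the Tomcat project."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a conf/web.xml cut down to the pieces the audit reads.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
  <error-page>
    <error-code>404</error-code>
    <location>/error.jsp</location>
  </error-page>
</web-app>"""


def _local(tag):
    """Drop the namespace prefix ElementTree attaches ({uri}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def _children(element, name):
    """Direct children whose local name is `name`, namespaced or not."""
    return [child for child in element if _local(child.tag) == name]


def _text(element, name):
    """Stripped text of the first child called `name`, or None."""
    hits = _children(element, name)
    return hits[0].text.strip() if hits and hits[0].text else None


def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []

    # Section 2: the DefaultServlet's "listings" init-param must not be true
    # (Tomcat's default when the param is absent is false).
    for servlet in _children(root, "servlet"):
        if _text(servlet, "servlet-name") != "default":
            continue
        for param in _children(servlet, "init-param"):
            if (_text(param, "param-name") == "listings"
                    and _text(param, "param-value") == "true"):
                findings.append("directory listings are enabled on the default servlet")

    # Section 6: some security-constraint must cover /* with CONFIDENTIAL.
    https_forced = False
    for constraint in _children(root, "security-constraint"):
        patterns = [p.text.strip()
                    for wrc in _children(constraint, "web-resource-collection")
                    for p in _children(wrc, "url-pattern") if p.text]
        guarantee = None
        for udc in _children(constraint, "user-data-constraint"):
            guarantee = _text(udc, "transport-guarantee")
        if "/*" in patterns and guarantee == "CONFIDENTIAL":
            https_forced = True
    if not https_forced:
        findings.append("no security-constraint forces CONFIDENTIAL transport for /*")

    # Section 7: both cookie flags must be present and true.
    cookie_config = None
    for session in _children(root, "session-config"):
        for cc in _children(session, "cookie-config"):
            cookie_config = cc
    for flag in ("http-only", "secure"):
        value = _text(cookie_config, flag) if cookie_config is not None else None
        if value != "true":
            findings.append(f"session cookie flag <{flag}> is not set to true")

    # Section 10: 404, 403 and 500 each need an error-page with a location.
    covered = {_text(page, "error-code") for page in _children(root, "error-page")
               if _text(page, "location")}
    for code in ("404", "403", "500"):
        if code not in covered:
            findings.append(f"no custom error-page for HTTP {code}")
    return findings


if __name__ == "__main__":
    # Pass a real $tomcat/conf/web.xml path; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_WEB_XML
    for finding in audit_web_xml(text) or ["no findings"]:
        print(finding)
```

Run it as python audit_web_xml.py /path/to/tomcat/conf/web.xml; the fragments shown in sections 6, 7 and 10 above clear the corresponding checks, and setting the listings param-value to false clears the first one.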

11. Disable support for TRACE requests

Though useful for debugging, enabling allowTrace can expose some browsers to a cross-site scripting (XSS) attack. Mitigate this by making sure allowTrace is not enabled on any Connector in server.xml.

12. Disable sending of the X-Powered-By HTTP header

If enabled, Tomcat will send information such as the Servlet and JSP specification versions and the full Tomcat version, among others. This gives attackers a workable starting point to craft an attack. To prevent this information leakage, do not enable the xpoweredBy attribute on the Connector in server.xml.

13. Disable SSL v3 to prevent POODLE attacks

POODLE is an SSL v3 protocol vulnerability discovered in 2014. An attacker can gain access to sensitive information such as passwords and browser cookies by exploiting this vulnerability; consequently, SSL v3 (and SSL in general) should not be included in the sslEnabledProtocols attribute in server.xml.

14. Enable logging of network traffic

In general, logs should be generated and maintained at all levels (e.g., user access, Tomcat internals, et al.), but network traffic logging is especially useful for breach assessment and forensics. To have your Tomcat instance log network traffic, configure the AccessLogValve component in server.xml.
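Sections 1, 9, 11, 12, 13 and 14 (and the sslEnabledProtocols part of section 3) all live in server.xml, so here is an added example (my code, not the post's or Tomcat's) that parses a server.xml and reports each of those items that is still at its weak setting. WEAK_SERVER_XML and HARDENED_SERVER_XML are constructed samples; the hardened one reuses the post's example shutdown port and command, which you should replace with your own values. The attribute names (server, allowTrace, xpoweredBy, sslEnabledProtocols, the SSLHostConfig protocols attribute used from Tomcat 8.5 on, and the AccessLogValve className) are Tomcat's own.

```python
"""Audit a Tomcat server.xml for the Server banner (section 1), shutdown port
and command (9), allowTrace (11), xpoweredBy (12), SSLv3 (13) and access
logging (14).  Added example, not code from the post or the Tomcat project."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample carrying the weak settings the post warns about.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" allowTrace="true" xpoweredBy="true"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" server="" sslEnabledProtocols="SSLv3,TLSv1.2"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""

# The same skeleton with every item corrected; the port and shutdown command
# reuse the post's example values and should be replaced with your own.
HARDENED_SERVER_XML = """<Server port="8867" shutdown="NOTGONNAGUESS">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" server=""/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" server="" sslEnabledProtocols="TLSv1.2,TLSv1.3"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}


def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []

    # Section 9: the <Server> element's shutdown listener. Setting port="-1"
    # disables the listener entirely, which is the safest choice when you do
    # not need it.
    if root.get("port") == "8005":
        findings.append("shutdown port is still the default 8005")
    if root.get("shutdown") == "SHUTDOWN":
        findings.append("shutdown command is still the default SHUTDOWN")

    for connector in root.iter("Connector"):
        port = connector.get("port", "?")
        # Section 1: an explicit server="" keeps older releases from sending
        # their own banner (Tomcat 7 sends "Apache-Coyote/1.1" otherwise).
        if connector.get("server") is None:
            findings.append(f"Connector {port}: no explicit server attribute")
        # Sections 11 and 12: both attributes default to false; only "true" is a problem.
        if connector.get("allowTrace", "false").lower() == "true":
            findings.append(f"Connector {port}: allowTrace is enabled")
        if connector.get("xpoweredBy", "false").lower() == "true":
            findings.append(f"Connector {port}: xpoweredBy is enabled")
        # Section 13: the protocol list sits on the Connector (sslEnabledProtocols)
        # or, from Tomcat 8.5 on, on a nested <SSLHostConfig protocols="...">.
        protocol_lists = [connector.get("sslEnabledProtocols", "")]
        protocol_lists += [h.get("protocols", "") for h in connector.iter("SSLHostConfig")]
        for plist in protocol_lists:
            # "+TLSv1.2" adds a protocol; "-SSLv3" removes one and is left alone here.
            tokens = {t.strip().lstrip("+") for t in plist.split(",") if t.strip()}
            legacy = sorted(tokens & LEGACY_PROTOCOLS)
            if legacy:
                findings.append(f"Connector {port}: legacy protocol(s) enabled: {', '.join(legacy)}")

    # Section 14: at least one AccessLogValve somewhere in the tree.
    if not any("AccessLogValve" in valve.get("className", "") for valve in root.iter("Valve")):
        findings.append("no AccessLogValve configured; network traffic is not being logged")
    return findings


if __name__ == "__main__":
    # Pass a real $tomcat/conf/server.xml path; with no argument the weak sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_SERVER_XML
    for finding in audit_server_xml(text) or ["no findings"]:
        print(finding)
```

Run it as python audit_server_xml.py /path/to/tomcat/conf/server.xml after each change; an empty result means the six server.xml items above are in their hardened state. An absent sslEnabledProtocols is not reported, because the JVM's own defaults then decide which protocols are offered, so check that list separately if you rely on it.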

15. Disable or limit the Tomcat Manager webapp

Tomcat Manager enables easy configuration and management of Tomcat instances through one web interface. Convenient, no doubt, for both authorized administrators and attackers. Alternative methods for administering Tomcat instances are therefore better, but if Tomcat Manager must be used, be sure to use its configuration options to limit your risk exposure: at minimum, strong and unique credentials for the manager roles in tomcat-users.xml, and an address filter (Tomcat's RemoteAddrValve) so that only administrative hosts can reach it.

See also: how to install Tomcat on a Linux server.

© 2018, Techrunnr. All rights reserved.

Prabhin Prabharkaran
