Hardening Tomcat version 7.0.56

1) Disable services that are not needed, using the chkconfig command, as part of operating system hardening.

2) Install latest stable release of Java

3) Remove the default contents of the webapps directory.
Set the CATALINA_HOME variable first, then run the commands below (the "#" is the root prompt). In Tomcat 7 the manager and host-manager applications live directly under webapps/:
# CATALINA_HOME="/usr/local/apache-tomcat-7.0.56"
# rm -rf $CATALINA_HOME/webapps/docs
# rm -rf $CATALINA_HOME/webapps/examples
# rm -rf $CATALINA_HOME/webapps/host-manager
# rm -rf $CATALINA_HOME/webapps/manager
# rm -rf $CATALINA_HOME/conf/Catalina/localhost/host-manager.xml
# rm -rf $CATALINA_HOME/conf/Catalina/localhost/manager.xml

4) Run Tomcat from a non-privileged account. Add the user tomcat_admin and the group tomcat:
# groupadd tomcat; useradd -r -G tomcat tomcat_admin

5) Set the following owner, group and permissions on the Tomcat directories and configuration files:
chown tomcat_admin:tomcat $CATALINA_HOME
chmod g-w,o-rwx $CATALINA_HOME
chown tomcat_admin:tomcat $CATALINA_HOME/conf
chmod g-w,o-rwx $CATALINA_HOME/conf
chown tomcat_admin:tomcat $CATALINA_HOME/logs
chmod o-rwx $CATALINA_HOME/logs
chown tomcat_admin:tomcat $CATALINA_HOME/temp
chmod o-rwx $CATALINA_HOME/temp
chown tomcat_admin:tomcat $CATALINA_HOME/bin
chmod g-w,o-rwx $CATALINA_HOME/bin
chown tomcat_admin:tomcat $CATALINA_HOME/webapps
chmod g-w,o-rwx $CATALINA_HOME/webapps
chmod 770 $CATALINA_HOME/conf/catalina.policy
chown tomcat_admin:tomcat $CATALINA_HOME/conf/catalina.policy
chown tomcat_admin:tomcat $CATALINA_HOME/conf/catalina.properties
chmod g-w,o-rwx $CATALINA_HOME/conf/catalina.properties
chown tomcat_admin:tomcat $CATALINA_HOME/conf/context.xml
chmod g-w,o-rwx $CATALINA_HOME/conf/context.xml
chown tomcat_admin:tomcat $CATALINA_HOME/conf/logging.properties
chmod g-w,o-rwx $CATALINA_HOME/conf/logging.properties
chown tomcat_admin:tomcat $CATALINA_HOME/conf/server.xml
chmod g-w,o-rwx $CATALINA_HOME/conf/server.xml
chown tomcat_admin:tomcat $CATALINA_HOME/conf/tomcat-users.xml
chmod g-w,o-rwx $CATALINA_HOME/conf/tomcat-users.xml
chown tomcat_admin:tomcat $CATALINA_HOME/conf/web.xml
chmod g-w,o-rwx $CATALINA_HOME/conf/web.xml

6) Disable unused connectors in server.xml (for example the connector on port 8080, if it is not needed).

7) Add the attributes server="xxxxxx", xpoweredBy="false", allowTrace="false" and secure="true" to the Connector element.

8) Change the ServerInfo.properties file inside catalina.jar by extracting it, editing it and updating the jar (run both jar commands from the same working directory):
  # jar xf $CATALINA_HOME/lib/catalina.jar org/apache/catalina/util/ServerInfo.properties
   Change the server.info attribute to "IIS" or some other server name, then:
  # jar uf $CATALINA_HOME/lib/catalina.jar org/apache/catalina/util/ServerInfo.properties
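As an added example that is not part of the original post (and not a Tomcat-provided tool), the same edit can be made without the JDK's jar command by rewriting the archive with Python's zipfile module; the sample jar contents and paths below are constructed stand-ins, not the real catalina.jar:

```python
# Added example, not from the original post: do step 8 with Python's zipfile module
# instead of the JDK "jar" tool. zipfile cannot update an entry in place, so the jar
# is rebuilt entry by entry and only then swapped over the original file.
import os
import shutil
import tempfile
import zipfile

ENTRY = "org/apache/catalina/util/ServerInfo.properties"

def rewrite_server_info(jar_path, server_info="IIS"):
    """Set server.info inside ENTRY of jar_path; return the new properties text."""
    tmp_path, new_text = jar_path + ".tmp", None
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == ENTRY:
                lines = []
                for line in data.decode("utf-8").splitlines():
                    if line.split("=", 1)[0].strip() == "server.info":
                        line = "server.info=" + server_info   # the banner Tomcat reports
                    lines.append(line)
                new_text = "\n".join(lines) + "\n"
                data = new_text.encode("utf-8")
            dst.writestr(item, data)       # every other entry is copied unchanged
    if new_text is None:
        os.remove(tmp_path)
        raise ValueError(ENTRY + " not found in " + jar_path)
    os.replace(tmp_path, jar_path)         # atomic swap once the rebuild succeeded
    return new_text

def make_sample_jar(path):
    """Constructed stand-in for catalina.jar (not the real file) with stock-looking values."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr(ENTRY, "server.info=Apache Tomcat/7.0.56\n"
                          "server.number=7.0.56.0\nserver.built=constructed\n")

def demo():
    """Build the sample jar in a temp dir, rewrite it and return every entry read back."""
    workdir = tempfile.mkdtemp()
    jar = os.path.join(workdir, "catalina.jar")
    make_sample_jar(jar)
    rewrite_server_info(jar)
    with zipfile.ZipFile(jar) as z:
        contents = {name: z.read(name).decode("utf-8") for name in z.namelist()}
    shutil.rmtree(workdir)
    return contents

if __name__ == "__main__":
    print(demo()[ENTRY])
```

Point rewrite_server_info at the real $CATALINA_HOME/lib/catalina.jar (with Tomcat stopped and a backup taken) to apply the change.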

9) If a generic error page exists to handle java.lang.Exception and java.lang.Throwable, add <error-page> child elements to the <web-app> element in the $CATALINA_HOME/conf/web.xml file.
 The resulting entries will look as follows:
   <error-page>
       <exception-type>java.lang.Throwable</exception-type>
       <location>/error.jsp</location>
   </error-page>
   <error-page>
       <exception-type>java.lang.Exception</exception-type>
       <location>/error.jsp</location>
   </error-page>

10) In the $CATALINA_HOME/conf/server.xml file, set the Server port to -1 and the shutdown value to some random, uncommon string:
<Server port="-1" shutdown="R@Nd0m$10987">
This disables the shutdown port 8005, which is bound to the localhost loopback address.
Note: the Tomcat shutdown script won't work any longer. Use kill -9 <pid> to stop a running Tomcat process.

11) In server.xml, add the following attribute to the Valve entry for org.apache.catalina.valves.AccessLogValve:
 resolveHosts="false"

12) Check context.xml and add useHttpOnly="true" to the Context element, if it is not already there,
e.g. <Context useHttpOnly="true">...</Context>

13) Add these attributes to the Connector element for HTTPS in server.xml:
SSLEnabled="true" scheme="https" clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
enableLookups="true" disableUploadTimeout="true" acceptCount="100" debug="0"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
         TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
         TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
         TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
         TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
         TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
         TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
         TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"
(Restricting sslEnabledProtocols to TLS versions only, so that SSLv3 is excluded, prevents the POODLE attack.)
* To set up client-certificate authentication, set the clientAuth attribute of the Connector element to true instead.
* This is done "to prevent DNS spoofing".
14) Default error page for HTTP error codes 404, 403 and 500

Go to the $CATALINA_HOME/conf folder.
Add the following to web.xml (e.g. using vi). Ensure you add it before the closing </web-app> tag:
<error-page>
    <error-code>404</error-code>
    <location>/error.jsp</location>
</error-page>
<error-page>
    <error-code>403</error-code>
    <location>/error.jsp</location>
</error-page>
<error-page>
    <error-code>500</error-code>
    <location>/error.jsp</location>
</error-page>

15) Make sure the default servlet is configured not to serve directory listings when a welcome file is not present. In $CATALINA_HOME/conf/web.xml:
 <servlet>
   <servlet-name>default</servlet-name>
   <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
   <init-param>
     <param-name>debug</param-name>
     <param-value>0</param-value>
   </init-param>
   <init-param>
     <param-name>listings</param-name>
     <param-value>false</param-value>  <!-- make sure this is false -->
   </init-param>
   <load-on-startup>1</load-on-startup>
 </servlet>

16) Configure a log size limit in logging.properties:
java.util.logging.FileHandler.limit=10000

17) In the $CATALINA_HOME/conf/server.xml file, change autoDeploy to false and deployOnStartup to false:
autoDeploy="false"  deployOnStartup="false"

18) Within $CATALINA_HOME/conf/server.xml, ensure each connector is configured with a connectionTimeout setting that is appropriate for the hardware resources, load and number of concurrent connections, e.g.:
connectionTimeout="60000"
maxHttpHeaderSize="8192"

19) If the application is configured to use SSL, do the following.
In $CATALINA_HOME/conf/web.xml, set the following (inside a <security-constraint> element):
<user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint>

20) In every context.xml, set the following:
<Context ... allowLinking="false" />
<Context ... privileged="false" />
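As an added example that is not part of the original post, the following Python script audits a server.xml against steps 7, 10, 11, 13 and 17 above and reports what is still at a weak value; the two sample configurations are constructed for the demonstration, and where an attribute is absent the check assumes Tomcat 7's documented default.

```python
# Added example, not from the original post: audit a Tomcat 7 server.xml against
# steps 7, 10, 11, 13 and 17. Absent attributes are treated as Tomcat's defaults.
import xml.etree.ElementTree as ET
def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means every checked item passes."""
    root, findings = ET.fromstring(xml_text), []
    if root.get("port") != "-1":                            # step 10: shutdown port
        findings.append("Server: shutdown port is not -1")
    if root.get("shutdown", "SHUTDOWN") == "SHUTDOWN":      # step 10: shutdown command
        findings.append("Server: shutdown command is the default")
    for c in root.iter("Connector"):                        # steps 7 and 13
        tag = "Connector " + c.get("port", "?")
        if c.get("allowTrace", "false").lower() != "false":
            findings.append(tag + ": allowTrace is enabled")
        if c.get("xpoweredBy", "false").lower() != "false":
            findings.append(tag + ": xpoweredBy is enabled")
        if not c.get("server"):
            findings.append(tag + ": Server header is not overridden")
        if c.get("SSLEnabled", "false").lower() == "true":
            protos = [p.strip() for p in c.get("sslEnabledProtocols", "").split(",") if p.strip()]
            if not protos or not all(p.startswith("TLS") for p in protos):
                findings.append(tag + ": sslEnabledProtocols not restricted to TLS (POODLE)")
    for h in root.iter("Host"):                             # step 17
        for attr in ("autoDeploy", "deployOnStartup"):
            if h.get(attr, "true").lower() != "false":
                findings.append("Host " + h.get("name", "?") + ": " + attr + " is not false")
    for v in root.iter("Valve"):                            # step 11
        if v.get("className", "").endswith("AccessLogValve") and v.get("resolveHosts", "false").lower() == "true":
            findings.append("AccessLogValve: resolveHosts is not false")
    return findings

# Constructed sample: a stock-looking server.xml before hardening.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" allowTrace="true"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             sslEnabledProtocols="SSLv3,TLSv1"/>
  <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" autoDeploy="true">
    <Valve className="org.apache.catalina.valves.AccessLogValve" resolveHosts="true"/>
  </Host></Engine></Service></Server>"""

# Constructed sample: the same file after steps 7, 10, 11, 13 and 17 were applied.
HARDENED_SERVER_XML = """<Server port="-1" shutdown="R@Nd0m$10987"><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
             server="xxxxxx" xpoweredBy="false" allowTrace="false"
             sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"/>
  <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" autoDeploy="false"
     deployOnStartup="false"><Valve className="org.apache.catalina.valves.AccessLogValve"
     resolveHosts="false"/></Host></Engine></Service></Server>"""
if __name__ == "__main__":
    print("weak:", audit_server_xml(WEAK_SERVER_XML))
    print("hardened:", audit_server_xml(HARDENED_SERVER_XML) or "no findings")
```

Run it against the real $CATALINA_HOME/conf/server.xml by passing the file's text to audit_server_xml; an empty result means only the items this script checks are in order, not the whole checklist.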

References: OWASP and other sites on the Web. Make sure to test this configuration in a staging environment first.

