Hardening Tomcat version 7.0.56
1) Disable services the host does not need (with chkconfig on SysV init
systems such as RHEL/CentOS 6) as part of operating system hardening.
2) Install the latest stable release of Java, and keep Tomcat itself on a
current patch release; 7.0.56 is the version these steps were written against.
3) Remove the default applications from the webapps directory. The docs,
examples, manager and host-manager applications are not needed in production,
and the two manager applications in particular let anyone holding manager
credentials deploy a WAR file remotely. In Tomcat 7 all of them live directly
under webapps (the server/webapps path belongs to Tomcat 5.x). The ROOT
application (the default welcome page) can be replaced with your own or an
empty one. Set CATALINA_HOME first; the commands below are run as root.
# CATALINA_HOME="/usr/local/apache-tomcat-7.0.56"
# rm -rf $CATALINA_HOME/webapps/docs
# rm -rf $CATALINA_HOME/webapps/examples
# rm -rf $CATALINA_HOME/webapps/host-manager
# rm -rf $CATALINA_HOME/webapps/manager
# rm -rf $CATALINA_HOME/conf/Catalina/localhost/host-manager.xml
# rm -rf $CATALINA_HOME/conf/Catalina/localhost/manager.xml
If you must keep the manager application, restrict it to known source
addresses with a RemoteAddrValve and grant the manager roles only to a
dedicated account.
4) Run Tomcat from a non-privileged account. Create a tomcat group and a
tomcat_admin system user with no login shell:
# groupadd tomcat
# useradd -r -G tomcat -s /sbin/nologin tomcat_admin
An unprivileged user cannot bind ports below 1024, so leave Tomcat on
8080/8443 and put a reverse proxy or a firewall port redirect in front of it
if the service must be reachable on 80/443.
5) Set owner, group and mode on the Tomcat directories and configuration
files. The owner is tomcat_admin, the group is tomcat, and "other" gets
nothing. Only logs and temp keep group write, because the running process
must write there. Every file under conf holds configuration (tomcat-users.xml
holds credentials in clear text), so all of them get the same restrictive
mode, catalina.policy included.
chown tomcat_admin:tomcat $CATALINA_HOME
chmod g-w,o-rwx $CATALINA_HOME
chown tomcat_admin:tomcat $CATALINA_HOME/conf
chmod g-w,o-rwx $CATALINA_HOME/conf
chown tomcat_admin:tomcat $CATALINA_HOME/logs
chmod o-rwx $CATALINA_HOME/logs
chown tomcat_admin:tomcat $CATALINA_HOME/temp
chmod o-rwx $CATALINA_HOME/temp
chown tomcat_admin:tomcat $CATALINA_HOME/bin
chmod g-w,o-rwx $CATALINA_HOME/bin
chown tomcat_admin:tomcat $CATALINA_HOME/webapps
chmod g-w,o-rwx $CATALINA_HOME/webapps
chown tomcat_admin:tomcat $CATALINA_HOME/conf/catalina.policy
chmod g-w,o-rwx $CATALINA_HOME/conf/catalina.policy
chown tomcat_admin:tomcat $CATALINA_HOME/conf/catalina.properties
chmod g-w,o-rwx $CATALINA_HOME/conf/catalina.properties
chown tomcat_admin:tomcat $CATALINA_HOME/conf/context.xml
chmod g-w,o-rwx $CATALINA_HOME/conf/context.xml
chown tomcat_admin:tomcat $CATALINA_HOME/conf/logging.properties
chmod g-w,o-rwx $CATALINA_HOME/conf/logging.properties
chown tomcat_admin:tomcat $CATALINA_HOME/conf/server.xml
chmod g-w,o-rwx $CATALINA_HOME/conf/server.xml
chown tomcat_admin:tomcat $CATALINA_HOME/conf/tomcat-users.xml
chmod g-w,o-rwx $CATALINA_HOME/conf/tomcat-users.xml
chown tomcat_admin:tomcat $CATALINA_HOME/conf/web.xml
chmod g-w,o-rwx $CATALINA_HOME/conf/web.xml
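A check for the permissions set in step 5, as an added example that is not part of the original post: it walks the same directories and files and reports any that are not owned by the expected user and group, or that still carry a forbidden permission bit. It assumes GNU stat (Linux); the expected owner and group are passed as arguments, so it can be run against a scratch tree as well as a real $CATALINA_HOME.

```shell
#!/bin/sh
# audit_tomcat_perms.sh - report Tomcat files whose owner, group or mode
# differ from the hardening target in step 5.  Added example, not from
# the original post.  Assumes GNU stat (Linux).
#
# Usage: audit_tomcat_perms CATALINA_HOME OWNER GROUP
# Exit status 0 when everything matches, 1 when any deviation was printed.

# check_one PATH OWNER GROUP FORBIDDEN
# FORBIDDEN is an octal mask of mode bits that must be clear:
#   027 = group write plus everything for "other"   (g-w,o-rwx)
#   007 = everything for "other"                    (o-rwx)
check_one() {
    path=$1 owner=$2 group=$3 forbidden=$4
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    actual_owner=$(stat -c '%U' "$path")
    actual_group=$(stat -c '%G' "$path")
    mode=$(stat -c '%a' "$path")          # e.g. 750, no leading zero
    rc=0
    if [ "$actual_owner" != "$owner" ] || [ "$actual_group" != "$group" ]; then
        echo "OWNER    $path is $actual_owner:$actual_group, want $owner:$group"
        rc=1
    fi
    # A leading 0 makes both operands octal in POSIX arithmetic expansion.
    if [ $(( 0$mode & 0$forbidden )) -ne 0 ]; then
        echo "MODE     $path is $mode, must not have any 0$forbidden bits"
        rc=1
    fi
    return $rc
}

audit_tomcat_perms() {
    home=$1 owner=$2 group=$3 fail=0
    # Directories: owner full access, group read/execute, others nothing.
    for d in "$home" "$home/conf" "$home/bin" "$home/webapps"; do
        check_one "$d" "$owner" "$group" 027 || fail=1
    done
    # logs and temp: the running process writes here, so group write stays.
    for d in "$home/logs" "$home/temp"; do
        check_one "$d" "$owner" "$group" 007 || fail=1
    done
    # Configuration files, including tomcat-users.xml with its clear-text credentials.
    for f in catalina.policy catalina.properties context.xml \
             logging.properties server.xml tomcat-users.xml web.xml; do
        check_one "$home/conf/$f" "$owner" "$group" 027 || fail=1
    done
    return $fail
}

# Run the audit when invoked as a script with the three arguments.
if [ "$#" -eq 3 ]; then
    audit_tomcat_perms "$1" "$2" "$3"
fi
```

Run it as `sh audit_tomcat_perms.sh /usr/local/apache-tomcat-7.0.56 tomcat_admin tomcat` after applying step 5, and again from a cron job or configuration check: a world-readable tomcat-users.xml or a group-writable server.xml is reported by name, and the exit status makes it usable in a pipeline.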
6) Disable connectors you do not use by commenting their <Connector> elements
out of server.xml: the AJP connector on 8009 when no httpd or IIS sits in
front of Tomcat, and the plain HTTP connector on 8080 when all traffic arrives
over TLS. Every open listener is attack surface, and each connector has its
own timeout and header settings to get right.
7) On each remaining Connector set server="xxxxxx" (any neutral value; Tomcat
sends it as the Server response header instead of "Apache-Coyote/1.1"),
xpoweredBy="false" (suppresses the X-Powered-By header) and allowTrace="false"
(rejects HTTP TRACE, which closes cross-site tracing). Attribute names are
case-sensitive, so it is secure="true", not Secure="true", and set it only on
the TLS connector or on a connector that receives traffic exclusively from a
TLS-terminating proxy: it makes Tomcat treat every request on that connector
as HTTPS, so session cookies get the Secure flag and request.isSecure()
returns true regardless of the actual transport. allowTrace and xpoweredBy
already default to false in Tomcat 7; setting them explicitly documents the
intent.
8) Change the version string in ServerInfo.properties inside catalina.jar.
The connector's server attribute (step 7) covers the Server header; this file
feeds the version shown on Tomcat's own error pages and in the startup banner.
Extract the file, edit it and update the jar in place. jar extracts into the
current directory, so work from a scratch directory:
# cd /tmp && jar xf $CATALINA_HOME/lib/catalina.jar org/apache/catalina/util/ServerInfo.properties
Change the server.info value (and server.number) to "IIS" or some other name
that reveals nothing, then:
# jar uf $CATALINA_HOME/lib/catalina.jar org/apache/catalina/util/ServerInfo.properties
This hides the version from casual scanners only; behaviour-based
fingerprinting still identifies Tomcat. The change is lost at the next upgrade
because catalina.jar is replaced, so repeat it as part of the upgrade
procedure.
9) Add <error-page> children to the <web-app> element in
$CATALINA_HOME/conf/web.xml so that uncaught exceptions are answered by your
own generic page instead of Tomcat's default report, which includes the stack
trace and the server version. Entries in conf/web.xml apply to every web
application, and the location is resolved relative to each application's
context root, so /error.jsp must exist in every deployed application and must
itself print nothing about the failure. java.lang.Exception is a subclass of
java.lang.Throwable, so the first entry already covers the second; listing
both is harmless. The resulting entries look as follows:
<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/error.jsp</location>
</error-page>
<error-page>
<exception-type>java.lang.Exception</exception-type>
<location>/error.jsp</location>
</error-page>
Tomcat 7.0.55 and later can also strip the stack trace and version from the
built-in report without a custom page, through showReport="false" and
showServerInfo="false" on an ErrorReportValve in the Host element.
10) The shutdown listener in $CATALINA_HOME/conf/server.xml accepts a
plain-text command string on TCP port 8005, bound to the loopback address, and
stops the server. Either disable it completely by setting the port to -1, in
which case the shutdown string is never consulted:
<Server port="-1" shutdown="SHUTDOWN">
or, if you rely on shutdown.sh, keep the port and replace the default command
with a long random value that another local process cannot guess:
<Server port="8005" shutdown="R@Nd0m$10987">
Note: with the port set to -1, shutdown.sh (catalina.sh stop) can no longer
reach Tomcat. Stop the process with SIGTERM instead (kill <pid>), which lets
the JVM run Tomcat's shutdown hook and close connections cleanly; set
CATALINA_PID in bin/setenv.sh so the pid is written to a file, and reserve
kill -9 for a process that does not exit after SIGTERM.
11) In server.xml, make sure the AccessLogValve in the Host element logs the
client IP address rather than a reverse-DNS name, so that log entries cannot
be forged through an attacker-controlled PTR record and no DNS lookup is made
per request:
<Valve className="org.apache.catalina.valves.AccessLogValve" ... resolveHosts="false" />
12) Check $CATALINA_HOME/conf/context.xml and set useHttpOnly="true" on the
Context element if it is not already there. Attribute names are
case-sensitive: usehttponly is not recognised and only produces a warning in
the log. Tomcat 7 defaults this to true, so the explicit setting guards
against it being switched off; it marks the JSESSIONID cookie HttpOnly so
that script cannot read it after an XSS.
<Context useHttpOnly="true">
...
</Context>
13) Configure the HTTPS connector. On the TLS Connector element in server.xml
set the following, together with the port, protocol, keystoreFile and
keystorePass values for your certificate:
SSLEnabled="true"
scheme="https" secure="true" clientAuth="false"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
enableLookups="false"
disableUploadTimeout="true" acceptCount="100"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"
Notes on these values:
* sslEnabledProtocols is what the server will negotiate. Leaving SSLv3 (and
SSLv2) out is what prevents the POODLE attack; older Java 7 releases still
enable SSLv3 by default, so the attribute must be set explicitly. Drop TLSv1
and TLSv1.1 as well once your clients no longer need them.
* The cipher list mixes two families. The TLS_ECDHE_* suites use an ephemeral
key exchange and give forward secrecy; the TLS_ECDH_* suites use a static key
and do not, so a leaked server key decrypts recorded sessions. Which suites can
be negotiated also depends on the certificate: with an ordinary RSA certificate
only the TLS_ECDHE_RSA_* entries are usable, and both the _ECDSA_ suites and the
static TLS_ECDH_* suites need an EC certificate, so the list can be trimmed to
the ECDHE_RSA suites without losing anything. GCM suites need Java 8, and the
AES-256 suites need the JCE Unlimited Strength policy files on Java 7 and on
Java 8 before 8u161; names the JVM does not support are skipped.
* enableLookups="false" stops the reverse DNS lookup Tomcat would otherwise
perform for every request to fill request.getRemoteHost(). The lookup is slow,
and a host name obtained from an attacker-controlled PTR record is exactly the
"DNS spoofing" that logging and authorising on the IP address avoids.
* debug="0" is not a Connector attribute in Tomcat 7 and is ignored;
acceptCount and disableUploadTimeout are tuning values rather than security
settings.
* scheme="https" and secure="true" belong on this connector only (see step 7).
* Client-certificate authentication: set clientAuth="true" (or "want" to make
it optional) and point truststoreFile and truststorePass at a keystore holding
only the CA certificates that are allowed to issue client certificates.
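A sanity check for the protocol and cipher values in step 13, added here as an example rather than taken from the original post: it flags SSLv2/SSLv3 in an sslEnabledProtocols value, flags NULL, EXPORT, RC4, DES, MD5 and anonymous suites in a ciphers value, and lists the suites whose key exchange is static (TLS_ECDH_*, TLS_RSA_*, TLS_DH_*) and therefore gives no forward secrecy. The last function probes a running listener with openssl s_client; it is an assumption about your environment (it needs an openssl build that still accepts -ssl3) and is only run when you call it.

```shell
#!/bin/sh
# tls_connector_lint.sh - check the sslEnabledProtocols and ciphers values
# intended for the Tomcat HTTPS Connector before they go into server.xml.
# Added example, not from the original post.  Uses only POSIX sh, tr, grep, wc.

# split_list VALUE - one item per line, commas, whitespace and blanks removed.
split_list() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t' | grep -v '^$' || true
}

# weak_protocols PROTOCOLS
# Prints SSLv2/SSLv3 entries; returns 1 if any are present (POODLE exposure).
weak_protocols() {
    found=0
    for p in $(split_list "$1"); do
        case "$p" in
            SSLv2|SSLv3) echo "weak protocol: $p"; found=1 ;;
        esac
    done
    return $found
}

# weak_ciphers CIPHERS
# Prints suites with no encryption, export strength, RC4, (3)DES, MD5 or an
# anonymous key exchange.  Empty output means none were found.
weak_ciphers() {
    split_list "$1" | grep -E 'NULL|EXPORT|RC4|DES|MD5|anon' || true
}

# non_pfs_ciphers CIPHERS
# Prints suites whose key exchange is static (ECDH, RSA or DH without the E):
# a leaked server key decrypts recorded sessions for these.  ECDHE/DHE pass.
non_pfs_ciphers() {
    split_list "$1" | grep -E '^(TLS|SSL)_(ECDH|RSA|DH)_' || true
}

# lint_connector PROTOCOLS CIPHERS
# Returns 1 on weak protocols or weak ciphers; non-PFS suites are only noted,
# since they may be harmless filler that the certificate never lets through.
lint_connector() {
    rc=0
    weak_protocols "$1" || rc=1
    w=$(weak_ciphers "$2")
    if [ -n "$w" ]; then
        echo "weak ciphers:"
        echo "$w"
        rc=1
    fi
    n=$(non_pfs_ciphers "$2" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "note: $n suite(s) without forward secrecy (static ECDH/RSA/DH key exchange)"
    fi
    return $rc
}

# probe_sslv3 HOST PORT
# Live check against a running listener: returns 1 if an SSLv3 handshake
# succeeds.  Needs an openssl built with SSLv3 support; newer builds reject
# -ssl3 outright, which this function cannot tell apart from a server refusal.
probe_sslv3() {
    if printf 'Q\n' | openssl s_client -ssl3 -connect "$1:$2" >/dev/null 2>&1; then
        echo "SSLv3 handshake ACCEPTED by $1:$2 - POODLE exposure"
        return 1
    fi
    echo "SSLv3 refused by $1:$2 (or this openssl lacks -ssl3 support)"
}

# Lint values given on the command line: tls_connector_lint.sh PROTOCOLS CIPHERS
if [ "$#" -eq 2 ]; then
    lint_connector "$1" "$2"
fi
```

Run it with the exact strings you intend to paste into the attributes, for example `sh tls_connector_lint.sh "TLSv1,TLSv1.1,TLSv1.2" "$(cat ciphers.txt)"`; against the list in step 13 it reports twelve static TLS_ECDH_* suites and no weak ones, and it exits non-zero as soon as someone adds SSLv3 or an RC4 suite back in.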
14) Default error page for HTTP status codes 404, 403 and 500.
In $CATALINA_HOME/conf/web.xml add the following entries before the closing
</web-app> tag, using the same /error.jsp as in step 9 (it must exist in every
web application). Without them Tomcat's built-in report page answers these
statuses and names the server version:
<error-page>
<error-code>404</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>403</error-code>
<location>/error.jsp</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/error.jsp</location>
</error-page>
15) Make sure the default servlet does not generate directory listings when
no welcome file is present, and leave its readonly parameter at its default of
true so that PUT and DELETE cannot write into the web application. In
$CATALINA_HOME/conf/web.xml:
<servlet>
<servlet-name>default</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value> <!-- make sure this is false -->
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
16) Put a limit on log size. The property below applies to
java.util.logging.FileHandler only; Tomcat's default logging.properties uses
org.apache.juli.FileHandler, which rotates daily and has no size limit, so for
the standard handlers cap disk usage with logrotate or a cleanup job instead.
If you do use java.util.logging.FileHandler, the limit is in bytes and 10000
is far too small for a server log; a few megabytes with a handful of rotated
files is typical:
java.util.logging.FileHandler.limit=10485760
java.util.logging.FileHandler.count=5
17) In the Host element of $CATALINA_HOME/conf/server.xml set autoDeploy to
false and deployOnStartup to false, so that a WAR or directory dropped into
webapps (for example through an account that gained write access there) is
never deployed automatically:
<Host ... autoDeploy="false" deployOnStartup="false">
With both off, nothing in appBase is deployed unless it is declared with a
<Context> element in server.xml, so declare each application there as part of
the deployment procedure.
18) Within $CATALINA_HOME/conf/server.xml, give every connector a
connectionTimeout that is appropriate for your hardware, load and number of
concurrent connections, and keep maxHttpHeaderSize at its default. The shipped
server.xml uses connectionTimeout="20000" (20 seconds); a shorter value frees
the sockets and threads held by slow or idle clients sooner, so raise it only
when legitimate clients need the time. maxHttpHeaderSize is the largest request
header Tomcat will parse, 8 KB by default.
connectionTimeout="60000"
maxHttpHeaderSize="8192"
19) If the application must be reached over SSL/TLS only, enforce it at the
container level in $CATALINA_HOME/conf/web.xml (or the application's own
WEB-INF/web.xml). A <user-data-constraint> only takes effect inside a
<security-constraint> that names the resources it covers:
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
A plain HTTP request for a constrained URL is redirected to the redirectPort
of the connector it arrived on, so if you keep an HTTP connector make sure its
redirectPort points at the TLS connector.
20) In $CATALINA_HOME/conf/context.xml, and in each application's
META-INF/context.xml, set both attributes on the one Context element:
<Context ... allowLinking="false" privileged="false" />
allowLinking="false" (the default) stops Tomcat from following symbolic links
out of the docBase, so a link planted inside a web application cannot serve
arbitrary files from the host; privileged="false" (also the default) keeps the
application from loading container servlets such as the manager servlet.
References: OWASP and other sites on the Web. Make sure to test this configuration in a staging environment first.