This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Securing tomcat"
From OWASP
| Line 16: | Line 16: | ||
* Create a tomcat user/group | * Create a tomcat user/group | ||
| − | * Download and unpack the core distribution (referenced as ''' | + | * Download and unpack the core distribution (referenced as '''CATALINA_HOME''' from now on) |
| − | * Change ''' | + | * Change '''CATALINA_HOME''' ownership to tomcat user and tomcat group |
| − | * Change files in ''' | + | * Change files in '''CATALINA_HOME'''/conf to be readonly |
| − | * Make sure tomcat user has read/write access to /tmp and write (yes, only write) access to ''' | + | * Make sure tomcat user has read/write access to /tmp and write (yes, only write) access to '''CATALINA_HOME'''/log |
| − | * Change the default HTTP port to something other than 8080, by editing the Connector port attribute within the Catalina Service (''' | + | * Change the default HTTP port to something other than 8080, by editing the Connector port attribute within the Catalina Service ('''CATALINA_HOME'''/conf/server.xml). This ensures less scripted attacks on your server, but in no way helps protect you from vulnerabilities. |
=== Windows === | === Windows === | ||
| Line 27: | Line 27: | ||
* Start the installation, click ''Next'' and ''Agree'' to the licence | * Start the installation, click ''Next'' and ''Agree'' to the licence | ||
* Untick ''native'', ''documentation'', ''examples'' and ''webapps'' then click ''Next'' | * Untick ''native'', ''documentation'', ''examples'' and ''webapps'' then click ''Next'' | ||
| − | * Choose an installation directory (referenced as ''' | + | * Choose an installation directory (referenced as '''CATALINA_HOME''' from now on), preferably on a different drive to the OS. |
| − | |||
* Change the default HTTP port to something other than 8080. This ensures less scripted attacks on your server, but in no way helps protect you from vulnerabilities. | * Change the default HTTP port to something other than 8080. This ensures less scripted attacks on your server, but in no way helps protect you from vulnerabilities. | ||
| − | |||
* Choose an administrator username (NOT admin) and a secure password that complies with your organisations password policy. | * Choose an administrator username (NOT admin) and a secure password that complies with your organisations password policy. | ||
* Complete tomcat installation, but do not start service. | * Complete tomcat installation, but do not start service. | ||
| Line 37: | Line 35: | ||
=== Common === | === Common === | ||
| − | * Remove everything from ''' | + | * Remove everything from '''CATALINA_HOME'''/webapps (ROOT, balancer, jsp-examples, servlet-examples, tomcat-docs, webdav) |
| − | * Remove everything from ''' | + | * Remove everything from '''CATALINA_HOME'''/server/webapps (host-manager, manager) |
* Replace default HTTP error pages (i.e. 404) ''can we specify a container wide location?'' | * Replace default HTTP error pages (i.e. 404) ''can we specify a container wide location?'' | ||
<error-page> | <error-page> | ||
| Line 49: | Line 47: | ||
<location>/error.jsp</location> | <location>/error.jsp</location> | ||
</error-page> | </error-page> | ||
| − | * Consider replacing ''' | + | * Consider replacing '''CATALINA_HOME'''/conf/server.xml with '''CATALINA_HOME'''/conf/server-minimal.xml - ''work out what we lose'' |
* ''is it easy to remove the version string from the server HTTP header (Apache-Coyote/1.1) ?'' | * ''is it easy to remove the version string from the server HTTP header (Apache-Coyote/1.1) ?'' | ||
| − | * Start Tomcat, deploy your applications into ''' | + | * Start Tomcat, deploy your applications into '''CATALINA_HOME'''/webapps and hope it works! |
| − | |||
| − | |||
| − | |||
| − | |||
== Logging == | == Logging == | ||
| − | * Audit trails | + | * TODO: Audit trails |
== User Input == | == User Input == | ||
| Line 73: | Line 67: | ||
* SSL for password or other sensitive data exchange (''bordering on application security, not specific to tomcat'') | * SSL for password or other sensitive data exchange (''bordering on application security, not specific to tomcat'') | ||
* SSL for connections (JDBC, LDAP, etc ..) | * SSL for connections (JDBC, LDAP, etc ..) | ||
| + | * The Tomcat documentation clearly explains how to [http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html enable SSL.] | ||
== Java Security == | == Java Security == | ||
=== Running Tomcat with a Security Manager=== | === Running Tomcat with a Security Manager=== | ||
| − | + | The default Tomcat configuration provides good protection for most requirements, but does not prevent a malicious application from compromising the security of other applications running in the same instance. To prevent this sort of attack, Tomcat can be run with a Security Manager enabled which strictly controls access to server resources. | |
| − | + | Tomcat documentation has a good section on [http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html enabling the Security Manager.] | |
| − | |||
| − | === | + | == Miscellaneous == |
| − | |||
| − | + | * TODO: Storing cleartext passwords in configuration files (article to add) | |
| − | + | [[Category:OWASP Java Project]] | |
Revision as of 08:33, 16 October 2006
Introduction
Most weaknesses in Apache Tomcat come from incorrect or inappropiate configuration. It is nearly always possible to make Tomcat more secure than the default out of the box installation. What follows documents best practices and recommendations on securing a production Tomcat server, whether it be hosted on a Windows or Unix based operating system. Please note that the section ordering is not a representation of the section importance.
Software Versions
The first step is to make sure you are running the latest stable releases of software;
- Java Runtime Environment (JRE) or SDK
- Tomcat
- Third party libraries
This does not mean you have to upgrade all your production servers to a new (and potentially buggy) release which has just been made available to the public. What you must do is download the latest stable bugfix release that has continual support. For the JRE and Tomcat you should be looking at the last digits in the version number (5.5.X) as it represents the bugfix information. The bugs fixed in these releases are publicly available so if you don't upgrade you could be providing attackers with a very easy route to compromise your server.
Installation of Apache Tomcat 5.5
UNIX
- Create a tomcat user/group
- Download and unpack the core distribution (referenced as CATALINA_HOME from now on)
- Change CATALINA_HOME ownership to tomcat user and tomcat group
- Change files in CATALINA_HOME/conf to be readonly
- Make sure tomcat user has read/write access to /tmp and write (yes, only write) access to CATALINA_HOME/log
- Change the default HTTP port to something other than 8080, by editing the Connector port attribute within the Catalina Service (CATALINA_HOME/conf/server.xml). This ensures less scripted attacks on your server, but in no way helps protect you from vulnerabilities.
Windows
- Download the core windows service installer
- Start the installation, click Next and Agree to the licence
- Untick native, documentation, examples and webapps then click Next
- Choose an installation directory (referenced as CATALINA_HOME from now on), preferably on a different drive to the OS.
- Change the default HTTP port to something other than 8080. This ensures less scripted attacks on your server, but in no way helps protect you from vulnerabilities.
- Choose an administrator username (NOT admin) and a secure password that complies with your organisations password policy.
- Complete tomcat installation, but do not start service.
- TODO: filesystem security
Common
- Remove everything from CATALINA_HOME/webapps (ROOT, balancer, jsp-examples, servlet-examples, tomcat-docs, webdav)
- Remove everything from CATALINA_HOME/server/webapps (host-manager, manager)
- Replace default HTTP error pages (i.e. 404) can we specify a container wide location?
<error-page> <error-code>404</error-code> <location>/404.jsp</location> </error-page>
- Replace default error page (default is stacktrace) can we specify a container wide location?
<error-page> <exception-type>java.lang.Exception</exception-type> <location>/error.jsp</location> </error-page>
- Consider replacing CATALINA_HOME/conf/server.xml with CATALINA_HOME/conf/server-minimal.xml - work out what we lose
- is it easy to remove the version string from the server HTTP header (Apache-Coyote/1.1) ?
- Start Tomcat, deploy your applications into CATALINA_HOME/webapps and hope it works!
Logging
- TODO: Audit trails
User Input
User data, whether it be HTTP headers or parameters, should '"never"' be trusted. It is usually the responsibility of the application to validate data, but it is important that one poorly written application doesn't compromise Tomcat as a whole.
- global filters
- global error pages (see above)
- permission lockdown (see below)
Encryption
- SSL for password or other sensitive data exchange (bordering on application security, not specific to tomcat)
- SSL for connections (JDBC, LDAP, etc ..)
- The Tomcat documentation clearly explains how to enable SSL.
Java Security
Running Tomcat with a Security Manager
The default Tomcat configuration provides good protection for most requirements, but does not prevent a malicious application from compromising the security of other applications running in the same instance. To prevent this sort of attack, Tomcat can be run with a Security Manager enabled which strictly controls access to server resources. Tomcat documentation has a good section on enabling the Security Manager.
Miscellaneous
- TODO: Storing cleartext passwords in configuration files (article to add)
