By default, the Tomcat service has the management backend feature enabled after the installation. Through the management backend feature, you can directly upload war packages to deploy and manage the site. Usually, due to personnel negligence, an empty or weak password may be used for the management backend, allowing hackers or criminals to exploit the vulnerability to directly upload Webshell scripts, compromising the server. The http://iP:8080/manager/html/ is the commonly used Tomcat management backend address.
After a hacker logs on to the Tomcat management backend with the guessed password, he or she can then upload Webshell scripts to break into the server.
This type of vulnerability is a huge risk to the business system, so we recommend that you apply the following security configurations to your Tomcat management backend:
If your business does not require the Tomcat management backend feature, we recommend that you use the Security Group Firewall or directly delete all the manager and host-manager folders under the webapps deployment directory of Tomcat. Then, comment out all the code in the tomcat-users.xml file under the conf directory of Tomcat.
If your business system requires the Tomcat management backend feature for new code release and management, we recommend that you configure a strong password, and modify the default admin user. To configure a strong password, set a password of no fewer than 10 characters comprised of upper case letters, special symbols and numbers.
To enable Tomcat access log, modify the conf/server.xml file to enable the following comment-out codes:
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
After enabling access log, restart the Tomcat service, and then you can see the access log at tomcat_home/logs.
To harden the default account security, modify the tomcat-user.xml file under the conf installation directory, re-set a complex password and save the file.
The new password takes effect after you restart the Tomcat service.
Modify the default port 8080 to any other port in the conf/server.xml file.
Modify the information returned on the Tomcat access error page. To do this, create the corresponding 401.html\404.htm\500.htm files in the webapps\manager directory, and then add the following codes before the last line in the conf/web.xml file:
Follow these steps to prevent listing all the files under a directory when the directory is accessed directly and the default page cannot be found.
- Open the web.xml file.
Delete the docs, examples, manager, ROOT and host-manager folders under the webapps folder.