
Harden Tomcat service security

Last Updated: Oct 17, 2017

A default Tomcat installation ships with the management web application (the manager backend) deployed under webapps. Through it, an authenticated user can upload WAR packages to deploy and manage sites. No manager account exists until one is added to conf/tomcat-users.xml, but administrators frequently add one with an empty or weak password, which lets an attacker log on and upload a webshell that compromises the server. The usual address of the Tomcat manager backend is http://IP:8080/manager/html/.

Once an attacker has guessed the password and logged on to the manager backend, they can upload a WAR package containing a webshell (for example a JSP page that executes operating-system commands) and take control of the server.

Resolution

This weakness exposes the whole business system to compromise, so we recommend that you apply the following security configurations to the Tomcat manager backend:

1. Network access control

  • If your business does not require the manager backend, restrict access to it with the security group firewall or, better, delete the manager and host-manager folders under Tomcat's webapps deployment directory outright. Then comment out or remove every <role> and <user> element in the tomcat-users.xml file under Tomcat's conf directory, so that no account can reach the backend even if it is redeployed.

  • If your business needs the manager backend for code release and management, configure a strong password and do not use an obvious account name such as admin or tomcat. A strong password has at least 10 characters and mixes upper and lower case letters, digits and special symbols. Grant the account only the role it needs (manager-gui for the HTML interface, manager-script for scripted deployment) rather than every manager role.

2. Enable Tomcat access log

To enable the Tomcat access log, edit conf/server.xml and make sure the following Valve is present, and not commented out, inside the <Host> element (recent Tomcat versions ship with it already active; older versions ship it commented out):

  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
         prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>

pattern="common" writes one Common Log Format line per request (client IP, user, timestamp, request line, status code, bytes), which is enough to see logon attempts against /manager/html and WAR uploads; resolveHosts="false" records the client IP address instead of a reverse-DNS name. After enabling the access log, restart the Tomcat service; the log files then appear under tomcat_home/logs.
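As an added example (not code from the original article), the following Python script parses the Common Log Format lines produced by pattern="common" and flags the attack path described above: repeated 401/403 responses from one client against /manager or /host-manager (password guessing), a successful upload through the manager's deploy endpoints, and a request from that same client to a context path nobody had requested before the deploy (the freshly dropped webshell). The log lines are constructed samples and the threshold of five failures is an arbitrary assumption; the endpoint paths /manager/html/upload and /manager/text/deploy are Tomcat's real deploy URLs.

```python
"""Flag manager-backend abuse in a Tomcat access log (added example, not from the article)."""
import re
from collections import Counter

# One Common Log Format line as written by AccessLogValve pattern="common":
#   %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Manager endpoints through which a WAR can be deployed (HTML form and text API).
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")

# Constructed sample log (not real traffic): password guessing, a successful logon,
# a WAR upload, then a request to the newly deployed context (the webshell).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Oct/2017:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.7 - - [17/Oct/2017:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.7 - - [17/Oct/2017:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.7 - - [17/Oct/2017:10:00:04 +0000] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.7 - - [17/Oct/2017:10:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2536
203.0.113.7 - tomcat [17/Oct/2017:10:00:06 +0000] "GET /manager/html HTTP/1.1" 200 19463
203.0.113.7 - tomcat [17/Oct/2017:10:00:09 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=AB12 HTTP/1.1" 302 -
203.0.113.7 - - [17/Oct/2017:10:00:15 +0000] "POST /shell/cmd.jsp HTTP/1.1" 200 512
198.51.100.9 - - [17/Oct/2017:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 11156
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def context_of(path):
    """First path segment, i.e. the web application the request lands in.
    A file name at the top level (/index.html) belongs to the ROOT context."""
    parts = path.split("/")
    if len(parts) < 2 or parts[1] == "" or "." in parts[1]:
        return "/"
    return "/" + parts[1]


def analyse(log_text, auth_fail_threshold=5):
    """Scan the log once and return (kind, client, detail) findings in log order."""
    failures = Counter()       # client -> 401/403 responses on the manager apps
    deployers = set()          # clients that completed a WAR upload/deploy
    seen_contexts = set()      # contexts requested so far in the log
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        host, path, status = rec["host"], rec["path"], rec["status"]
        context = context_of(path)
        if context in ("/manager", "/host-manager"):
            if status in (401, 403):
                failures[host] += 1
                if failures[host] == auth_fail_threshold:  # report once per client
                    findings.append(("auth_failures", host, context))
            elif status < 400 and path.startswith(DEPLOY_PATHS):
                deployers.add(host)
                findings.append(("deploy", host, rec["user"]))
        elif host in deployers and context not in seen_contexts:
            # A deployer touching a context nobody requested before: likely the webshell.
            findings.append(("new_context_after_deploy", host, path))
        seen_contexts.add(context)
    return findings


if __name__ == "__main__":
    for kind, client, detail in analyse(SAMPLE_LOG):
        print(f"{kind:25} {client:15} {detail}")
```

Run it against tomcat_home/logs/localhost_access_log.*.txt instead of SAMPLE_LOG to check a real server; a "deploy" finding for a client that also produced an "auth_failures" finding minutes earlier is the signature of the weak-password compromise this article warns about.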

3. Tomcat default account security

To harden account security, edit the tomcat-users.xml file under the conf directory of the installation, set a complex password for every user that holds a manager or admin role, remove any user you do not need, and save the file.

The new passwords take effect after you restart the Tomcat service.

4. Modify the default access port

In conf/server.xml, change the port attribute of the HTTP Connector (<Connector port="8080" protocol="HTTP/1.1" .../>) from the default 8080 to another port, then restart Tomcat. This only defeats the most casual scanning, so use it together with the access control above, not instead of it.

5. Redirect error page

Replace the default Tomcat error pages, which disclose the Tomcat version, with your own. Create 401.htm, 404.htm and 500.htm files in the root of each web application (for example webapps/ROOT), because the <location> in an error-page mapping is resolved relative to that application, and add the following before the closing </web-app> tag of conf/web.xml:

  <error-page>
    <error-code>401</error-code>
    <location>/401.htm</location>
  </error-page>
  <error-page>
    <error-code>404</error-code>
    <location>/404.htm</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/500.htm</location>
  </error-page>

6. Disable listing directory

Follow these steps to prevent Tomcat from listing all the files in a directory when the directory is requested directly and no welcome page is found.

  1. Open the conf/web.xml file and find the DefaultServlet definition (servlet-name default).
  2. Make sure its init-param named listings has <param-value>false</param-value>; if the value is true, change it to false. Recent Tomcat versions ship with false, so this step is a verification.

7. Delete documentation and sample programs

Delete the docs, examples, manager, ROOT and host-manager folders under the webapps folder. They are the sample and administrative applications shipped with Tomcat and are not needed by a production site; keep manager only if you decided in step 1 that your business requires it.
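As an added example (not code from the original article), the following Python script audits an installation for the items in steps 1 to 4, 6 and 7: manager accounts with obvious names or weak passwords in conf/tomcat-users.xml, listings=true in conf/web.xml, a Connector still on port 8080 and a missing AccessLogValve in conf/server.xml, and the default applications still present under webapps. The manager role names are Tomcat's own; the list of obvious user names, the requirement for lower-case letters on top of the article's password policy, and the sample configuration files are assumptions constructed for the example.

```python
"""Audit a Tomcat installation for this article's hardening items (added example, not from the article)."""
import os
import re
import xml.etree.ElementTree as ET

MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                 "admin-gui", "admin-script"}           # Tomcat's manager/host-manager roles
OBVIOUS_USERNAMES = {"admin", "administrator", "tomcat", "manager", "root"}  # assumed list
REMOVABLE_WEBAPPS = {"docs", "examples", "manager", "host-manager", "ROOT"}

# Constructed sample files resembling an unhardened installation (not real configs).
SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="deploy_ops" password="Xk9#qv2Lm!7r" roles="manager-script"/>
  <user username="bob" password="bob" roles="webuser"/>
</tomcat-users>
"""
SAMPLE_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>
"""
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <!-- <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="common"/> -->
      </Host>
    </Engine>
  </Service>
</Server>
"""


def _local(tag):
    """Drop the XML namespace so files with and without xmlns are handled alike."""
    return tag.rsplit("}", 1)[-1]


def _elements(root, name):
    return [el for el in root.iter() if _local(el.tag) == name]


def is_strong_password(pw):
    """Article policy (>= 10 chars, upper case, digits, symbols) plus lower case (assumed).
    Applies to plaintext entries only; digested passwords would need a different check."""
    return (len(pw) >= 10
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def audit_tomcat_users(xml_text):
    """Flag manager/admin accounts with obvious names or weak or empty passwords."""
    findings = []
    for user in _elements(ET.fromstring(xml_text), "user"):
        name = user.get("username") or user.get("name") or ""
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        if not roles & MANAGER_ROLES:
            continue  # cannot reach the manager backend: out of scope here
        if name.lower() in OBVIOUS_USERNAMES:
            findings.append(f"tomcat-users.xml: manager user has an obvious name '{name}'")
        if not is_strong_password(user.get("password", "")):
            findings.append(f"tomcat-users.xml: manager user '{name}' has a weak or empty password")
    return findings


def audit_web_xml(xml_text):
    """Flag DefaultServlet directory listings."""
    findings = []
    for param in _elements(ET.fromstring(xml_text), "init-param"):
        name = next((n.text or "" for n in _elements(param, "param-name")), "").strip()
        value = next((v.text or "" for v in _elements(param, "param-value")), "").strip()
        if name == "listings" and value.lower() == "true":
            findings.append("conf/web.xml: DefaultServlet listings=true (directory listing enabled)")
    return findings


def audit_server_xml(xml_text):
    """Flag the default HTTP port and a missing access log (XML comments are not parsed)."""
    root = ET.fromstring(xml_text)
    findings = [f"conf/server.xml: Connector still listens on the default port 8080"
                for c in _elements(root, "Connector") if c.get("port") == "8080"]
    if not any(v.get("className", "").endswith("AccessLogValve") for v in _elements(root, "Valve")):
        findings.append("conf/server.xml: no AccessLogValve configured (access log disabled)")
    return findings


def audit_webapps(app_names):
    """Flag the sample and administrative applications shipped with Tomcat."""
    return [f"webapps/{name}: default application still deployed"
            for name in sorted(REMOVABLE_WEBAPPS & set(app_names))]


def audit(catalina_home):
    """Run every check against a real installation directory."""
    def read(*parts):
        with open(os.path.join(catalina_home, *parts), encoding="utf-8") as fh:
            return fh.read()
    return (audit_tomcat_users(read("conf", "tomcat-users.xml"))
            + audit_web_xml(read("conf", "web.xml"))
            + audit_server_xml(read("conf", "server.xml"))
            + audit_webapps(os.listdir(os.path.join(catalina_home, "webapps"))))


if __name__ == "__main__":  # no path given: report on the constructed samples
    report = (audit_tomcat_users(SAMPLE_TOMCAT_USERS) + audit_web_xml(SAMPLE_WEB_XML)
              + audit_server_xml(SAMPLE_SERVER_XML)
              + audit_webapps(["docs", "examples", "manager", "host-manager", "ROOT", "shop"]))
    print("\n".join(report) or "no findings")
```

Call audit("/path/to/tomcat") to check a live installation; an empty list means every item in this article is in place. Because the XML parser drops comments, a Valve that is merely commented out (as in the sample server.xml) is correctly reported as absent.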
