Although Apache Tomcat's security has improved significantly over the years, this does not mean that it cannot be improved further. Apache Tomcat is a free, open source Java application server that offers a great deal of functionality out of the box. In this article, cyber security course experts walk through various ways to secure an Apache Tomcat server.
The methods discussed in this article are best suited to a production environment; during development you may or may not need them.
1 – Remove information about the server
An easy way to improve Apache Tomcat server security is to remove the server banner from the HTTP response. If the banner is exposed, it can reveal the version of Tomcat that you use, which makes it easier for an attacker to fingerprint the server and look up known exploits for that version.
In recent versions of Tomcat (Tomcat 8 and above), the server banner is disabled by default, as cyber security course experts note.
However, if you are using an older version of Tomcat, you may have to do it manually. Edit the server.xml file in the conf directory of the Tomcat installation and find the Connector block, then delete the server attribute:
Before:
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           server="<value>"
           redirectPort="8443" />
After:
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
Save the file and restart the Apache Tomcat service.
2 – Do not run Tomcat with Root user privileges
Never run Tomcat as a privileged user. Running it as a dedicated, unprivileged account limits the damage to the server if the Tomcat service is compromised.
Create a user to run the Tomcat service (the nologin shell prevents interactive logins as that account):
sudo useradd -m -U -d /home/tomcat -s "$(which false)" tomcat
Finally, give the newly created tomcat user ownership of its home directory:
sudo chown -R tomcat:tomcat /home/tomcat
3 – Remove unwanted applications
Apache Tomcat ships with a set of default web applications. The best risk mitigation measure is to remove them from the webapps directory, explains the cyber security course expert.
You can delete applications such as:
- ROOT – the default Tomcat landing page
- docs – the Tomcat documentation
- examples – the example servlets and JSPs
4 – Turn on SSL / TLS
SSL/TLS allows data to be transferred between the server and the client over HTTPS. To enable TLS in Tomcat, and thereby increase security, edit the server.xml file and set the SSLEnabled attribute on the Connector as follows:
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           SSLEnabled="true" scheme="https" keystoreFile="conf/key.jks"
           keystorePass="password" clientAuth="false" sslProtocol="TLS"
           redirectPort="8443" />
The entry above assumes that you already have a keystore containing an SSL/TLS certificate.
5 – Use Security Manager
According to cyber security experts, a good practice is to run the Apache Tomcat server with a security manager enabled. This restricts what untrusted code deployed on the server can do, in the same way that a browser's security manager prevents unverified applets from running outside their sandbox.
To do this, use the catalina startup script with the -security flag:
./startup.sh -security
Below is an example of the output:
Using CATALINA_BASE: /home/debian/apache-tomcat-10.0.10
Using CATALINA_HOME: /home/debian/apache-tomcat-10.0.10
Using CATAL...
6 – Add the Secure and HttpOnly flags
Threat actors can also manipulate the cookies and sessions of deployed applications, for example by reading a session cookie from JavaScript or by capturing it over plain HTTP.
To resolve this, edit the web.xml file and add the following cookie-config entries to the session-config block:
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
7 – Change Tomcat shutdown procedure
Another way to protect Tomcat is to change the shutdown procedure.
This helps prevent intruders from shutting down the Tomcat service.
By default, Tomcat can be shut down by connecting to port 8005 with telnet and sending the shutdown command:
$ telnet localhost 8005
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
shutdown
Connection closed by foreign host.
To fix this, edit the server.xml file and remove the following line:
<Server port="8005" shutdown="SHUTDOWN">
If you want to keep the shutdown command, change the default port and command instead.
For instance:
<Server port="5800" shutdown="KILLME">
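The settings from sections 1, 4, 6 and 7 are easy to regress during a later edit, so it is worth checking them mechanically. The following audit script is an added example (not part of the original article): it parses constructed server.xml and web.xml fragments that still carry the weak settings and reports each one; the sample file contents and the finding messages are my own, and a shutdown port of -1 is treated as disabled because that is Tomcat's documented way of switching the shutdown port off.

```python
import xml.etree.ElementTree as ET

# Constructed sample files (not taken from a real deployment) that still
# carry the weak settings the article tells you to change.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               server="Apache Tomcat/X.Y" redirectPort="8443"/>
  </Service>
</Server>"""

WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <session-config>
    <cookie-config><http-only>true</http-only></cookie-config>
  </session-config>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so web.xml elements can be matched by name."""
    return tag.rsplit("}", 1)[-1]


def audit_server_xml(text):
    """Return findings for the server banner, TLS and shutdown-port checks."""
    findings = []
    root = ET.fromstring(text)
    # Section 7: the defaults are public knowledge; -1 disables the port entirely.
    if root.get("port") == "8005" or root.get("shutdown") == "SHUTDOWN":
        findings.append("shutdown port/command still at defaults 8005/SHUTDOWN")
    connectors = list(root.iter("Connector"))
    for c in connectors:
        # Section 1: an explicit server attribute announces the Tomcat version.
        if c.get("server"):
            findings.append(f"Connector {c.get('port')} sends server banner {c.get('server')!r}")
    # Section 4: at least one Connector should terminate TLS.
    if not any(c.get("SSLEnabled") == "true" for c in connectors):
        findings.append("no SSLEnabled Connector configured")
    return findings


def audit_web_xml(text):
    """Return findings for the Secure and HttpOnly cookie flags (section 6)."""
    root = ET.fromstring(text)
    flags = {_local(e.tag): (e.text or "").strip() for e in root.iter()
             if _local(e.tag) in ("http-only", "secure")}
    return [f"session cookie flag {name} not set to true"
            for name in ("http-only", "secure") if flags.get(name) != "true"]


if __name__ == "__main__":
    for finding in audit_server_xml(SERVER_XML) + audit_web_xml(WEB_XML):
        print("WARN:", finding)
```

Run it against the real conf/server.xml and conf/web.xml (or each application's WEB-INF/web.xml) by reading the file contents into the two functions; an empty list from both means the settings in this article are in place.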
Conclusion
This article described some of the essential settings you can apply to Apache Tomcat to secure your servers. Please note that the methods discussed are only some of the many measures for protecting Apache Tomcat servers that are taught during cyber security courses.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as a cyber security investigator. He has also worked for several security companies. His everyday job includes researching new cyber security incidents. He also has deep knowledge of enterprise security implementation.