5.1 Securing Tomcat

The Bonsai Framework also provides a pre-packaged portable and secured version of Tomcat. This document outlines the hardening steps taken.

Unzip

The steps begin with a tar.gz version of Tomcat from the Apache website and the setup begins in the serveradmin home directory.

sudo serveradmin # log in as the user who will be running the service
tar -xvpf apache-tomcat-6.0.32
mkdir apache
mv ./apache-tomcat-6.0.32/ ./apache/

To make scripts consistent, the BonsaiFramework uses a standard name as described in Portable Tomcat 6.x & Instances.

cd apache
mv apache-tomcat-6.0.32 tomcat.0

Remove Unnecessary Files

Delete sample applications,

cd /opt/apache/tomcat.0/webapps
rm -rf docs examples

We recommend against using the Manager application,

# You should still be in the webapps directory
rm -rf host-manager manager

Remove Unnecessary Ports

By default Tomcat listens to the following ports,

• 8080 - http port for the application server
• 8009 - http port use by mod_jk

In the BonsaiFramework we front Apache in front of Tomcat, as such we do not need 8080. Edit /opt/apache/tomcat.0/conf/server.xml and comment out 8080,

<!--
<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8643" />
-->

Remove Server Information Details

By default Tomcat broadcasts server details to clients through the server.info string stored in catalina.jar. This information could be used by an attacker to determine vulnerabilities.

Temporarily Setup Java Development Kit

To work with catalina.jar, we will use the jre command provided with the Java Development Kit (JDK). Assuming the JDK is not installed on your Ubuntu server refer to the 9.0 Zero Footprint Java on Ubuntu to temporarily setup your JDK directory java in the serveradmin home directory.

Update Property File

export PATH=$PATH:~/java/bin # Temporarily add the JDK execution directory to serveradmin path.
cd ~/apache/tomcat.0/lib
jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties

This will extract the /home/serveradmin/apache/tomcat.0/lib/org/apache/catalina/util/ServerInfo.properties file.

Copy the file to location x, to ensure that you know the version number....

Change ServerInfo.properties to read,

You may change "Private" to some other term that is not related to the server.

Store the update file back into catalina.jar,

cd ~/apache/tomcat.0/lib
jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
rm -rf ./org/ # Clean up unnecessary directory.

Verify Changes

...

Disable Client Facing Stack Traces

When an exception occurs, Tomcat will display debugging information. This information can be used to get insight into the application.

Clear Text Passwords

When configuring resources such as JDBC, Tomcat only supports clear text username and password in server.xml. By default, if untarred per the BonsaiFramework instructions, server.xml will only be readable by serveradmin.

Typical encryption or obfuscation generally do not provide much addition protection. These points and opinions are explained in detail by OSWASP and The Center for Internet Security.

References

http://blogs.mulesoft.org/is-your-tomcat-secure/ - looks like a good lead.

http://www.cisecurity.org/resources-publications/ - Security Benchmark

https://www.owasp.org/index.php/Securing_tomcat/ - OWASP