5.1 Securing Tomcat
The Bonsai Framework also provides a pre-packaged portable and secured version of Tomcat. This document outlines the hardening steps taken.
Unzip
The steps begin with a tar.gz version of Tomcat from the Apache website and the setup begins in the serveradmin home directory.
sudo serveradmin # log in as the user who will be running the service tar -xvpf apache-tomcat-6.0.32 mkdir apache mv ./apache-tomcat-6.0.32/ ./apache/
To make scripts consistent, the BonsaiFramework uses a standard name as described in Portable Tomcat 6.x & Instances.
cd apache mv apache-tomcat-6.0.32 tomcat.0
Remove Unnecessary Files
Delete sample applications,
cd /opt/apache/tomcat.0/webapps rm -rf docs examples
We recommend against using the Manager application,
# You should still be in the webapps directory rm -rf host-manager manager
Per p9 of Center for Internet Security, Security Configuration Benchmark for Apache Tomcat 5.5/6.0 Version 1.0.0.
Remove Unnecessary Ports
By default Tomcat listens to the following ports,
- 8080 - http port for the application server
- 8009 - http port use by mod_jk
In the BonsaiFramework we front Apache in front of Tomcat, as such we do not need 8080. Edit /opt/apache/tomcat.0/conf/server.xml and comment out 8080,
<!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8643" /> -->
Per p11 of Center for Internet Security, Security Configuration Benchmark for Apache Tomcat 5.5/6.0 Version 1.0.0.
Remove Server Information Details
By default Tomcat broadcasts server details to clients through the server.info string stored in catalina.jar. This information could be used by an attacker to determine vulnerabilities.
Temporarily Setup Java Development Kit
To work with catalina.jar, we will use the jre command provided with the Java Development Kit (JDK). Assuming the JDK is not installed on your Ubuntu server refer to the 9.0 Zero Footprint Java on Ubuntu to temporarily setup your JDK directory java in the serveradmin home directory.
Update Property File
export PATH=$PATH:~/java/bin # Temporarily add the JDK execution directory to serveradmin path. cd ~/apache/tomcat.0/lib jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
This will extract the /home/serveradmin/apache/tomcat.0/lib/org/apache/catalina/util/ServerInfo.properties file.
Copy the file to location x, to ensure that you know the version number....
Change ServerInfo.properties to read,
server.info=Private
server.number=Private
server.built=Private
You may change "Private" to some other term that is not related to the server.
I have thought about leaving the values blank as any kind of return might give an indication of the type of server being used. However, there may be some repercussions if code or Tomcat itself relies on some kind of value being provided and there is no check for null.
Store the update file back into catalina.jar,
cd ~/apache/tomcat.0/lib jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties rm -rf ./org/ # Clean up unnecessary directory.
Verify Changes
...
Disable Client Facing Stack Traces
When an exception occurs, Tomcat will display debugging information. This information can be used to get insight into the application.
You should use this feature only in Production environments. In testing environments this is very useful to the developers, otherwise you will need to grant them access to the Tomcat logs. Ensure that your your development and support teams are aware of this variance in Production.
Clear Text Passwords
When configuring resources such as JDBC, Tomcat only supports clear text username and password in server.xml. By default, if untarred per the BonsaiFramework instructions, server.xml will only be readable by serveradmin.
Typical encryption or obfuscation generally do not provide much addition protection. These points and opinions are explained in detail by OSWASP and The Center for Internet Security.
I actually can think of a solution that uses the system's own hardware and a password to bind the encrypted value to the system.
References
http://blogs.mulesoft.org/is-your-tomcat-secure/ - looks like a good lead.
http://www.cisecurity.org/resources-publications/ - Security Benchmark