Difference between revisions of "Talk:Securing tomcat"

From OWASP
(Running Tomcat with a Security Manager)
(39 intermediate revisions by 9 users not shown)

Older revision (the left-hand side of the diff). The newer revision, as of 6 October 2011, is rendered in full below.

== Introduction ==

Most weaknesses in [http://tomcat.apache.org/ Apache Tomcat] come from incorrect or inappropriate configuration. It is nearly always possible to make Tomcat more secure than the default out-of-the-box installation. What follows documents best practices and recommendations on securing a production Tomcat server, whether it is hosted on a Windows or Unix based operating system. ''Please note that the section ordering is not a representation of the section importance.''

== Software Versions ==

The first step is to make sure you are running the latest stable releases of software:

* Java Runtime Environment (JRE) or SDK
* Tomcat
* Third party libraries

This does not mean you have to upgrade all your production servers to a new (and potentially buggy) release which has just been made available to the public. What you must do is download the latest stable bugfix release that has continual support. For the JRE and Tomcat you should be looking at the last digits in the version number (5.5.'''X'''), as they represent the bugfix level. The bugs fixed in these releases are publicly available, so if you don't upgrade you could be providing attackers with a very easy route to compromise your server.

== Installation of Apache Tomcat 5.5 ==

=== UNIX ===

* Create a tomcat user/group
* Download and unpack the core distribution (referenced as '''TOMCAT_DIR''' from now on)
* Change '''TOMCAT_DIR''' ownership to tomcat user and tomcat group
* Change files in '''TOMCAT_DIR'''/conf to be readonly
* Make sure tomcat user has read/write access to /tmp and write (yes, only write) access to '''TOMCAT_DIR'''/log
* Change the default HTTP port to something other than 8080, by editing the Connector port attribute within the Catalina Service ('''TOMCAT_DIR'''/conf/server.xml). This reduces scripted attacks on your server, but in no way helps protect you from vulnerabilities.

=== Windows ===

* Download the core windows service installer
* Start the installation, click ''Next'' and ''Agree'' to the licence
* Untick ''native'', ''documentation'', ''examples'' and ''webapps'' then click ''Next''
* Choose an installation directory (referenced as '''TOMCAT_DIR''' from now on), preferably on a different drive to the OS. ''do we get many advantages separating application and webapps?''
- it could prevent path traversal under windows, but not unix. Separating apps from OS is common good practice anyway. [[User:Stephendv|Stephendv]] 02:32, 9 October 2006 (EDT)
* Change the default HTTP port to something other than 8080. This reduces scripted attacks on your server, but in no way helps protect you from vulnerabilities.
- As you say, there's probably not any real benefit to recommending this. [[User:Stephendv|Stephendv]] 02:32, 9 October 2006 (EDT)
* Choose an administrator username (NOT admin) and a secure password that complies with your organisation's password policy.
* Complete tomcat installation, but do not start service.
* TODO: ''filesystem security''

=== Common ===

* Remove everything from '''TOMCAT_DIR'''/webapps (ROOT, balancer, jsp-examples, servlet-examples, tomcat-docs, webdav)
* Remove everything from '''TOMCAT_DIR'''/server/webapps (host-manager, manager)
* Replace default HTTP error pages (e.g. 404) ''can we specify a container wide location?''
  <error-page>
    <error-code>404</error-code>
    <location>/404.jsp</location>
  </error-page>
* Replace default error page (default is stacktrace) ''can we specify a container wide location?''
  <error-page>
    <exception-type>java.lang.Exception</exception-type>
    <location>/error.jsp</location>
  </error-page>
* Consider replacing '''TOMCAT_DIR'''/conf/server.xml with '''TOMCAT_DIR'''/conf/server-minimal.xml - ''work out what we lose''
* ''is it easy to remove the version string from the server HTTP header (Apache-Coyote/1.1) ?''
* Start Tomcat, deploy your applications into '''TOMCAT_DIR'''/webapps and hope it works!

== Network Security ==

Generic advice common to all server security (link).

== Logging ==

* Audit trails

== User Input ==

User data, whether it be HTTP headers or parameters, should '''never''' be trusted. It is usually the responsibility of the application to validate data, but it is important that one poorly written application doesn't compromise Tomcat as a whole.

* global filters
* global error pages (see above)
* permission lockdown (see below)

== Encryption ==

* SSL for password or other sensitive data exchange (''bordering on application security, not specific to tomcat'')
* SSL for connections (JDBC, LDAP, etc.)

== Java Security ==

=== Running Tomcat with a Security Manager ===

[[User:Stephendv|Stephendv]] 04:56, 9 October 2006 (EDT)

* The default Tomcat configuration provides good protection for most requirements. Edit $CATALINA_HOME/conf/catalina.policy to define a custom policy.
* Start Tomcat with the ''-security'' option to enable the security manager. Optionally edit the startup scripts to ensure that Tomcat is always started with the security manager.

=== Locking down web application permissions ===

* ...

== Miscellaneous ==

* Storing cleartext passwords in configuration files (article to add)

Revision as of 08:49, 6 October 2011


InvokerServlet

There needs to be an addendum in here about disabling the InvokerServlet. See my blog entry at http://yet-another-dev.blogspot.com/2009/12/this-post-is-especially-for-anyone.html for details about why this is a bad idea. --Chris Schmidt 22:03, 17 December 2009 (UTC)
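
The older revision's UNIX and Common steps (read-only files in conf/, the default web applications removed) and the invoker servlet point raised in this post can all be checked mechanically against an installation tree. What follows is an added example, not code from the OWASP page, from Chris Schmidt or from the Tomcat project: it lays out a constructed Tomcat 5.5-style tree in a scratch directory, once as shipped and once with those steps applied, and audits both. Only mode bits, directory names and conf/web.xml are inspected, so it runs as any user; the chown step is not covered.

```python
"""Audit a Tomcat 5.5-style installation tree for the points raised on this page:
read-only conf/ files, removal of the default web applications, and no active
invoker servlet mapping in conf/web.xml.  Added example; it is not code from the
OWASP page or from the Tomcat project, and the sample tree it builds is constructed."""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Default applications the older revision says to remove (5.5 layout).
DEFAULT_WEBAPPS = {"ROOT", "balancer", "jsp-examples", "servlet-examples", "tomcat-docs", "webdav"}
DEFAULT_SERVER_WEBAPPS = {"host-manager", "manager"}

# Skeleton of a conf/web.xml in the 5.5 style (namespace included so the check
# below has to handle it); %s is where the invoker servlet-mapping goes.
WEB_XML_TEMPLATE = """<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  %s
</web-app>
"""
INVOKER_MAPPING = ("<servlet-mapping><servlet-name>invoker</servlet-name>"
                   "<url-pattern>/servlet/*</url-pattern></servlet-mapping>")


def local_name(tag):
    """Strip the XML namespace ElementTree prefixes onto tag names."""
    return tag.rsplit("}", 1)[-1]


def invoker_mapped(web_xml_path):
    """True if an uncommented servlet-mapping points at the invoker servlet.
    Commented-out mappings (the shipped default) are invisible to the parser."""
    root = ET.parse(web_xml_path).getroot()
    for elem in root.iter():
        if local_name(elem.tag) != "servlet-mapping":
            continue
        names = [c.text.strip() for c in elem if local_name(c.tag) == "servlet-name" and c.text]
        if "invoker" in names:
            return True
    return False


def audit_install(catalina_home):
    """Return a list of human-readable findings; an empty list means the tree passes."""
    findings = []
    conf = os.path.join(catalina_home, "conf")
    for entry in sorted(os.listdir(conf)):
        path = os.path.join(conf, entry)
        if os.path.isfile(path) and os.stat(path).st_mode & 0o222:
            findings.append("conf/%s is writable; the page asks for read-only conf files" % entry)
    web_xml = os.path.join(conf, "web.xml")
    if os.path.isfile(web_xml) and invoker_mapped(web_xml):
        findings.append("conf/web.xml has an active servlet-mapping for the invoker servlet")
    for sub, defaults in (("webapps", DEFAULT_WEBAPPS),
                          (os.path.join("server", "webapps"), DEFAULT_SERVER_WEBAPPS)):
        app_dir = os.path.join(catalina_home, sub)
        if not os.path.isdir(app_dir):
            continue
        present = {e[:-4] if e.endswith(".war") else e for e in os.listdir(app_dir)}
        for app in sorted(present & defaults):
            findings.append("%s/%s is a default application and should be removed" % (sub, app))
    return findings


def build_sample_install(root, hardened):
    """Lay out a constructed 5.5-style tree: as shipped, or with the page's steps applied."""
    conf = os.path.join(root, "conf")
    os.makedirs(conf)
    with open(os.path.join(conf, "server.xml"), "w") as fh:
        fh.write('<Server port="8005" shutdown="SHUTDOWN"/>\n')
    mapping = "<!-- %s -->" % INVOKER_MAPPING if hardened else INVOKER_MAPPING
    with open(os.path.join(conf, "web.xml"), "w") as fh:
        fh.write(WEB_XML_TEMPLATE % mapping)
    if not hardened:
        for sub, names in (("webapps", ["ROOT", "jsp-examples"]),
                           (os.path.join("server", "webapps"), ["manager"])):
            for name in names:
                os.makedirs(os.path.join(root, sub, name))
    else:
        for entry in os.listdir(conf):                       # chmod 440 on conf files
            os.chmod(os.path.join(conf, entry), stat.S_IRUSR | stat.S_IRGRP)
    return root


def demo():
    """Audit an as-shipped tree and a hardened one; returns both finding lists."""
    results = {}
    for label, hardened in (("default", False), ("hardened", True)):
        root = build_sample_install(tempfile.mkdtemp(prefix="tomcat_"), hardened)
        results[label] = audit_install(root)
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print("%s: %d finding(s)" % (label, len(findings)))
        for f in findings:
            print("  -", f)
```

Point `audit_install` at a real `TOMCAT_DIR` instead of the scratch tree to use it; the invoker check only reports an uncommented mapping, which is what makes the servlet reachable, so a commented-out block in the shipped web.xml is correctly ignored.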

File permissions

Hmm, what does "Make sure tomcat user has read/write access to /tmp" mean?

Tomcat creates a directory "temp", not "tmp", and read/write on a directory doesn't actually allow reading or writing. I assume the intention is "chmod 700 temp"... would love if anyone can clarify. Douglasheld 18:06, 3 April 2009 (UTC)

Newer Tomcat branches

This page is hopelessly outdated for anyone working with the Tomcat 6 branch. We need to figure out the best way to document security measures for the different supported branches. Ken 10:25, 20 March 2009 (UTC)

I've not had call to use Tomcat 6, but in a few months I plan to start experimenting with the embedded version. I don't mind expanding the article to have a section on 6 (and keep the section on 5.5), but I can't contribute anything just yet. My preference would be a single article as it will cut down on duplication. In the meantime, any differences, areas to cover, new features, etc. that others could note down will help speed things up. Darren 09:11, 26 March 2009 (UTC)

HttpOnly configuration

Tomcat versions from 5.5.28 and 6.0.19 support the HttpOnly (http://www.owasp.org/index.php/HttpOnly) cookie option.

This is configured in the conf/context.xml file:

<Context useHttpOnly="true">
...
</Context>

Simon Bennetts 14:40, 18 June 2010 (UTC)
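
A way to confirm the setting took effect is to look at the Set-Cookie headers the server actually sends. The following is an added example, not part of Simon Bennetts' post and not Tomcat code: a small parser for Set-Cookie values that reports cookies lacking the HttpOnly flag (and, optionally, Secure). The sample headers are constructed, not captured from a live server. One caveat worth knowing: useHttpOnly only applies to the session cookie Tomcat itself issues (JSESSIONID); cookies set by application code get the flag only if the application sets it, which the third sample below illustrates.

```python
"""Check Set-Cookie headers for the HttpOnly (and Secure) flags.  Added example;
not code from the OWASP page or from Tomcat.  The sample headers are constructed:
the first is the shape of Tomcat's session cookie without useHttpOnly, the second
is the same cookie with the flag, the third adds an application-set cookie that
useHttpOnly does nothing for."""


def parse_set_cookie(header_value):
    """Return (name, attrs): attrs maps lower-cased attribute names to their value,
    or to True for flag attributes such as HttpOnly and Secure."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"value": value.strip()}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), attrs


def unprotected_cookies(set_cookie_headers, require_secure=False):
    """Names of cookies missing HttpOnly (and, if asked, Secure)."""
    missing = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if "httponly" not in attrs or (require_secure and "secure" not in attrs):
            missing.append(name)
    return missing


# Constructed Set-Cookie values, not captured from a live server.
TOMCAT_DEFAULT = ["JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app"]
TOMCAT_USEHTTPONLY = ["JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app; HttpOnly"]
APP_RESPONSE = TOMCAT_USEHTTPONLY + [
    "remember_me=abc123; Path=/app; Expires=Wed, 01 Jan 2020 00:00:00 GMT"]

if __name__ == "__main__":
    for label, headers in (("default", TOMCAT_DEFAULT),
                           ("useHttpOnly", TOMCAT_USEHTTPONLY),
                           ("app response", APP_RESPONSE)):
        print("%s: missing HttpOnly on %s" % (label, unprotected_cookies(headers) or "nothing"))
```

Feed it the Set-Cookie values from a real response (one list entry per header) to check a deployment; pass `require_secure=True` when the site is HTTPS-only.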

Overriding Tomcat Version Number

Rebuilding the catalina.jar to alter ServerInfo.properties may not be an ideal way to override the version number; the same effect can be achieved without repackaging JARs in the default distribution (repackaging can be somewhat intrusive and/or impractical). Classloader classpaths can be patched using strategically placed files on the classpath. Classes that are loaded first always take precedence, and the same goes for properties files, hence you can override by creating files in the following places:

# For Tomcat 5.5 (inject your new file onto the path of the server classloader):
${catalina.home}/server/classes/org/apache/catalina/util/ServerInfo.properties
# For Tomcat 6 (inject it onto the path of the common classloader, or whichever classloader is loading catalina.jar):
${catalina.home}/lib/org/apache/catalina/util/ServerInfo.properties

In both cases, ${catalina.home} is typically either the root of your local installation, or your global installation if you are making use of disjoint installs using ${catalina.base} to provide instance-specific information.
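
The placement described above can be scripted. The following is an added example, not code from this post or from the Tomcat project: it writes the override file into the location for the given branch (server/classes for 5.5, lib for 6) and refuses to overwrite one that is already there. The three keys, server.info, server.number and server.built, are the ones Tomcat's own ServerInfo.properties carries; the values written are placeholders chosen for the example. Two caveats: this changes only the string Tomcat reports (error pages, the manager application, the version script), not the code that is running, so it is no substitute for patching; and the HTTP Server header (the Apache-Coyote/1.1 string the older revision asks about) is not read from this file at all but is set per Connector with the server attribute that Tomcat 6 documents.

```python
"""Write the ServerInfo.properties override described above, on the classloader
path for the given Tomcat branch, instead of repackaging catalina.jar.  Added
example; not code from the OWASP page or the Tomcat project.  The three keys are
the ones Tomcat's own ServerInfo.properties carries; the values are whatever the
operator wants reported."""
import os
import tempfile

# Directory (relative to ${catalina.home}) that the relevant classloader searches
# before the jar that carries the real ServerInfo.properties.
OVERRIDE_DIR = {
    "5.5": os.path.join("server", "classes"),   # server classloader
    "6": "lib",                                 # common classloader
}
PROPS_REL = os.path.join("org", "apache", "catalina", "util", "ServerInfo.properties")


def override_path(catalina_home, branch):
    if branch not in OVERRIDE_DIR:
        raise ValueError("no override location known for Tomcat branch %r" % branch)
    return os.path.join(catalina_home, OVERRIDE_DIR[branch], PROPS_REL)


def write_serverinfo_override(catalina_home, branch, server_info="Apache Tomcat",
                              server_number="0.0.0.0", server_built="unknown"):
    """Create the override file and return its path; refuses to clobber an existing one."""
    path = override_path(catalina_home, branch)
    if os.path.exists(path):
        raise FileExistsError("override already present: %s" % path)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write("server.info=%s\n" % server_info)
        fh.write("server.number=%s\n" % server_number)
        fh.write("server.built=%s\n" % server_built)
    return path


def read_properties(path):
    """Minimal key=value reader, enough for this file (not a full .properties parser)."""
    props = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith(("#", "!")) and "=" in line:
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
    return props


def demo():
    """Write an override into a scratch ${catalina.home} and read it back."""
    home = tempfile.mkdtemp(prefix="catalina_home_")
    path = write_serverinfo_override(home, "6", "Apache Tomcat", "0.0.0.0", "unknown")
    try:
        write_serverinfo_override(home, "6")      # second attempt must be refused
        clobber_refused = False
    except FileExistsError:
        clobber_refused = True
    return {"home": home, "path": path, "props": read_properties(path),
            "clobber_refused": clobber_refused}


if __name__ == "__main__":
    result = demo()
    print("wrote", result["path"])
    for key, value in sorted(result["props"].items()):
        print("  %s=%s" % (key, value))
```

For a split install (catalina.base separate from catalina.home) pass the home, not the base, since the page's paths are under ${catalina.home}; after writing, restart Tomcat and confirm the new string on a default error page.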

autoDeploy feature

Wouldn't it make sense to disable the autoDeploy feature in production environments for added security?

Pierre Ernst 2011-08-12

Disabling weak ciphers in Tomcat

Copied from https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1225

In order to disable weak ciphers, please modify your SSL Connector container attribute inside server.xml with the following information.

ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, 
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 
 SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 
 SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

Example:

<Connector port="443" maxHttpHeaderSize="8192" address="192.168.1.1"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="SSL"
           ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                    SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
                    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
           keystoreFile="SomeDir/SomeFile.key" keystorePass="Poodle"
           truststoreFile="SomeDir/SomeFile.truststore" truststorePass="HomeRun"/>

Psiinon 2011-10-06
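
A cipher list that was reasonable in 2011 is not reasonable now: the RC4 suites (prohibited for TLS by RFC 7465) and the 64-bit-block 3DES suites in the list above should no longer be offered. Rather than re-type a list, it is more useful to audit the server.xml that is actually deployed. The following is an added example, not part of Psiinon's post, the Comodo article it was copied from, or the Tomcat project: it parses a constructed server.xml built around the Connector above, flags weak suites by name, notes sslProtocol="SSL" (Tomcat's documented default is "TLS"), reports the cleartext keystore passwords (the older revision's Miscellaneous item), and also covers Pierre Ernst's autoDeploy question by checking every Host, since Tomcat's autoDeploy default is true.

```python
"""Audit a Tomcat server.xml for the points raised in the last two threads: weak
cipher suites on the HTTPS Connector and autoDeploy left on in production.
Added example; not code from the OWASP page, Comodo or the Tomcat project.
SAMPLE_SERVER_XML is constructed around the Connector posted above."""
import xml.etree.ElementTree as ET

# Substrings identifying suites a current deployment should not offer.  RC4 and
# 3DES are the ones present in the 2011 list above; NULL/EXPORT/anon/MD5 are the
# usual other exclusions.
WEAK_SUITE_MARKERS = ("RC4", "3DES", "NULL", "EXPORT", "anon", "MD5")


def parse_cipher_list(attr):
    """Split Tomcat's comma-separated ciphers attribute, tolerating line wraps."""
    return [c.strip() for c in attr.split(",") if c.strip()]


def weak_suites(suites):
    return [s for s in suites if any(marker in s for marker in WEAK_SUITE_MARKERS)]


def audit_server_xml(xml_text):
    """Return (element, message) findings for every TLS Connector and every Host."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        where = "Connector:" + conn.get("port", "?")
        if conn.get("secure") != "true" and conn.get("SSLEnabled") != "true":
            continue                                    # plain HTTP/AJP connector
        if "ciphers" not in conn.attrib:
            findings.append((where, "no ciphers attribute: the JSSE default suite list is offered"))
        else:
            for suite in weak_suites(parse_cipher_list(conn.get("ciphers"))):
                findings.append((where, "weak cipher suite offered: " + suite))
        if conn.get("sslProtocol", "TLS").upper() == "SSL":
            findings.append((where, 'sslProtocol="SSL"; Tomcat\'s documented default is "TLS"'))
        for secret in ("keystorePass", "truststorePass"):
            if secret in conn.attrib:
                findings.append((where, secret + " is stored in cleartext in server.xml"))
    for host in root.iter("Host"):
        if host.get("autoDeploy", "true").lower() != "false":   # Tomcat default is true
            findings.append(("Host:" + host.get("name", "?"),
                             'autoDeploy is on; set autoDeploy="false" for production'))
    return findings


# Constructed server.xml: the Connector from the post plus a plain HTTP connector
# and a Host with Tomcat's default autoDeploy setting.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="443"/>
    <Connector port="443" maxHttpHeaderSize="8192" address="192.168.1.1"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="SSL"
               ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
                        TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                        SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
                        SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
               keystoreFile="SomeDir/SomeFile.key" keystorePass="Poodle"
               truststoreFile="SomeDir/SomeFile.truststore" truststorePass="HomeRun"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for where, message in audit_server_xml(SAMPLE_SERVER_XML):
        print("%-16s %s" % (where, message))
```

Run it against the real conf/server.xml (read the file and pass its text); a clean run means no suite matched the markers, sslProtocol is not "SSL", no keystore password is in the file and every Host has autoDeploy="false". The marker list is deliberately name-based, so add entries as policy changes rather than treating it as complete.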