Tutorial: 12 steps to secure Apache Tomcat
Securing a system environment, or even just a web application, can be a tricky undertaking, and you will face some challenges when trying to secure Apache Tomcat.
I recently introduced myself to how to secure Tomcat. This article shows how to set up generally secure Tomcat instances on Unix or Linux in twelve steps.
Introduction
Securing environments and web applications isn’t always simple. Depending on the existing infrastructure and corporate security policies, it can be a hard challenge to keep a certain security level up and running, especially because security is largely a matter of configuration.
In general, there is one organisation you should consult first when trying to secure a web application: the Open Web Application Security Project (OWASP). OWASP is a non-profit organisation focused on improving the security of application software. It provides information about software vulnerabilities, security principles, technologies and so on.
The 12 steps to security
- Create a Tomcat user and a Tomcat group
- The Tomcat user and the Tomcat group should be the owner of Tomcat’s home directory (CATALINA_HOME)
- Change file permissions under CATALINA_HOME/conf to 400
- The Tomcat user should have read and write permissions to /tmp
- Remove everything under CATALINA_HOME/webapps
- Remove everything under CATALINA_HOME/server/webapps
- Remove CATALINA_HOME/conf/Catalina/localhost/host-manager.xml
- Remove CATALINA_HOME/conf/Catalina/localhost/manager.xml
- Disable directory listings in CATALINA_HOME/conf/web.xml by adding the following init-param to the default servlet:
  <init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>
  </init-param>
- Prevent Tomcat from sending its version number within error messages by changing the server.info entry in CATALINA_HOME/server/lib/catalina.jar/ServerInfo.properties to:
  server.info=Apache Tomcat
- Replace the standard error pages, which contain stack traces. Do this by adding your own error pages, or simply by pointing at a non-existent dummy page in your CATALINA_HOME/conf/web.xml like the following one:
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.jsp</location>
  </error-page>
  This /error.jsp doesn’t exist. That way, Tomcat produces just a blank page. This is not pretty, but it doesn’t show the critical stack trace.
- Replace the version identification in Tomcat’s HTTP response headers by modifying the Connector in CATALINA_HOME/conf/server.xml as follows:
  <Connector port="8080" ... server="Apache" />
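As an added example that is not part of the original article, the following POSIX shell script carries out the file-system steps of the checklist (steps 2, 3, 5, 6, 7 and 8) against a Tomcat tree and then audits that they hold. By default it builds a constructed scratch CATALINA_HOME owned by the current user so it runs without root; TOMCAT_USER and TOMCAT_GROUP are assumed to exist already (step 1) when you point it at a real installation, in which case the chown needs root.

```shell
#!/bin/sh
# Added example, not from the original article. Applies the file-system steps of
# the checklist to $CATALINA_HOME and audits them. Defaults build a constructed
# scratch tree owned by the current user so the script runs without root.
set -eu

CATALINA_HOME="${CATALINA_HOME:-$(mktemp -d)/tomcat}"
TOMCAT_USER="${TOMCAT_USER:-$(id -un)}"     # assumed to exist (step 1)
TOMCAT_GROUP="${TOMCAT_GROUP:-$(id -gn)}"   # assumed to exist (step 1)
LOCALHOST_CONF="$CATALINA_HOME/conf/Catalina/localhost"

# Constructed sample tree mirroring the paths the twelve steps refer to.
make_sample_tree() {
  mkdir -p "$LOCALHOST_CONF" "$CATALINA_HOME/webapps/ROOT" "$CATALINA_HOME/server/webapps/manager"
  printf '<Server/>\n' > "$CATALINA_HOME/conf/server.xml"
  touch "$LOCALHOST_CONF/manager.xml" "$LOCALHOST_CONF/host-manager.xml" \
        "$CATALINA_HOME/webapps/ROOT/index.jsp" "$CATALINA_HOME/server/webapps/manager/x.jsp"
}

# Steps 2, 3, 5, 6, 7, 8: ownership, conf file permissions, shipped webapps, manager contexts.
harden_tree() {
  chown -R "$TOMCAT_USER:$TOMCAT_GROUP" "$CATALINA_HOME"
  find "$CATALINA_HOME/conf" -type f -exec chmod 400 {} +
  rm -rf "$CATALINA_HOME/webapps"/* "$CATALINA_HOME/server/webapps"/*
  rm -f "$LOCALHOST_CONF/manager.xml" "$LOCALHOST_CONF/host-manager.xml"
}

# Audit the same steps; returns 0 when all hold, 1 otherwise, naming each failure.
audit_tree() {
  rc=0
  for f in "$LOCALHOST_CONF/manager.xml" "$LOCALHOST_CONF/host-manager.xml"; do
    [ ! -e "$f" ] || { echo "FAIL: $f still present"; rc=1; }
  done
  for d in webapps server/webapps; do
    [ -z "$(ls -A "$CATALINA_HOME/$d")" ] || { echo "FAIL: $d is not empty"; rc=1; }
  done
  # Every file under conf must be exactly mode 400 (owner read-only).
  bad=$(find "$CATALINA_HOME/conf" -type f ! -perm 400 | wc -l)
  [ "$bad" -eq 0 ] || { echo "FAIL: $bad conf file(s) are not mode 400"; rc=1; }
  return "$rc"
}

# Demo run against the constructed tree.
make_sample_tree
harden_tree
audit_tree && echo "OK: $CATALINA_HOME passes the file-system checks"
```

Run it with CATALINA_HOME, TOMCAT_USER and TOMCAT_GROUP set to audit a real installation; the audit prints one FAIL line per step that does not hold.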
Very important hint
Never run Tomcat on port 80. Port 80 generally requires root, as it is a port lower than 1024. Instead, consider
- connecting Apache HTTPd in front of Tomcat, listening on port 80 and dispatching requests to Tomcat listening on port 8080,
- or using a port forwarding mechanism such as the one iptables provides.
Tool support
Consider running the SecureTomcatScanner utility to check your Tomcat for critical issues.
Recommendation
OWASP is my first point of reference for support on securing web applications and web server environments. I highly recommend taking a look at their proposals as well as at their guides and tutorials.
References and resources
- Open Web Application Security Project (OWASP)
- OWASP’s guide to secure Tomcat
- Tomcat Security Manager How-To
- Secure Tomcat Scanner Tool
