
Tomcat vulnerability scan remediation and tuning

Environment

  • CentOS 7, 8 GB RAM
  • Tomcat 7

Nessus scan remediation

12085 - Apache Tomcat Servlet / JSP Container Default Files

  • Delete examples, docs and manager under tomcat/webapps/ (keep ROOT, and leave only the custom 404 page inside it)

35291 - SSL Certificate Signed Using Weak Hashing Algorithm

42873 - SSL Medium Strength Cipher Suites Supported

20007 - SSL Version 2 and 3 Protocol Detection

The HTTPS certificate's signature strength is insufficient: the key generated by default is 1024 bits and must be regenerated at 2048 bits. Also specify the cipher suites explicitly and disable SSL 2.0 and SSL 3.0.

For creating the certificate, see the HTTPS certificate creation notes.

Note: the key length must be specified when the certificate is created. Then modify server.xml, setting keystoreFile, truststoreFile, sslProtocol and sslEnabledProtocols:

<!-- conf/server.xml: HTTPS connector with explicit protocol versions and cipher suites.
     debug and maxSpareThreads are leftovers from older Tomcat releases; Tomcat 7 logs
     "did not find a matching property" for them and ignores them. -->
<Connector port="8443" URIEncoding="UTF-8" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
           keystoreFile="conf/server.keystore" keystorePass="123456"
           truststoreFile="conf/server.keystore" truststorePass="123456"/>

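The following is an added example, not code from the post or from Tomcat. It re-checks the three Nessus findings above against a server.xml fragment: banned protocol versions in sslEnabledProtocols, weak or mistyped cipher-suite names (the post's original connector had a "WITAES" typo, which the JVM would not recognise and Tomcat would skip), and a well-known keystore password. The weak-suite markers and the weak-password list are this example's own assumptions, and SAMPLE_SERVER_XML is constructed from the post's connector plus one deliberately weak connector for contrast. It treats only SSLv2/SSLv3 as banned, as the post does; current scanners also flag TLSv1 and TLSv1.1, so raise the threshold to match your policy.

```python
"""Audit the TLS settings of the <Connector> elements in a Tomcat server.xml.

Added example for this post (not code from the post or from Tomcat). The
weak-suite markers and the weak-password list are this example's assumptions.
"""
import re
import xml.etree.ElementTree as ET

BANNED_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3"}
# Substrings marking RC4, DES/3DES, NULL, export, MD5 and anonymous suites (assumption).
WEAK_SUITE_MARKERS = ("_RC4_", "_DES_", "_3DES_", "_NULL_", "_EXPORT", "_MD5", "_anon_")
# JSSE suite names are TLS_<key exchange>_WITH_<cipher>_<mac>; a name without
# "_WITH_" (such as the post's "WITAES" typo) is not a suite the JVM knows.
SUITE_NAME = re.compile(r"^(TLS|SSL)_[A-Za-z0-9_]+_WITH_[A-Za-z0-9_]+$")
WELL_KNOWN_PASSWORDS = {"changeit", "123456", "password"}  # assumption

# Constructed sample: the post's 8443 connector (typo included) plus a weak one.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
  sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
  ciphers="TLS_ECDHE_RSA_WITAES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
  keystoreFile="conf/server.keystore" keystorePass="123456"/>
<Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
  sslEnabledProtocols="SSLv3,TLSv1" ciphers="SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA"
  keystoreFile="conf/server.keystore" keystorePass="placeholder-not-a-real-password"/>
<Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""


def audit_connector(connector):
    """Return a list of finding strings for one <Connector> element."""
    findings = []
    if connector.get("SSLEnabled", "false").lower() != "true":
        return findings  # plain HTTP connector: nothing TLS-related to check
    port = connector.get("port", "?")

    protocols = [p.strip() for p in connector.get("sslEnabledProtocols", "").split(",") if p.strip()]
    if not protocols:
        findings.append(f"port {port}: sslEnabledProtocols not set, the JVM default list applies")
    findings += [f"port {port}: banned protocol {p} enabled" for p in protocols if p in BANNED_PROTOCOLS]

    ciphers = [c.strip() for c in connector.get("ciphers", "").split(",") if c.strip()]
    if not ciphers:
        findings.append(f"port {port}: ciphers not set, the JVM default suite list applies")
    for c in ciphers:
        if not SUITE_NAME.match(c):
            findings.append(f"port {port}: malformed cipher suite name {c!r}")
        elif any(m in c for m in WEAK_SUITE_MARKERS):
            findings.append(f"port {port}: weak cipher suite {c}")

    if connector.get("keystorePass") in WELL_KNOWN_PASSWORDS:
        findings.append(f"port {port}: keystorePass is a well-known default value")
    return findings


def audit_server_xml(xml_text):
    """Audit every <Connector> in a server.xml document and return all findings."""
    root = ET.fromstring(xml_text)
    findings = []
    for connector in root.iter("Connector"):
        findings.extend(audit_connector(connector))
    return findings


if __name__ == "__main__":
    for line in audit_server_xml(SAMPLE_SERVER_XML):
        print(line)
```

Run it against your own conf/server.xml by reading the file into audit_server_xml; the malformed-name check is the one that catches copy-paste errors in long cipher lists, which otherwise fail silently because Tomcat just drops names the JVM does not know.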
Cookies are set without the HttpOnly attribute

vim tomcat/conf/context.xml

<!-- tomcat/conf/context.xml: set the HttpOnly attribute on session cookies -->
<Context useHttpOnly="true">
    ...
</Context>
Newer Tomcat versions enable HttpOnly by default.

Sensitive information disclosure

Requesting a path that does not exist reveals the Tomcat version number and other details.

Customize Tomcat's 404 page

# Create a custom 404.html under webapps/ROOT and delete everything else there

# Configure the Tomcat 404 page
vim conf/web.xml

...
# Add the following configuration (the location is resolved relative to the webapp root)
<error-page>
    <error-code>404</error-code>
    <location>/404.html</location>
</error-page>
...

Insecure HTTP methods supported

  • Modify Tomcat's web.xml to disable the OPTIONS, PUT and DELETE methods
# Add inside the <web-app></web-app> element:
<security-constraint>
   <web-resource-collection>
      <!-- web-resource-name is required by the servlet schema -->
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>HEAD</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
   </web-resource-collection>
   <!-- an empty auth-constraint means no role may use these methods: Tomcat answers 403 -->
   <auth-constraint>
   </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
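The following is an added example, not code from the post or from Tomcat, covering both web.xml items above: it confirms that a 404 error page is mapped to an absolute location and that a deny-all security-constraint (empty auth-constraint on /*) covers the unsafe methods. SAMPLE_WEB_XML is constructed from the post's two fragments; the set of methods that must be denied is this example's assumption. Tag names are compared without their namespace because a real web.xml declares the Java EE namespace and ElementTree then reports tags as "{uri}name". Note that the post's list also denies HEAD, which load-balancer health checks commonly use, so the check flags that separately.

```python
"""Check a Tomcat web.xml for a custom 404 page and a deny-all method constraint.

Added example for this post (not code from the post or from Tomcat). MUST_DENY
is this example's assumption; SAMPLE_WEB_XML is constructed from the post.
"""
import xml.etree.ElementTree as ET

MUST_DENY = {"PUT", "DELETE", "OPTIONS", "TRACE"}  # assumption: the post's list without HEAD

# Constructed sample built from the post's two web.xml fragments.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <error-page>
    <error-code>404</error-code>
    <location>/404.html</location>
  </error-page>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>HEAD</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""


def _local(tag):
    """'{http://java.sun.com/xml/ns/javaee}error-page' -> 'error-page'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _descendants(elem, name):
    return [e for e in elem.iter() if _local(e.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else None


def error_page_for(root, code):
    """Return the <location> mapped to an HTTP error code, or None if unmapped."""
    for ep in _descendants(root, "error-page"):
        if _text(ep, "error-code") == str(code):
            return _text(ep, "location") or None
    return None


def denied_methods(root):
    """Methods denied on /* by constraints whose <auth-constraint> is empty.

    An empty auth-constraint means no role is allowed, which is how Tomcat turns
    a security-constraint into a method block for every caller.
    """
    denied = set()
    for sc in _descendants(root, "security-constraint"):
        auth = _children(sc, "auth-constraint")
        if not auth or len(auth[0]) > 0:  # absent, or it names a role: not deny-all
            continue
        for wrc in _children(sc, "web-resource-collection"):
            patterns = [(p.text or "").strip() for p in _children(wrc, "url-pattern")]
            if "/*" not in patterns:
                continue
            denied.update((m.text or "").strip().upper() for m in _children(wrc, "http-method"))
    denied.discard("")
    return denied


def audit_web_xml(xml_text):
    """Return the resolved 404 location, the denied methods and a list of findings."""
    root = ET.fromstring(xml_text)
    findings = []
    location = error_page_for(root, 404)
    if location is None:
        findings.append("no <error-page> for 404: Tomcat's default error page reveals its version")
    elif not location.startswith("/"):
        findings.append(f"404 <location> {location!r} must be an absolute path inside the webapp")
    denied = denied_methods(root)
    missing = sorted(MUST_DENY - denied)
    if missing:
        findings.append("unsafe methods not denied: " + ", ".join(missing))
    if "HEAD" in denied:
        findings.append("HEAD is denied: load-balancer health checks that use HEAD will receive 403")
    return {"error_page_404": location, "denied": sorted(denied), "findings": findings}


if __name__ == "__main__":
    print(audit_web_xml(SAMPLE_WEB_XML))
```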

Performance tuning

JVM parameter tuning

vim catalina.sh

...
# Add the JVM parameters. PermSize/MaxPermSize apply to Java 7 (the permanent
# generation was removed in Java 8, which prints a warning and ignores them).
JAVA_OPTS="$JAVA_OPTS -XX:PermSize=128M -XX:MaxPermSize=256M -Xms1024M -Xmx1024M -Xss512k"
...

Thread concurrency tuning

vim server.xml

...

<!-- sslEnabledProtocols is omitted here; keep it from the TLS section above,
     otherwise the JVM's default protocol list applies. -->
<Connector port="8443" URIEncoding="UTF-8" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="1024" maxConnections="1024" minSpareThreads="25" acceptCount="150"
           enableLookups="false" disableUploadTimeout="true"
           debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
           keystoreFile="conf/server.keystore" keystorePass="123456"
           truststoreFile="conf/server.keystore" truststorePass="123456"/>

Parameter description:

* acceptCount: size of the request wait queue, default 100 (when Tomcat has no idle thread to handle a request, the connection is held in this queue); once the queue is full, further connections are refused

* maxConnections: Tomcat's maximum number of concurrent connections; the BIO connector defaults to maxThreads, NIO and NIO2 default to 10000, APR defaults to 8192

* minSpareThreads: minimum number of threads in the thread pool, default 10

* maxThreads: maximum number of threads in the thread pool, default 200
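The following is an added example, not code from the post or from Tomcat, that resolves the effective values of these four attributes for each Connector in a server.xml, applying the defaults listed above per connector implementation, and reports the point at which new connections start being refused (maxConnections plus the acceptCount backlog). It assumes Tomcat 7 semantics: protocol="HTTP/1.1" selects the blocking (BIO) connector when the Tomcat native library is not installed (with tcnative present Tomcat auto-selects APR), and the Http11Nio/Nio2/Apr protocol class names select NIO, NIO2 and APR. SAMPLE_SERVER_XML is constructed from the post's tuned 8443 connector plus three contrasting connectors.

```python
"""Resolve effective Tomcat 7 Connector concurrency settings from server.xml.

Added example for this post (not Tomcat code). Assumes Tomcat 7 defaults as
listed in the post and no tcnative library (so "HTTP/1.1" means BIO).
"""
import xml.etree.ElementTree as ET

DEFAULT_MAX_THREADS = 200
DEFAULT_MIN_SPARE_THREADS = 10
DEFAULT_ACCEPT_COUNT = 100
# maxConnections default depends on the connector implementation (BIO: maxThreads).
DEFAULT_MAX_CONNECTIONS = {"nio": 10000, "nio2": 10000, "apr": 8192}

# Constructed sample: the post's tuned connector plus a default BIO connector,
# an NIO connector and a BIO connector with more connections than threads.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
  maxThreads="1024" maxConnections="1024" minSpareThreads="25" acceptCount="150"/>
<Connector port="8080" protocol="HTTP/1.1"/>
<Connector port="8081" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="500"/>
<Connector port="8082" protocol="HTTP/1.1" maxThreads="50" maxConnections="500"/>
</Service></Server>"""


def connector_kind(protocol):
    """Map the protocol attribute to bio/nio/nio2/apr (Tomcat 7 class names)."""
    p = protocol or "HTTP/1.1"
    if p == "HTTP/1.1" or p.endswith("Http11Protocol"):
        return "bio"  # assumption: tcnative absent, so HTTP/1.1 is the Java BIO connector
    if p.endswith("Http11NioProtocol"):
        return "nio"
    if p.endswith("Http11Nio2Protocol"):
        return "nio2"
    if p.endswith("Http11AprProtocol"):
        return "apr"
    raise ValueError(f"unknown connector protocol {p!r}")


def effective_settings(connector):
    """Apply the per-implementation defaults to one <Connector> element."""
    kind = connector_kind(connector.get("protocol"))
    max_threads = int(connector.get("maxThreads", DEFAULT_MAX_THREADS))
    min_spare = int(connector.get("minSpareThreads", DEFAULT_MIN_SPARE_THREADS))
    accept_count = int(connector.get("acceptCount", DEFAULT_ACCEPT_COUNT))
    if "maxConnections" in connector.attrib:
        max_conn = int(connector.get("maxConnections"))
    elif kind == "bio":
        max_conn = max_threads  # BIO: one thread per connection, so the pool is the limit
    else:
        max_conn = DEFAULT_MAX_CONNECTIONS[kind]

    warnings = []
    if min_spare > max_threads:
        warnings.append("minSpareThreads exceeds maxThreads")
    if kind == "bio" and max_conn > max_threads:
        warnings.append("BIO: connections beyond maxThreads are accepted but wait for a free thread")

    return {
        "kind": kind,
        "maxThreads": max_threads,
        "minSpareThreads": min_spare,
        "acceptCount": accept_count,
        "maxConnections": max_conn,
        # Past maxConnections, new connections wait in the OS listen backlog of
        # size acceptCount; once that is full the kernel refuses them.
        "refuse_after": max_conn + accept_count,
        "warnings": warnings,
    }


def settings_for(xml_text, port):
    """Return the effective settings of the <Connector> listening on `port`."""
    root = ET.fromstring(xml_text)
    for connector in root.iter("Connector"):
        if connector.get("port") == str(port):
            return effective_settings(connector)
    raise KeyError(f"no Connector on port {port}")


if __name__ == "__main__":
    for port in (8443, 8080, 8081, 8082):
        print(port, settings_for(SAMPLE_SERVER_XML, port))
```

The useful number is refuse_after: with the post's tuned connector it is 1024 + 150 = 1174 simultaneous connections before the kernel starts refusing, against 200 + 100 = 300 for an untuned BIO connector.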
