Tomcat Server Configuration Automation Reinforcement
目錄php
0. 引言 1. 黑客針對WEB Server會有那些攻擊面 2. 針對Tomcat Server能夠作的安全加固 3. Managing Security Realms with JMX 4. 實現對TOMCAT配置信息的動態修改(hot dynamic edit) 5. Tomcat manager弱口令入侵部署WEBSHELL防護 6. Tomcat遠程war包部署攻防
0. 引言html
most weaknesses in Apache Tomcat come from incorrect or inappropriate configuration. It is nearly always possible to make Tomcat more secure than the default out of the box installation.
WEB容器(WEB Server)是運行在操做系統上的一個應用級軟件,對服務器的配置(config文件)進行加固處理是防護WEB相關漏洞的一個有效的手段。對於實現WEB服務器的配置加固,咱們須要達到以下幾個目標java
1. 使用加固後的標準版的配置文件(config file)對原始文件進行替換 2. 對配置文件替換操做須要實現回滾操做 3. 對配置文件進行加固後,須要能馬上生效,並對當前服務器的業務運行產生儘可能少的影響 1) 配置文件熱加載(hot reload) 2) 重啓web server
Relevant Link:mysql
https://www.owasp.org/index.php/Securing_tomcat
1. 黑客針對WEB Server會有那些攻擊面linux
黑客攻擊網站時,有一個簡單的殺手鐗,即尋找常見的漏洞,例如程序員
1. 使用WEB Server默認的帳戶 1) tomcat默認安裝後,後臺管理界面的登陸採用basic authentication的身份驗證方式,而這個默認的帳戶是系統默認設置的tomcat、tomcat(在tomcat-users.xml文件中) 2. 賬戶密碼很弱或者沒有 1) IIS使用內置或默認賬戶。黑客通常會尋找這些賬戶。若是這些帳戶沒有從系統中刪除的話,就會被發現並被更改 2) 用戶爲了方便管理,經常在tomcat的後臺管理界面的basic authentication登陸中使用弱口令,很容易遭到黑客的暴力破解 3. 大量的開放端口 每一位訪問者,不管是善意仍是惡意,均可以經過開放端口鏈接到站點和系統。在默認狀況下,Windows與IIS的開放端口遠遠多於爲了正常運行所需的端口。保持系統的開放端口應該保持最少數量,這一點很重要。全部其餘的端口都須要關閉。 1) Windows License Logging Service溢出 經過發送一條通過特殊格式化的信息到運行License Logging Service的Web服務器,黑客可以對未檢查的緩衝區進行攻擊。這能夠致使服務失效,爲黑客打開一個開放端口,從而使用「System」權限在服務器上執行代碼。 2) 微軟服務器信息塊(SMB)漏洞 服務器信息塊協議被Windows用於文件和打印機的共享以及計算機之間的通訊。黑客的SMB服務器能夠利用這項功能來使用"System"權限,對客戶機執行任意代碼。 4. 服務器擴展、模塊的漏洞 1) ISAPI擴展緩衝區溢出 IIS安裝後,就會自動安裝多個Internet ISAPI服務器擴展。ISAPI服務器擴展其實是動態連接庫(DLL),是用來加強IIS服務器的功能的。一些動態連接庫,好比idq.dll ,包含編程錯誤,可以讓黑客發送數據到ISAPI服務器擴展,這就是"緩衝區溢出"攻擊 所以,攻 5. WEB腳本漏洞 針對WEB腳本(asp、php、jsp)的攻擊原則上來講是代碼層的攻擊,可是從縱深防護的原則上來看,咱們在服務器的代碼執行層面也是能夠部署一些限制的 1) 利用執行路徑限制,將當前web路徑強制限定在某個路徑下 2) API白名單、黑名單限制
0x1: Tomcat默認配置 web
1. tomcat-users.xml Tomcat默認配置了2個角色: tomcat、role1 tomcat默認配置了3個賬號: both、tomcat、role1的默認密碼都是tomcat /* <user username="tomcat" password="tomcat" roles="tomcat"/> <user username="both" password="tomcat" roles="tomcat,role1"/> <user username="role1" password="tomcat" roles="role1"/> */ 可是這些賬號都不具有直接部署應用的權限,默認須要有manager權限纔可以直接部署war包,Tomcat默認須要安裝Administration Web Application。Tomcat默認沒有配置任何用戶以及角色,沒辦法用默認賬號登陸,在正常狀況下,若是管理員須要登陸manager頁面使用管理以及遠程部署功能,須要新增一個manager角色,並將指定賬號賦予這個角色,以後管理員纔可使用這個賬號登陸manager頁面 2. context.xml Tomcat的上下文,通常狀況下若是用Tomcat的自身的數據源多在這裏配置。找到數據源便可用對應的賬號密碼去鏈接數據庫 /* <Context> <WatchedResource>WEB-INF/web.xml</WatchedResource> <Resource name="jdbc/u3" auth="Container" type="javax.sql.DataSource" maxActive="100" maxIdle="30" maxWait="10000" username="xxxxx" password="xxxx" driverClassName="com.mysql.jdbc.Driver" url="jdbc:mysql://192.168.0.xxx:3306/xxx?autoReconnect=true"/> </Context> */ 3. server.xml Server這個配置文件價值很是高,一般的訪問端口、域名綁定和數據源能夠在這裏找到,若是想知道找到域名對應的目錄能夠讀取這個配置文件。若是有用Https,其配置也在這裏面可以找到 4. web.xml 項目初始化的時候會去調用這個配置文件
0x2: manager頁面部署WAR Getshellsql
1. 查看部署狀況。從"tomcat-users.xml"文件中、或者直接經過猜解默認密碼獲取的具備管理員權限的用戶名和密碼,驗證經過後進入部署管理頁面 2. 部署管理頁面中能夠"Start"(啓動)、"Stop"(中止)、"Reload"(重載)、"Undeploy"(刪除部署)已經部署的項目,單擊"Undeploy"會對文件進行物理刪除 3. 部署的文件夾是以*.war文件的名稱,例如上傳的文件是job.war,則在Tomcat目錄中會對應生成一個"job"文件夾 4. 部署JSP WebShell後門程序。在部署管理頁面的下方有一個"WAR file to deploy",單擊瀏覽選擇一個已經設置好的後門war文件,在本例中的後門程序爲job.war,單擊「deploy」將該文件部署到服務器上 5. 上傳文件後,tomcat會自動進行部署並運行 http://127.0.0.1:8080/job/job.jsp[/url]
Relevant Link:shell
http://www.searchsecurity.com.cn/showcontent_11382.htm http://www.searchsecurity.com.cn/guide/webseversetting.htm http://blog.csdn.net/ablipan/article/details/7840103 http://drops.wooyun.org/tips/604 http://oss.org.cn/ossdocs/apache/tomcat/l-tomcat.htm
2. 針對Tomcat Server能夠作的安全加固數據庫
0x1: 升級到官方最新版
The first step is to make sure you are running the latest stable releases of software
1. Java Runtime Environment (JRE) or SDK 2. Tomcat 3. Third-party libraries
Many software projects, including Tomcat and Java, maintain multiple branches. New features are added to more recent branches, the older branches receive only bug-fixes and security updates. This allows developers to advance the software without disrupting production environments. Be aware of which branch you have deployed, and track new releases within that branch.
For example, if you are running Tomcat 5.5.26, you should watch for new versions within the 5.5 branch (e.g. 5.5.27) and upgrade to this bug-fix version. If you are content to stick with the Tomcat 5.5 branch then it is not necessary to upgrade to a new 6.0.18 version.
0x2: 最小權限默認安裝
1. UNIX 1) Create a tomcat user/group 2) Download and unpack the core distribution (referenced as CATALINA_HOME from now on) 3) Change CATALINA_HOME ownership to tomcat user and tomcat group 4) Change files in CATALINA_HOME/conf to be readonly (400) 5) Make sure tomcat user has read/write access to /tmp and write (300 - yes, only write/execute) access to CATALINA_HOME/logs //值得注意的是,在LINUX/UNIX系統上,tomcat能夠實現降權運行 2. Windows 1) Download the core windows service installer 2) Start the installation, click Next and Agree to the licence 3) Untick native, documentation, examples and webapps then click Next 4) Choose an installation directory (referenced as CATALINA_HOME from now on), preferably on a different drive to the OS. 5) Choose an administrator username (NOT admin) and a secure password that complies with your organisations password policy. 6) Complete tomcat installation, but do not start service. 3. Common 1) Remove everything from CATALINA_HOME/webapps (ROOT, balancer, jsp-examples, servlet-examples, tomcat-docs, webdav) 2) Remove everything from CATALINA_HOME/server/webapps (host-manager, manager). Note that it can be useful to keep the manager webapp installed if you need the ability to redeploy without restarting Tomcat. If you choose to keep it please read the section on Securing the Manager WebApp. 3) Remove CATALINA_HOME/conf/Catalina/localhost/host-manager.xml and CATALINA_HOME/conf/Catalina/localhost/manager.xml (again, if you are keeping the manager application, do not remove this). 4) Make sure the default servlet is configured not to serve index pages when a welcome file is not present. In CATALINA_HOME/conf/web.xml /* <servlet> <servlet-name>default</servlet-name> <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class> <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> <init-param> <param-name>listings</param-name> <param-value>false</param-value> <!-- make sure this is false --> </init-param> <load-on-startup>1</load-on-startup> </servlet> */ 5) Remove version string from HTTP error messages by repacking CATALINA_HOME/server/lib/catalina.jar with an updated ServerInfo.properties file. 6) ename CATALINA_HOME/conf/server.xml to CATALINA_HOME/conf/server-original.xml and rename CATALINA_HOME/conf/server-minimal.xml to CATALINA_HOME/conf/server.xml. The minimal configuration provides the same basic configuration, but without the nested comments is much easier to maintain and understand. Do not delete the original file as the comments make it useful for reference if you ever need to make changes - e.g. enable SSL. 7) Replace the server version string from HTTP headers in server responses, by adding the server keyword in your Connectors in CATALINA_HOME/conf/server.xml /* <Connector port="8080" ... server="Apache" /> <!-- server header is now Apache --> */
0x3: 錯誤頁面版本隱藏
Remove version string from HTTP error messages by repacking CATALINA_HOME/server/lib/catalina.jar with an updated ServerInfo.properties file. Note that making this change may prevent Lambda Probe (popular Tomcat monitoring webapp) to initialise as it cannot determine the Tomcat version.
1. unpack catalina.jar cd CATALINA_HOME/server/lib jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties 2. update ServerInfo.properties by changing server.info line to server.info=Apache Tomcat 3. repackage catalina.jar jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties 4. remove CATALINA_HOME/server/lib/org (created when extracting the ServerInfo.properties file)
0x4: HTTP響應版本隱藏
Replace the server version string from HTTP headers in server responses, by adding the server keyword in your Connectors in CATALINA_HOME/conf/server.xml
<Connector port="8080" ... server="Apache" /> <!-- server header is now Apache -->
0x5: Protecting the Shutdown Port
Tomcat uses a port (defaults to 8005) as a shutdown port. What this means is that to stop all webapps and stop Tomcat cleanly the shutdown scripts make a connection to this port and send the shutdown command. This is not as huge a security problem as it may sound considering the connection to the port must be made from the machine running tomcat(必須從本機發起這個關閉請求,沒法經過RCE完成) and the shutdown command can be changed to something other than the string SHUTDOWN. However, it's wise to take the following precautions
1. if you are running a publicly accessible server make sure you prevent external access to the shutdown port by using a suitable firewall. 2. change the shutdown command in CATALINA_HOME/conf/server.xml and make sure that file is only readable by the tomcat user. /* <Server port="8005" shutdown="ReallyComplexWord"> */
0x6: Securing Manager WebApp
1. By default there are no users with the manager role. To make use of the manager webapp you need to add a new role and user into the CATALINA_HOME/conf/tomcat-users.xml file.
<role rolename="manager"/> <user username="darren" password="ReallyComplexPassword" roles="manager"/>
2. When you access the password-protected manager webapp, the password you enter will be sent over the network in (nearly) plain text, ripe for interception. By using an SSL connection instead, you can transport the password securely
Fortunately, this is simple to accomplish. After configuring an SSL Connector in server.xml (see your Tomcat documentation), simply add the following to CATALINA_HOME/webapps/manager/WEB-INF/web.xml inside of the <security-constraint></security-constraint> tags.
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
This will force an SSL connection to be used when accessing the manager webapp. Plus, with a little more work, the SSL Connector can be configured to require a client certificate.
3. Using a valve to filter by IP or hostname to only allow a subset of machines to connect (i.e. LAN machines). Add one of the following within the Context tag in CATALINA_HOME/conf/Catalina/localhost/manager.xml
<!-- allow only LAN IPs to connect to the manager webapp --> <!-- contrary to the current Tomcat 5.5 documation the value for allow is not a regular expression --> <!-- future versions may have to be specified as 192\.168\.1\.* --> <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.1.*" /> <!-- allow only LAN hosts to connect to the manager webapp --> <!-- contrary to the current Tomcat 5.5 documation the value for allow is not a regular expression --> <!-- future versions may have to be specified as *\.localdomain\.com --> <Valve className="org.apache.catalina.valves.RemoteHostValve" allow="*.localdomain.com" />
4. Rename the manager webapp
This is 'security through obscurity'. Although widely maligned, obscurity is a useful adjunct security measure on a one-off basis. A would-be attacker seeking to gain access to the manager webapp will look for it in its usual location. By renaming it, you force the attacker to guess URLs or assume that it is not installed. It is important to note that you are not relying upon this obscurity for security, but rather using it as a backup measure in case someone finds a way around the remote valve filter you have configured as described above.
To rename the manager webapp, decide on the new name (we'll use foobar in this example), and:
1. Move CATALINA_HOME/conf/Catalina/localhost/manager.xml to CATALINA_HOME/conf/Catalina/localhost/foobar.xml 2. Update the docBase attribute within CATALINA_HOME/conf/Catalina/localhost/foobar.xml to ${catalina.home}/server/webapps/foobar 3. Move CATALINA_HOME/server/webapps/manager to CATALINA_HOME/server/webapps/foobar
0x7: Logging
As of tomcat 5.5 logging is now handled by the commons-logging framework allowing you to choose your preferred logging implementation - log4j or standard JDK logging. By default the standard JDK logging is used (or a compatible extension called juli to be more precise), storing daily log files in CATALINA_HOME/logs.
By default additional webapp log entries are added to CATALINA_HOME/logs/catalina.YYYY-MM-DD.log and System.out/System.err are redirected to CATALINA_HOME/logs/catalina.out. To place webapp log entries in individual log files create a logging.properties file similar to the following within CATALINA_HOME/webapps/APP_NAME/WEB-INF/classes (change the APP_NAME value to create a unique file for each webapp)
handlers = org.apache.juli.FileHandler, java.util.logging.ConsoleHandler org.apache.juli.FileHandler.level = ALL org.apache.juli.FileHandler.directory = ${catalina.base}/logs org.apache.juli.FileHandler.prefix = APP_NAME.
0x8: Java Security
1. Running Tomcat with a Security Manager The default Tomcat configuration provides good protection for most requirements, but does not prevent a malicious application from compromising the security of other applications running in the same instance. To prevent this sort of attack, Tomcat can be run with a Security Manager enabled which strictly controls access to server resources. Tomcat documentation has a good section on enabling the Security Manager. It's always a good idea to start tomcat with the "-security" parameter. This also makes sure (among other things), that a webapplication isn't able to read/write/execute any file on the local filesystem without enabling it in the catalina.policy file. This effectively stops web shells like described here from working.
0x9: 後臺管理界面登陸密碼強化
這個問題屬於口令安全的範疇,我在其餘的文章中涉及到了這方面的知識
http://www.cnblogs.com/LittleHann/p/3567908.html http://www.cnblogs.com/LittleHann/p/3541989.html http://www.cnblogs.com/LittleHann/p/3543681.html
0x10: 禁用tomcat manage管理頁面
禁用Tomcat Manage的後臺管理頁面,能夠經過修改tomcat-users.xml配置文件中和角色,帳戶身份有關的配置來實現,在研究如何禁用管理界面以前,咱們先來學習一下tomcat的身份驗證機制
1. tomcat中的Reaml身份驗證、管理
1. UserDatabaseRealm //className="org.apache.catalina.realm.UserDatabaseRealm" UserDatabaseRealm is an implementation of the Tomcat Realm interface that uses a JNDI resource to store user information. By default, the JNDI resource is backed by an XML file. It is not designed for large-scale production use. At startup time, the UserDatabaseRealm loads information about all users, and their corresponding roles, from an XML document (by default, this document is loaded from $CATALINA_BASE/conf/tomcat-users.xml). The users, their passwords and their roles may all be editing dynamically, typically via JMX. Changes may be saved and will be reflected in the XML file. 對於使用 的身份驗證,可使用JMX API接口動態的修改tomcat的身份認證配置,並自動映射到磁盤上的配置文件tomcat-users.xml 2. JDBCRealm //className="org.apache.catalina.realm.JDBCRealm JDBCRealm is an implementation of the Tomcat Realm interface that looks up users in a relational database accessed via a JDBC driver. There is substantial configuration flexibility that lets you adapt to existing table and column names, as long as your database structure conforms to the following requirements: 1) There must be a table, referenced below as the users table, that contains one row for every valid user that this Realm should recognize. 2) The users table must contain at least two columns (it may contain more if your existing applications required it): 3) Username to be recognized by Tomcat when the user logs in. Password to be recognized by Tomcat when the user logs in. This value may in cleartext or digested 4) The user roles table must contain at least two columns (it may contain more if your existing applications required it): 4.1) Username to be recognized by Tomcat ( 4.2) 2014/10/27Role name of a valid role associated with this user. /* create table users ( user_name varchar(15) not null primary key, user_pass varchar(15) not null ); create table user_roles ( user_name varchar(15) not null, role_name varchar(15) not null, primary key (user_name, role_name) ); */ When a user attempts to access a protected resource for the first time, Tomcat will call the authenticate() method of this Realm. Thus, any changes you have made to the database directly (new users, changed passwords or roles, etc.) will be immediately reflected. 對於JDBCRealm來講,對保存帳戶信息的數據庫的修改,會實時的映射到tomcat中 3. DataSourceRealm //className="org.apache.catalina.realm.DataSourceRealm" DataSourceRealm is an implementation of the Tomcat Realm interface that looks up users in a relational database accessed via a JNDI(JNDI(Java Naming and Directory Interface,Java命名和目錄接口) named JDBC DataSource. 本質上和JDBCRealm認證原理相似,差異在於使用JNDI接口進行數據源數據獲取 4. JNDIRealm //className="org.apache.catalina.realm.JNDIRealm" JNDIRealm is an implementation of the Tomcat Realm interface that looks up users in an LDAP directory server accessed by a JNDI provider (typically, the standard LDAP provider that is available with the JNDI API classes). The realm supports a variety of approaches to using a directory for authentication. 5. MemoryRealm MemoryRealm is a simple demonstration implementation of the Tomcat Realm interface. It is not designed for production use. At startup time, MemoryRealm loads information about all users, and their corresponding roles, from an XML document (by default, this document is loaded from $CATALINA_BASE/conf/tomcat-users.xml). Changes to the data in this file are not recognized until Tomcat is restarted. 6. JAASRealm //className="org.apache.catalina.realm.JAASRealm" JAASRealm is an implementation of the Tomcat Realm interface that authenticates users through the Java Authentication & Authorization Service (JAAS) framework which is now provided as part of the standard Java SE API. 7. CombinedRealm //className="org.apache.catalina.realm.CombinedRealm" CombinedRealm is an implementation of the Tomcat Realm interface that authenticates users through one or more sub-Realms. Using CombinedRealm gives the developer the ability to combine multiple Realms of the same or different types. This can be used to authenticate against different sources, provide fall back in case one Realm fails or for any other purpose that requires multiple Realms. Sub-realms are defined by nesting Realm elements inside the Realm element that defines the CombinedRealm. Authentication will be attempted against each Realm in the order they are listed. Authentication against any Realm will be sufficient to authenticate the user. 8. LockOutRealm //className="org.apache.catalina.realm.LockOutRealm" LockOutRealm is an implementation of the Tomcat Realm interface that extends the CombinedRealm to provide lock out functionality to provide a user lock out mechanism if there are too many failed authentication attempts in a given period of time. To ensure correct operation, there is a reasonable degree of synchronisation in this Realm. This Realm does not require modification to the underlying Realms or the associated user storage mechanisms. It achieves this by recording all failed logins, including those for users that do not exist. To prevent a DOS by deliberating making requests with invalid users (and hence causing this cache to grow) the size of the list of users that have failed authentication is limited. Sub-realms are defined by nesting Realm elements inside the Realm element that defines the LockOutRealm. Authentication will be attempted against each Realm in the order they are listed. Authentication against any Realm will be sufficient to authenticate the user.
咱們重點來研究一下tomcat默認的身份驗證方式,UserDatabaseRealm的相關知識
... <Realm className="org.apache.catalina.realm.LockOutRealm"> <!-- This Realm uses the UserDatabase configured in the global JNDI resources under the key "UserDatabase". Any edits that are performed against this UserDatabase are immediately available for use by the Realm. --> <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/> </Realm> ...
UserDatabaseRealm類接口
public class UserDatabaseRealm extends RealmBase //Implementation of Realm that is based on an implementation of UserDatabase made available through the global JNDI resources configured for this instance of Catalina. Set the resourceName parameter to the global JNDI resources name for the configured instance of UserDatabase that we should consult.
UserDatabaseRealm is an implementation of the Tomcat Realm interface that uses a JNDI resource to store user information. By default, the JNDI resource is backed by an XML file. It is not designed for large-scale production use. At startup time, the UserDatabaseRealm loads information about all users, and their corresponding roles, from an XML document (by default, this document is loaded from $CATALINA_BASE/conf/tomcat-users.xml). The users, their passwords and their roles may all be editing dynamically, typically via JMX. Changes may be saved and will be reflected in the XML file.
2. tomcat中用戶角色
tomcat採用"用戶角色"的方式對用戶的訪問權限進行管理,每一個用戶都被劃分到了一個"用戶角色"中,toncat的默認預設角色有
1. manager-gui allows access to the HTML GUI and the status pages 也就是咱們經常使用到的 http://localhost:8080/manager/html 2. manager-script allows access to the text interface and the status pages 3. manager-jmx allows access to the JMX proxy and the status pages 4. manager-status allows access to the status pages only
結合以上知識,咱們能夠得出若是須要對tomcat manager頁面進行禁用,能夠採起以下的方法
1. 將tomcat-users.xml中的<user .../>節點中,設置爲"manager-gui"的帳戶所有修改成"tomcat" 由於只有manager-gui這個role才具備訪問tomcat web後臺界面的權限,所以,這樣實現對tomcat後臺頁面的禁用 2. 修改403.jsp頁面 對tomcat-users.xml文件進行修改後,管理員在使用原始的賬號密碼登陸後臺的時候,會被Realm驗證模塊拒絕,顯示403.jsp頁面。咱們須要在這個頁面顯示咱們的修復動做和可能產生的後果,並告知修改回滾的接口地址 3. 修復消息通知推送 經過手機短信的方式通知到管理員tomcat的後臺管理界面已經被禁用
3. 刪除\webapps\manager\WEB-INF\web.xml文件
Relevant Link:
http://tomcat.apache.org/tomcat-8.0-doc/index.html http://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html http://www.cnblogs.com/lanhuahua/archive/2011/08/10/2133685.html http://blog.csdn.net/feng88724/article/details/7164983 https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/realm/UserDatabaseRealm.html
011: 禁用tomcat manager管理界面的WAR Remote Deploy遠程部署
0x12: 禁止列目錄(index travel)
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
Relevant Link:
https://www.owasp.org/index.php/Securing_tomcat http://tomcat.apache.org/tomcat-7.0-doc/security-howto.htm http://media.techtarget.com/tss/static/articles/content/TomcatSecurity/TomcatSecurity.pdf https://www.mulesoft.com/tcat/tomcat-security
3. Managing Security Realms with JMX(java management extensions)
和IIS的自動化API操做相似,tomcat一樣提供了對外暴露的安全配置接口
//IIS API automatic config相關知識請參閱 http://www.cnblogs.com/LittleHann/p/3988923.html
Java Management Extensions, or JMX, is a Java technology designed for remote administration and monitoring of Java components. All versions of Tomcat 5.x or later natively support the JMX protocol.
整個tomcat的安全配置體系架構能夠分爲一個三層的結構
1. the Instrumentation Level The Instrumentation Level contains the components and resources that you would like to manage. These resources are represented by one or more specialized JavaBeans known as Managed Beans, or MBeans for short MBeans are Java Beans that implement additional components which allow them to be managed and monitored via the JMX framework. Each MBean represents a single resource running on the JVM, which is exposed for remote management using JMX. 在這一層就是所謂的providers MBeans 2. the Agent Level There are a few different types of MBeans, each with different functionalities, which offer a greater degree flexibility when designing your administrative framework. Any MBean that you wish to expose is registered with the MBeanServer, which makes up JMX's Agent Level. The Agent Level is composed of an intermediate agent called MBeanServer. The job of this layer is to receive requests or commands from the Remote Management Level, and relay them to the appropriate MBean. It also can receive notifications from its MBeans, such as state changes, and forward them to the Remote Management Layer. 在這一層就是所謂的security service(APIS) 3. the Remote Management Level The Remote Management Layer is made up of client programs, connectors, and adaptors, and allows the user to send requests to the Agent layer for relay and receive the results of these requests. Users can connect to the MBeanServer either 1) through a connector, using a client program such as JConsole and a protocol such as RMI or IIOP 對應於tomcat-users.xml中的manager-jmx role 2) or through an adaptor, which adapts the MBeanServer API to another protocol, such as HTTP, allowing JMX to be used with custom web-based GUIs. 對應於tomcat-users.xml中的manager-gui role In summary, a user at the Remote Management Level sends a request or command to the Agent Level, which contacts the appropriate MBean at the Instrumentation Level, and relays the response back to the user.
This distributed system allows users to build highly customized administrative frameworks from scratch.
0x1: Security Realms
A security realm comprises mechanisms for protecting WebLogic resources. Each security realm consists of a set of configured security providers, which are modular components that handle specific aspects of security. You can
1. create a JMX client that uses the providers in a realm to add or remove security data such as users and groups. 2. You can also create a client that adds or removes providers 3. makes other changes to the realm configuration.
0x2: Understanding the Hierarchy of Security MBeans
Like other subsystems, the "WebLogic Server security framework" organizes its MBeans in a hierarchy that JMX clients can navigate without constructing JMX object names. However
1. the set of MBean types that are available in a security realm depends on which security providers you have installed in the realm 2. the set of services that each security provider enables depends on how the provider was created.
tomcat使用層次結構的MBeans對安全域進行組織管理,每一個Mbeans對應於不一樣方面的安全配置,程序員能夠經過JMX Clients鏈接這些Mbeans,對tomcat的對應的安全配置進行動態的讀寫
security providers -> security realm(一個realm能夠包含多個providers) -> MBean Proxy -> security service(APIS)
而之因此說tomcat的Mbeans是層次結構的,是由它的類繼承關係決定的
Each security provider must extend a base provider type. For example
1. DefaultAuthorizerMBean extends AuthorizerMBean 2. any custom or third-party authorization provider also extends AuthorizerMBean. //If a JMX client gets the value of the RealmMBean Authorizers attribute, the MBean server returns all MBeans in the realm that extend AuthorizerMBean. The JMX client can iterate through the list of providers and select one based on the value of its Name attribute or other criteria.
Base provider types can be enhanced by extending a set of optional mix-in interfaces. For example
1. if an authentication provider extends the UserEditorMBean, then the provider can add users to the realm.
0x3: Security Providers(the Instrumentation Level)
咱們知道,對tomcat中某個MBeans的操做實質上就是在對MBeans後面的Provider的操做,在tomcat的providers中,和安全身份認證有關的providers有
1. AuthenticationProviderMBean The base MBean for all MBean implementations that manage Authentication providers. If your Authentication provider uses the WebLogic Security SSPI to provide login services, then your MBean must extend weblogic.management.security.authentication.Authenticator. If your Authentication provider uses the WebLogic Security SPI to provide identity-assertion services, then your MBean must extend weblogic.management.security.authentication.IdentityAsserter. 2. AuthenticatorMBean The SSPI MBean that all Authentication providers with login services must extend. This MBean provides a ControlFlag to determine whether the Authentication provider is a REQUIRED, REQUISITE, SUFFICENT, or OPTIONAL part of the login sequence. 3. IdentityAsserterMBean The SSPI MBean that all Identity Assertion providers must extend. This MBean enables an Identity Assertion provider to specify the token types for which it is capable of asserting identity. 4. ServletAuthenticationFilterMBean The SSPI MBean that all Servlet Authentication Filter providers must extend. This MBean is just a marker interface. It has no methods on it.
0x4: MBean Mixin Interfaces for Security Providers
在tomcat中,providers模塊是數據提供者,而MBeans則提供了對外訪問的接口,用來對tomcat的配置進行動態地修改
.... 1. UserEditorMBean:Provides a set of methods for creating, editing, and removing users 2. UserReaderMBean:Provides a set of methods for reading data about users. 3. RoleEditorMBean:Provides a set of methods for creating, editing, and removing roles. 4. RoleReaderMBean:Provides a set of methods for reading roles. ...
0x5: 經過JMX操做tomcat配置信息編程示例
鏈接tomcat的JMX Proxy有2種方法
1. HTTP URL方式:tomcat manager內置了一個輕量級的JMP HTTP Proxy 2. 使用java編寫client connector/adaptor客戶端程序
1. HTTP方式
The JMX Proxy Servlet is a lightweight proxy to get and set the tomcat internals
JXMProxy HTTP有如下幾種操做方式
1. JMX Query command 1) look for a specific MBean by the given name http://localhost:8080/manager/jmxproxy/?qry=Catalina%3Atype%3DEnvironment%2Cresourcetype%3DGlobal%2Cname%3DsimpleValue 2) locate all workers which can process requests and report their state http://localhost:8080/manager/jmxproxy/?qry=*%3Atype%3DRequestProcessor%2C* 3) return all loaded servlets http://localhost:8080/manager/jmxproxy/?qry=*%3Aj2eeType=Servlet%2c* 2. JMX Get command 1) fetch the value of a specific MBean's attribute http://localhost:8080/manager/jmxproxy/?get=BEANNAME&att=MYATTRIBUTE&key=MYKEY 2) fetch the current heap memory data: http://localhost:8080/manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage 3) fetch the current heap memory data and only want the "used" key http://localhost:8080/manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage&key=used 3. JMX Set command 1) general format http://localhost:8080/manager/jmxproxy/?set=BEANNAME&att=MYATTRIBUTE&val=NEWVALUE 2) turn up debugging on the fly for the ErrorReportValve http://localhost:8080/manager/jmxproxy/?set=Catalina%3Atype%3DValve%2Cname%3DErrorReportValve%2Chost%3Dlocalhost&att=debug&val=10 4. JMX Invoke command The invoke command enables methods to be called on MBeans 1) general format http://localhost:8080/manager/jmxproxy/?invoke=BEANNAME&op=METHODNAME&ps=COMMASEPARATEDPARAMETERS 2) call the findConnectors() method of the Service use http://localhost:8080/manager/jmxproxy/?invoke=Catalina%3Atype%3DService&op=findConnectors&ps= 3) 修改指定用戶的密碼 http://localhost:8080/manager/jmxproxy/?set=Users:type=User,username="test",database=UserDatabase&att=password&val=hello //將test這個帳戶的密碼修改成hello
Relevant Link:
http://docs.oracle.com/cd/E11035_01/wls100/secintro/index.html http://docs.oracle.com/cd/E11035_01/wls100/jmx/accessWLS.html#wp1112969 http://tomcat.apache.org/tomcat-8.0-doc/manager-howto.html#Using_the_JMX_Proxy_Servlet http://tomcat.apache.org/tomcat-8.0-doc/manager-howto.html http://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html#MemoryRealm http://docs.oracle.com/cd/E11035_01/wls100/jmx/editsecurity.html http://www.360doc.com/content/10/1005/14/39755_58581727.shtml
2. JAVA Client Connector/adaptor方式:Creating WebLogic users programmatically from a standalone Java client
使用java編寫client connector/adaptor這種方式要求服務端的tomcat服務器要開啓"JMX_REMOTE_CONFIG",即tomcat須要監聽一個JMX Proxy端口,默認狀況下,tomcat是不會開啓這個接口的,因此要進行這個實驗,咱們還須要對tomcat的啓動腳本增長一些額外的配置
1. 先修改Tomcat的啓動腳本 1) windows下爲bin/catalina.bat 2) linux下爲catalina.sh 添加如下內容 set JMX_REMOTE_CONFIG=-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=8999 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false set CATALINA_OPTS=%CATALINA_OPTS% %JMX_REMOTE_CONFIG% /* 1. 8999是jmxremote使用的端口號 2. 第二個false表示不須要鑑權 */ 2. 要注意以上語句的位置不能太后面 大概在200行左右這個位置就能夠了,太前面也不行 3. 啓動/重啓tomcat 1) D:\tomcat\apache-tomcat-8.0.14\bin 2) catalina.bat run
咱們配置了無鑑權模式的8999端口jmxproxy監聽服務,如今能夠開始編寫java代碼,經過jmx api鏈接到jmxproxy上了,從而對tomcat的MBeans進行動態的讀寫
import java.util.HashMap; import java.util.Map; import javax.management.MBeanServerConnection; import javax.management.ObjectName; import javax.management.remote.JMXConnector; import javax.management.remote.JMXConnectorFactory; import javax.management.remote.JMXServiceURL; public class JMXTest { public static void main(String[] args) { try { String jmxURL = "service:jmx:rmi:///jndi/rmi://127.0.0.1:8999/jmxrmi";//tomcat jmx url /* * JMXServiceURL用於標識JMXConnectorServer,它是採用如下形式的字符串 * service:jmx:<protocol>://[[[ <host>]: <port>]/ <path>] 1. "protocol" 指定了協議,例如 1) rmi 2) iiop 3) jmxmp 4) soap 2. "host"(可選) 3. "port"(可選) 4. "path"(可選) */ JMXServiceURL serviceURL = new JMXServiceURL(jmxURL); Map<String, String[]> map = new HashMap<String, String[]>(); String[] credentials = new String[] { "monitorRole" , "QED" }; map.put("jmx.remote.credentials", credentials); /* * The client end of a JMX API connector. An object of this type can be used to establish a connection to a connector server. * A newly-created object of this type is unconnected. Its connect method must be called before it can be used. However, objects created by JMXConnectorFactory.connect are already connected. */ JMXConnector conneactor = JMXConnectorFactory.connect(serviceURL, map); MBeanServerConnection mbsc = conneactor.getMBeanServerConnection(); /* ObjectName threadObjNameSet = new ObjectName("Catalina:type=Valve,host=localhost,context=/host-manager,name=BasicAuthenticator"); Attribute attrVal = new Attribute("stateName", "STOPED"); mbsc.setAttribute(threadObjNameSet, attrVal); */ /* * 填寫須要獲取的ObjectName對象名,即MBeans Idntifier */ ObjectName threadObjName = new ObjectName("Catalina:type=Valve,host=localhost,context=/host-manager,name=BasicAuthenticator"); String attrName = "stateName"; //經過MBeans的getter方法獲取對應的屬性值 System.out.println("password: " + mbsc.getAttribute(threadObjName, attrName)); } catch (Exception e) { e.printStackTrace(); } } }
能夠經過URL的jmxproxy方式驗證咱們得到的結果
http://localhost:8080/manager/jmxproxy/?get=Catalina:type=Valve,host=localhost,context=/host-manager,name=BasicAuthenticator&att=stateName result: OK - Attribute get 'Catalina:type=Valve,host=localhost,context=/host-manager,name=BasicAuthenticator' - stateName = STARTED
Relevant Link:
http://whitesock.iteye.com/blog/246186 http://www.programcreek.com/java-api-examples/index.php?api=javax.management.MBeanServerConnection http://pic.dhe.ibm.com/infocenter/wxsinfo/v8r6/index.jsp?topic=%2Fcom.ibm.websphere.extremescale.doc%2Ftxsmbeanprog.html http://blog.csdn.net/airobot008/article/details/3951524 http://sharpspeed.iteye.com/blog/2009770 http://www.blogjava.net/japper/archive/2012/09/05/387092.html
4. 實現對TOMCAT配置信息的動態修改(hot dynamic edit)
瞭解了tomcat jmx api編程以後,咱們回到咱們本文的中心,就是自動化的tomcat配置加固,即動態的修改內存中的tomcat配置,實現對tomcat的MBeans(保存tomcat全部維度信息的基本單位)配置信息的動態修改
1. HTTP URL JMXPROXY 經過這種方式對tomcat的配置進行動態修改存在以下幾個條件、限制 1) 調用URL接口的用戶必須自己是具備"manager-jmx"的角色,而且須要處於登陸後的狀態才能夠調用這個接口 2) tomcat的MBeans大多數不提供setter接口,而只提供getter接口,不少的設置是不能修改的,例如 2.1) 取消basic認證 2.2) 修改帳戶的role角色 2. JAVA CLIENT JXMPROXY API 經過這種方式對tomcat的配置進行動態修改存在以下幾個條件、限制 1) 須要tomcat服務端開啓了JMXPROXY端口監聽服務,而tomcat默認是不開啓這個端口監聽的,須要手動設置並重啓 2) tomcat的MBeans大多數不提供setter接口,而只提供getter接口,不少的設置是不能修改的,例如 2.1) 取消basic認證 2.2) 修改帳戶的role角色
須要注意的是,tomcat的jmx自動化操做方式是針對須要對tomcat進行實時性能監控而產生的,因此咱們會發現jmx接口中大多數是getter方法,並且無論是ur方式、仍是java client方式,在默認狀況下tomcat都不支持,須要額外的配置才能啓用,因此,咱們想要經過tomcat jmx方式對tomcat進行配置加固是有困難的
5. Tomcat manager弱口令入侵部署WEBSHELL防護
0x1: 直接刪除manager頁面對應的jsp文件、manager目錄
或者直接刪除\webapps\manager\WEB-INF\web.xml文件,一樣獲得禁用manager頁面的效果
0x2: 修改tomcat-users.xml文件配置
1. 將弱密碼修改成強密碼 2. 取消用戶的manager-gui,即降權,達到禁止用戶訪問manager頁面的目的 //須要重啓tomcat才能使新配置生效
0x3: 針對web應用的輕量級重啓:修改應用中的web.xml的和身份認證、禁止登陸、POST WAR的相關配置
在開始研究tomcat應用程序的web.xml配置以前,咱們先針對這個思路和apache的配置進行一個類比
http://man.chinaunix.net/newsoft/Apache2.2_chinese_manual/howto/htaccess.html
在apache架構的網站應用中.htaccess文件(或者"分佈式配置文件")提供了針對每一個目錄(web應用)改變配置的方法,即在一個特定的目錄中放置一個包含指令的文件,其中的指令做用於此目錄及其全部子目錄
對於tomcat,咱們也能夠採起相同的思路,從本質上來講,manager這個後臺管理界面屬於一個J2EE的應用,咱們能夠直接修改manager目錄下的web.xml文件,對其配置項進行修改禁止管理員訪問,而後直接重啓manager這個應用便可
1. tomcat web.xml配置
The web.xml Deployment Descriptor file describes how to deploy a web application in a servlet container such as Tomcat.
The location of the file is always the same: application root/WEB-INF/web.xml
<?xml version="1.0" encoding="UTF-8"?> <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4"> <!-- ========================================================== --> <!-- General --> <!-- ========================================================== --> <!-- Name the application --> <display-name>Example App</display-name> <description>An example application which is used to play with some of the features of Tomcat</description> <!-- This app is cluster-ready --> <distributable /> <!-- Set timeout to 120 minutes --> <session-config> <session-timeout>120</session-timeout> </session-config> <!-- ========================================================== --> <!-- Custom Tag Libraries --> <!-- ========================================================== --> <!-- Taglib declarations are no longer required since JSP 2.0, see Removing taglib from web.xml --> <!-- The <taglib> did not need to be a child of <jsp-config> in earlier versions but is required as of Tomcat 7 --> <!-- Note that you can only have one <jsp-config> element per web.xml --> <!-- <jsp-config> <taglib> <taglib-uri>mytags</taglib-uri> <taglib-location>/WEB-INF/jsp/mytaglib.tld</taglib-location> </taglib> </jsp-config> --> <!-- ========================================================== --> <!-- JSP Configuration --> <!-- ========================================================== --> <jsp-config> <jsp-property-group> <url-pattern>*.jsp</url-pattern> <include-prelude>/WEB-INF/jspf/prelude1.jspf</include-prelude> <include-coda>/WEB-INF/jspf/coda1.jspf</include-coda> </jsp-property-group> </jsp-config> <!-- ========================================================== --> <!-- Context Parameters --> <!-- ========================================================== --> <context-param> <description>Enable debugging for the application</description> <param-name>debug</param-name> <param-value>true</param-value> </context-param> <context-param> <description>The email address of the administrator, used to send error reports.</description> <param-name>webmaster</param-name> <param-value>address@somedomain.com</param-value> </context-param> <!-- ========================================================== --> <!-- JNDI Environment Variables --> <!-- ========================================================== --> <env-entry> <env-entry-name>webmasterName</env-entry-name> <env-entry-value>Ms. W. Master</env-entry-value> <env-entry-type>java.lang.String</env-entry-type> </env-entry> <env-entry> <env-entry-name>cms/defaultUserSettings/recordsPerPage</env-entry-name> <env-entry-value>30</env-entry-value> <env-entry-type>java.lang.Integer</env-entry-type> </env-entry> <env-entry> <env-entry-name>cms/enableXMLExport</env-entry-name> <env-entry-value>false</env-entry-value> <env-entry-type>java.lang.Boolean</env-entry-type> </env-entry> <env-entry> <env-entry-name>cms/enableEmailNotifications</env-entry-name> <env-entry-value>true</env-entry-value> <env-entry-type>java.lang.Boolean</env-entry-type> </env-entry> <!-- ========================================================== --> <!-- Servlets --> <!-- ========================================================== --> <!-- Simple Servlet, provide a name, class, description and map to URL /servlet/SimpleServlet --> <servlet> <servlet-name>Simple</servlet-name> <servlet-class>SimpleServlet</servlet-class> <description>This is a simple Hello World servlet</description> </servlet> <servlet-mapping> <servlet-name>Simple</servlet-name> <url-pattern>/servlet/SimpleServlet</url-pattern> </servlet-mapping> <!-- CMS Servlet, responds to *.cms URL's --> <servlet> <!-- Identification --> <servlet-name>cms</servlet-name> <servlet-class>com.metawerx.servlets.ContentManagementSystem</servlet-class> <description>This servlet handles requests for the CMS (it is a controller in an MVC architecture)</description> <!-- This servlet has two parameters --> <init-param> <param-name>debug</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>detail</param-name> <param-value>2</param-value> </init-param> <!-- Load this servlet when the application starts (call the init() method of the servlet) --> <load-on-startup>5</load-on-startup> <!-- <run-at>0:00, 6:00, 12:00, 18:00</run-at> This tag is only valid for Resin --> </servlet> <!-- Map some URLs to the cms servlet (demonstrates *.extension mapping) --> <servlet-mapping> <!-- For any URL ending in .cms, the cms servlet will be called --> <servlet-name>cms</servlet-name> <url-pattern>*.cms</url-pattern> </servlet-mapping> <!-- Rewriter Servlet, responds to /content/* and /admin/RewriterStatistics URL's --> <!-- Define a servlet to respond to /content/* URL's --> <servlet> <servlet-name>rewriter</servlet-name> <servlet-class>com.metawerx.servlets.URLRewriter</servlet-class> </servlet> <!-- Map some URL's to the rewriter servlet (demonstrates /path/* and specific URL mapping) --> <servlet-mapping> <!-- For any URL starting with /content/, the rewriter servlet will be called --> <servlet-name>rewriter</servlet-name> <url-pattern>/content/*</url-pattern> </servlet-mapping> <servlet-mapping> <!-- The rewriter servlet can also be called directly as /admin/RewriterStatistics, to return stats --> <servlet-name>rewriter</servlet-name> <url-pattern>/admin/RewriterStatistics</url-pattern> </servlet-mapping> <!-- PathJSP Servlet, maps /shop/item/* URL's to a JSP file --> <!-- Define a JSP file to respond to /shop/item/* URL's --> <servlet> <servlet-name>pathjsp</servlet-name> <jsp-file>pathfinder.jsp</jsp-file> </servlet> <!-- Map some URL's to the pathjsp servlet (demonstrates /long/path/* URL mapping) --> <servlet-mapping> <!-- For any URL starting with /shop/item/, the pathjsp servlet will be called --> <servlet-name>pathjsp</servlet-name> <url-pattern>/shop/item/*</url-pattern> </servlet-mapping> <!-- ========================================================== --> <!-- Filters --> <!-- ========================================================== --> <!-- Example filter to set character encoding on each request (from Tomcat servlets-examples context) --> <filter> <filter-name>Set Character Encoding</filter-name> <filter-class>filters.SetCharacterEncodingFilter</filter-class> <init-param> <param-name>encoding</param-name> <param-value>EUC_JP</param-value> </init-param> </filter> <filter-mapping> <filter-name>Set Character Encoding</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- Example filter to dump the HTTP request at the top of each page (from Tomcat servlets-examples context) --> <filter> <filter-name>Request Dumper Filter</filter-name> <filter-class>filters.RequestDumperFilter</filter-class> </filter> <filter-mapping> <filter-name>Request Dumper Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- ========================================================== --> <!-- Listeners --> <!-- ========================================================== --> <!-- Define example application events listeners --> <listener> <listener-class>com.metawerx.listener.ContextListener</listener-class> </listener> <listener> <listener-class>com.metawerx.listener.SessionListener</listener-class> </listener> <!-- ========================================================== --> <!-- Security --> <!-- ========================================================== --> <!-- Define roles --> <security-role> <role-name>admin</role-name> </security-role> <security-role> <role-name>cms_editors</role-name> </security-role> <!-- Define a constraint to restrict access to /private/* --> <security-constraint> <display-name>Security constraint for the /private folder</display-name> <web-resource-collection> <web-resource-name>Protected Area</web-resource-name> <url-pattern>/private/*</url-pattern> <!-- If you list http methods, only those methods are protected. --> <!-- Leave this commented out to protect all access --> <!-- <http-method>DELETE</http-method> <http-method>GET</http-method> <http-method>POST</http-method> <http-method>PUT</http-method> --> </web-resource-collection> <auth-constraint> <!-- Only only administrator and CMS editors to access this area --> <role-name>admin</role-name> <role-name>cms_editors</role-name> </auth-constraint> </security-constraint> <!-- FORM based authentication --> <!-- Leave this commented out, we will use BASIC (HTTP) authentication instead --> <!-- <login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/login.jsp</form-login-page> <form-error-page>/error.jsp</form-error-page> </form-login-config> </login-config> --> <!-- This application uses BASIC authentication --> <login-config> <auth-method>BASIC</auth-method> <realm-name>Editor Login</realm-name> </login-config> <!-- Define a constraint to force SSL on all pages in the application --> <security-constraint> <web-resource-collection> <web-resource-name>Entire Application</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <!-- ========================================================== --> <!-- Error Handler --> <!-- ========================================================== --> <!-- Define an error handler for 404 pages --> <error-page> <error-code>404</error-code> <location>/error404.jsp</location> </error-page> <!-- Define an error handler for java.lang.Throwable --> <error-page> <exception-type>java.lang.Throwable</exception-type> <location>/errorThrowable.jsp</location> </error-page> <!-- ========================================================== --> <!-- Extra MIME types --> <!-- ========================================================== --> <!-- Set XML mime-mapping so spreadsheets open properly instead of being sent as an octet/stream --> <mime-mapping> <extension>xls</extension> <mime-type>application/vnd.ms-excel</mime-type> </mime-mapping> <!-- ========================================================== --> <!-- Locale --> <!-- ========================================================== --> <!-- Set Locale Encoding --> <locale-encoding-mapping-list> <locale-encoding-mapping> <locale>ja</locale> <encoding>Shift_JIS</encoding> </locale-encoding-mapping> </locale-encoding-mapping-list> <!-- ========================================================== --> <!-- Welcome Files --> <!-- ========================================================== --> <!-- Define, in order of preference, which file to show when no filename is defined in the path --> <!-- eg: when user goes to http://yoursite.com/ or http://yoursite.com/somefolder --> <!-- Defaults are provided in the server-wide web.xml file, such as index.jsp, index.htm --> <!-- Note: using this tag overrides the defaults, so don't forget to add them here --> <welcome-file-list> <!-- Use index.swf if present, or splash.jsp, otherwise just look for the normal defaults --> <welcome-file>index.swf</welcome-file> <welcome-file>splash.jsp</welcome-file> <welcome-file>index.html</welcome-file> <welcome-file>index.htm</welcome-file> <welcome-file>index.jsp</welcome-file> </welcome-file-list> </web-app>
關於jsp和web.xml配置的相關知識,請參閱
http://www.cnblogs.com/LittleHann/p/3725886.html 搜索:2. web.xml基礎語法
2. 配置web.xml禁用管理登陸manager後臺頁面
要達到禁用後臺登陸的目的,咱們能夠經過對web.xml做以下修改達到目的
1. <security-constraint>(fro html) -> <auth-constraint> -> <role-name> 2. 將"/html/*"(web-gui)的身份鑑權角色限制修改成一個自定義的角色名,例如"just4fun",這個名字要保證tomcat的默認角色配置不會覆蓋到,即達到對管理員的角色降權,禁止管理員 3. 針對web.xml的配置修改是馬上在tomcat中生效的,tomcat會對web.xml的修改自動作reload操做 4. manager頁面會馬上禁止管理員登陸
D:\tomcat\apache-tomcat-8.0.14\webapps\manager\WEB-INF\web.xml
修改後,當即生效
回滾後也當即生效
Relevant Link:
http://wiki.metawerx.net/wiki/Web.xml http://fangyunfeng.iteye.com/blog/1862251
0x4: Make A Brustattack Blocking Filter Or Listener Within Tomcat:向tomcat註冊一個用於阻斷後臺manager頁面的暴力破解阻斷模塊
filter、listener是tomcat中對http數據流進行pre(前置劫持)、after(後置處理)的一直機制,簡單來講,tomcat在整個http數據流的流程中給程序員暴露出了一些串行的hook點,容許程序員對http數據流進行修改
web.xml 的加載順序是:context-param -> listener -> filter -> servlet ,而相同類型節點之間的程序調用的順序是根據對應的mapping的順序進行調用的
因此咱們能夠選擇編寫tomcat filter,實現暴力破解阻斷的功能
1. Tomcat Filter
關於tomcat filter的相關知識,請參閱另外一篇文章
http://www.cnblogs.com/LittleHann/p/3725886.html 搜索:0x3: Filter介紹
2. Code Example
import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; /** * @author Administrator * */ public class LogFilter implements Filter { private FilterConfig filterConfig; public FilterConfig getFilterConfig() { System.err.println("...getFilterConfig..."); return filterConfig; } public void setFilterConfig(FilterConfig filterConfig) { System.err.println("...setFilterConfig..."); this.filterConfig = filterConfig; } /* (non-Javadoc) * @see javax.servlet.Filter#destroy() */ @Override public void destroy() { System.err.println("...filter destroy..."); } /* (non-Javadoc) * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain) */ @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { System.err.println("...doFilter..."); //傳遞下一個Filter chain.doFilter(request, response); } /* (non-Javadoc) * @see javax.servlet.Filter#init(javax.servlet.FilterConfig) */ @Override public void init(FilterConfig filterConfig) throws ServletException { System.err.println("...init Filter..."); this.filterConfig = filterConfig; } }
2. 配置web.xml,向web應用註冊一個Filter
<filter>
<filter-name>LogFilter</filter-name>
<filter-class>com.ee.filter.LogFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>LogFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
0x5: 經過classloader反射動態修改容器內類的配置實現修復配置修復
0x6: 經過java attach api實現遠程代碼注入,修復應用內存配置漏洞
0x7: Use LockOutRealm To Prevents Brute Force Attacks(org.apache.catalina.realm.LockOutRealm)
LockOutRealm is an implementation of the Tomcat Realm interface that extends the CombinedRealm to provide lock out functionality to provide a user lock out mechanism if there are too many failed authentication attempts in a given period of time.
To ensure correct operation, there is a reasonable degree of synchronization in this Realm.
This Realm does not require modification to the underlying Realms or the associated user storage mechanisms. It achieves this by recording all failed logins, including those for users that do not exist. To prevent a DOS by deliberating making requests with invalid users (and hence causing this cache to grow) the size of the list of users that have failed authentication is limited.
Sub-realms are defined by nesting Realm elements inside the Realm element that defines the LockOutRealm. Authentication will be attempted against each Realm in the order they are listed. Authentication against any Realm will be sufficient to authenticate the user.
The LockOutRealm implementation supports the following additional attributes.
1. allRolesMode This attribute controls how the special role name * is handled when processing authorization constraints in web.xml. By default, the specification compliant value of strict is used which means that the user must be assigned one of the roles defined in web.xml. The alternative values are authOnly which means that the user must be authenticated but no check is made for assigned roles and strictAuthOnly which means that the user must be authenticated and no check will be made for assigned roles unless roles are defined in web.xml in which case the user must be assigned at least one of those roles. 2. cacheRemovalWarningTime If a failed user is removed from the cache because the cache is too big before it has been in the cache for at least this period of time (in seconds) a warning message will be logged. Defaults to 3600 (1 hour). 3. cacheSize Number of users that have failed authentication to keep in cache. Over time the cache will grow to this size and may not shrink. Defaults to 1000. 4. failureCount The number of times in a row a user has to fail authentication to be locked out. Defaults to 5. 5. lockOutTime The time (in seconds) a user is locked out for after too many authentication failures. Defaults to 300 (5 minutes).
爲了配置 CombinedRealm,須要建立一個 <Realm> 元素,並將其內嵌在 <Engine> 或 <Host> 元素中的 $CATALINA_BASE/conf/server.xml 文件內。一樣,你也能夠將其內嵌到 context.xml 文件下的 <Context> 節點
<Engine name="Catalina" defaultHost="localhost"> <Realm className="org.apache.catalina.realm.LockOutRealm"> <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/> </Realm> <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %t "%r" %s %b" /> </Host> </Engine>
0x8: 修改\conf\tomcat-users.xml中的弱密碼
缺點在於,須要重啓Tomcat
Relevant Link:
http://docs.oracle.com/javase/7/docs/technotes/guides/attach/index.html
https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html#Securing_Management_Applications
https://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#LockOut_Realm_-_org.apache.catalina.realm.LockOutRealm
https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html
http://wiki.jikexueyuan.com/project/tomcat/realms-aaa.html
0x9: 調用attach api動態修復JVM內存中配置
1. 列出當前主機上全部運行中JVM實例 2. 經過枚舉進程列表、及其參數,找到tomcat進程PID 3. attach到目標JVM進程 4. 執行指定agent,注入指令,修改JVM的內存配置,關閉redirect、debug開關
6. Tomcat遠程war包部署攻防
在windows環境下,tomcat的啓動參數以下
D:\Java\bin\java.exe -Djava.util.logging.config.file="D:\Apache_Tomcat\conf\logging.properties" -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs="D:\Apache_Tomcat\endorsed" -classpath "D:\Apache_Tomcat\bin\bootstrap.jar;D:\Apache_Tomcat\bin\tomcat-juli.jar" -Dcatalina.base="D:\Apache_Tomcat" -Dcatalina.home="D:\Apache_Tomcat" -Djava.io.tmpdir="D:\Apache_Tomcat\temp" org.apache.catalina.startup.Bootstrap start
規則
proc:path:blurry:java:cmd:"Tomcat\conf" write file:path:blurry:/webapps/*.war deny //tomcat manager遠程部署只會像webapps目錄下寫後綴爲war的文件
Relevant Link:
Copyright (c) 2014 LittleHann All rights reserved
相關文章
- 1. Tomcat Server Configuration Automation Reinforcement
- 2. Could not load the Tomcat server configuration
- 3. Could not load the Tomcat server configuration at C:\apache-tomcat-6.0.35\conf. The configuration ma
- 4. Tomcat tomcat-users.xml configuration example
- 5. Could not load the Tomcat server configuration at /Servers/Tomcat v7.0 Server at localhost-config.
- 6. The Tomcat server configuration at \Servers\Tomcat v6.0 Server at localhost-config is missing. Check
- 7. Could not load the Tomcat server configuration at /Servers/Tomcat v7.0 Server
- 8. Could not load the Tomcat server configuration at \Servers\Tomcat v8.0 Server at localhost-config
- 9. Could not load the Tomcat server configuration at \Servers\Tomcat v7.0 Server at localhost-config
- 10. Tomcat啓動失敗:Could not publish server configuration for Tomcat v7.0 Server at localhost.
- 更多相關文章...
- • Docker 安裝 Tomcat - Docker教程
- • ASP Server 對象 - ASP 教程
- • Tomcat學習筆記(史上最全tomcat學習筆記)
- • Docker容器實戰(一) - 封神Server端技術
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. Tomcat Server Configuration Automation Reinforcement
- 2. Could not load the Tomcat server configuration
- 3. Could not load the Tomcat server configuration at C:\apache-tomcat-6.0.35\conf. The configuration ma
- 4. Tomcat tomcat-users.xml configuration example
- 5. Could not load the Tomcat server configuration at /Servers/Tomcat v7.0 Server at localhost-config.
- 6. The Tomcat server configuration at \Servers\Tomcat v6.0 Server at localhost-config is missing. Check
- 7. Could not load the Tomcat server configuration at /Servers/Tomcat v7.0 Server
- 8. Could not load the Tomcat server configuration at \Servers\Tomcat v8.0 Server at localhost-config
- 9. Could not load the Tomcat server configuration at \Servers\Tomcat v7.0 Server at localhost-config
- 10. Tomcat啓動失敗:Could not publish server configuration for Tomcat v7.0 Server at localhost.