Tomcat servers are widely used application servers in today's development architectures, popular for hosting Java-based applications. Below is a guide to best practices for securing your Tomcat server environment.
Banner grabbing is the process of gaining information from computer systems including services, open ports, version, etc.
When you send a request to a server host with the telnet command, the response passes along the server name, port, and version. This makes it easy for an attacker to use the displayed information, together with the web server error pages, to discover vulnerabilities and attack.
In cryptology, a cipher is an algorithm for encrypting and decrypting data. In other words, a cipher is a method of hiding words or text with encryption by replacing original letters with other letters, numbers and symbols through substitution or transposition.
Enabling strong cipher suites and protocols improves security and reduces the risk of cyber security attacks. For example, TLS 1.3 is much better, faster and more secure compared to TLS 1.2. The advantages of TLS 1.3 can improve your server performance and security.
Steps to disable weak ciphers
Back up the server.xml file
1. Open this file for editing
2. Look for this line in the server.xml file
<!-- HTTPS Connector added by Automation API Installation -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="conf/emweb_unsigned.keystore" keystorePass="empass" />
3. Add the following ciphers attribute to the Connector element, before its closing />, to disable the weak ciphers:
ciphers="<Required ciphers list>" />
For example, to disable the 3DES and RC4 ciphers, add the following:
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" />
4. Restart the Tomcat server.
Redirection to HTTPS enhances security and provides encryption, and your website is displayed with a padlock sign.
Below is the redirection code used in Tomcat:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SECURE</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
Mixed content issues occur when some content loaded on the URL is not served over HTTPS. Your website should not have any resources coming from HTTP. As a security best practice, always fix mixed content errors when you come across them.
Below is the image which is seen when there is a mixed content issue
You may be using Tomcat servers in your production environment, backup environment, or test environment. Securing every environment is the best approach to follow. One way to secure your Tomcat server is to install an SSL certificate on Tomcat servers to protect all data in transit. Another way is to remove unsecured connectors from $tomcat/server.xml.
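As an added example (not code from the original article), the following Python script audits a server.xml for the two points above: weak suites left in a connector's ciphers list, and connectors without TLS. It assumes comma-separated JSSE suite names as in the cipher example earlier; the function name, the markers beyond 3DES and RC4, and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Substrings marking suites to reject: 3DES and RC4 are the page's examples;
# NULL, EXPORT and anon are added here as further well-known weak families.
WEAK_MARKERS = ("3DES", "RC4", "NULL", "EXPORT", "anon")

def audit_server_xml(xml_text):
    """Return a list of (port, finding) tuples covering every <Connector>."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("SSLEnabled", "false").lower() != "true":
            findings.append((port, "plaintext connector (SSLEnabled is not true)"))
            continue
        # Ciphers may sit on the Connector (as on this page) or on a nested
        # <SSLHostConfig> element (newer Tomcat configuration style).
        lists = [conn.get("ciphers")]
        lists += [h.get("ciphers") for h in conn.iter("SSLHostConfig")]
        lists = [c for c in lists if c]
        if not lists:
            findings.append((port, "no ciphers attribute, defaults apply"))
        for value in lists:
            # Assumption: only comma-separated suite names are evaluated.
            if ":" in value or "!" in value:
                findings.append((port, "OpenSSL-syntax cipher string, not evaluated"))
                continue
            for suite in (s.strip() for s in value.split(",")):
                if any(marker in suite for marker in WEAK_MARKERS):
                    findings.append((port, "weak suite " + suite))
    return findings

# Constructed sample, not a real deployment's server.xml.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_RC4_128_SHA,
             TLS_RSA_WITH_3DES_EDE_CBC_SHA" />
  <Connector port="9443" SSLEnabled="true" scheme="https" secure="true" />
</Service></Server>"""

if __name__ == "__main__":
    for port, finding in audit_server_xml(SAMPLE):
        print(port, finding)
```

Run it against a copy of the backed-up server.xml before and after editing the ciphers attribute to confirm the change took effect in the file Tomcat will load.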
Monitoring the server for the availability and response time along with logs should be done regularly in order to track performance, CPU utilization, disk utilization, memory utilization, running services and processes.
Including an Application Performance Management tool, such as Stackify Retrace, allows users to accelerate application performance with centralized logging and error tracking.
To learn more about monitoring Tomcat, check out our Step by Step Guide to Tomcat Performance Monitoring.