Enterprise Java Applications: Tomcat in Practice (Part 2)

Running as an unprivileged user

Deploying the service under an ordinary (non-root) user is the safer practice.

[root@tomcat application]# useradd -u 1001 tomcat
[root@tomcat application]# passwd tomcat
Changing password for user tomcat.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
Switch to the tomcat user to run it:
[root@tomcat application]# chown -R tomcat:tomcat /application/jdk
[root@tomcat application]# chown -R tomcat:tomcat /application/tomcat/
[root@tomcat application]# su - tomcat 
[tomcat@linux-node1 ~]$ cd /application/tomcat/bin/
[tomcat@linux-node1 bin]$ sh startup.sh   # startup script
Using CATALINA_BASE:   /application/tomcat
Using CATALINA_HOME:   /application/tomcat
Using CATALINA_TMPDIR: /application/tomcat/temp
Using JRE_HOME:        /application/jdk
Using CLASSPATH:       /application/tomcat/bin/bootstrap.jar:/application/tomcat/bin/tomcat-juli.jar
Tomcat started.
[tomcat@linux-node1 tomcat]$ pwd
/application/tomcat
[tomcat@linux-node1 tomcat]$ ls -l
total 100
drwxr-xr-x 5 tomcat tomcat  4096 Apr  9 18:53 bin
drwxr-xr-x 6 tomcat tomcat  4096 Apr  8 10:49 conf
drwxr-xr-x 2 tomcat tomcat  4096 Apr  8 05:49 lib
-rw-r--r-- 1 tomcat tomcat 57011 Sep 28  2015 LICENSE
drwxr-xr-x 2 tomcat tomcat  4096 Apr  9 18:39 logs
-rw-r--r-- 1 tomcat tomcat  1444 Sep 28  2015 NOTICE
-rw-r--r-- 1 tomcat tomcat  6741 Sep 28  2015 RELEASE-NOTES
-rw-r--r-- 1 tomcat tomcat 16204 Sep 28  2015 RUNNING.txt
drwxr-xr-x 2 tomcat tomcat    29 Apr  8 05:49 temp  
drwxr-xr-x 8 tomcat tomcat   108 Apr  8 09:14 webapps
drwxr-xr-x 3 tomcat tomcat    21 Apr  8 05:53 work

On startup Tomcat puts its temporary and working files in temp and work; in production it is recommended to clear these two directories on every start.

Tomcat's bundled script sometimes cannot shut it down, so write your own:

[tomcat@linux-node1 ~]$ cat  tomcat.sh 
#!/bin/sh
JAVA_HOME=/application/jdk
CATALINA_HOME=/application/tomcat
# export so that startup.sh (a child process) actually sees them
export JAVA_HOME CATALINA_HOME

usage(){
    echo "$0 {start|stop|restart}"
    exit 1
}
[ $# -ne 1 ] && usage

start_tomcat(){
    "$CATALINA_HOME"/bin/startup.sh
}
stop_tomcat(){
    # Find the Tomcat JVM by its command line; drop our own grep from the result
    TPID=$(ps aux | grep java | grep tomcat | grep -v grep | awk '{print $2}')
    # Force-kill, since shutdown.sh sometimes fails to stop it; skip if nothing is running
    [ -n "$TPID" ] && kill -9 $TPID
    sleep 5
    TSTAT=$(ps aux | grep java | grep tomcat | grep -v grep | awk '{print $2}')
    if [ -z "$TSTAT" ]; then
        echo "tomcat stop"
    else
        kill -9 $TSTAT
    fi

    # Clear temp and work so every start begins from a clean state
    cd "$CATALINA_HOME" && rm -rf temp/* work/*
}

case $1 in
start)
    start_tomcat
    ;;
stop)
    stop_tomcat
    ;;
restart)
    stop_tomcat
    sleep 5
    start_tomcat
    ;;
*)
    usage
    ;;
esac
[tomcat@linux-node1 ~]$ sh tomcat.sh 
tomcat.sh {start|stop|restart}
[tomcat@linux-node1 ~]$ sh tomcat.sh start
Using CATALINA_BASE:   /application/tomcat
Using CATALINA_HOME:   /application/tomcat
Using CATALINA_TMPDIR: /application/tomcat/temp
Using JRE_HOME:        /application/jdk
Using CLASSPATH:       /application/tomcat/bin/bootstrap.jar:/application/tomcat/bin/tomcat-juli.jar
Tomcat started.


By default it listens on port 8080:

[tomcat@linux-node1 ~]$ netstat -ntpl|grep java
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp6       0      0 :::8009                 :::*                    LISTEN      4220/java           
tcp6       0      0 :::8080                 :::*                    LISTEN      4220/java           
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      4220/java  


The Server Status page shows JVM details and gives a quick picture of JVM usage, so it can be kept. The Manager App should be deleted: it can deploy WAR packages, which makes intrusion easy.


[tomcat@linux-node1 webapps]$ pwd
/application/tomcat/webapps
[tomcat@linux-node1 webapps]$ mv host-manager/ /tmp/
[tomcat@linux-node1 webapps]$ mv docs/ /tmp/
[tomcat@linux-node1 webapps]$ mv examples/ /tmp/
[tomcat@linux-node1 webapps]$ ls
 manager ROOT

The Manager App also lives under manager. If Server Status is kept enabled, the front-end Nginx can add an access control rule so that only the internal network may reach that path.

Telnet management port

Note: before discussing managing Tomcat over telnet, first look at the default configuration file, which defines the default management port:

[root@tomcat /]# vim /application/tomcat/conf/server.xml 
<Server port="8005" shutdown="SHUTDOWN">
Explanation: this defines a management port of 8005. One can telnet directly to port 8005 on the local machine and issue the SHUTDOWN command to shut down the Tomcat instance. The demonstration follows.
First install the telnet client:
[root@tomcat ~]# yum install -y telnet
Now test and check:

[root@tomcat ~]# telnet localhost 8005
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SHUTDOWN    # typing SHUTDOWN shuts down the Tomcat service directly.
Connection closed by foreign host.
[tomcat@linux-node1 conf]$ netstat -ntpl
(No info could be read for "-p": geteuid()=1001 but you should be root.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 ::1:25                  :::*                    LISTEN      -                   
[tomcat@linux-node1 conf]$   # as you can see, Tomcat has been shut down

Protecting the telnet management port (mandatory)

There are two methods:

1. Change the default management port 8005 to a hard-to-guess port (above 1024).

2. Change the default SHUTDOWN command string, for example <Server port="8005" shutdown="dangerous">

Protecting the AJP connector port

1. Change the default AJP port 8009 to a port above 1024 that is unlikely to conflict.

2. Use iptables rules to restrict access to the AJP port to the production machines only.

Hiding version information

1. Edit conf/web.xml to redirect 403, 404, 500 and similar errors to designated error pages.

2. Alternatively, configure the error page redirects in the application's own WEB-INF/web.xml.

The point is to redirect the common errors in configuration, so that when an error occurs Tomcat's default error page does not expose server and version information.

The error pages must actually exist under the application root directory.

<error-page>
<error-code>403</error-code>
<location>/forbidden.jsp</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>/notfound.jsp</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/systembusy.jsp</location>
</error-page>

Directory listing access control

In conf/web.xml, the listings parameter of the default servlet must be set to false.

false means directory contents are not listed, true allows listing; the default is false.

<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>

Rewriting the Server header

Add a server attribute to the HTTP Connector configuration:

server="zsq"

[tomcat@linux-node1 tomcat]$ curl --head http://192.168.230.130:8080/
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Sat, 15 Apr 2017 12:34:47 GMT

[tomcat@linux-node1 tomcat]$ cd /application/tomcat/conf/
[tomcat@linux-node1 conf]$ vim server.xml

<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" server="zsq"/>  # change this line

[tomcat@linux-node1 ~]$ sh tomcat.sh restart
tomcat stop
Using CATALINA_BASE: /application/tomcat
Using CATALINA_HOME: /application/tomcat
Using CATALINA_TMPDIR: /application/tomcat/temp
Using JRE_HOME: /application/jdk
Using CLASSPATH: /application/tomcat/bin/bootstrap.jar:/application/tomcat/bin/tomcat-juli.jar
Tomcat started.

[tomcat@linux-node1 ~]$ curl --head http://192.168.230.130:8080/
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Sat, 15 Apr 2017 13:25:23 GMT
Server: zsq

Access control

Restrict the permitted source IPs via configuration; Nginx can also be used for this instead.

Configure a whitelist of trusted IPs and deny all other addresses. This setting is mainly for high-confidentiality systems; ordinary product lines do not need it.

<Context path="" docBase="/home/work/tomcat" debug="0" reloadable="false" crossContext="true">
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="61.128.18.38,61.13.65.*" deny="*.*.*.*"/>
</Context>

Disabling DNS lookups

When the web application logs client information, it performs a reverse DNS lookup of the client IP address, which adds unnecessary overhead.

enableLookups="false"

  <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" enableLookups="false"
               redirectPort="8443"  server="zsq"/>
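As an added example (not from the original post), the following Python script checks a server.xml and a web.xml for the hardening points covered above: the default shutdown port and command, the AJP port, the missing server= attribute, enableLookups, directory listings and the 403/404/500 error pages. The XML strings it contains are constructed sample input, not a real deployment.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """web.xml declares a default namespace; compare on the local name only."""
    return tag.rsplit("}", 1)[-1]

def audit_server_xml(text):
    """Findings for server.xml: shutdown port/command, AJP port, Server header, DNS lookups."""
    findings = []
    root = ET.fromstring(text)
    if root.get("port") == "8005":
        findings.append("shutdown port is the default 8005")
    if root.get("shutdown") == "SHUTDOWN":
        findings.append("shutdown command is the default SHUTDOWN")
    for conn in root.iter("Connector"):
        proto, port = conn.get("protocol", "HTTP/1.1"), conn.get("port")
        if "AJP" in proto:
            if port == "8009":
                findings.append("AJP connector on the default port 8009")
            continue
        if not conn.get("server"):
            findings.append(f"HTTP connector {port} has no server= attribute (Apache-Coyote banner)")
        if conn.get("enableLookups", "false").lower() == "true":
            findings.append(f"HTTP connector {port} has enableLookups=true")
    return findings

def audit_web_xml(text):
    """Findings for web.xml: directory listings enabled, missing 403/404/500 error pages."""
    findings, codes = [], set()
    for el in ET.fromstring(text).iter():
        kv = {_local(c.tag): (c.text or "").strip() for c in el}
        if _local(el.tag) == "init-param" and kv.get("param-name") == "listings" \
                and kv.get("param-value") == "true":
            findings.append("default servlet has listings=true")
        if _local(el.tag) == "error-page":
            codes.add(kv.get("error-code"))
    findings += [f"no custom error-page for {c}" for c in ("403", "404", "500") if c not in codes]
    return findings

# Constructed sample input (not a real deployment): stock-looking configs before hardening.
SERVER_XML_BEFORE = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/></Service></Server>"""
WEB_XML_BEFORE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet>
<servlet-name>default</servlet-name><init-param><param-name>listings</param-name>
<param-value>true</param-value></init-param></servlet></web-app>"""

if __name__ == "__main__":
    for line in audit_server_xml(SERVER_XML_BEFORE) + audit_web_xml(WEB_XML_BEFORE):
        print("FINDING:", line)
```

Run it against the real files with open("conf/server.xml").read() and open("conf/web.xml").read() after each change; an empty list of findings means every point above has been applied.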


Original article: https://www.cnblogs.com/w787815/p/6713664.html