1. AuraPlayer
  2. FAQ/ How-To
  3. Security

Articles in this section

Tomcat harden security Follow

To harden Apache Tomcat and prevent penetration or exploitation attempts, follow these secure configuration best practices. These measures reduce the attack surface and help defend against both automated and targeted attacks.

1. Remove or Restrict Default Applications

Application Recommendation
/manager Remove unless absolutely needed.
/host-manager Remove or restrict by IP.
/examples Remove entirely.
/docs Remove if not required.

Remove Example Apps:

bash
 
rm -rf $CATALINA_HOME/webapps/examples rm -rf $CATALINA_HOME/webapps/docs

🔐 2. Secure tomcat-users.xml

Only define specific roles and users with least privilege. For example:

 
<role rolename="webuser"/>
<user username="AuraPlayer" password="VeryStrongPassword!" roles="webuser"/>

Use long, complex passwords. Never use default usernames 

🛑 3. Restrict IP Access to Admin Interfaces

For tomcat restriction edit:

<tomcat>/conf/context.xml

 

For ServiceManager specific restriction, copy tomcat context.xml file to the following location:

<tomcat>/webapps/ServiceManager/WEB_INF/context.xml

 

Restrict by IP using RemoteAddrValve:

 
<Context>
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|<your_ip_address>" />
</Context>

🔒 4. Enable HTTPS and Disable HTTP

Redirect all HTTP to HTTPS using reverse proxy or configure server.xml:

xml
 
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" ... />

Disable plain-text HTTP connector:

xml
 
<!-- Comment out or remove this block --> <!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->

📦 5. Secure File Permissions

  • Run Tomcat under a dedicated non-root user.

  • Restrict file access:

    bash
     
    chown -R tomcat:tomcat /opt/tomcat chmod -R 750 /opt/tomcat

  • Prevent shell access for the Tomcat user:

    bash
     
    usermod -s /usr/sbin/nologin tomcat

🛡️ 6. Disable Unused Connectors and Features

In <tomcat>/conf/server.xml:

  • Disable AJP if not used:

    xml
     
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

  • Remove auto-deploy if not needed:

    xml
     
    <Host name="localhost" ... autoDeploy="false" deployOnStartup="false">

📄 7. Hide Server Information

In web.xml, disable server info leakage:

xml
 
<init-param>
<param-name>server</param-name>
<param-value>SecureTomcat</param-value>
</init-param>

Also remove version banners:

xml
 
<Connector ... server=" " />

In conf/web.xml, disable directory listings:

xml
 
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>

🔁 8. Keep Tomcat and Java Updated

📋 9. Enable Logging and Monitoring

  • Enable access logs: $CATALINA_HOME/logs/

  • Integrate with fail2ban, SIEMs, or alerting tools.

  • Review logs regularly for brute force, RCE attempts, etc.

🧱 10. Additional Recommendations

  • Use a reverse proxy (NGINX/Apache) to isolate Tomcat from direct exposure.

  • Limit exposure to internal networks or specific IPs using firewalls.

  • Use security headers: X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security, etc.

  • Disable Java serialization unless required.

Related articles

Comments

0 comments

Please sign in to leave a comment.