Create a dedicated system user (e.g. tomcat) and set a password.

sudo useradd -r -d /opt/tomcat -s /bin/false tomcat   # create a system user; /bin/false prevents interactive login
sudo passwd tomcat                                     # set a password (only relevant for su/sudo, since the shell is /bin/false)
Give ownership of the installation directory (/opt/tomcat) to the tomcat user and group so that other users cannot access it.

sudo chown -R tomcat:tomcat /opt/tomcat   # change ownership recursively
sudo chmod -R 750 /opt/tomcat             # owner: read/write/execute, group: read/execute, others: no access
If SELinux is enabled, label the installation:

sudo chcon -R -t httpd_sys_content_t /opt/tomcat          # set the content type
sudo chcon -R -t httpd_sys_rw_content_t /opt/tomcat/logs  # allow writes to the log directory
# note: chcon labels are lost on a filesystem relabel; use semanage fcontext for a persistent rule
Create a systemd unit (/etc/systemd/system/tomcat.service) and add the following to the [Service] section. startup.sh returns as soon as it has spawned the JVM, so the unit must be declared as forking and given a PID file, otherwise systemd treats the service as exited and stops it.

[Service]
Type=forking
User=tomcat
Group=tomcat
Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
PIDFile=/opt/tomcat/temp/tomcat.pid
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh
Restart=on-failure
Reload systemd, then start and enable the service:

sudo systemctl daemon-reload
sudo systemctl start tomcat
sudo systemctl enable tomcat
Edit server.xml (/opt/tomcat/conf/server.xml) and change the HTTP port from 8080 to a non-standard port (e.g. 8081) to reduce the chance of being found by scanning tools. This only lowers exposure to casual scans; it is not a substitute for the access controls below.

<Connector port="8081" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
Add a server attribute to the <Connector> element in server.xml to mask the Tomcat version in the Server response header.

<Connector port="8081" protocol="HTTP/1.1" server="CustomServer/1.0" ... />
Edit tomcat-users.xml (/opt/tomcat/conf/tomcat-users.xml): remove the default users and add a user with the admin-gui (host management interface) and manager-gui (application management) roles. The password must contain upper- and lower-case letters, digits and special characters (e.g. s3cr3t@123).

<tomcat-users>
    <role rolename="admin-gui"/>
    <role rolename="manager-gui"/>
    <user username="admin" password="s3cr3t@123" roles="admin-gui,manager-gui"/>
</tomcat-users>
Edit the manager application's context file (/opt/tomcat/webapps/manager/META-INF/context.xml) and add a RemoteAddrValve so that only specific addresses (e.g. the company network and localhost) can reach the management interface. The allow attribute is a regular expression that must match the whole client address.

<Context antiResourceLocking="false" privileged="true">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192\.168\.1\.\d+|127\.0\.0\.1" />
</Context>
Restrict access to an individual application in the same way by configuring a RemoteAddrValve in its context configuration: the <Context> fragment below belongs in the application's META-INF/context.xml (or in conf/context.xml to apply to every application); the servlet web.xml does not accept <Valve> elements.

<Context>
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192\.168\.1\.\d+" />
</Context>
Define a security constraint in WEB-INF/web.xml so that only a specific role (e.g. admin) can access sensitive paths (e.g. /admin/*). BASIC authentication sends credentials base64-encoded, so only expose it over the HTTPS connector configured below.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Admin Area</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Protected Area</realm-name>
</login-config>
<security-role>
    <role-name>admin</role-name>
</security-role>
Generate a self-signed certificate and key (or obtain a certificate from a CA):

sudo mkdir -p /etc/pki/tls/certs /etc/pki/tls/private
sudo openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout /etc/pki/tls/private/tomcat.key -out /etc/pki/tls/certs/tomcat.crt
Edit server.xml and add a Connector that enables HTTPS on port 8443. The files produced above are PEM files, so they are referenced through SSLHostConfig/Certificate; the keystoreFile attribute expects a JKS or PKCS12 keystore and will not load a .crt file.

<!-- the tomcat user must be able to read /etc/pki/tls/private/tomcat.key -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
        <!-- PEM files from the openssl command above; the key was created with -nodes, so it has no password -->
        <Certificate certificateFile="/etc/pki/tls/certs/tomcat.crt"
                     certificateKeyFile="/etc/pki/tls/private/tomcat.key"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
Edit logging.properties (/opt/tomcat/conf/logging.properties) and raise the log level to FINE to record more operational detail.

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = FINE
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = java.util.logging.ConsoleHandler
Monitor catalina.out (/opt/tomcat/logs/catalina.out) and the access logs (/opt/tomcat/logs/localhost_access_log.*.txt) so that abnormal access, such as repeated failed login attempts, is noticed promptly.

Remove the default applications under webapps that are not needed (e.g. docs, examples, manager, ROOT, host-manager) to reduce the attack surface. Note that removing manager and host-manager also removes the management interface configured above.

sudo rm -rf /opt/tomcat/webapps/docs /opt/tomcat/webapps/examples /opt/tomcat/webapps/manager /opt/tomcat/webapps/ROOT /opt/tomcat/webapps/host-manager
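An added example (not from the original page) of the access-log check described above: it parses lines in Tomcat's default "common" access-log format, counts 401/403 responses per client to surface repeated login failures, and flags any request to /manager or /host-manager from an address that the RemoteAddrValve allow regex on this page would not match. The sample log lines and the threshold of three failures are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Tomcat's default AccessLogValve pattern is "common": %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Same pattern as the RemoteAddrValve allow attribute used on this page. Tomcat
# requires the whole client address to match, hence re.fullmatch below.
MANAGER_ALLOW = re.compile(r"192\.168\.1\.\d+|127\.0\.0\.1")
MANAGER_PATHS = ("/manager", "/host-manager")

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def analyse(lines, fail_threshold=3):
    """Return (clients with >= fail_threshold 401/403s, manager hits outside the allowlist)."""
    failures = Counter()
    outside = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than crash
        if rec["status"] in ("401", "403"):
            failures[rec["host"]] += 1
        if rec["path"].startswith(MANAGER_PATHS) and not MANAGER_ALLOW.fullmatch(rec["host"]):
            outside[rec["host"]].append(rec["path"])
    brute = {host: n for host, n in failures.items() if n >= fail_threshold}
    return brute, dict(outside)

# Constructed sample log lines (not real traffic) in the default "common" format
SAMPLE_LOG = """\
192.168.1.20 - - [12/Mar/2024:09:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.20 - admin [12/Mar/2024:09:00:05 +0000] "GET /manager/html HTTP/1.1" 200 15432
203.0.113.9 - - [12/Mar/2024:09:01:10 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.9 - - [12/Mar/2024:09:01:11 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.9 - - [12/Mar/2024:09:01:12 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.9 - - [12/Mar/2024:09:01:13 +0000] "GET /host-manager/html HTTP/1.1" 403 1234
192.168.10.7 - - [12/Mar/2024:09:02:00 +0000] "GET /manager/status HTTP/1.1" 403 1234
10.0.0.3 - - [12/Mar/2024:09:03:00 +0000] "GET /app/index.html HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    brute, outside = analyse(SAMPLE_LOG.splitlines())
    print("repeated auth failures:", brute)          # {'203.0.113.9': 4}
    print("manager access outside allowlist:", outside)
```

Run it against a real file with analyse(open("/opt/tomcat/logs/localhost_access_log.2024-03-12.txt")) once the access log pattern in server.xml matches the default "common" format.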
# Example: download and unpack the latest Tomcat release
# (downloads.apache.org only carries current releases; verify the archive against the published SHA-512 checksum before unpacking)
wget https://downloads.apache.org/tomcat/tomcat-10/v10.1.20/bin/apache-tomcat-10.1.20.tar.gz
tar -xzf apache-tomcat-10.1.20.tar.gz -C /opt
mv /opt/apache-tomcat-10.1.20 /opt/tomcat
chown -R tomcat:tomcat /opt/tomcat
With the configuration above, the security of Tomcat on Linux is improved considerably and the risk of compromise reduced. Adjust the settings (IP allowlists, role permissions) to the actual business requirements and carry out security audits on a regular basis.