Updated on 2022-11-11 GMT+08:00
Security Hardening
Tomcat Hardening
During the installation and use of FusionInsight Manager, the following Tomcat functions are enhanced on the basis of the open-source version:
- Tomcat is upgraded to a stable official version.
- Permissions on the directories under applications are set to 500, and the write permission on some directories is supported.
- The Tomcat installation package is automatically deleted after the system software is installed.
- The automatic deployment function is disabled for projects in application directories. Only the web, cas, and client projects are deployed.
- Some unused http methods are disabled, preventing attacks that may be launched by using the http methods.
- The default shutdown port and command of the Tomcat server are changed to prevent hackers from shutting down the server and attacking the server and applications.
- To ensure security, the value of maxHttpHeaderSize is changed, which enables server administrators to control abnormal requests of clients.
- The Tomcat version description file is modified after Tomcat is installed.
- To prevent disclosure of Tomcat information, the Server attributes of Connector are modified so that attackers cannot obtain information about the server.
- Permissions on files and directories of Tomcat, such as the configuration files, executable files, log directories, and temporary folders, are under control.
- Session facade recycling is disabled to prevent request leakage.
- LegacyCookieProcessor is used as CookieProcessor to prevent the leakage of sensitive data in cookies.
LDAP Hardening
LDAP is hardened as follows after a cluster is installed:
- In the LDAP configuration file, the password of the administrator account is encrypted using SHA. After the OpenLDAP is upgraded to 2.4.39 or later, data is automatically synchronized between the active and standby LDAP nodes using the SASL External mechanism, which prevents disclosure of the password.
- The LDAP service in the cluster supports the SSLv3 protocol by default, which can be used securely. When OpenLDAP is upgraded to 2.4.39 or later, LDAP automatically uses TLS1.0 or later to prevent unknown security risks.
Other Security Hardening
For details about other security hardening guidance, see Security Hardening.
Parent topic: Security
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
The system is busy. Please try again later.
For any further questions, feel free to contact us through the chatbot.
Chatbot