NAVER CLOUD PLATFORM

For Platform 2.0 Only

System Security Checker

Checks whether the security settings of your server's operating system and WAS (web application server) are configured correctly. Improve your server's security with a simple configuration.

Server OS and WAS Security Setting Inspection

Get an analysis of your server OS and WAS security settings and take measures against the vulnerabilities it finds.

Improve System Security
The System Security Checker helps you manage access permissions and accounts according to the security characteristics of your operating system, and inspects the WAS security settings for vulnerabilities. Check the main security settings and their detailed categories to ensure secure server operation.
Rigorous Security Standards
The System Security Checker applies a security policy more rigorous than the operating-system security standards based on guidance from the Korea Internet & Security Agency (KISA). The inspection uses a checklist built from NAVER's long experience of operating a wide range of services.
Detailed Analysis Results
Vulnerabilities in the system settings can be reviewed in the web-based console. The inspection result lists every setting that is inappropriate, together with a follow-up guide that helps you change it.

Detailed Features

Various features are provided to ensure the security of your service.

Target Customer

  • Customers who need a higher level of server security
  • Customers who want to mitigate security threats to their systems with a simple configuration
  • Customers who need to comply with security certifications such as the KISA guide or those required by law

Target of Inspection

Classification: OS
  Linux
  - CentOS 5.11
  - CentOS 6.3
  - CentOS 6.6
  - CentOS 7.2
  - CentOS 7.3
  - Ubuntu 12.04
  - Ubuntu 14.04
  - Ubuntu 16.04
  Windows
  - Windows Server 2008 R2 with SP1 (64-bit)
  - Windows Server 2012 R2 (64-bit)
  - Windows Server 2016 (64-bit)

Classification: WAS
  - Apache (httpd)
  - Tomcat
  - Nginx

Main Checklist

Classification: Account Control
- Check the security settings of accounts that can access the server.
- Check for unnecessary accounts and check the password policy applied to user accounts.

Classification: File Authorization Management
- Check the access levels of critical system files.
- Check the permission settings that prevent unauthorized access to files storing sensitive information on the server.

Classification: Default Settings
- Check the security settings that should be configured by default.

Detailed Checklist (Linux)

Checklist: Default Settings

UMASK Setting Management
- Access rights for newly-created files are determined by the UMASK value.
- If the UMASK value is incorrect, files are created with the wrong permissions.
- The recommended UMASK value is '027' or '022'.

Home Directory Authorization Setting
- If a configuration file in a user's home directory is tampered with by an unauthorized person, that user's normal service is disrupted.
- Restrict users other than the owner of a home directory from modifying it.

Anonymous FTP Deactivation
- Anonymous FTP allows a malicious user to obtain information about the system.
- In particular, if the FTP directory is writable, it can be abused together with local exploits.
- Restrict FTP access to authorized users only, so that unauthorized users cannot connect.

Checklist: Account Control

Restrict Root Account Remote Access
- Because the root account manages the entire system, allowing direct root logins makes it an obvious target for intruders.
- It is safer to block remote root access, log in with a separate user account, and switch to root with the su command.

Accounts With No Password in /etc/shadow
- If a password is stored in plain text without encryption, a leak of that information causes serious problems.
- The encrypted password must be stored in /etc/shadow so that only a user with administrator privileges can read it.

Delete UID 0 Accounts Other Than Root
- Accounts with a UID of 0 have the same permissions as the root account.
- If another account shares the root account's user identification (UID = 0), it can be used to access the system with root privileges.

Set a Minimum Password Length
- If an account password is too short, it is vulnerable to brute-force or password-guessing attacks.
- To ensure users set passwords of 8 characters or more, the minimum password length policy must be set to 8 or more.

Set the Maximum Password Age
- Using the same password for a long time exposes it to continuous attacks and to reuse of passwords leaked in earlier external intrusions.
- Users should be encouraged to change their passwords periodically.

Include a Minimum Number of Accounts in the Administrator Group
- The group to which the root account belongs is authorized to access system operation files, so only essential accounts should be registered in it.
- Malicious file modification by an unauthorized member of the group can damage system operation, so membership of the administrator group must be managed.

Usage Limits for Accounts Using Identical UIDs
- The UNIX system assigns a UID to every user account and looks up user information (user name, password, home directory) by that UID.
- If a duplicate UID exists, the system may identify one user as another and cause problems.
- In addition, because audit trails become hard to attribute when an attacker discloses personal information or a related breach occurs, you must ensure that no two accounts share a UID.

Check Shell Permissions on Accounts That Do Not Require Logins
- Normally an account such as "nobody" does not need a login shell.
- An account that never needs to log in could still be used to access the system and run commands, so restrict login by assigning it the /bin/false shell.

Session Timeout Setting
- If a connection is left open, it can be exposed to unauthorized users and used for malicious purposes.
- If no activity occurs for a set period, a session timeout setting that forcibly terminates the connection is required.

Checklist: Set File Permissions

Manage Critical File Permissions
- Depending on the importance of each system file, set the range of operations allowed for each privilege level.
- Permissions can be restricted so that, for example, accounts other than root have read-only access.
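The Linux checks above are all derived from a handful of files. The script below is an added example (not NAVER Cloud Platform's checker code) that applies those checks to constructed copies of /etc/passwd, /etc/shadow, /etc/login.defs, /etc/profile and sshd_config embedded inline; on a real host you would pass the file contents to audit_linux() instead. Thresholds the checklist does not state (the 90-day maximum age, the service-account list, the assumed sshd default) are assumptions.

```python
"""Audit Linux account and default settings against the Linux checklist above.

Added example, not NAVER Cloud Platform's checker code. The five inputs are
constructed samples; on a real host read the files and call audit_linux().
"""
import re

# Constructed sample input with deliberate findings: a second UID 0 account,
# an empty password field, a duplicate UID and a login shell on "nobody".
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
bob:x:1000:1001:bob:/home/bob:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhash:18000:0:99999:7:::
toor:$6$saltsalt$hashhashhash:18000:0:99999:7:::
nobody:*:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
alice::18000:0:99999:7:::
bob:$6$saltsalt$hashhashhash:18000:0:99999:7:::
"""
SAMPLE_LOGIN_DEFS = "PASS_MAX_DAYS   99999\nPASS_MIN_LEN    5\nUMASK           002\n"
SAMPLE_PROFILE = "export PATH=$PATH:/usr/local/bin\n"      # no TMOUT exported
SAMPLE_SSHD_CONFIG = "Port 22\nPermitRootLogin yes\n"

NO_LOGIN_ACCOUNTS = {"nobody", "daemon", "bin", "sys"}       # assumed list
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def _setting(text, key):
    """Value of a 'KEY value' line (login.defs and sshd_config style), or None."""
    m = re.search(r"^\s*%s\s+(\S+)" % re.escape(key), text, re.M | re.I)
    return m.group(1) if m else None


def audit_linux(passwd, shadow, login_defs, profile, sshd_config):
    """Return (check, detail) findings; an empty list means every check passed."""
    findings = []
    users = [l.split(":") for l in passwd.splitlines() if l.strip()]
    # Delete UID 0 accounts other than root
    findings += [("uid0_account", u[0]) for u in users if u[2] == "0" and u[0] != "root"]
    # Usage limits for accounts using identical UIDs
    by_uid = {}
    for u in users:
        by_uid.setdefault(u[2], []).append(u[0])
    findings += [("duplicate_uid", "%s: %s" % (uid, ",".join(n)))
                 for uid, n in by_uid.items() if len(n) > 1]
    # Accounts that do not require logins must carry a non-login shell
    findings += [("login_shell_on_service_account", u[0]) for u in users
                 if u[0] in NO_LOGIN_ACCOUNTS and u[6] not in NOLOGIN_SHELLS]
    # Accounts with an empty password field in /etc/shadow
    for l in shadow.splitlines():
        f = l.split(":")
        if len(f) > 1 and f[1] == "":
            findings.append(("empty_password", f[0]))
    # Minimum password length (8 or more) and maximum password age (assumed 90 days)
    min_len = _setting(login_defs, "PASS_MIN_LEN")
    if min_len is None or int(min_len) < 8:
        findings.append(("pass_min_len", min_len))
    max_days = _setting(login_defs, "PASS_MAX_DAYS")
    if max_days is None or int(max_days) > 90:
        findings.append(("pass_max_days", max_days))
    # UMASK must be one of the recommended values
    umask = _setting(login_defs, "UMASK")
    if umask not in ("022", "027"):
        findings.append(("umask", umask))
    # Session timeout: a TMOUT value in /etc/profile
    if not re.search(r"^\s*(export\s+)?TMOUT=\d+", profile, re.M):
        findings.append(("session_timeout", "TMOUT not set"))
    # Restrict root remote access: sshd PermitRootLogin must be "no"
    prl = _setting(sshd_config, "PermitRootLogin") or "yes"   # assumed sshd default
    if prl.lower() != "no":
        findings.append(("root_remote_login", prl))
    return findings


def audit_sample():
    """Run the audit over the constructed sample files."""
    return audit_linux(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_LOGIN_DEFS,
                       SAMPLE_PROFILE, SAMPLE_SSHD_CONFIG)


if __name__ == "__main__":
    for check, detail in audit_sample():
        print("FAIL %-32s %s" % (check, detail))
```

The sample produces ten findings, one per deliberately weak setting; feeding it a hardened set of files (PASS_MIN_LEN 8, UMASK 022, an exported TMOUT, PermitRootLogin no, no duplicate or empty entries) returns an empty list.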

Detailed Checklist (Windows)

Checklist: Account Control

Change the Name of the Administrator Account
- By renaming the administrator account, which is 'Administrator' by default, an attacker cannot easily guess the account name and password.

Restrict the Use of the Guest Account
- The Guest account is a weak account that allows anyone to access the system.
- If access for unspecified users is needed, create a regular user account instead of using the Guest account.

Set the Account Lockout Threshold for Unsuccessful Login Attempts
- Allows accounts to be locked after unsuccessful login attempts or indiscriminate password-guessing attacks.
- A locked account cannot be used until it is reset or until the number of minutes specified in the Account Lockout Duration policy setting has expired.
- The number of failed login attempts can be set from 1 to 999; a value of 0 specifies that the account is never locked.

Account Lockout Duration Setting
- The account lockout duration determines the number of minutes a locked account remains locked before it is automatically unlocked.
- A value between 1 and 99,999 minutes can be specified. A value of 0 specifies that the account stays locked until an administrator explicitly unlocks it.

Disable 'Store passwords with decryptable encryption'
- Storing a password with reversible (decryptable) encryption means it can be recovered in plain text.
- An attacker able to decrypt such passwords can use a compromised account to log on to network resources.
- Do not allow passwords to be stored with reversible encryption unless the application's requirements outweigh the need to protect password information.

Apply Everyone Permissions to Anonymous Users - Disabled
- When enabled, this policy setting allows anonymous users to enumerate the names of domain accounts and shared folders and perform other specific activities.
- By default, tokens created for anonymous connections do not include the Everyone SID, so permissions assigned to the Everyone group do not apply to anonymous users.

Set Password Complexity
- Enable the password complexity requirement so that only strong passwords combining letters, numbers, and special characters can be set.

Set Minimum Password Length
- The minimum password length setting determines the minimum number of characters a user account password must contain.
- It can be set between 1 and 14 characters; a minimum of 8 characters or more is recommended.
- Setting the minimum password length to '0' allows accounts without a password.

Set Password Age
- The minimum and maximum password age can be set so that users change their passwords periodically.
- Passwords can be set to expire after a certain period (1–999 days), or to never expire by setting the number of days to '0'.

Remember Recent Passwords
- Remembering recently-used passwords prevents users, to some extent, from reusing their previous passwords.
- The effect of the password policy is greatly reduced if a user can reuse the previous password when changing it; the most recently used passwords must be remembered so that the same password cannot be used repeatedly.

Do Not Show Last Username
- The name of the last user who logged on to the device must be hidden from the secure desktop.
- If the last logged-on user name is displayed in the logon dialog, an attacker can learn it and guess the password or attempt a random attack.

Restrict the Use of Blank Passwords on Local Accounts to Console Logon
- This setting determines whether local accounts with blank passwords may perform remote interactive logons through a network service such as Remote Desktop Services, Telnet, or File Transfer Protocol (FTP).
- If this policy setting is enabled, a local account must have a non-empty password to be used for interactive or network logon from a remote client.
- Blank passwords are a serious threat to computer security and should be prohibited through company policy and appropriate technical measures.

Checklist: Service Management

Eliminate Unnecessary Services
- Vulnerable services not needed by the system are often installed and running by default, and these services or applications can become attack points.
- Disable or remove unnecessary services and executables in your environment.

IIS Service Operating Check
- The IIS service provides useful services such as WEB and FTP, but it can be exposed to threats such as profiling, denial of service, unauthorized access, arbitrary code execution, information disclosure, viruses, worms, and Trojans. Any unauthorized IIS service should be stopped.

FTP Service Operating Check
- It is recommended that basic services do not use the FTP service, because account names and passwords are sent unencrypted and can be captured by a simple sniffer.
  * Sniffer: a program that monitors and analyzes network traffic.

DNS Zone Transfer Setup
- Domain information stored in the DNS server should not be leaked to anything other than the approved DNS servers.
- If DNS domain information is exposed externally, a malicious user can use it to learn the home page and sub-URL layout, predict the structure of the web application, and use that knowledge in an attack.
- Restrict the transfer of domain information through appropriate security settings.

Set the Terminal Services Encryption Level
- Terminal Services is a useful tool for managing remote servers, but it can be abused as an intrusion tool if weak passwords are used or access control is not set up properly.
- Check that Terminal Services is not being used unnecessarily.

SNMP Service Operating Check
- The SNMP service is used to read or set the system status in real time.
- Stop the service if it is not used, since important system information could otherwise be leaked or illegally modified through it.

Telnet Security Setting
- Because the Telnet service sends and receives data in plain text, the ID and password are at risk of exposure when password authentication is used.
- Therefore, when Telnet is used, only NTLM authentication, which does not transmit the password over the network, should be used.
  ※ The Windows Server Telnet service supports both NTLM authentication and password authentication.
  - NTLM authentication: authentication is performed through a negotiate/challenge/response procedure without sending the password.
  - Password authentication: authentication is performed with the ID/password of a member of the Administrators or TelnetClients group.

Checklist: Log Control

Set System Logging According to Policy
- Logging should be configured according to legal requirements and organizational policy.
- If audit settings are not configured or are set too low, it is difficult to identify the cause of a security problem, and the logs cannot serve as sufficient evidence in a legal response.
- However, if audit settings are set too high, the security log fills with unnecessary entries that obscure the important ones and can seriously affect system performance.

Block Remotely-accessible Registry Paths
- All initialization and configuration information used by Windows is stored in the registry, so the registry requires thorough protection.
- The registry editor can change keys over a remote connection, which is very dangerous; registry access through the network should be blocked.

Event Log Management Setting
- The maximum log size should be set to '10,240 KB or more' so that there is enough room for logs to be saved.
- Event log retention should be set to 'Do not overwrite events' so that old log entries are not deleted by automatic overwriting.

Checklist: Security Management

Allow System Shutdown Without Logging On - Disabled
- By disabling the 'Shut down' button in the logon window, unauthorized users are prevented from shutting down the system.

Do Not Allow Anonymous Enumeration of SAM Accounts and Shares
- If anonymous enumeration of Security Account Manager (SAM) accounts and shares is allowed, a malicious user can view the list of account names and use it to guess passwords or carry out social engineering attacks.

Control the Auto-logon Function
- The Auto-logon feature automatically logs on using credentials stored in the registry.
- An attacker can use hacking tools to read the logon account and password from the registry, so it is advised to disable the Auto-logon feature.

Allow Formatting and Ejecting of Removable Media
- A user could move data on a removable disk to another computer on which they have administrative privileges, take ownership of the files, and view or modify them; restrict this right to administrators.

Prevent Users from Installing Printer Drivers
- A malicious user could intentionally install a faulty printer driver to damage the computer, or install malware disguised as a printer driver.
- Ordinary users should not be able to install printer drivers.

Set Warning Message
- By displaying a warning about unauthorized use of the system to anyone attempting to log on, the administrator signals that the system is protected at the appropriate security level.

LAN Manager Authentication Level
- The LAN Manager authentication level determines which challenge/response authentication protocol is used for network logons.
- LAN Manager handles authentication when working with files and printers over a network.
- NTLMv2 is recommended for more secure authentication.
  ※ NTLMv2 requires Windows 2000, 2003, XP or later; a patch must be installed when communicating with Windows 98 or NT.
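Most of the Windows account and security-management items above are local security policy settings, which `secedit /export /cfg <file>` writes out as an INF file. The script below is an added example (not NAVER Cloud Platform's checker code) that parses a constructed, trimmed export in which several settings are left weak and reports which checklist rules fail. The [System Access] keys and registry value names are the ones Windows writes; the defaults applied when a key is absent and the two thresholds the checklist does not state (LmCompatibilityLevel of 3 or higher for NTLMv2, a password history of at least 1) are assumptions.

```python
"""Check a Windows security-policy export against the Windows checklist above.

Added example, not NAVER Cloud Platform's checker code. Input is the INF text
produced by `secedit /export /cfg <file>`; the sample is a constructed, trimmed
export (a real one contains many more keys).
"""
import configparser

SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
ClearTextPassword = 1
LSAAnonymousNameLookup = 0
EnableGuestAccount = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_export(text):
    """Return the [System Access] map and a map keyed by registry value name."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str                                  # keep key case
    cp.read_string(text)
    access = {k: v.strip().strip('"') for k, v in cp["System Access"].items()}
    registry = {}
    for path, value in cp["Registry Values"].items():
        # "4,1" is REG_DWORD (type 4) with value 1; keep only the value part
        registry[path.rsplit("\\", 1)[-1]] = value.split(",", 1)[1]
    return access, registry


def check_policy(text):
    """Return the names of the checklist rules that the export fails."""
    access, reg = parse_export(text)
    a = lambda key, default="": access.get(key, default)
    r = lambda key, default: reg.get(key, default)    # defaults are assumptions
    rules = [
        ("rename_administrator_account", a("NewAdministratorName") != "Administrator"),
        ("guest_account_disabled", a("EnableGuestAccount") == "0"),
        ("lockout_threshold_1_to_999", 1 <= int(a("LockoutBadCount", "0")) <= 999),
        ("no_reversible_password_storage", a("ClearTextPassword") == "0"),
        ("everyone_excludes_anonymous", r("EveryoneIncludesAnonymous", "0") == "0"),
        ("password_complexity_enabled", a("PasswordComplexity") == "1"),
        ("min_password_length_ge_8", int(a("MinimumPasswordLength", "0")) >= 8),
        ("max_password_age_1_to_999", 1 <= int(a("MaximumPasswordAge", "0")) <= 999),
        ("password_history_ge_1", int(a("PasswordHistorySize", "0")) >= 1),
        ("hide_last_user_name", r("DontDisplayLastUserName", "0") == "1"),
        ("blank_passwords_console_only", r("LimitBlankPasswordUse", "1") == "1"),
        ("no_shutdown_without_logon", r("ShutdownWithoutLogon", "0") == "0"),
        ("no_anonymous_sam_enumeration", r("RestrictAnonymousSAM", "1") == "1"),
        ("lm_authentication_ntlmv2", int(r("LmCompatibilityLevel", "3")) >= 3),
    ]
    return [name for name, passed in rules if not passed]


if __name__ == "__main__":
    for name in check_policy(SAMPLE_EXPORT):
        print("FAIL", name)
```

In a secedit export, MaximumPasswordAge = -1 is how "never expires" appears, so the age rule treats it like the '0' the checklist mentions. The lockout duration (LockoutDuration) only appears in an export once a lockout threshold has been set, which is why the sample, with LockoutBadCount = 0, does not contain it.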

Detailed Checklist (Apache)

Checklist: Minimize Modules

Enable the Log Config Module
- The log_config module provides flexible logging of client requests and lets you configure the information recorded in each log.

Disable WebDAV Modules
- The Apache mod_dav and mod_dav_fs modules support WebDAV (Web-based Distributed Authoring and Versioning). WebDAV is an extension of HTTP that allows clients to create, move, and delete files and resources on the web server.

Disable Status Module
- The Apache mod_status module exposes current server performance statistics.

Disable Autoindex Module
- The Apache autoindex module automatically generates a web page listing the contents of a directory, typically so that an index.html does not have to be created.

Disable Proxy Modules
- The Apache proxy modules allow the server to act as a forward or reverse proxy for HTTP and, with additional proxy modules loaded, other protocols. If the installation is not intended to proxy requests to or from another network, the proxy module should not be loaded.

Disable User Directories Module
- The UserDir directive must be disabled so that user home directories are not reachable through the web site with a tilde (~) before the user name. The directive also sets the path of the directory that will be served. For example:
  • http://example.com/~ralph/ might serve the public_html sub-directory of user ralph's home directory.
  • The directive UserDir ./ might map /~root to the root directory (/).

Disable Info Module
- The Apache mod_info module exposes the server configuration at the /server-info URL location.

Checklist: Permission and Ownership

Run the Apache Web Server as a Non-root Group
Run the Apache Web Server as a Non-root User
- Although Apache is typically started with root privileges so that it can listen on ports 80 and 443, it can and should run as a non-root user and group to serve requests. The Apache User and Group directives designate the user and group to use.

Give the Apache User Account an Invalid Shell
- The apache account must not be used as a regular login account and should be assigned an invalid or nologin shell so that it cannot be used to log in.

Lock the Apache User Account
- The account under which Apache runs should not have a valid password and should be locked.

Checklist: Access Control

Order Access to OS Root Directory
Deny Access to OS Root Directory
- The Apache Directory directive allows directory-specific configuration of access controls and many other features and options. One important use is a default-deny policy that blocks access to operating system directories and files except those specifically allowed. This is done by denying access to the OS root directory.

Restrict OverRide for the OS Root Directory
- The Apache AllowOverride directive controls which settings .htaccess files may override, including authentication, handling of document types, auto-generated indexes, access control, and options. When the server finds an .htaccess file (named by AccessFileName) it needs to know which directives declared in that file may override earlier access information. When AllowOverride is None, .htaccess files are completely ignored and the server does not even attempt to read them. When it is All, any directive with the .htaccess context is allowed in .htaccess files.

Checklist: Minimize Features and Content

Restrict Options for the OS Root Directory
- The Apache Options directive configures features such as execution of CGI, following symbolic links, server-side includes, and content negotiation. Refer to the Apache 2.2 documentation for details: http://httpd.apache.org/docs/2.2/mod/core.html#options

Remove Default HTML Content - server-status
Remove Default HTML Content - server-info
Remove Default HTML Content - perl-status
- Apache installations ship default content that is not needed or appropriate for production use. This sample content exists to provide a default web site, user manuals, or demonstrations of special features of the web server. All content that is not needed should be removed.

Disable HTTP TRACE Method
- Use the Apache TraceEnable directive to disable the HTTP TRACE request method. Refer to the Apache documentation for details: http://httpd.apache.org/docs/2.2/mod/core.html#traceenable

Checklist: Logging and Monitoring

Configure the Error Log - LogLevel
Configure the Error Log - ErrorLog
- The LogLevel directive sets the severity level for the error log, while the ErrorLog directive sets the error log file name. The log level values are the standard syslog levels: emerg, alert, crit, error, warn, notice, info, and debug. The recommended level is notice, so that everything from emerg through notice is logged.

Configure the Access Log - LogFormat
Configure the Access Log - CustomLog
- The LogFormat directive defines the format and information included in access log entries. The CustomLog directive specifies the log file, syslog facility, or piped logging utility.

Checklist: SSL/TLS

Install mod_ssl and/or mod_nss
- Secure Sockets Layer (SSL) was developed by Netscape, became an open standard, and was renamed Transport Layer Security (TLS) in the process. TLS protects communication and can authenticate the server and even the client. Contrary to vendor claims, however, enabling SSL does NOT by itself make the web server more secure: SSL encrypts traffic and so provides confidentiality for private information and user credentials, but encrypting data in transit does not make the data supplied by the client safe once it is on the server. Nor does SSL protect the web server itself; attackers readily target SSL-enabled web servers, and the attack is hidden inside the encrypted channel. mod_ssl is the standard and most widely used SSL/TLS module for Apache. A newer module found on Red Hat systems, mod_nss, can complement or replace mod_ssl and provides the same functionality plus additional security services; it is an Apache implementation of Mozilla's Network Security Services (NSS), which implements a wide range of cryptographic functions in addition to TLS.

Checklist: Information Leakage

Set ServerTokens to 'Prod'
- Configure the Apache ServerTokens directive to provide minimal information by setting it to Prod (ProductOnly). The only version information in the Server HTTP response header will then be "Apache", rather than details of the installed modules and versions.

Set ServerSignature to 'Off'
- Disable the server signature, which adds a signature line as a trailing footer to server-generated documents such as error pages.

Checklist: Denial of Service Mitigations

Set KeepAlive to On
- The KeepAlive directive controls whether Apache reuses the same TCP connection to process subsequent HTTP requests from the same client. It is recommended that KeepAlive be set to On.

Set MaxKeepAliveRequests to 100 or Greater
- The MaxKeepAliveRequests directive limits the number of requests allowed per connection when KeepAlive is on. A value of 0 allows unlimited requests. It is recommended that MaxKeepAliveRequests be set to 100 or greater.

Set TimeOut to 10 or Less
- The TimeOut directive controls the maximum time in seconds that the Apache HTTP server waits for an input/output call to complete. It is recommended that TimeOut be set to 10 or less.

Set KeepAliveTimeout to 15 or Less
- The KeepAliveTimeout directive specifies the number of seconds Apache waits for a subsequent request before closing a kept-alive connection.
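Every Apache item above can be verified by reading httpd.conf. The script below is an added example (not NAVER Cloud Platform's checker code) that runs those checks over a constructed httpd.conf with deliberately weak values; the directive and module names are Apache's own, and it accepts both the 2.2 (Order/Deny from all) and 2.4 (Require all denied) forms of the root-directory deny. It only inspects top-level directives and the <Directory /> block, so a configuration split across Include files has to be concatenated first; treating MaxKeepAliveRequests 0 (unlimited) as a failure of the "100 or greater" rule is an assumption.

```python
"""Check an httpd.conf against the Apache checklist above.

Added example, not NAVER Cloud Platform's checker code. SAMPLE_HTTPD_CONF is
constructed; on a real host read httpd.conf (and its Includes) into one string.
"""
import re

SAMPLE_HTTPD_CONF = """\
ServerRoot "/etc/httpd"
Listen 80
LoadModule log_config_module modules/mod_log_config.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule proxy_module modules/mod_proxy.so
User apache
Group apache
<Directory />
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
TraceEnable on
LogLevel warn
ErrorLog logs/error_log
ServerTokens OS
ServerSignature On
KeepAlive On
MaxKeepAliveRequests 50
Timeout 60
KeepAliveTimeout 15
"""

# Modules the checklist says to leave unloaded unless they are really needed
BANNED_MODULES = {"dav_module", "dav_fs_module", "status_module", "autoindex_module",
                  "proxy_module", "userdir_module", "info_module"}


def directive(conf, name, default=None):
    """Value of the last occurrence of a directive (names are case-insensitive)."""
    hits = re.findall(r"^\s*%s\s+(.+?)\s*$" % re.escape(name), conf, re.M | re.I)
    return hits[-1] if hits else default


def audit_httpd(conf):
    """Return the labels of failed checks; an empty list means every check passed."""
    findings = []
    loaded = set(re.findall(r"^\s*LoadModule\s+(\S+)", conf, re.M | re.I))
    if "log_config_module" not in loaded:
        findings.append("log_config_module_missing")
    findings += ["module_loaded:" + m for m in sorted(loaded & BANNED_MODULES)]
    for d in ("User", "Group"):                  # must run as a non-root user and group
        if directive(conf, d, "root").lower() in ("root", "#-1", "#0"):
            findings.append("runs_as_root_" + d.lower())
    m = re.search(r'<Directory\s+"?/"?>(.*?)</Directory>', conf, re.S | re.I)
    block = m.group(1) if m else ""
    if not block:
        findings.append("root_directory_block_missing")
    else:
        # Default deny on the OS root: 2.4 "Require all denied" or 2.2 "Deny from all"
        denied = re.search(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$",
                           block, re.M | re.I)
        if not denied or re.search(r"^\s*Allow\s+from\s+all", block, re.M | re.I):
            findings.append("root_directory_not_denied")
        order = directive(block, "Order")
        if order is not None and order.replace(" ", "").lower() != "deny,allow":
            findings.append("root_directory_order")
        if directive(block, "AllowOverride", "All").lower() != "none":
            findings.append("root_directory_allowoverride")
        if directive(block, "Options", "All").lower() != "none":
            findings.append("root_directory_options")
    if directive(conf, "TraceEnable", "on").lower() != "off":
        findings.append("trace_enabled")
    # notice or more verbose, so everything from emerg through notice is logged
    if directive(conf, "LogLevel", "warn").lower() not in ("notice", "info", "debug"):
        findings.append("loglevel_below_notice")
    if directive(conf, "ErrorLog") is None:
        findings.append("errorlog_missing")
    if directive(conf, "LogFormat") is None or directive(conf, "CustomLog") is None:
        findings.append("access_log_not_configured")
    if directive(conf, "ServerTokens", "Full").lower() not in ("prod", "productonly"):
        findings.append("servertokens_not_prod")
    if directive(conf, "ServerSignature", "Off").lower() != "off":
        findings.append("serversignature_on")
    if directive(conf, "KeepAlive", "On").lower() != "on":
        findings.append("keepalive_off")
    if int(directive(conf, "MaxKeepAliveRequests", "100")) < 100:   # 0 counted as failing
        findings.append("maxkeepaliverequests_below_100")
    if int(directive(conf, "Timeout", "60")) > 10:
        findings.append("timeout_above_10")
    if int(directive(conf, "KeepAliveTimeout", "5")) > 15:
        findings.append("keepalivetimeout_above_15")
    return findings


if __name__ == "__main__":
    for label in audit_httpd(SAMPLE_HTTPD_CONF):
        print("FAIL", label)
```

The defaults passed to directive() are the values Apache uses when a directive is absent, so a missing TraceEnable or ServerTokens line is reported as a failure rather than silently passing.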

Detailed Checklist (Tomcat)

ChecklistDetailed ChecklistDescription
Remove Extraneous ResourcesRemove extraneous files and directories"The installation may provide example applications, documentation, and other directories which may not serve a production use.
Removing sample resources is a defense in depth measure that reduces potential exposures introduced by these resources."
Limit Server Platform Information LeaksAlter the Advertised server.info String"The server.info attribute contains the name of the application service. This value is presented to Tomcat clients when clients connect to the tomcat server.
Altering the server.info attribute may make it harder for attackers to determine which vulnerabilities affect the server platform."
Alter the Advertised server.number String"The server.number attribute represents the specific version of Tomcat that is executing. This value is presented to Tomcat clients when connect.
Advertising a valid server version may provide attackers with information useful for locating vulnerabilities that affect the server platform. Altering the server version string may make it harder for attackers to determine which vulnerabilities affect the server platform."
Alter the Advertised server.built Date"The server.built date represents the date which Tomcat was compiled and packaged. This value is presented to Tomcat clients when clients connect to the server.
Altering the server.built string may make it harder for attackers to fingerprint which vulnerabilities affect the server platform."
Disable X-Powered-By HTTP Header and Rename the Server Value for all Connectors"The xpoweredBy setting determines if Apache Tomcat will advertise its presence via the XPowered-By HTTP header. It is recommended that this value be set to false. The server attribute overrides the default value that is sent down in the HTTP header further masking Apache Tomcat.
Preventing Tomcat from advertising its presence in this manner may make it harder for attackers to determine which vulnerabilities affect the server platform."
Disable client facing Stack Traces"When a runtime error occurs during request processing, Apache Tomcat will display debugging information to the requestor. It is recommended that such debug information be withheld from the requestor.
Debugging information, such as that found in call stacks, often contains sensitive information that may useful to an attacker. By preventing Tomcat from providing this information, the risk of leaking sensitive information to a potential attacker is reduced."
Turn off TRACE"The HTTP TRACE verb provides debugging and diagnostics information for a given request.
Diagnostic information, such as that found in the response to a TRACE request, often contains sensitive information that may useful to an attacker. By preventing Tomcat from providing this information, the risk of leaking sensitive information to a potential attacker is reduced."
Protect the Shutdown PortSet a nondeterministic Shutdown command value"Tomcat listens on TCP port 8005 to accept shutdown requests. By connecting to this port and sending the SHUTDOWN command, all applications within Tomcat are halted. The shutdown port is not exposed to the network as it is bound to the loopback interface. It is recommended that a nondeterministic value be set for the shutdown attribute in $CATALINA_HOME/conf/server.xml.
Setting the shutdown attribute to a nondeterministic value will prevent malicious local users from shutting down Tomcat."
Disable the Shutdown port"Tomcat listens on TCP port 8005 to accept shutdown requests. By connecting to this port and sending the SHUTDOWN command, all applications within Tomcat are halted. The shutdown port is not exposed to the network as it is bound to the loopback interface. If this functionality is not used, it is recommended that the Shutdown port be disabled.
Disabling the Shutdown port will eliminate the risk of malicious local entities using the shutdown command to disable the Tomcat server."
Protect Tomcat ConfigurationsRestrict access to $CATALINA_HOME"$CATALINA_HOME is the environment variable which holds the path to the root Tomcat directory. It is important to protect access to this in order to protect the Tomcat binaries and libraries from unauthorized modification. It is recommended that the ownership of $CATALINA_HOME be tomcat_admin:tomcat. It is also recommended that the permission on $CATALINA_HOME prevent read, write, and execute for the world (o-rwx) and prevent write access to the group (g-w).
The security of processes and data that traverse or depend on Tomcat may become compromised if the $CATALINA_HOME is not secured."
Restrict access to $CATALINA_BASE"$CATALINA_BASE is the environment variable that specifies the base directory which most relative paths are resolved. $CATALINA_BASE is usually used when there is multiple instances of Tomcat running. It is important to protect access to this in order to protect the Tomcat-related binaries and libraries from unauthorized modification. It is recommended that the ownership of $CATALINA_BASE be tomcat_admin:tomcat. It is also recommended that the permission on $CATALINA_BASE prevent read, write, and execute for the world (o-rwx) and prevent write access to the group (g-w).
The security of processes and data that traverse or depend on Tomcat may become compromised if the $CATALINA_BASE is not secured."
Restrict access to Tomcat configuration directory | The $CATALINA_HOME/conf/ directory contains the Tomcat configuration files. It is recommended that this directory be owned by tomcat_admin:tomcat and that its permissions deny read, write and execute to the world (o-rwx) and deny write access to the group (g-w).
Restricting access to this directory prevents local users from maliciously or inadvertently altering Tomcat's configuration.
Restrict access to Tomcat logs directory | The $CATALINA_HOME/logs/ directory contains the Tomcat log files. It is recommended that this directory be owned by tomcat_admin:tomcat and that its permissions deny read, write and execute to the world (o-rwx).
Restricting access to this directory prevents local users from maliciously or inadvertently altering or reading Tomcat's logs.
Restrict access to Tomcat temp directory | The $CATALINA_HOME/temp/ directory is used by Tomcat to persist temporary information to disk. It is recommended that this directory be owned by tomcat_admin:tomcat and that its permissions deny read, write and execute to the world (o-rwx).
Restricting access to this directory prevents local users from maliciously or inadvertently affecting the integrity of Tomcat processes through the files they write there.
Restrict access to Tomcat binaries directory | The $CATALINA_HOME/bin/ directory contains the executables and scripts that are part of the Tomcat run-time. It is recommended that this directory be owned by tomcat_admin:tomcat and that its permissions deny read, write and execute to the world (o-rwx) and deny write access to the group (g-w).
Restricting access to this directory prevents local users from maliciously or inadvertently affecting the integrity of Tomcat processes, for example by editing the start-up scripts.
Restrict access to Tomcat web application directory | The $CATALINA_HOME/webapps/ directory contains the web applications deployed through Tomcat. It is recommended that this directory be owned by tomcat_admin:tomcat and that its permissions deny read, write and execute to the world (o-rwx) and deny write access to the group (g-w).
Restricting access to this directory prevents local users from maliciously or inadvertently affecting the integrity of the web applications, or dropping new ones into the deployment directory.
Restrict access to Tomcat catalina.policy | The catalina.policy file defines the Java Security Manager policies that apply when Tomcat runs under the Security Manager. It is recommended that the file have the same ownership (tomcat_admin:tomcat) and the same restrictions (o-rwx, g-w) as the conf directory, so that it is protected from unauthorized changes.
Restricting access to this file prevents local users from maliciously or inadvertently altering Tomcat's security policy.
Restrict access to Tomcat catalina.properties | catalina.properties is a Java properties file that contains settings for Tomcat including class loader paths, the security package lists and performance-related system properties. It is recommended that the file have the same ownership (tomcat_admin:tomcat) and the same restrictions (o-rwx, g-w) as the conf directory, so that it is protected from unauthorized changes.
Restricting access to this file prevents local users from maliciously or inadvertently altering Tomcat's class-loading and security package settings.
Restrict access to Tomcat context.xml | The conf/context.xml file is the default Context configuration applied to every web application and sets certain configuration options for all of them. It is recommended that the file have the same ownership (tomcat_admin:tomcat) and the same restrictions (o-rwx, g-w) as the conf directory, so that it is protected from unauthorized changes.
Restricting access to this file prevents local users from maliciously or inadvertently altering the default context settings of every application.
Restrict access to Tomcat logging.properties | logging.properties is the Tomcat file that specifies the logging configuration. It is recommended that the file have the same ownership (tomcat_admin:tomcat) and the same restrictions (o-rwx, g-w) as the conf directory, so that it is protected from unauthorized changes.
Restricting access to this file prevents local users from maliciously or inadvertently altering Tomcat's logging configuration, for example to suppress the audit trail of their own actions.
Restrict access to Tomcat server.xml | server.xml is the main Tomcat configuration file; it defines the Server, its Services, Connectors, Engine, Hosts and Realms. It is recommended that the file have the same ownership (tomcat_admin:tomcat) and the same restrictions (o-rwx, g-w) as the conf directory, so that it is protected from unauthorized changes.
Restricting access to this file prevents local users from maliciously or inadvertently altering Tomcat's server configuration, including the security settings checked in this list.
Restrict access to Tomcat tomcat-users.xml | tomcat-users.xml contains the user names, passwords and roles used by the MemoryRealm and UserDatabaseRealm to authenticate Tomcat applications. It is recommended that the file have the same ownership (tomcat_admin:tomcat) and the same restrictions (o-rwx, g-w) as the conf directory, so that it is protected from unauthorized changes.
Restricting access to this file prevents local users from reading stored credentials or adding accounts and roles.
Restrict access to Tomcat web.xml | conf/web.xml is the global deployment descriptor whose settings (default servlet, JSP servlet, MIME types, session timeout) are applied to every web application. It is recommended that the file have the same ownership (tomcat_admin:tomcat) and the same restrictions (o-rwx, g-w) as the conf directory, so that it is protected from unauthorized changes.
Restricting access to this file prevents local users from maliciously or inadvertently altering the default settings applied to every application.
Configure Realms | Use secure Realms | A Realm is a database of user names, passwords and roles used to identify valid users of web applications. Review the Realm configuration in server.xml and ensure Tomcat is not using MemoryRealm, JDBCRealm, UserDatabaseRealm or JAASRealm in production.
The MemoryRealm is not intended for production use, as any change to tomcat-users.xml requires a restart of Tomcat to take effect.
The JDBCRealm is not recommended for production use, as it is single threaded for all authentication and authorization operations. Use the DataSourceRealm instead.
The UserDatabaseRealm is not intended for large-scale installations; it is meant for small, relatively static environments.
The JAASRealm is not widely used and therefore its code is not as mature as that of the other realms. Additional testing is recommended before using it.
Use LockOut Realms | A LockOutRealm wraps a standard Realm and adds the ability to lock a user out after a configurable number of failed logins within a configurable period.
Locking out a user after multiple failed logins slows down attackers who are brute forcing logins.
Connector Security | Setup Client-cert Authentication | Client-certificate authentication requires each client connecting to the server to present a certificate that the server verifies against its truststore. It is generally regarded as stronger than password authentication because the client must possess the certificate and its private key rather than merely know a password. On a JSSE Connector it is enabled with the clientAuth attribute.
Certificate-based authentication is more secure than password-based authentication.
Ensure secure is set to true only for SSL-enabled Connectors | The secure attribute tells applications whether the Connector they are served over is protected, typically through request.isSecure(). Ensure secure is set to true only on Connectors that also have SSLEnabled set to true; a plain-HTTP Connector marked secure makes applications believe they are on TLS when they are not.
Accurately reporting the security state of the Connector ensures that applications built on Tomcat do not unknowingly rely on security controls that are not in place.
Ensure SSL Protocol is set to TLS for Secure Connectors | The sslProtocol attribute of a JSSE Connector determines which protocol family Tomcat uses to protect traffic. It is recommended that sslProtocol be set to TLS. On Tomcat 8.5 and later the enabled versions are controlled by the protocols attribute of SSLHostConfig, which should be reviewed in the same way.
TLS does not share the weaknesses of the older SSLv2 and SSLv3 protocols, so it is the protocol used to protect the confidentiality and integrity of data in transit.
Application Deployment | Starting Tomcat with Security Manager | Configure applications to run in a sandbox by starting Tomcat with the Java Security Manager (the -security option of catalina.sh, with the policy defined in catalina.policy). The Security Manager restricts which classes and resources web applications can access, protecting the server from mistakes, Trojans and malicious code. Note that the Java Security Manager is deprecated for removal as of Java 17, so this control is not available on newer platforms.
By running Tomcat with the Security Manager, applications run in a sandbox that can prevent untrusted code from accessing files on the file system.
Disabling auto deployment of applications | With autoDeploy enabled on a Host, Tomcat periodically scans the application base directory and deploys any new or changed WAR file or context while the server is running. It is recommended that this capability be disabled.
Leaving it enabled allows anyone who can write a file into the application base directory to have a malicious or untested application deployed without a restart.
Disable deploy on startup of applications | With deployOnStartup enabled on a Host, Tomcat deploys every application found in the application base directory when it starts, whether or not it is defined in server.xml. It is recommended that this capability be disabled so that only explicitly defined applications are deployed.
Leaving it enabled allows a malicious or untested application dropped into the directory to be deployed at the next restart.
Miscellaneous Configuration Settings | Turn off session facade recycling | The org.apache.catalina.connector.RECYCLE_FACADES system property (set in catalina.properties) controls whether a new request and response facade object is created for each request. If the facades are recycled instead, there is a potential for information leakage between requests; set the property to true.
When RECYCLE_FACADES is false, which is the default, Tomcat recycles the facade objects between requests, which can allow information from one request to leak into another.
Do not allow additional path delimiters : ALLOW_BACKSLASH | Allowing the backslash as an additional path delimiter (system property org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH) creates the possibility that an attacker reaches applications or paths that a front-end proxy such as mod_proxy was configured to block, because the proxy and Tomcat normalize the URL differently. Keep the property at false.
Allowing additional path delimiters lets an attacker reach an application or area that was not previously visible.
Do not allow additional path delimiters : ALLOW_ENCODED_SLASH | Allowing %2F to be decoded as a path separator (system property org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH) creates the same risk: a URL that a proxy such as mod_proxy blocked in its encoded form can reach a different application or path once Tomcat decodes it. Keep the property at false.
Allowing additional path delimiters lets an attacker reach an application or area that was not previously visible.
Do not allow custom header status messages | Allowing applications to set custom HTTP status reason phrases (system property org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER) opens up the possibility of additional headers being injected through the status line. If custom status messages are required, ensure they contain only US-ASCII and never include user-supplied data.
Allowing user-supplied data into the status line or headers creates the possibility of header injection and XSS.
Do not resolve hosts on logging valves | Setting enableLookups to true on a Connector forces a reverse DNS lookup of the client address before the host name can be logged, for example by the access log valve. Keep it at false and log the client IP address instead.
Enabling enableLookups adds overhead and a dependency on DNS for every logged request, which is rarely needed.

Detailed Checklist (Nginx)

Checklist | Detailed Checklist | Description
Nginx | Buffer Overflow Protection - client_body_buffer_size | Sets the buffer size for reading the client request body. If the request body is larger than the buffer, the whole body or part of it is written to a temporary file. By default the buffer size is equal to two memory pages: 8K on x86, other 32-bit platforms and x86-64, and usually 16K on other 64-bit platforms. Set it explicitly so that an oversized body is bounded in memory.
Buffer Overflow Protection - client_header_buffer_size | Sets the buffer size for reading the client request header. For most requests a buffer of 1K bytes is enough. However, if a request includes long cookies or comes from a WAP client, it may not fit into 1K. If a request line or a request header field does not fit into this buffer, larger buffers, configured by the large_client_header_buffers directive, are allocated.
Buffer Overflow Protection - client_max_body_size | Sets the maximum allowed size of the client request body, as given in the Content-Length request header field. If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client. Be aware that browsers cannot display this error correctly. Setting the size to 0 disables checking of the client request body size, which is the weak setting this item looks for.
Buffer Overflow Protection - large_client_header_buffers | Sets the maximum number and size of buffers used for reading a large client request header. A request line cannot exceed the size of one buffer, or the 414 (Request-URI Too Large) error is returned to the client. A request header field cannot exceed the size of one buffer either, or the 400 (Bad Request) error is returned. Buffers are allocated only on demand; by default the buffer size is 8K bytes. If after the end of request processing the connection is transitioned into the keep-alive state, these buffers are released.
Remove Version number | The server_tokens directive controls whether nginx reveals its version in the Server response header and on error pages. Set it to off: sharing the exact version lets an attacker target known vulnerabilities in that specific release.
Mitigating Slow HTTP DoS Attack - client_body_timeout | Defines a timeout for reading the client request body. The timeout applies only to the period between two successive read operations, not to the transmission of the whole request body. If the client does not transmit anything within this time, the 408 (Request Time-out) error is returned. A low value limits how long a slow-POST client can hold a connection open.
Mitigating Slow HTTP DoS Attack - client_header_timeout | Defines a timeout for reading the client request header. If the client does not transmit the entire header within this time, the 408 (Request Time-out) error is returned. A low value limits how long a slowloris-style client that trickles header bytes can hold a connection open.
Mitigating Slow HTTP DoS Attack - keepalive_timeout | The first parameter sets the time during which a keep-alive client connection stays open on the server side; the value zero disables keep-alive client connections. The optional second parameter sets the value sent in the "Keep-Alive: timeout=time" response header field, and the two may differ. That header field is recognized by Mozilla and Konqueror; MSIE closes keep-alive connections by itself after about 60 seconds.
Mitigating Slow HTTP DoS Attack - send_timeout | Sets a timeout for transmitting a response to the client. The timeout applies only to the period between two successive write operations, not to the transmission of the whole response. If the client does not receive anything within this time, the connection is closed, which frees workers held by clients that read responses deliberately slowly.
SSL/TLS Configuration | Whenever possible, avoid SSL in all of its versions and use TLS instead: restrict the ssl_protocols directive to the TLS versions you support. The directive belongs in the server or http context of your virtual host file, or in a separate file pulled in with an include directive (some people use a file named ssl.conf, but the name is entirely up to you).
Enables server-side protection from BEAST attacks | BEAST ("Browser Exploit Against SSL/TLS") is an attack against the cipher block chaining (CBC) mode as used by SSLv3 and TLS 1.0. To guard against it, the cipher preference is set to be determined by the server (ssl_prefer_server_ciphers on) instead of the client. Cipher ordering alone does not close BEAST; the reliable mitigation is to disable TLS 1.0 and older in ssl_protocols.
Disabled insecure ciphers suite | Triple DES (3DES) is an old cipher with a 64-bit block size against which several vulnerabilities have been published over the last 18 years, most recently the Sweet32 birthday attack. Although it used to be a government encryption standard, it should no longer be offered; exclude it explicitly in ssl_ciphers.
Avoid clickjacking | Apply the X-Frame-Options header (DENY or SAMEORIGIN) globally in the configuration so that browsers refuse to render the site inside a frame on another origin. Alongside it, the HSTS header should be present only on HTTPS responses, and sensitive data should not be cached or stored by the client.
Disable content-type sniffing on some browsers | Add the X-Content-Type-Options header to the HTTP response; its only parameter is nosniff. It instructs the browser to treat files as the declared Content-Type and disallows content sniffing, preventing MIME-type confusion attacks.
Enable the Cross-site scripting (XSS) filter | The X-XSS-Protection header enables the reflected-XSS filter in browsers that have one (IE 8+, older Chrome, Opera, Safari and Android browsers); the recommended value is 1; mode=block. Current Chrome- and Edge-based browsers have removed this filter and Firefox never implemented it, so the header is a legacy defence-in-depth measure, not a substitute for output encoding.
Avoid ssl stripping attack | In SSL stripping, an attacker in a Man-in-the-Middle position routes all of the victim's traffic through a proxy they control and downgrades the connection to plain HTTP. To prevent it, add the Strict-Transport-Security (HSTS) header to the nginx configuration; browsers ignore the header when it arrives over plain HTTP, so send it from the HTTPS server block.
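The nginx items above are all directives in nginx.conf, so they can be checked with one parser. The following is an added example, not the checker's code or part of nginx: a small nginx.conf parser and an audit that runs over a constructed weak configuration and its hardened counterpart. The certificate paths and the cipher list in the hardened sample are placeholders; the cipher check is deliberately conservative and requires an explicit !3DES exclusion because the HIGH alias still contained 3DES on older OpenSSL builds.

```python
"""Audit an nginx configuration for the checklist items: server_tokens, the request
body limit, the slow-HTTP timeouts, TLS protocols and ciphers, and response headers."""
import re

WEAK_NGINX = """\
# Constructed example of a weak nginx.conf
http {
    server_tokens on;
    keepalive_timeout 65;
    server {
        listen 443 ssl;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        location / { root /var/www/html; }
    }
}
"""

HARDENED_NGINX = """\
# Constructed example of the same server with the checklist applied
http {
    server_tokens off;
    client_max_body_size 1m;
    client_body_timeout 10s;
    client_header_timeout 10s;
    keepalive_timeout 15s;
    send_timeout 10s;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5:!3DES:!RC4";
    server {
        listen 443 ssl;
        ssl_certificate     /etc/nginx/tls/example.crt;   # placeholder paths
        ssl_certificate_key /etc/nginx/tls/example.key;
        # add_header is inherited from http{} only when a block sets none of its own,
        # so all four headers are set together here, in the HTTPS server block.
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        location / { root /var/www/html; }
    }
}
"""


def parse_nginx(text):
    """Parse nginx.conf into (name, args, children) tuples, children being None for
    a simple directive; quoted arguments are kept whole and '#' comments dropped."""
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', re.sub(r"#[^\n]*", "", text))
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while tokens[pos] not in ("{", ";"):
                words.append(tokens[pos].strip("\"'"))
                pos += 1
            if tokens[pos] == "{":
                pos += 1
                items.append((words[0], words[1:], block()))
            else:
                items.append((words[0], words[1:], None))
            pos += 1  # consume the ';' or the block's closing '}'
        return items
    return block()


def directives(items):
    """Flatten the parse tree into (name, args) pairs, depth first."""
    for name, args, children in items:
        yield name, args
        if children:
            yield from directives(children)


REQUIRED_TIMEOUTS = ("client_body_timeout", "client_header_timeout", "keepalive_timeout", "send_timeout")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
REQUIRED_HEADERS = {"x-frame-options", "x-content-type-options", "x-xss-protection", "strict-transport-security"}
WEAK_CIPHER = re.compile(r"DES|RC4|NULL|EXPORT|MD5", re.I)


def audit_nginx(text):
    """Return one finding string per checklist item the configuration fails."""
    seen = {}
    for name, args in directives(parse_nginx(text)):
        seen.setdefault(name, []).append(args)
    f = []
    if any(a[:1] != ["off"] for a in seen.get("server_tokens", [["on"]])):  # default is on
        f.append("server_tokens is not off (version shown in Server header and error pages)")
    if not seen.get("client_max_body_size") or any(a[:1] == ["0"] for a in seen["client_max_body_size"]):
        f.append("client_max_body_size unset or 0 (no request body limit)")
    f.extend("%s not set, nginx default applies" % t for t in REQUIRED_TIMEOUTS if t not in seen)
    protocols = {p for a in seen.get("ssl_protocols", []) for p in a}
    if not protocols:
        f.append("ssl_protocols not set")
    f.extend("ssl_protocols enables %s" % p for p in sorted(protocols & LEGACY_PROTOCOLS))
    if not any(a[:1] == ["on"] for a in seen.get("ssl_prefer_server_ciphers", [])):
        f.append("ssl_prefer_server_ciphers is not on")
    for a in seen.get("ssl_ciphers", [[""]]):
        entries = a[0].split(":") if a else [""]
        if "!3DES" not in entries or any(WEAK_CIPHER.search(e) for e in entries if not e.startswith("!")):
            f.append("ssl_ciphers does not exclude 3DES or lists a weak cipher: %s" % ":".join(entries))
    headers = {a[0].lower() for a in seen.get("add_header", []) if a}
    f.extend("add_header %s missing" % h for h in sorted(REQUIRED_HEADERS - headers))
    return f
```

Run audit_nginx on the text of nginx.conf (after resolving include directives yourself, since the parser does not follow them). The weak sample fails every item on the list, including the three legacy protocol versions reported individually; the hardened sample passes. The parser is intentionally small and does not understand every nginx construct, such as map blocks with quoted keys containing '#', so treat it as an auditing aid rather than a validator.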

Pricing information

Flexible price plan depending on the usage amount.

System Security Checker fees are charged depending on the number of diagnoses.

Classification | Billing standard (case) | Usage Fee per Diagnosis (KRW)
OS vulnerability diagnosis (Windows, Linux) | Under 100 times/month | 100 KRW/diagnosis
OS vulnerability diagnosis (Windows, Linux) | Over 100 times/month | 80 KRW/diagnosis
WAS vulnerability diagnosis (Apache, Tomcat, NginX) | N/A | 20,000 KRW/diagnosis

* For WAS vulnerability diagnosis, if the same target is re-diagnosed within 30 days of the initial diagnosis, one additional diagnosis is free of charge.

  • "The same target" means the same server as the first diagnosis (based on instance ID) and the same WAS type.
  • If you exceed the re-diagnosis period or count, you will be charged for a new diagnosis.
  • For OS vulnerability diagnosis, no separate free re-diagnosis policy applies.

* In the following cases you are not charged, and no vulnerability diagnosis report is provided.

  • If the diagnosis fails because of a problem with the System Security Checker system, you will not be charged.
  • If the diagnosis is stopped by the Customer Support Center at the customer's request while it is running, you will not be charged.

Except in the cases mentioned above, you will be charged as usual. Please check the items you need before starting a diagnosis.
