tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Pïd stèr <...@pidster.com>
Subject Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Sat, 13 Apr 2013 10:26:59 GMT
On 13 Apr 2013, at 03:33, Esmond Pitt <esmond.pitt@bigpond.com> wrote:

> I agree with your comment. Adding a second box for Tomcat only means I also
> have to configure a firewall between them, whereas using 127.0.0.x for
> Tomcat protects it completely.

No it doesn't!

Obfuscation or indirection != security.
HTTPD doesn't magically provide you with some extra security capability.


p




>
> -----Original Message-----
> From: Pïd stèr [mailto:pid@pidster.com]
> Sent: Saturday, 13 April 2013 3:54 AM
> To: Tomcat Users List
> Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html
> HTTP/1.0" 404
>
> On 11 Apr 2013, at 21:36, Christopher Schultz <chris@christopherschultz.net>
> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Esmond,
>>
>> On 4/10/13 8:21 PM, Esmond Pitt wrote:
>>> We had lots of these and finally an attack last year on a Tomcat
>>> where the manager password somehow hadn't been changed.
>>
>> Note that the manager webapp has no default passwords, so I wonder
>> what you mean when you say it "hadn't been changed". There are
>> examples in conf/tomcat-users.xml but they are all commented-out.
>>
>> You would have had to intentionally enable the "default" password.
>>
>>> The attacker installed a viral servlet application that killed the
>>> server completely, we had to rebuild it.
>>
>> I -- like most people I would guess -- don't run under a
>> SecurityManager, but doing so can significantly limit the damage that
>> a rogue webapp can do.
>>
>>> We:
>>>
>>> - Hid the Tomcat behind an Apache HTTPD on port 80.
>>
>> Did you also remove manager webapp access through httpd? Otherwise,
>> this doesn't actually do anything to help.
>>
>>> - Closed port 8080, indeed removed all the HTTP Connectors from
>>> Tomcat and just used AJP connectors running on 127.0.0.1/2/3/4/...,
>>> all on the same port for simplicity, so there is no zero direct
>>> access to Tomcat from the outside
>>
>> +1, though I would run Apache httpd and Tomcat on different hosts, so
>> localhost-binding is not possible unless you are doing something like
>> stunnel (which also might be a good idea if you are traversing an
>> untrusted network).
>
> Respectfully, I have to disagree. Unless the Apache HTTPD is loaded with IDS
> that can sniff the inbound traffic, you've not achieved much, and now you
> have two boxes that have to be maintained, secured & patched. HTTPD !=
> firewall.
>
>
> p
>
>
>>
>>> - Configured Apache HTTPD for LDAP authentication via an OpenLDAP
>>> server that in turn is configured via the Password Policy overlay for
>>> finite (5 I think) password retries before locking out the account
>>
>> +2 -- both good ideas: central access control (LDAP) and enabling
>> lockout mechanism. Note that Tomcat's lockout mechanism is fairly
>> primitive and easy to game.
>>
>>> - required a very restricted LDAP group membership for access to
>>> /manager (and the other Tomcat builtins).
>>
>> +1 hooray for role-based permissions!
>>
>>> No recurrence, not even an attempt. I think actually closing port
>>> 8080 may have played the biggest part in all this.
>>
>> Would you be willing to review the Tomcat documentation on "securing
>> Tomcat" and make a few comments? It could always use some additional tips:
>>
>> http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
>> http://wiki.apache.org/tomcat/FAQ/Security
>>
>> You can sign-up for the wiki yourself and make any changes you want.
>> If you want to modify the "official" documentation, create a Bugzilla
>> enhancement request and (please!) include a patch. I'm sure it will go
>> right in.
>>
>> Thanks,
>> - -chris
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
>> Comment: GPGTools - http://gpgtools.org
>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>
>> iQIcBAEBCAAGBQJRZx7AAAoJEBzwKT+lPKRY+3MP/3c8kZZU43cMaxkXTi/ELXha
>> Hv6rAeGz4nnpMNn2C002cTRgZ39vomUXYdsLMnNIshn05JDVIZmLLoUXk6UzY9go
>> uH0QdAubBxhvwC/CWeLjUuSjy/Ei4vKeB7xJNw/FQ2xXEt47FWv36e0vgxOyluX+
>> gbkB3KQlN6PXtQENGvkOGT5oWLK9M7WUydGSWq9lXR+akwWeL3jWRAlLl6bHYybQ
>> n70c5wq/rJbEj+k9yCHsMZvPabYs5ejsz6wHvvw4Emrxcp4LVVjCuY2Z87Yhdtb4
>> B43tF48be9GUZCXDvtIjiS5phHMhpqyJakHuZ7GSvzDIeuiNZ96XuoDkIG1bwWjf
>> Z5SMCSjkSPqDKJ1cXcd8AaSYgI2C3KQnuFrbTD7bVqQHOeq7RJZp3+xE0IUNPl+V
>> H2PNpUfXD9BDbPiiDt8bcgvcrImejW0RDumQ2fwbTVvt4OaybVsMUsVFW8lUtw3A
>> YhvFn/WCEdR8VaY9PkqYm84BVMsQJBbBdb5clYiAtVQRky1NPS+hcIihnf85DkNU
>> vr6rv/oK0aMXAamwUagmRe5OjTHuHczERPYgEUMpppnlXuNV1mLxBib8+HInGg3/
>> Y5i28tTd7fS5uo7/CZv+9uEZdDUO7utWGT0W+gBaIkh35/yZI5a1l5wi0szYduQe
>> t3nftQXUTCYtK1QNwKND
>> =3s6Q
>> -----END PGP SIGNATURE-----
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message