tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Esmond Pitt" <esmond.p...@bigpond.com>
Subject RE: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Fri, 12 Apr 2013 00:43:59 GMT
> You would have had to intentionally enable the "default" password.

I had clearly done that. 

> The attacker installed a viral servlet application that killed the 
> server completely, we had to rebuild it.

I -- like most people I would guess -- don't run under a SecurityManager,
but doing so can significantly limit the damage that a rogue webapp can do.

Thanks, I don't think that's feasible given our webapps.

> Did you also remove manager webapp access through httpd? Otherwise, this
doesn't actually do anything to help.

No I didn't, I *access-controlled it,* as I went on to describe.


> +2 -- both good ideas: central access control (LDAP) and enabling
> lockout mechanism. Note that Tomcat's lockout mechanism is fairly
primitive and easy to game.

I referred to the OpenLDAP lockout mechanism, which is not at all primitive.

> Would you be willing to review the Tomcat documentation on "securing
Tomcat" and make a few comments? It could always use some additional tips:

Sure, will do.

http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
http://wiki.apache.org/tomcat/FAQ/Security

You can sign-up for the wiki yourself and make any changes you want.
If you want to modify the "official" documentation, create a Bugzilla
enhancement request and (please!) include a patch. I'm sure it will go right
in.

Thanks,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJRZx7AAAoJEBzwKT+lPKRY+3MP/3c8kZZU43cMaxkXTi/ELXha
Hv6rAeGz4nnpMNn2C002cTRgZ39vomUXYdsLMnNIshn05JDVIZmLLoUXk6UzY9go
uH0QdAubBxhvwC/CWeLjUuSjy/Ei4vKeB7xJNw/FQ2xXEt47FWv36e0vgxOyluX+
gbkB3KQlN6PXtQENGvkOGT5oWLK9M7WUydGSWq9lXR+akwWeL3jWRAlLl6bHYybQ
n70c5wq/rJbEj+k9yCHsMZvPabYs5ejsz6wHvvw4Emrxcp4LVVjCuY2Z87Yhdtb4
B43tF48be9GUZCXDvtIjiS5phHMhpqyJakHuZ7GSvzDIeuiNZ96XuoDkIG1bwWjf
Z5SMCSjkSPqDKJ1cXcd8AaSYgI2C3KQnuFrbTD7bVqQHOeq7RJZp3+xE0IUNPl+V
H2PNpUfXD9BDbPiiDt8bcgvcrImejW0RDumQ2fwbTVvt4OaybVsMUsVFW8lUtw3A
YhvFn/WCEdR8VaY9PkqYm84BVMsQJBbBdb5clYiAtVQRky1NPS+hcIihnf85DkNU
vr6rv/oK0aMXAamwUagmRe5OjTHuHczERPYgEUMpppnlXuNV1mLxBib8+HInGg3/
Y5i28tTd7fS5uo7/CZv+9uEZdDUO7utWGT0W+gBaIkh35/yZI5a1l5wi0szYduQe
t3nftQXUTCYtK1QNwKND
=3s6Q
-----END PGP SIGNATURE-----



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message