tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Esmond Pitt" <>
Subject RE: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Mon, 15 Apr 2013 10:36:20 GMT
When you quote me in refutation, kindly quote *all* and *only* the parts
that are relevant. You have now made both mistakes in succession. I hid the
Tomcat behind an HTTPD on port 80, closed port 8080, and made the Tomcat
listen on 127.0.0.x only. A TCP socket that listens on cannot be
connected to from outside the localhost. That's not 'security by obscurity',
that's security via a well-known feature of TCP. It is in effect a firewall.

-----Original Message-----
From: Pid [] 
Sent: Monday, 15 April 2013 8:25 PM
To: Esmond Pitt
Cc: 'Tomcat Users List'
Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html
HTTP/1.0" 404

On 15/04/2013 03:51, Esmond Pitt wrote:
>>> I agree with your comment. Adding a second box for Tomcat only means 
>>> I also have to configure a firewall between them, whereas using 
>>> 127.0.0.x for Tomcat protects it completely.
>> No it doesn't!
>> Obfuscation or indirection != security.
>> HTTPD doesn't magically provide you with some extra security capability.
> I don't know what you're talking about. I didn't mention HTTPD in the 
> message you quoted. I mentioned 127.0.0.x, and it does exactly what I 
> said it does. There is no 'security via obscurity' here, just a 
> well-known TCP mechanism.

I quote:

> We:
> - Hid the Tomcat behind an Apache HTTPD on port 80.

You used the word 'hid'.

  Not discovered or known about; uncertain.
  Keep from being seen; conceal.

Security via obscurity.

> - Closed port 8080, indeed removed all the HTTP Connectors from Tomcat 
> and just used AJP connectors running on, all on 
> the same port for simplicity, so there is no zero direct access to 
> Tomcat from the outside

I am objecting to the above as being an improvement on two counts:

1. the phrase 'direct access' has no meaning here

2. Tomcat still processes the bytes received from the client with no prior
inspection or validation of their safety.

> - Configured Apache HTTPD for LDAP authentication via an OpenLDAP 
> server that in turn is configured via the Password Policy overlay for 
> finite (5 I
> think) password retries before locking out the account
> - required a very restricted LDAP group membership for access to 
> /manager (and the other Tomcat builtins).

So you secured the Manager app, rather than use a password that could be

> No recurrence, not even an attempt. I think actually closing port 8080 
> may have played the biggest part in all this.

No it didn't.  Using a password that couldn't be guessed did.




To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message