tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Esmond Pitt" <esmond.p...@bigpond.com>
Subject RE: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Mon, 15 Apr 2013 10:36:20 GMT
When you quote me in refutation, kindly quote *all* and *only* the parts
that are relevant. You have now made both mistakes in succession. I hid the
Tomcat behind an HTTPD on port 80, closed port 8080, and made the Tomcat
listen on 127.0.0.x only. A TCP socket that listens on 127.0.0.1 cannot be
connected to from outside the localhost. That's not 'security by obscurity',
that's security via a well-known feature of TCP. It is in effect a firewall.

EJP
-----Original Message-----
From: Pid [mailto:pid@pidster.com] 
Sent: Monday, 15 April 2013 8:25 PM
To: Esmond Pitt
Cc: 'Tomcat Users List'
Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html
HTTP/1.0" 404

On 15/04/2013 03:51, Esmond Pitt wrote:
> 
>>> I agree with your comment. Adding a second box for Tomcat only means 
>>> I also have to configure a firewall between them, whereas using 
>>> 127.0.0.x for Tomcat protects it completely.
> 
>> No it doesn't!
>> Obfuscation or indirection != security.
>> HTTPD doesn't magically provide you with some extra security capability.
> 
> I don't know what you're talking about. I didn't mention HTTPD in the 
> message you quoted. I mentioned 127.0.0.x, and it does exactly what I 
> said it does. There is no 'security via obscurity' here, just a 
> well-known TCP mechanism.

I quote:

> We:
>
> - Hid the Tomcat behind an Apache HTTPD on port 80.

You used the word 'hid'.

ob.scure
 Adjective
  Not discovered or known about; uncertain.
 Verb
  Keep from being seen; conceal.

Security via obscurity.


> - Closed port 8080, indeed removed all the HTTP Connectors from Tomcat 
> and just used AJP connectors running on 127.0.0.1/2/3/4/..., all on 
> the same port for simplicity, so there is no zero direct access to 
> Tomcat from the outside

I am objecting to the above as being an improvement on two counts:

1. the phrase 'direct access' has no meaning here

2. Tomcat still processes the bytes received from the client with no prior
inspection or validation of their safety.


> - Configured Apache HTTPD for LDAP authentication via an OpenLDAP 
> server that in turn is configured via the Password Policy overlay for 
> finite (5 I
> think) password retries before locking out the account
> - required a very restricted LDAP group membership for access to 
> /manager (and the other Tomcat builtins).

So you secured the Manager app, rather than use a password that could be
guessed.


> No recurrence, not even an attempt. I think actually closing port 8080 
> may have played the biggest part in all this.

No it didn't.  Using a password that couldn't be guessed did.


p





-- 

[key:62590808]


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message