tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Wed, 10 Apr 2013 20:32:55 GMT
Hash: SHA256


On 4/10/13 1:23 PM, Howard W. Smith, Jr. wrote:
>> As others have mentioned, I wouldn't give this too much thought: 
>> someone is scanning you for vulnerabilities. I'll bet if you log
>> the full headers of those requests, you'll see something like 
>> "admin/admin" or "scott/tiger" in the WWW-Authenticate headers.
>> Just someone knocking on your door to see if the latch works. Can
>> you mostly ignore them.
> Nice analogy, and definitely, I can ignore and have been ignoring
> them. Just thought I might ask the list, and see if my current
> securing-tomcat approach is common and/or sufficient. :)

There is a free utility for *NIX systems called fail2ban which can be
configured to scan log files (and other data sources) for certain
patterns. You can do things like say "if we get 10 or more failed
requests from a certain IP address, update the firewall to drop all
packets from that IP for a while". I wonder if there exists something
like that for the Windows world.

You can have fail2ban watch things like failed attempts to login to
ssh, and I think you could probably do something like that with 404
responses from your web-service logs, too. Of course, you have to make
sure that your site doesn't have too many "legit" 404s on it that
people will trigger this rather draconian response, but you can always
un-ban them fairly easily :)

>> On the other hand, I wonder why you are seeing these requests in
>> your Tomcat logs, since you:
>>> I mentioned earlier that I removed the manager apps. The server
>>> is behind a firewall router, port 8080 is port-forwarded from
>>> the router to the server, the web app has login page (and
>>> login servlet/filter in place), but SSL is not configured just
>>> yet. That is definitely on my to-do list to complete, ASAP, as
>>> the CEO has given me the go-ahead.
>> Are you not filtering by URL anywhere?
> Good question. not filtering any IP addresses at the firewall
> level, and really don't have a need unless some
> really-serious-harmful infiltration occurred. Looking at the
> localhost access logs, I am able to develop a reliable list of IP
> addresses to add to a 'safe list', but i have not found that
> necessary to do...just yet.

If you find that you are getting lots of penetration attempts from a
small set of IP addresses, just firewall them out.

>> If you don't expect anyone in Asia to be legitimately accessing
>> your site, you could do something drastic like close your site to
>> some CIDR pattern that blocks all that stuff.
> Interesting. Earlier, Chuck mentioned, "GIYF", and agreed on that
> point, and that would be my first step, if I needed to learn a bit
> more about CIDR. :)

It allows you to specify a bit pattern and bitmask at the same time.

- -chris
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools -
Comment: Using GnuPG with Thunderbird -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message