tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Thu, 11 Apr 2013 20:36:17 GMT


On 4/10/13 8:21 PM, Esmond Pitt wrote:
> We had lots of these and finally an attack last year on a Tomcat
> where the manager password somehow hadn't been changed.

Note that the manager webapp has no default passwords, so I wonder
what you mean when you say it "hadn't been changed". There are
examples in conf/tomcat-users.xml but they are all commented-out.

You would have had to intentionally enable the "default" password.

> The attacker installed a viral servlet application that killed the
> server completely, we had to rebuild it.

I -- like most people I would guess -- don't run under a
SecurityManager, but doing so can significantly limit the damage that
a rogue webapp can do.

> We:
> - Hid the Tomcat behind an Apache HTTPD on port 80.

Did you also remove manager webapp access through httpd? Otherwise,
this doesn't actually do anything to help.

> - Closed port 8080, indeed removed all the HTTP Connectors from
> Tomcat and just used AJP connectors running on,
> all on the same port for simplicity, so there is zero direct
> access to Tomcat from the outside

+1, though I would run Apache httpd and Tomcat on different hosts, so
localhost-binding is not possible unless you are doing something like
stunnel (which also might be a good idea if you are traversing an
untrusted network).

> - Configured Apache HTTPD for LDAP authentication via an OpenLDAP
> server that in turn is configured via the Password Policy overlay
> for finite (5 I think) password retries before locking out the
> account

+2 -- both good ideas: central access control (LDAP) and enabling a
lockout mechanism. Note that Tomcat's lockout mechanism is fairly
primitive and easy to game.

> - required a very restricted LDAP group membership for access to
> /manager (and the other Tomcat builtins).

+1 hooray for role-based permissions!

> No recurrence, not even an attempt. I think actually closing port
> 8080 may have played the biggest part in all this.

Would you be willing to review the Tomcat documentation on "securing
Tomcat" and make a few comments? It could always use some additional tips:

You can sign up for the wiki yourself and make any changes you want.
If you want to modify the "official" documentation, create a Bugzilla
enhancement request and (please!) include a patch. I'm sure it will go
right in.

-chris
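Chris's question about whether manager access was also removed through httpd, together with the LDAP group restriction the quoted post describes, as an added Apache httpd 2.4 configuration example (not from this thread or the Tomcat project; the Tomcat host, LDAP server, DNs and the internal admin vhost address are assumptions):

```apache
# Added example, not from the thread: httpd front end that forwards
# application traffic to Tomcat over AJP but never forwards the manager
# and host-manager webapps on the public vhost. All hostnames, ports,
# addresses and DNs below are assumed values for illustration.
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_ajp_module    modules/mod_proxy_ajp.so
LoadModule ldap_module         modules/mod_ldap.so
LoadModule authnz_ldap_module  modules/mod_authnz_ldap.so

<VirtualHost *:80>
    ServerName www.example.com

    # Exclusions must precede the catch-all ProxyPass: without them,
    # "hiding Tomcat behind httpd" still exposes /manager to the outside.
    ProxyPass /manager      !
    ProxyPass /host-manager !
    ProxyPass /             ajp://tomcat.internal:8009/
    ProxyPassReverse /      ajp://tomcat.internal:8009/

    # Deny the manager paths outright as well, so a later rule that
    # accidentally proxies them still gets a 403 instead of Tomcat.
    <LocationMatch "^/(manager|host-manager)(/|$)">
        Require all denied
    </LocationMatch>
</VirtualHost>

# Publish /manager only on an internal vhost, behind LDAP authentication
# and membership of a small admin group (serve this over TLS in practice;
# retry lockout is enforced by the LDAP server's password policy, not here).
<VirtualHost 10.0.0.5:80>
    ServerName admin.internal
    ProxyPass        /manager ajp://tomcat.internal:8009/manager
    ProxyPassReverse /manager ajp://tomcat.internal:8009/manager

    <Location /manager>
        AuthType Basic
        AuthName "Tomcat Manager"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://ldap.internal/ou=people,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDN on
        Require ldap-group cn=tomcat-admins,ou=groups,dc=example,dc=com
    </Location>
</VirtualHost>
```

After reloading httpd, a request for /manager/html on the public vhost should return 403 from httpd itself, and the access log should show no corresponding request reaching Tomcat.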

