tomcat-users mailing list archives
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Thu, 11 Apr 2013 20:39:59 GMT

Jeffrey,

On 4/11/13 9:47 AM, Jeffrey Janner wrote:
>> -----Original Message-----
>> From: Howard W. Smith, Jr. [mailto:smithh032772@gmail.com]
>> Sent: Wednesday, April 10, 2013 7:35 PM
>> To: Esmond Pitt
>> Cc: Tomcat Users List
>> Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
>>
>> On Wed, Apr 10, 2013 at 8:21 PM, Esmond Pitt <esmond.pitt@bigpond.com> wrote:
>> 
>>> We had lots of these and finally an attack last year on a Tomcat where
>>> the manager password somehow hadn't been changed. The attacker
>>> installed a viral servlet application that killed the server
>>> completely; we had to rebuild it.
>>>
>>> We:
>>>
>>> - Hid the Tomcat behind an Apache HTTPD on port 80.
>>> - Closed port 8080, indeed removed all the HTTP Connectors from Tomcat
>>>   and just used AJP connectors running on 127.0.0.1/2/3/4/..., all on
>>>   the same port for simplicity, so there is no direct access to Tomcat
>>>   from the outside.
>>> - Configured Apache HTTPD for LDAP authentication via an OpenLDAP server
>>>   that in turn is configured via the Password Policy overlay for finite
>>>   (5 I think) password retries before locking out the account.
>>> - Required a very restricted LDAP group membership for access to
>>>   /manager (and the other Tomcat builtins).
>>>
>>> No recurrence, not even an attempt. I think actually closing port 8080
>>> may have played the biggest part in all this.
>>>
>>> EJP
>>>
>> +1 I like what you all did! I'm currently not using Apache
>> HTTPD, 'yet'.
>>
>> Before I start TomEE/tomcat, I always copy my edited version of
>> tomee/tomcat's user file, and I have a strong password in place.
>> When I first started using TomEE, and when I had port 3389 open
>> on my Windows Server 2008 'development server', I saw someone
>> connect to the tomee and tomcat manager apps, and they tried
>> 'many' times to login to those manager app pages.
>>
>> I LOL at them, because even though the manager apps were
>> available, I already beat them to the punch, because I secured
>> tomee/tomcat by commenting out users and/or user groups in the
>> user file, and created my own custom user that had a strong
>> password. So, after I saw those blatant-and-sorry-hacker
>> attempts, I resolved that by removing manager apps whenever I
>> install a new version of tomee/tomcat. Problem solved!!! :) And
>> yes, I eventually closed port 3389 on my router, since I really
>> don't need it since I am in the office 99.99999% of the time
>> doing my work. Sometimes, if I have to travel somewhere or sit in
>> a waiting room while my vehicle is being serviced, I do get tempted
>> to open 3389 port on my router and do some work at that time. :)
>>
> 
> FYI, Howard, this is why they invented VPN technology.

+1

OpenVPN is cheap and relatively easy to set up.

-chris
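As an added illustration of the setup Esmond describes above (not configuration from the original thread or from the Tomcat project), here is an httpd 2.4 front end that forwards to Tomcat over AJP on loopback only and gates /manager behind LDAP authentication and a small admin group. All host names, DNs, the bind account and the secret values are hypothetical placeholders; the OpenLDAP Password Policy overlay that enforces the retry lockout lives in slapd and is not shown.

```apache
# Added example: httpd in front of Tomcat. Assumes mod_proxy, mod_proxy_ajp and
# mod_authnz_ldap are loaded, an OpenLDAP server at ldap.example.com (hypothetical)
# with users under ou=people and an admin group cn=tomcat-admins under ou=groups.
#
# Tomcat side (server.xml): delete the HTTP/1.1 Connector on 8080 entirely and keep
# one AJP connector bound to loopback, so nothing reaches Tomcat except via httpd.
# On Tomcat 8.5.51+ / 9.0.31+ the AJP secret is checked as well:
#
#   <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
#              secretRequired="true" secret="CHANGE-ME-LONG-RANDOM" />

Listen 80

<VirtualHost *:80>
    ServerName app.example.com

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Application traffic goes to Tomcat over AJP on loopback. The secret= key
    # (httpd 2.4.42+) must match the value in server.xml.
    ProxyPass        "/app" "ajp://127.0.0.1:8009/app" secret=CHANGE-ME-LONG-RANDOM
    ProxyPassReverse "/app" "ajp://127.0.0.1:8009/app"

    # manager and host-manager are reachable only through httpd, and only after the
    # LDAP check below; Tomcat's own manager realm still applies as a second layer.
    ProxyPass "/manager"      "ajp://127.0.0.1:8009/manager"      secret=CHANGE-ME-LONG-RANDOM
    ProxyPass "/host-manager" "ajp://127.0.0.1:8009/host-manager" secret=CHANGE-ME-LONG-RANDOM

    <LocationMatch "^/(manager|host-manager)">
        AuthType Basic
        AuthName "Tomcat administration"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
        AuthLDAPBindDN "cn=httpd-bind,ou=services,dc=example,dc=com"
        AuthLDAPBindPassword "CHANGE-ME"
        # Membership is checked against the group entry's member attribute (full DNs).
        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDN on
        Require ldap-group cn=tomcat-admins,ou=groups,dc=example,dc=com
    </LocationMatch>
</VirtualHost>
```

Basic credentials travel in the clear on port 80, so in practice the same vhost should terminate TLS (or redirect to one that does) before the LDAP-protected paths are exposed.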
