tomcat-users mailing list archives

From Pid <>
Subject Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Mon, 15 Apr 2013 10:25:19 GMT
On 15/04/2013 03:51, Esmond Pitt wrote:
>>> I agree with your comment. Adding a second box for Tomcat only means I 
>>> also have to configure a firewall between them, whereas using 
>>> 127.0.0.x for Tomcat protects it completely.
>> No it doesn't!
>> Obfuscation or indirection != security.
>> HTTPD doesn't magically provide you with some extra security capability.
> I don't know what you're talking about. I didn't mention HTTPD in the
> message you quoted. I mentioned 127.0.0.x, and it does exactly what I said
> it does. There is no 'security via obscurity' here, just a well-known TCP
> mechanism.

I quote:

> We:
> - Hid the Tomcat behind an Apache HTTPD on port 80.

You used the word 'hid'.

  Not discovered or known about; uncertain.
  Keep from being seen; conceal.

Security via obscurity.

> - Closed port 8080, indeed removed all the HTTP Connectors from Tomcat and
> just used AJP connectors running on, all on the same
> port for simplicity, so there is zero direct access to Tomcat from the
> outside

I am objecting to the above as being an improvement on two counts:

1. the phrase 'direct access' has no meaning here

2. Tomcat still processes the bytes received from the client with no
prior inspection or validation of their safety.

> - Configured Apache HTTPD for LDAP authentication via an OpenLDAP server
> that in turn is configured via the Password Policy overlay for finite (5 I
> think) password retries before locking out the account
> - required a very restricted LDAP group membership for access to /manager
> (and the other Tomcat builtins).

So you secured the Manager app, rather than use a password that could be

> No recurrence, not even an attempt. I think actually closing port 8080 may
> have played the biggest part in all this.

No it didn't.  Using a password that couldn't be guessed did.
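For readers following the setup Esmond describes (HTTPD on port 80 proxying to Tomcat over AJP on loopback, LDAP authentication and a restricted LDAP group for /manager), here is what that looks like in httpd.conf. This is an added example, not configuration posted in the thread; the host names, DNs, group name and ldap.example.com are assumptions.

```apacheconf
# httpd.conf excerpt (added example, not from the thread). Assumes mod_proxy,
# mod_proxy_ajp, mod_ldap and mod_authnz_ldap are loaded, and that OpenLDAP
# (with the ppolicy overlay enforcing the retry limit) runs at ldap.example.com.
Listen 80

# Everything goes to Tomcat's AJP connector on loopback. Tomcat's own HTTP
# connector (8080) has been removed from server.xml; the remaining connector
# is bound to loopback only, e.g.:
#   <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
ProxyRequests    Off
ProxyPass        /  ajp://127.0.0.1:8009/
ProxyPassReverse /  ajp://127.0.0.1:8009/

# The Manager app (and the other Tomcat built-ins, if exposed) is reachable
# only after LDAP authentication AND membership of one small, dedicated group.
<Location /manager>
    AuthType Basic
    AuthName "Tomcat Manager"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=tomcat-admins,ou=groups,dc=example,dc=com
</Location>
```

Note the limit Pid points out: httpd's check gates the URL path and the credentials, but every request it does accept is still handed to Tomcat unchanged, so the Manager's own Tomcat-side credentials must still be strong.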
