tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Tue, 16 Apr 2013 20:28:29 GMT
Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> André,
> 
> On 4/16/13 2:37 PM, André Warnier wrote:
>> Say that it would be easy to implement this in Tomcat, and that we
>> do not collectively find good reasons not to do so, and that it
>> does get implemented.
>>
>> Then I pledge that my next move would be to bring this similarly
>> onto the Apache httpd list (using the Tomcat precedent as an
>> introduction of course (à la "hey guys ? those smart Tomcat
>> developers have just had a great idea etc..")).
> 
> Aren't we just back to mod_security at that point?

No.  mod_security is certainly a great tool, much more capable and flexible and effective
than what I am proposing.
But it suffers from the same issues as the one I mentioned earlier.
Have a look at:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-Introduction

It requires a whole setup in Apache to even start to do something.
In practice, that means that only a small percentage of all webservers on the www will
ever install and use it, which greatly reduces any impact it will have on the www at
large. It will totally protect the 10% of WWW servers on which it is installed, and do
nothing to protect the remaining 90%.
So the botnets will still have 90% of the WWW webservers to scan, and this will keep them
in business. Because for the exploiters of a botnet, the "quality" of the servers into
which they break does not really matter. A poorly-protected Linux server running only one
personal website is just about as valuable as your high-powered 32 GB RAM 8-core monster
when it comes to using it as a platform to attack other sites.
And most of these small, low-budget webservers will precisely be the ones which install
the standard Tomcat or Apache via apt-get or the Windows Installer, and never change a
standard setting.
So it should be a standard feature, and the option should be to turn it off.
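The thread's subject line is a Tomcat access-log entry, `"HEAD /manager/html HTTP/1.0" 404`, i.e. a client probing for the manager application on a server where it is not deployed. The script below is an added example (not code from the post, its author, or the Tomcat project) showing the defender's side of that observation: it parses lines in the format Tomcat's `AccessLogValve` writes with its default `common` pattern (`%h %l %u %t "%r" %s %b`) and reports clients that repeatedly receive 404s for the manager or host-manager paths. The log lines, the IP addresses (RFC 5737 documentation ranges), the `SENSITIVE_PREFIXES` list and the threshold of three hits are all constructed for the example.

```python
import re
from collections import defaultdict

# Matches one line of Tomcat's AccessLogValve "common" pattern:
#   %h %l %u %t "%r" %s %b
# The request line %r is split into method, path and (optional) protocol.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Paths that a default Tomcat install exposes only if the manager webapps are
# deployed; repeated 404s here are a strong scanner signal. (Assumed list.)
SENSITIVE_PREFIXES = ("/manager", "/host-manager")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not
    match the expected pattern (e.g. a truncated or garbage line)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_probing_hosts(lines, threshold=3):
    """Return {client_host: count} for clients that received at least
    `threshold` 404 responses on the sensitive paths.

    Only 404s are counted: a 401 on /manager/html means the manager is
    deployed and the container itself is challenging for credentials, which
    a separate review (who has access, from where) should cover."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the run
        if rec["status"] == 404 and rec["path"].startswith(SENSITIVE_PREFIXES):
            counts[rec["host"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


# Constructed sample log, not real traffic. 192.0.2.10 behaves like the
# scanner from the thread subject; the other clients are ordinary visitors.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Apr/2013:14:37:01 +0000] "HEAD /manager/html HTTP/1.0" 404 -
192.0.2.10 - - [16/Apr/2013:14:37:02 +0000] "GET /manager/html HTTP/1.0" 404 -
192.0.2.10 - - [16/Apr/2013:14:37:03 +0000] "GET /host-manager/html HTTP/1.0" 404 -
198.51.100.7 - - [16/Apr/2013:14:38:10 +0000] "GET /index.jsp HTTP/1.1" 200 1532
198.51.100.7 - - [16/Apr/2013:14:38:11 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [16/Apr/2013:14:39:00 +0000] "GET /favicon.ico HTTP/1.1" 404 -
this line is not in access-log format and is skipped
"""


if __name__ == "__main__":
    for host, n in sorted(find_probing_hosts(SAMPLE_LOG.splitlines()).items()):
        print(f"{host}: {n} x 404 on manager paths")
```

Run against a real log with `find_probing_hosts(open("localhost_access_log.txt"))`. The output is a review list, not a block list: in the discussion above the point is that a stock install gets no such feedback at all, and a report like this is the minimum that lets an administrator notice the scanning before deciding on firewall rules, fail2ban jails or a full mod_security deployment.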

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

