tomcat-users mailing list archives

From Jeffrey Janner <Jeffrey.Jan...@PolyDyne.com>
Subject RE: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Thu, 11 Apr 2013 13:47:31 GMT
> -----Original Message-----
> From: Howard W. Smith, Jr. [mailto:smithh032772@gmail.com]
> Sent: Wednesday, April 10, 2013 7:35 PM
> To: Esmond Pitt
> Cc: Tomcat Users List
> Subject: Re: Tomcat access log reveals hack attempt: "HEAD
> /manager/html HTTP/1.0" 404
> 
> On Wed, Apr 10, 2013 at 8:21 PM, Esmond Pitt <esmond.pitt@bigpond.com> wrote:
> 
> > We had lots of these and finally an attack last year on a Tomcat where
> > the manager password somehow hadn't been changed. The attacker
> > installed a viral servlet application that killed the server
> > completely, we had to rebuild it.
> >
> > We:
> >
> > - Hid the Tomcat behind an Apache HTTPD on port 80.
> > - Closed port 8080, indeed removed all the HTTP Connectors from Tomcat
> > and just used AJP connectors running on 127.0.0.1/2/3/4/..., all on
> > the same port for simplicity, so there is no zero direct access to
> > Tomcat from the outside
> > - Configured Apache HTTPD for LDAP authentication via an OpenLDAP
> > server that in turn is configured via the Password Policy overlay for
> > finite (5 I think) password retries before locking out the account
> > - Required a very restricted LDAP group membership for access to
> > /manager (and the other Tomcat builtins).
> >
> > No recurrence, not even an attempt. I think actually closing port 8080
> > may have played the biggest part in all this.
> >
> > EJP
> >
> >
> +1 I like what you all did! I'm currently not using Apache HTTPD, 'yet'.
> 
> Before I start TomEE/tomcat, I always copy my edited version of
> tomee/tomcat's user file, and I have a strong password in place. When I
> first started using TomEE, and when I had port 3389 open on my Windows
> Server 2008 'development server', I saw someone connect to the tomee
> and tomcat manager apps, and they tried 'many' times to log in to those
> manager app pages.
> 
> I LOL at them, because even though the manager apps were available, I
> already beat them to the punch, because I secured tomee/tomcat by
> commenting out users and/or user groups in the user file, and created
> my own custom user that had a strong password. So, after I saw those
> blatant-and-sorry-hacker attempts, I resolved that by removing manager
> apps whenever I install a new version of tomee/tomcat. Problem solved!!!
> :) And yes, I eventually closed port 3389 on my router, since I
> really don't need it since I am in the office 99.99999% of the time
> doing my work.
> Sometimes, if I have to travel somewhere or sit in a waiting room, while
> my vehicle is being serviced, I do get tempted to open 3389 port on my
> router and do some work at that time. :)
> 

FYI, Howard, this is why they invented VPN technology.


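An added example (not code from this thread or from the Tomcat project): a small Python pass over an access log in the common format that separates one-off probes, like the `HEAD /manager/html` 404 in the subject line, from repeated failed logins and from requests that actually got a manager page back. The log lines are constructed, and the function names and the 401 threshold are assumptions.

```python
import re
from collections import defaultdict

# Common log format, as written by Tomcat's AccessLogValve with pattern="common".
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)
ADMIN_PREFIXES = ("/manager", "/host-manager")  # built-in admin webapps

# Constructed sample lines (documentation address ranges), not from a real log.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2013:03:12:44 -0400] "HEAD /manager/html HTTP/1.0" 404 -
203.0.113.7 - - [10/Apr/2013:03:12:45 -0400] "GET /managerial/report HTTP/1.0" 200 512
198.51.100.23 - - [10/Apr/2013:04:01:10 -0400] "GET /manager/html HTTP/1.1" 401 2474
198.51.100.23 - - [10/Apr/2013:04:01:12 -0400] "GET /host-manager/html HTTP/1.1" 401 2474
198.51.100.23 - - [10/Apr/2013:04:01:13 -0400] "GET /manager/html HTTP/1.1" 401 2474
192.0.2.50 - - [10/Apr/2013:05:30:00 -0400] "GET /manager/html HTTP/1.1" 401 2474
192.0.2.50 - admin [10/Apr/2013:05:30:02 -0400] "GET /manager/html HTTP/1.1" 200 17822
192.0.2.99 - - [10/Apr/2013:06:00:00 -0400] "GET /index.jsp HTTP/1.1" 200 1040
this line is not an access log entry
"""

def is_admin_path(path):
    """True for /manager, /manager/..., /host-manager/... but not /managerial."""
    p = path.split("?", 1)[0]
    return any(p == pre or p.startswith(pre + "/") for pre in ADMIN_PREFIXES)

def summarize(log_text, guess_threshold=3):
    """Map each client to (verdict, number of admin-path requests)."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_admin_path(m.group("path")):
            per_host[m.group("host")].append(int(m.group("status")))
    report = {}
    for host, statuses in per_host.items():
        if any(200 <= s < 300 for s in statuses):
            verdict = "admin-app-served"   # a manager page was returned: investigate
        elif statuses.count(401) >= guess_threshold:  # threshold is an assumed value
            verdict = "password-guessing"
        else:
            verdict = "probe"              # e.g. the 404 from the subject line
        report[host] = (verdict, len(statuses))
    return report

if __name__ == "__main__":
    for host, (verdict, n) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{host:15} {verdict:18} {n} request(s)")
```

A 404 verdict of "probe" means the manager app was not reachable at that path; once the HTTP connector is closed as described in the thread, such requests should stop appearing in Tomcat's own log at all.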