tomcat-users mailing list archives

From "Howard W. Smith, Jr." <>
Subject Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Wed, 10 Apr 2013 17:23:44 GMT

> As others have mentioned, I wouldn't give this too much thought:
> someone is scanning you for vulnerabilities. I'll bet if you log the
> full headers of those requests, you'll see something like
> "admin/admin" or "scott/tiger" in the WWW-Authenticate headers. Just
> someone knocking on your door to see if the latch works. You can
> mostly ignore them.

Nice analogy, and definitely, I can ignore and have been ignoring them.
Just thought I might ask the list, and see if my current securing-tomcat
approach is common and/or sufficient. :)

> On the other hand, I wonder why you are seeing these requests in your
> Tomcat logs, since you:
> > I mentioned earlier that I removed the manager apps. The server is
> > behind a firewall router, port 8080 is port-forwarded from the
> > router to the server, the web app has a login page (and login
> > servlet/filter in place), but SSL is not configured just yet. That
> > is definitely on my to-do list to complete, ASAP, as the CEO has
> > given me the go-ahead.
> Are you not filtering by URL anywhere?

Good question. Not filtering any IP addresses at the firewall level, and
really don't have a need unless some really-serious-harmful infiltration
occurred. Looking at the localhost access logs, I am able to develop a
reliable list of IP addresses to add to a 'safe list', but I have not found
that necessary to do...just yet.

> If you don't expect anyone in Asia to be legitimately accessing your
> site, you could do something drastic like close your site to some CIDR
> pattern that blocks all that stuff.

Interesting. Earlier, Chuck mentioned, "GIYF", and agreed on that point,
and that would be my first step, if I needed to learn a bit more about
CIDR. :)

> On the other hand, we actually have some customers in China and blocking
> them is neither acceptable nor necessary.

Agreed, and I am satisfied with the current configuration I have in place
to 'block China'...and others. :)

> It's just log noise.

Log noise = details, and I love details, and I'm loving my tomcat (tomee)
experience. Learning a lot more 'here', on a higher level, while using
tomcat/tomee. I was amazed, when I saw the logs folder, and the different
log files available, by default. I didn't have all that when I was using
glassfish. Okay okay, NetBeans/Glassfish (reference implementation) helped
me learn Java EE and JSF, and helped me develop Java, Java EE, and JSF
(web) applications. Now, tomcat/tomee is allowing me to have an app that
performs well, etc..., and life, deploying app-or-software-updates, is much
more endurable and no need of any 'patience', since tomcat starts sooo
fast. Plenty of good to say about tomcat/tomee...i'm getting off-topic
here. haha :)
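
The access-log review discussed in this thread, as an added example that is not part of the original message: a Python script that counts requests for the removed manager apps per client and per network, and separately collects clients with successful requests (the raw material for a 'safe list'). It assumes Tomcat's AccessLogValve `common` pattern; the sample lines, the addresses and the /24 grouping are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
# Assumption: context paths of the stock manager apps, which the poster removed.
PROBE_PREFIXES = ("/manager", "/host-manager")

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2013:03:12:01 -0400] "HEAD /manager/html HTTP/1.0" 404 -
203.0.113.7 - - [10/Apr/2013:03:12:02 -0400] "GET /manager/html HTTP/1.0" 404 973
198.51.100.23 - - [10/Apr/2013:08:30:44 -0400] "GET /app/login.jsf HTTP/1.1" 200 5120
203.0.113.99 - - [10/Apr/2013:09:01:10 -0400] "HEAD /manager/html HTTP/1.0" 404 -
192.0.2.15 - - [10/Apr/2013:09:05:00 -0400] "GET /managers-guide.html HTTP/1.1" 200 812
garbage line that does not parse
"""

def is_probe(path):
    """True for the manager apps themselves, not for paths that merely share a prefix."""
    path = path.split("?", 1)[0]
    return any(path == p or path.startswith(p + "/") for p in PROBE_PREFIXES)

def summarize(log_text, prefix_len=24):
    """Return (probes per client, probes per network, clients with a 2xx/3xx response)."""
    per_host, per_net, legit = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the report
        host, status = m["host"], int(m["status"])
        if is_probe(m["path"]):
            per_host[host] += 1
            try:
                net = ipaddress.ip_network(f"{host}/{prefix_len}", strict=False)
                per_net[str(net)] += 1
            except ValueError:
                pass  # %h can be a hostname when DNS lookups are enabled
        elif status < 400:
            legit.add(host)
    return per_host, per_net, legit

if __name__ == "__main__":
    hosts, nets, legit = summarize(SAMPLE_LOG)
    print(dict(hosts), dict(nets), sorted(legit))
```

The per-network count shows whether the probes cluster in a range small enough to express as one CIDR rule, and the set of clients with successful requests shows who such a rule must not catch.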