tomcat-users mailing list archives

From "Howard W. Smith, Jr." <smithh032...@gmail.com>
Subject Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Thu, 11 Apr 2013 20:42:21 GMT
On Thu, Apr 11, 2013 at 9:47 AM, Jeffrey Janner <Jeffrey.Janner@polydyne.com
> wrote:

> > -----Original Message-----
> > From: Howard W. Smith, Jr. [mailto:smithh032772@gmail.com]
> > Sent: Wednesday, April 10, 2013 7:35 PM
> > To: Esmond Pitt
> > Cc: Tomcat Users List
> > Subject: Re: Tomcat access log reveals hack attempt: "HEAD
> > /manager/html HTTP/1.0" 404
> >
> > On Wed, Apr 10, 2013 at 8:21 PM, Esmond Pitt
> > <esmond.pitt@bigpond.com> wrote:
> >
> > > We had lots of these and finally an attack last year on a Tomcat
> > where
> > > the manager password somehow hadn't been changed. The attacker
> > > installed a viral servlet application that killed the server
> > > completely, we had to rebuild it.
> > >
> > > We:
> > >
> > > - Hid the Tomcat behind an Apache HTTPD on port 80.
> > > - Closed port 8080, indeed removed all the HTTP Connectors from
> > Tomcat
> > > and just used AJP connectors running on 127.0.0.1/2/3/4/..., all on
> > > the same port for simplicity, so there is zero direct access to
> > > Tomcat from the outside
> > > - Configured Apache HTTPD for LDAP authentication via an OpenLDAP
> > > server that in turn is configured via the Password Policy overlay for
> > > finite (5 I
> > > think) password retries before locking out the account
> > > - required a very restricted LDAP group membership for access to
> > > /manager (and the other Tomcat builtins).
> > >
> > > No recurrence, not even an attempt. I think actually closing port
> > 8080
> > > may have played the biggest part in all this.
> > >
> > > EJP
> > >
> > >
> > +1 I like what you all did! I'm currently not using Apache HTTPD,
> > 'yet'.
> >
> > Before I start TomEE/tomcat, I always copy my edited version of
> > tomee/tomcat's user file, and I have a strong password in place. When I
> > first started using TomEE, and when I had port 3389 open on my Windows
> > Server 2008 'development server', I saw someone connect to the tomee
> > and tomcat manager apps, and they tried 'many' times to login to those
> > manager app pages.
> >
> > I LOL at them, because even though the manager apps were available, I
> > already beat them to the punch, because I secured tomee/tomcat by
> > commenting out users and/or user groups in the user file, and created
> > my own custom user that had a strong password. So, after I saw those
> > blatant-and-sorry-hacker attempts, I resolved that by removing manager
> > apps whenever I install a new version of tomee/tomcat. Problem solved!!!
> > :) And yes, I eventually closed port 3389 on my router, since I
> > really don't need it since I am in the office 99.99999% of the time
> > doing my work.
> > Sometimes, if I have to travel somewhere or sit in waiting room, while
> > my vehicle is being serviced, I do get tempted to open 3389 port on my
> > router and do some work at that time. :)
> >
>
> FYI, Howard, this is why they invented VPN technology.
>
>
True/agreed! Tried it years ago (when, evidently, our network was slower),
and we were completely turned off by the really really really slow
connection. Honestly, we've been managing well, for years, without VPN.
Thanks Jeffrey!
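
An added example, not part of the original thread: a small triage script for the kind of access-log entries discussed here, separating hosts that only get 404 on the manager apps (removed or unreachable, as described above) from hosts that are answered, hammer the login, or get in. It assumes Tomcat's `common` access log pattern; the log lines are constructed samples, and the function names and the threshold of 3 are hypothetical choices.

```python
import re
from collections import defaultdict

# Assumes the AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
# Built-in admin webapps shipped with Tomcat.
ADMIN_PREFIXES = ("/manager", "/host-manager")

# Constructed sample lines (documentation IP ranges), not from a real log.
SAMPLE_LOG = """\
198.51.100.7 - - [11/Apr/2013:03:14:07 -0400] "HEAD /manager/html HTTP/1.0" 404 -
203.0.113.9 - - [11/Apr/2013:03:15:10 -0400] "GET /manager/html HTTP/1.1" 401 2474
203.0.113.9 - - [11/Apr/2013:03:15:11 -0400] "GET /manager/html HTTP/1.1" 401 2474
203.0.113.9 - - [11/Apr/2013:03:15:12 -0400] "GET /manager/html HTTP/1.1" 401 2474
192.0.2.44 - admin [11/Apr/2013:04:00:00 -0400] "GET /manager/html HTTP/1.1" 200 17432
192.0.2.50 - - [11/Apr/2013:04:01:00 -0400] "GET /index.jsp HTTP/1.1" 200 512
"""

def is_admin_path(path):
    """True if the request targets a built-in admin webapp."""
    path = path.split("?", 1)[0].split(";", 1)[0]  # drop query and ;jsessionid
    return any(path == p or path.startswith(p + "/") for p in ADMIN_PREFIXES)

def classify(statuses, brute_threshold=3):
    """Rank what a single client achieved against the admin webapps."""
    if any(200 <= s < 300 for s in statuses):
        return "ACCESS"        # a request was served: investigate now
    if sum(s == 401 for s in statuses) >= brute_threshold:
        return "BRUTE_FORCE"   # repeated failed logins against a live app
    if any(s != 404 for s in statuses):
        return "EXPOSED"       # the app answered, so it is reachable
    return "PROBE"             # only 404s: app removed or not reachable

def scan(log_text, brute_threshold=3):
    """Map each client host that touched an admin path to a verdict."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_admin_path(m.group("path")):
            per_host[m.group("host")].append(int(m.group("status")))
    return {h: classify(s, brute_threshold) for h, s in per_host.items()}

if __name__ == "__main__":
    for host, verdict in sorted(scan(SAMPLE_LOG).items()):
        print(f"{verdict:12} {host}")
```
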

