tomcat-users mailing list archives

From "Howard W. Smith, Jr." <smithh032...@gmail.com>
Subject Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Wed, 17 Apr 2013 22:20:34 GMT
On Wed, Apr 17, 2013 at 2:39 PM, André Warnier <aw@ice-sa.com> wrote:

>
> Some other calculations :
> According to the same Netcraft site, of the 600 million websites, 60% are
> "Apache" (I guess that this includes httpd and Tomcat (or else Tomcat is in
> "others")).
>
>
This is good to know, and honestly, I'm glad to see/know this. I recently
learned that the web host of my family business 'public' website is using
Apache as well. I recognized this while looking at some specs in the admin
console, provided by the web host on the admin console pages of their
website.

Anyway, again, I like the idea that you're proposing, but a friendly
reminder... something I have recognized (even being new to the list) is
that a *huge* *majority* of *Tomcat* end users are using *older* Tomcat
versions, and even though you all recommend that they update their Tomcat
version for security reasons, how many of them do their best to 'always'
have the latest-n-greatest version of Tomcat?

So, even if 'delay 404' was added, I don't think many of the
already-existing Apache/Tomcat websites will have this new 'delay 404'
feature. :)

Also, the 'delay 404' basically requires a possible change or release note
that says, undeploy or delete manager app (etc...), so this 'delay 404'
feature can be used, since Tomcat's manager app is one of the popular URLs
that hackers or bots target.

Just my two cents...


