tomcat-users mailing list archives

From "Howard W. Smith, Jr." <smithh032...@gmail.com>
Subject Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Thu, 11 Apr 2013 20:43:14 GMT
On Thu, Apr 11, 2013 at 4:39 PM, Christopher Schultz <chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Jeffrey,
>
> On 4/11/13 9:47 AM, Jeffrey Janner wrote:
> >> -----Original Message----- From: Howard W. Smith, Jr.
> >> [mailto:smithh032772@gmail.com] Sent: Wednesday, April 10, 2013
> >> 7:35 PM To: Esmond Pitt Cc: Tomcat Users List Subject: Re: Tomcat
> >> access log reveals hack attempt: "HEAD /manager/html HTTP/1.0"
> >> 404
> >>
> >> On Wed, Apr 10, 2013 at 8:21 PM, Esmond Pitt
> >> <esmond.pitt@bigpond.com>wrote:
> >>
> >>> We had lots of these and finally an attack last year on a
> >>> Tomcat where the manager password somehow hadn't been changed.
> >>> The attacker installed a viral servlet application that killed
> >>> the server completely, we had to rebuild it.
> >>>
> >>> We:
> >>>
> >>> - Hid the Tomcat behind an Apache HTTPD on port 80.
> >>> - Closed port 8080, indeed removed all the HTTP Connectors from
> >>>   Tomcat and just used AJP connectors running on 127.0.0.1/2/3/4/...,
> >>>   all on the same port for simplicity, so there is no direct
> >>>   access to Tomcat from the outside.
> >>> - Configured Apache HTTPD for LDAP authentication via an OpenLDAP
> >>>   server that in turn is configured via the Password Policy overlay
> >>>   for finite (5 I think) password retries before locking out the
> >>>   account.
> >>> - Required a very restricted LDAP group membership for access to
> >>>   /manager (and the other Tomcat builtins).
> >>>
> >>> No recurrence, not even an attempt. I think actually closing
> >>> port 8080 may have played the biggest part in all this.
> >>>
> >>> EJP
> >>>
> >>>
> >> +1 I like what you all did! I'm currently not using Apache
> >> HTTPD, 'yet'.
> >>
> >> Before I start TomEE/tomcat, I always copy my edited version of
> >> tomee/tomcat's user file, and I have a strong password in place.
> >> When I first started using TomEE, and when I had port 3389 open
> >> on my Windows Server 2008 'development server', I saw someone
> >> connect to the tomee and tomcat manager apps, and they tried
> >> 'many' times to log in to those manager app pages.
> >>
> >> I LOL at them, because even though the manager apps were
> >> available, I already beat them to the punch, because I secured
> >> tomee/tomcat by commenting out users and/or user groups in the
> >> user file, and created my own custom user that had a strong
> >> password. So, after I saw those blatant-and-sorry-hacker
> >> attempts, I resolved that by removing manager apps whenever I
> >> install a new version of tomee/tomcat. Problem solved!!! :) And
> >> yes, I eventually closed port 3389 on my router, since I really
> >> don't need it since I am in the office 99.99999% of the time
> >> doing my work. Sometimes, if I have to travel somewhere or sit in
> >> a waiting room while my vehicle is being serviced, I do get tempted
> >> to open 3389 port on my router and do some work at that time. :)
> >>
> >
> > FYI, Howard, this is why they invented VPN technology.
>
> +1
>
> OpenVPN is cheap and relatively easy to set up.
>

Interesting. Thanks, Chris.


>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJRZx+eAAoJEBzwKT+lPKRYTD8P/RYPp4fq476XkWWnBQ+Z5hQn
> sGNkos89wTDvMWDTSaDclZ3zcc8RDGDBq4Mv/iN6TXev9ztZAiw5iQIbWqg1TiMx
> sEgaL++mtvC825epomP8vzxrc7EmAlM/iTLsnUxIxJSFXp93/ntLWy4drPPERxNr
> nXoRBNL9pdwAMln4e693I2TUsezH3zr+bppjfe3pzKWk0JU/Y1+Cp/XycwPKklwK
> qNhtgztqrL7URx28r/GPQ6/yUEoXzEe4PFBB+rZ7XyDqPlH30XmnUBXAU+B0Lr1D
> wekhHVSjVzl4UhgiAFxm1VF4FAuAG/Lvuia7Z4Jt074H7UaGVfsyauurWFn5JC0l
> 8NDVlBqRufHHmUPgZSIctR8vyqp4vbRKCcdL5CdXQ9TgScEWI+cVYzi4VjVz4kyR
> FRKhMZXC4K8lqvMkecLNjNLISp8KhAaGkM9sffzOLzWyqxPG8u7us26MScBKoAaJ
> 60gTJcDZ5jU0mywhJrGBK+X9ceKEIX0fafSiPbQ64Rb/MNxgkD9r92AiE4Ycslbg
> cAEHxioCrrTumCVeFCb9b9a+ZMXVw0LlBtUUeo8V5q/9KXTfQ5WFhXKPadN6tbP3
> ERGTFXZUU+8Kbe5ziv5m/039RUaOXnAFLUN46JcNfT2sKn/KkirV9DifxmnP3roh
> E/MwnaE4+YWdG5WSdvRa
> =28Nh
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
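
Added example, not code posted by anyone in this thread: the sort of check a defender can run over a Tomcat access log to surface the probing the subject line describes (repeated requests to /manager and /host-manager from addresses outside the administrative network). It assumes the AccessLogValve's default "common" pattern (%h %l %u %t "%r" %s %b), a constructed set of sample log lines, and an assumed trusted network of 192.168.1.0/24; adjust TRUSTED_NETS and ADMIN_PREFIXES to your own deployment.

```python
import ipaddress
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
ACCESS_LINE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Built-in Tomcat admin contexts that untrusted clients should never reach
ADMIN_PREFIXES = ("/manager", "/host-manager")

# Assumed trusted administrative network (assumption, not from the thread)
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample lines in the default "common" format (not a real log)
SAMPLE_LOG = """\
203.0.113.5 - - [11/Apr/2013:09:47:12 +0000] "HEAD /manager/html HTTP/1.0" 404 -
203.0.113.5 - - [11/Apr/2013:09:47:13 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [11/Apr/2013:09:47:14 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [11/Apr/2013:09:47:15 +0000] "GET /host-manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [11/Apr/2013:09:48:01 +0000] "GET /myapp/index.jsf HTTP/1.1" 200 5120
192.168.1.20 - admin [11/Apr/2013:09:50:00 +0000] "GET /manager/html HTTP/1.1" 200 12034
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = ACCESS_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_admin_path(path):
    """True for the admin context itself or anything below it (not e.g. /managerial)."""
    return any(path == p or path.startswith(p + "/") for p in ADMIN_PREFIXES)


def is_trusted(host, trusted_nets=TRUSTED_NETS):
    """True when the client address lies inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames or malformed fields are never treated as trusted
    return any(addr in net for net in trusted_nets)


def manager_probes(log_text, trusted_nets=TRUSTED_NETS):
    """Summarise admin-context requests from untrusted clients, keyed by client address."""
    findings = defaultdict(lambda: {"count": 0, "statuses": set(), "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_admin_path(rec["path"]):
            continue
        if is_trusted(rec["host"], trusted_nets):
            continue
        f = findings[rec["host"]]
        f["count"] += 1
        f["statuses"].add(rec["status"])
        f["paths"].add(rec["path"])
    return dict(findings)


if __name__ == "__main__":
    for host, f in manager_probes(SAMPLE_LOG).items():
        print(f"{host}: {f['count']} admin-context requests, "
              f"statuses={sorted(f['statuses'])}, paths={sorted(f['paths'])}")
```

Any untrusted address that shows up in the result, even with only 401/404 responses, is a client that can reach the admin contexts at all; once Tomcat's HTTP connector is closed and only a localhost AJP connector remains, as described earlier in the thread, such entries should stop appearing, so the check doubles as a verification that the change took effect.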
