tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Howard W. Smith, Jr." <>
Subject Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Thu, 11 Apr 2013 00:35:21 GMT
On Wed, Apr 10, 2013 at 8:21 PM, Esmond Pitt <>wrote:

> We had lots of these and finally an attack last year on a Tomcat where the
> manager password somehow hadn't been changed. The attacker installed a
> viral
> servlet application that killed the server completely, we had to rebuild
> it.
> We:
> - Hid the Tomcat behind an Apache HTTPD on port 80.
> - Closed port 8080, indeed removed all the HTTP Connectors from Tomcat and
> just used AJP connectors running on, all on the same
> port for simplicity, so there is no zero direct access to Tomcat from the
> outside
> - Configured Apache HTTPD for LDAP authentication via an OpenLDAP server
> that in turn is configured via the Password Policy overlay for finite (5 I
> think) password retries before locking out the account
> - required a very restricted LDAP group membership for access to /manager
> (and the other Tomcat builtins).
> No recurrence, not even an attempt. I think actually closing port 8080 may
> have played the biggest part in all this.
+1 I like what you all did! I'm currently not using Apache HTTPD, 'yet'.

Before I start TomEE/tomcat, I always copy my edited version of
tomee/tomcat's user file, and I have a strong password in place. when I
first started using TomEE, and when I had port 3389 open on my Windows
Server 2008 'development server', I saw someone connect to the tomee and
tomcat manager apps, and they tried 'many' times to login to those manager
app pages.

I LOL at them, because even though the manager apps were available, i
already beat them to the punch, because I secured tomee/tomcat by
commenting out users and/or user groups in the user file, and created my
own custom user that had a strong password. So, after I saw those
blatent-and-sorry-hacker attempts, I resolved that by removing manager apps
whenever I install new version of tomee/tomcat. Problem solved!!! :) And
 yes, i eventually, closed port 3389 on my router, since I really don't
need it since I am in the office 99.99999% of the time doing my work.
Sometimes, if I have to travel somewhere or sit in waiting room, while my
vehicle is being service, I do get tempted to open 3389 port on my router
and do some work at that time. :)

I really like the idea of LDAP, but honestly, I have no need for that,
since endusers of the app connect to the web app via mobile devices, from
laptop/PCs (via their home ISPs), etc...

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message