tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Howard W. Smith, Jr." <smithh032...@gmail.com>
Subject Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Date Wed, 17 Apr 2013 21:46:46 GMT
On Wed, Apr 17, 2013 at 10:45 AM, chris derham <chris@derham.me.uk> wrote:

> The OWASP recommendations for securing tomcat suggest removing all items
> under
> catalina_home/webapps as a first step. Just a thought.
>
> The first step an attacker performs when conducting a focused attack,
> is to map out the server. The presence of a response to
> http://server:8080/manager/html/ would seem to indicate a default
> install of tomcat. Once that have this initial reconnaissance
> performed, they will move onto using known exploits against it. By
> removing manager app from the default install, this would be made one
> step harder. You can't really prevent a dedicated attacker, but making
> it one step harder to attack your server, might make the
> not-bothered-which-server-I-attack guy move on to easier pickings
>

+1 Chris! When I migrated from Glassfish 3.1.2.2 to Tomcat/tomee late last
year, this is really what I wanted. I forgot the default port (since I'm no
longer a Glassfish user), but I liked how Glassfish defaulted home-grown
web apps on port 8080, and Glassfish Admin web application was on port 4848
(just remembered that).

When I experienced my first 'attack' on my development server, that is what
I wanted. it would be nice to know how to re-configure my tomcat/tomee, so
the manager app will be on port 4848, or something like that, but being the
novice that I am, I did not know how to do it, and I honestly confess that
I did not read the tomcat documentation on how to do it. :)

Trying to catch up on all the responses. I wanted to respond to a few other
posts, but thought I might keep reading. Now, I will go back to reading
more of the responses.



> If you deliberately delay 404 by a known amount of time, it will still
> stick out, and they can use this just as much as a positive
> indication.
>

I agree with this. 'delay 404' sounds like a good idea, but how many of
those botnet developers are on this list 'today', reading this discussion?
In no time, and IMHO, I'm sure they can/will develop a botnet that is
'tolerant' of delay 404, or something similar.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message