Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Delivered-To: mailing list users@tomcat.apache.org
From: Pïd stèr
To: Tomcat Users List
Date: Fri, 12 Apr 2013 18:54:16 +0100
Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Message-ID: <-6557982305128822109@unknownmsgid>
In-Reply-To: <51671EC1.1000305@christopherschultz.net>
References: <99C8B2929B39C24493377AC7A121E21FC4A7CE620C@USEA-EXCH8.na.uis.unisys.com>
 <51671EC1.1000305@christopherschultz.net>

On 11 Apr 2013, at 21:36, Christopher Schultz wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Esmond,
>
> On 4/10/13 8:21 PM, Esmond Pitt wrote:
>> We had lots of these and finally an attack last year on a Tomcat
>> where the manager password somehow hadn't been changed.
>
> Note that the manager webapp has no default passwords, so I wonder
> what you mean when you say it "hadn't been changed". There are
> examples in conf/tomcat-users.xml but they are all commented-out.
>
> You would have had to intentionally enable the "default" password.
>
>> The attacker installed a viral servlet application that killed the
>> server completely; we had to rebuild it.
>
> I -- like most people I would guess -- don't run under a
> SecurityManager, but doing so can significantly limit the damage that
> a rogue webapp can do.
>
>> We:
>>
>> - Hid the Tomcat behind an Apache HTTPD on port 80.
>
> Did you also remove manager webapp access through httpd? Otherwise,
> this doesn't actually do anything to help.
>
>> - Closed port 8080, indeed removed all the HTTP Connectors from
>> Tomcat and just used AJP connectors running on 127.0.0.1/2/3/4/...,
>> all on the same port for simplicity, so there is zero direct
>> access to Tomcat from the outside
>
> +1, though I would run Apache httpd and Tomcat on different hosts, so
> localhost-binding is not possible unless you are doing something like
> stunnel (which also might be a good idea if you are traversing an
> untrusted network).

Respectfully, I have to disagree.

Unless the Apache HTTPD is loaded with IDS that can sniff the inbound
traffic, you've not achieved much, and now you have two boxes that have
to be maintained, secured & patched.

HTTPD != firewall.

p

>> - Configured Apache HTTPD for LDAP authentication via an OpenLDAP
>> server that in turn is configured via the Password Policy overlay
>> for finite (5 I think) password retries before locking out the
>> account
>
> +2 -- both good ideas: central access control (LDAP) and enabling
> lockout mechanism. Note that Tomcat's lockout mechanism is fairly
> primitive and easy to game.
>
>> - required a very restricted LDAP group membership for access to
>> /manager (and the other Tomcat builtins).
>
> +1 hooray for role-based permissions!
>
>> No recurrence, not even an attempt. I think actually closing port
>> 8080 may have played the biggest part in all this.
>
> Would you be willing to review the Tomcat documentation on "securing
> Tomcat" and make a few comments? It could always use some additional tips:
>
> http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
> http://wiki.apache.org/tomcat/FAQ/Security
>
> You can sign-up for the wiki yourself and make any changes you want.
> If you want to modify the "official" documentation, create a Bugzilla
> enhancement request and (please!) include a patch. I'm sure it will go
> right in.
>
> Thanks,
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJRZx7AAAoJEBzwKT+lPKRY+3MP/3c8kZZU43cMaxkXTi/ELXha
> Hv6rAeGz4nnpMNn2C002cTRgZ39vomUXYdsLMnNIshn05JDVIZmLLoUXk6UzY9go
> uH0QdAubBxhvwC/CWeLjUuSjy/Ei4vKeB7xJNw/FQ2xXEt47FWv36e0vgxOyluX+
> gbkB3KQlN6PXtQENGvkOGT5oWLK9M7WUydGSWq9lXR+akwWeL3jWRAlLl6bHYybQ
> n70c5wq/rJbEj+k9yCHsMZvPabYs5ejsz6wHvvw4Emrxcp4LVVjCuY2Z87Yhdtb4
> B43tF48be9GUZCXDvtIjiS5phHMhpqyJakHuZ7GSvzDIeuiNZ96XuoDkIG1bwWjf
> Z5SMCSjkSPqDKJ1cXcd8AaSYgI2C3KQnuFrbTD7bVqQHOeq7RJZp3+xE0IUNPl+V
> H2PNpUfXD9BDbPiiDt8bcgvcrImejW0RDumQ2fwbTVvt4OaybVsMUsVFW8lUtw3A
> YhvFn/WCEdR8VaY9PkqYm84BVMsQJBbBdb5clYiAtVQRky1NPS+hcIihnf85DkNU
> vr6rv/oK0aMXAamwUagmRe5OjTHuHczERPYgEUMpppnlXuNV1mLxBib8+HInGg3/
> Y5i28tTd7fS5uo7/CZv+9uEZdDUO7utWGT0W+gBaIkh35/yZI5a1l5wi0szYduQe
> t3nftQXUTCYtK1QNwKND
> =3s6Q
> -----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
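Added example, not part of the thread or of the Tomcat project: a Python script covering the two practical points above. It audits a server.xml for connectors that are still reachable from another host (the "remove the HTTP connectors, keep AJP on 127.0.0.x" step Esmond describes, including the check that an AJP connector with no address attribute binds every interface), and it scans Tomcat access-log lines in the default "common" pattern for requests to /manager or /host-manager from non-loopback clients, the probe in the subject line of this thread. The server.xml, the log lines, the IP addresses and the function names are constructed for the example; nothing here is Tomcat's own code.

```python
"""Added example (not from the thread or the Tomcat project): audit a
Tomcat server.xml for connectors reachable from off-box, and scan
access-log lines for probes against the manager webapps.
All inputs below are constructed sample data."""
import ipaddress
import re
import xml.etree.ElementTree as ET  # fine for a local server.xml; use defusedxml for untrusted XML
from collections import Counter

# Constructed server.xml: an HTTP connector on all interfaces (what the
# thread removes), two AJP connectors on loopback sharing a port (what it
# keeps), and an AJP connector on a routable address (still reachable).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.2"/>
    <Connector port="8010" protocol="AJP/1.3" address="10.0.0.5"/>
  </Service>
</Server>
"""

# Constructed lines in AccessLogValve's "common" pattern: %h %l %u %t "%r" %s %b
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:17:54:20 +0000] "HEAD /manager/html HTTP/1.0" 404 -
203.0.113.7 - - [12/Apr/2013:17:54:21 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [12/Apr/2013:17:54:22 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.9 - - [12/Apr/2013:17:55:01 +0000] "GET /index.html HTTP/1.1" 200 1234
127.0.0.1 - ops [12/Apr/2013:17:56:00 +0000] "GET /manager/html HTTP/1.1" 200 19876
"""


def is_loopback(addr):
    """True for localhost and anything in 127.0.0.0/8 or ::1."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_connectors(server_xml):
    """Return (port, protocol, address, reason) for every connector another
    host could reach: any HTTP connector, or any connector whose 'address'
    is absent (Tomcat then binds every interface) or not loopback."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        proto = c.get("protocol", "HTTP/1.1")   # Tomcat's default protocol
        addr = c.get("address", "0.0.0.0")      # absent => all interfaces
        port = c.get("port")
        if "HTTP" in proto.upper():
            findings.append((port, proto, addr,
                             "HTTP connector present; remove it and reach Tomcat only via AJP from httpd"))
        elif not is_loopback(addr):
            findings.append((port, proto, addr,
                             "connector not bound to loopback; reachable from the network"))
    return findings


LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)')
MANAGER_RE = re.compile(r"^/(?:manager|host-manager)(?:/|$)")


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_manager_probes(lines):
    """Parsed records for manager/host-manager requests from non-loopback
    clients. A 404 is a probe for a manager app that is not deployed;
    repeated 401s are password guessing against one that is."""
    probes = []
    for line in lines:
        rec = parse_line(line)
        if rec and MANAGER_RE.match(rec["path"]) and not is_loopback(rec["host"]):
            probes.append(rec)
    return probes


def probes_by_host(probes):
    """Count probes per (client, status) so one IP hammering 401s stands out."""
    return Counter((p["host"], p["status"]) for p in probes)


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        print("connector port=%s proto=%s address=%s: %s" % f)
    for (host, status), n in probes_by_host(find_manager_probes(SAMPLE_LOG.splitlines())).items():
        print("%s -> %s x%d" % (host, status, n))
```

Run it against a real server.xml and the current localhost_access_log to get both views at once; the connector audit is the check worth keeping in a config-review script, since a connector with no address attribute looks innocuous in the file but listens on every interface.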