From: Christopher Schultz
To: Tomcat Users List
Date: Wed, 10 Apr 2013 16:32:55 -0400
Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
Message-ID: <5165CC77.5090508@christopherschultz.net>
References: <51659AD9.6000607@christopherschultz.net>

Howard,

On 4/10/13 1:23 PM, Howard W. Smith, Jr. wrote:
>> As others have mentioned, I wouldn't give this too much thought:
>> someone is scanning you for vulnerabilities. I'll bet if you log
>> the full headers of those requests, you'll see something like
>> "admin/admin" or "scott/tiger" in the WWW-Authenticate headers.
>> Just someone knocking on your door to see if the latch works. You
>> can mostly ignore them.
>>
>
> Nice analogy, and definitely, I can ignore and have been ignoring
> them. Just thought I might ask the list, and see if my current
> securing-tomcat approach is common and/or sufficient. :)

There is a free utility for *NIX systems called fail2ban which can be
configured to scan log files (and other data sources) for certain
patterns. You can do things like say "if we get 10 or more failed
requests from a certain IP address, update the firewall to drop all
packets from that IP for a while". I wonder if there exists something
like that for the Windows world.

You can have fail2ban watch things like failed attempts to login to
ssh, and I think you could probably do something like that with 404
responses from your web-service logs, too.
Of course, you have to make sure that your site doesn't have too many
"legit" 404s on it that people will trigger this rather draconian
response, but you can always un-ban them fairly easily :)

>> On the other hand, I wonder why you are seeing these requests in
>> your Tomcat logs, since you:
>>
>>> I mentioned earlier that I removed the manager apps. The server
>>> is behind a firewall router, port 8080 is port-forwarded from
>>> the router to the server, the web app has login page (and
>>> login servlet/filter in place), but SSL is not configured just
>>> yet. That is definitely on my to-do list to complete, ASAP, as
>>> the CEO has given me the go-ahead.
>>
>> Are you not filtering by URL anywhere?
>
> Good question. Not filtering any IP addresses at the firewall
> level, and really don't have a need unless some
> really-serious-harmful infiltration occurred. Looking at the
> localhost access logs, I am able to develop a reliable list of IP
> addresses to add to a 'safe list', but I have not found that
> necessary to do...just yet.

If you find that you are getting lots of penetration attempts from a
small set of IP addresses, just firewall them out.

>> If you don't expect anyone in Asia to be legitimately accessing
>> your site, you could do something drastic like close your site to
>> some CIDR pattern that blocks all that stuff.
>
> Interesting. Earlier, Chuck mentioned, "GIYF", and agreed on that
> point, and that would be my first step, if I needed to learn a bit
> more about CIDR. :)

192.168.1.223/17

It allows you to specify a bit pattern and bitmask at the same time.
-chris
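The two ideas in the message above, a fail2ban-style "N 404s from one IP inside a time window, then ban" rule over Tomcat access-log lines, and a CIDR safe list evaluated as bit pattern plus bitmask, worked as one added example. This is not code from the thread or from the fail2ban project; the log lines are constructed in Tomcat's "common" access-log format (%h %l %u %t "%r" %s %b), and the threshold, window and safe-list CIDR are illustrative assumptions named after fail2ban's maxretry, findtime and ignoreip settings.

```python
"""fail2ban-style 404 jail over Tomcat access-log lines, with a CIDR safe list.

Added example, not part of the original thread or of fail2ban itself. The
log lines below are constructed in the Tomcat "common" access-log format
(%h %l %u %t "%r" %s %b); maxretry/findtime/safe_list are assumed values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Tomcat "common" access log: client IP, ident, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def ip_to_int(ip):
    """Dotted quad -> 32-bit integer."""
    a, b, c, d = (int(o) for o in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def in_cidr(ip, cidr):
    """True if ip falls inside cidr. The /N suffix is the bitmask (keep the
    top N bits) and the address part is the bit pattern those bits must
    match: 192.168.1.223/17 keeps 17 bits, so 192.168.0.0-192.168.127.255
    all match and the host bits of .1.223 are irrelevant."""
    net, bits = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return (ip_to_int(ip) & mask) == (ip_to_int(net) & mask)


def find_bans(lines, maxretry=3, findtime=600, safe_list=()):
    """Return {ip: timestamp-of-ban} for every client that produced maxretry
    or more 404s within a sliding findtime-second window, skipping clients
    inside any safe_list CIDR (mirrors fail2ban's maxretry/findtime/ignoreip).
    Lines must be in time order per client IP, as an access log is."""
    hits = defaultdict(deque)  # ip -> recent 404 timestamps (epoch seconds)
    banned = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "404":
            continue
        ip = m.group("ip")
        if ip in banned or any(in_cidr(ip, c) for c in safe_list):
            continue
        t = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
        q = hits[ip]
        q.append(t)
        while q and t - q[0] > findtime:  # drop hits older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = m.group("ts")
    return banned


# Constructed sample log; addresses are documentation/private ranges.
SAMPLE_LOG = [
    # slow scanner: three 404s spread over 20 minutes, outside findtime -> no ban
    '203.0.113.9 - - [10/Apr/2013:16:00:00 -0400] "HEAD /manager/html HTTP/1.0" 404 -',
    '203.0.113.9 - - [10/Apr/2013:16:05:00 -0400] "HEAD /manager/html HTTP/1.0" 404 -',
    '203.0.113.9 - - [10/Apr/2013:16:20:00 -0400] "HEAD /manager/html HTTP/1.0" 404 -',
    # scanner probing the (removed) manager app: three 404s in two minutes -> ban
    '203.0.113.7 - - [10/Apr/2013:16:30:01 -0400] "HEAD /manager/html HTTP/1.0" 404 -',
    '203.0.113.7 - - [10/Apr/2013:16:30:02 -0400] "GET /manager/html HTTP/1.0" 404 -',
    # legitimate user with a single "legit" 404 (favicon) -> no ban
    '198.51.100.5 - - [10/Apr/2013:16:30:40 -0400] "GET /app/login HTTP/1.1" 200 1532',
    '198.51.100.5 - - [10/Apr/2013:16:30:41 -0400] "GET /favicon.ico HTTP/1.1" 404 -',
    '203.0.113.7 - - [10/Apr/2013:16:31:55 -0400] "GET /host-manager/html HTTP/1.0" 404 -',
    # internal host inside the safe-listed /17: three 404s, never banned
    '192.168.5.9 - - [10/Apr/2013:16:32:00 -0400] "GET /old1 HTTP/1.1" 404 -',
    '192.168.5.9 - - [10/Apr/2013:16:32:01 -0400] "GET /old2 HTTP/1.1" 404 -',
    '192.168.5.9 - - [10/Apr/2013:16:32:02 -0400] "GET /old3 HTTP/1.1" 404 -',
]

if __name__ == "__main__":
    for ip, ts in find_bans(SAMPLE_LOG, safe_list=("192.168.1.223/17",)).items():
        print(f"ban {ip} (threshold reached at {ts})")
```

The safe list is what keeps the "legit 404s" caveat from biting your own users: without it, 192.168.5.9 is banned just like the scanner. In real fail2ban the equivalent pieces are a filter whose failregex anchors on `<HOST>` and the 404 status, plus `maxretry`, `findtime`, `bantime` and `ignoreip` in the jail definition; the sliding window above is the same logic those settings drive.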