On Wed, Apr 10, 2013 at 8:21 PM, Esmond Pitt <esmond.p...@bigpond.com>wrote:
> We had lots of these and finally an attack last year on a Tomcat where the
> manager password somehow hadn't been changed. The attacker installed a viral
> servlet application that killed the server completely, we had to rebuild it.
>
> We:
>
> - Hid the Tomcat behind an Apache HTTPD on port 80.
> - Closed port 8080, indeed removed all the HTTP Connectors from Tomcat and
>   just used AJP connectors running on 127.0.0.1/2/3/4/..., all on the same
>   port for simplicity, so there is zero direct access to Tomcat from the
>   outside.
> - Configured Apache HTTPD for LDAP authentication via an OpenLDAP server
>   that in turn is configured via the Password Policy overlay for finite (5 I
>   think) password retries before locking out the account.
> - Required a very restricted LDAP group membership for access to /manager
>   (and the other Tomcat builtins).
>
> No recurrence, not even an attempt. I think actually closing port 8080 may
> have played the biggest part in all this.
>
> EJP

+1 I like what you all did! I'm currently not using Apache HTTPD, 'yet'.

Before I start TomEE/Tomcat, I always copy my edited version of TomEE/Tomcat's user file, and I have a strong password in place.

When I first started using TomEE, and when I had port 3389 open on my Windows Server 2008 'development server', I saw someone connect to the TomEE and Tomcat manager apps, and they tried 'many' times to log in to those manager app pages. I LOL at them, because even though the manager apps were available, I had already beaten them to the punch: I secured TomEE/Tomcat by commenting out users and/or user groups in the user file, and created my own custom user that had a strong password.

So, after I saw those blatant-and-sorry-hacker attempts, I resolved that by removing the manager apps whenever I install a new version of TomEE/Tomcat. Problem solved!!! :)

And yes, I eventually closed port 3389 on my router, since I really don't need it, since I am in the office 99.99999% of the time doing my work. Sometimes, if I have to travel somewhere or sit in a waiting room while my vehicle is being serviced, I do get tempted to open port 3389 on my router and do some work at that time. :)

I really like the idea of LDAP, but honestly, I have no need for that, since end users of the app connect to the web app via mobile devices, from laptops/PCs (via their home ISPs), etc...
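The two hardening steps the thread keeps coming back to (no HTTP connector reachable from outside, AJP bound only to loopback, and no manager-role account left with a default password) can be checked mechanically. The script below is an added example, not code from the original post or from Tomcat or TomEE; it parses the stock `server.xml` and `tomcat-users.xml` layouts and reports anything that violates those rules. Both sample documents and the list of default-looking passwords are constructed for the demonstration.

```python
"""Static audit of Tomcat's server.xml and tomcat-users.xml for the
exposure points discussed in the thread: HTTP connectors that make Tomcat
directly reachable, AJP connectors not bound to loopback, and accounts that
hold manager/admin roles (flagging default-looking passwords).
Assumes the stock Tomcat file layouts; the sample documents below are
constructed for the demonstration and are not real deployments."""
import xml.etree.ElementTree as ET

# Constructed server.xml: one HTTP connector, one AJP connector open to all
# interfaces, and two AJP connectors on the same port bound to loopback
# addresses (the layout EJP describes).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.2"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>"""

# Constructed tomcat-users.xml (the namespace is what newer Tomcat ships).
SAMPLE_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="appuser"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,admin-gui"/>
  <user username="deployer" password="c7Q!v9Lp2mX#tR4w" roles="manager-script"/>
  <user username="alice" password="N0t-A-Manager-Acct" roles="appuser"/>
</tomcat-users>"""

# Roles that grant access to the manager/host-manager built-ins.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}
# Constructed list of default-looking passwords a scanner would try first.
DEFAULT_PASSWORDS = {"tomcat", "admin", "password", "s3cret", "manager", ""}
LOOPBACK = ("127.", "::1", "localhost")


def local_name(tag):
    """Strip an XML namespace ({uri}tag -> tag); tomcat-users.xml may carry one."""
    return tag.rsplit("}", 1)[-1]


def is_loopback(address):
    """True only if the connector is explicitly bound to a loopback address."""
    return address is not None and address.startswith(LOOPBACK)


def audit_connectors(server_xml):
    """Return one finding per Connector that leaves Tomcat reachable from
    outside the host: any HTTP connector, or an AJP connector whose
    'address' attribute is missing or not loopback."""
    findings = []
    for el in ET.fromstring(server_xml).iter():
        if local_name(el.tag) != "Connector":
            continue
        proto = el.get("protocol", "HTTP/1.1")  # Tomcat's default protocol
        port, addr = el.get("port"), el.get("address")
        if "ajp" in proto.lower():
            if not is_loopback(addr):
                findings.append(f"AJP connector on port {port} listens on "
                                f"{addr or 'all interfaces'}; bind it to 127.0.0.x")
        else:
            findings.append(f"HTTP connector ({proto}) on port {port}; remove it "
                            "and reach Tomcat only via AJP from the front-end HTTPD")
    return findings


def audit_users(users_xml):
    """Return one finding per account holding a manager/admin role, noting
    when its password is on the default list or equals the username."""
    findings = []
    for el in ET.fromstring(users_xml).iter():
        if local_name(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = roles & MANAGER_ROLES
        if not privileged:
            continue
        pw = el.get("password", "")
        weak = pw.lower() in DEFAULT_PASSWORDS or pw.lower() == name.lower()
        findings.append(f"user '{name}' holds {sorted(privileged)}"
                        + ("; password looks like a default, change it" if weak else ""))
    return findings


if __name__ == "__main__":
    for line in audit_connectors(SAMPLE_SERVER_XML) + audit_users(SAMPLE_USERS_XML):
        print("FINDING:", line)
```

Run against real files by reading `conf/server.xml` and `conf/tomcat-users.xml` into the two functions; an empty result from both means Tomcat is only reachable through the AJP path the front-end HTTPD uses and no manager account is carrying a guessable password. Note that newer Tomcat releases refuse to start an AJP connector unless a `secret` is configured or `secretRequired="false"` is set explicitly, so a loopback binding alone no longer satisfies the startup check there.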