> -----Original Message-----
> From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
> Sent: Wednesday, April 10, 2013 7:35 PM
> To: Esmond Pitt
> Cc: Tomcat Users List
> Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
>
> On Wed, Apr 10, 2013 at 8:21 PM, Esmond Pitt <esmond.p...@bigpond.com> wrote:
>
> > We had lots of these and finally an attack last year on a Tomcat where
> > the manager password somehow hadn't been changed. The attacker
> > installed a viral servlet application that killed the server
> > completely; we had to rebuild it.
> >
> > We:
> >
> > - Hid the Tomcat behind an Apache HTTPD on port 80.
> > - Closed port 8080, indeed removed all the HTTP Connectors from Tomcat
> >   and just used AJP connectors running on 127.0.0.1/2/3/4/..., all on
> >   the same port for simplicity, so there is zero direct access to
> >   Tomcat from the outside.
> > - Configured Apache HTTPD for LDAP authentication via an OpenLDAP
> >   server that in turn is configured via the Password Policy overlay for
> >   finite (5 I think) password retries before locking out the account.
> > - Required a very restricted LDAP group membership for access to
> >   /manager (and the other Tomcat builtins).
> >
> > No recurrence, not even an attempt. I think actually closing port 8080
> > may have played the biggest part in all this.
> >
> > EJP
> >
>
> +1 I like what you all did! I'm currently not using Apache HTTPD, 'yet'.
>
> Before I start TomEE/tomcat, I always copy my edited version of
> tomee/tomcat's user file, and I have a strong password in place. When I
> first started using TomEE, and when I had port 3389 open on my Windows
> Server 2008 'development server', I saw someone connect to the tomee
> and tomcat manager apps, and they tried 'many' times to login to those
> manager app pages.
>
> I LOL at them, because even though the manager apps were available, I
> already beat them to the punch, because I secured tomee/tomcat by
> commenting out users and/or user groups in the user file, and created
> my own custom user that had a strong password. So, after I saw those
> blatant-and-sorry-hacker attempts, I resolved that by removing manager
> apps whenever I install a new version of tomee/tomcat. Problem solved!!!
> :) And yes, I eventually closed port 3389 on my router, since I
> really don't need it since I am in the office 99.99999% of the time
> doing my work.
>
> Sometimes, if I have to travel somewhere or sit in a waiting room while
> my vehicle is being serviced, I do get tempted to open the 3389 port on my
> router and do some work at that time. :)
>
FYI, Howard, this is why they invented VPN technology.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
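A defender's audit of the controls the thread settles on (no HTTP connector reachable from outside, AJP bound to loopback, and no stray manager accounts left in the user file), written as an added example for this thread and not code from either poster. The server.xml and tomcat-users.xml samples are constructed; the connector defaults assumed (HTTP/1.1 when protocol is omitted, all interfaces when address is omitted) are Tomcat's documented defaults.

```python
# Added example: audit a Tomcat config against the hardening in this thread
# (no HTTP connector beyond loopback, AJP on loopback, no stray manager users).
import xml.etree.ElementTree as ET
from ipaddress import ip_address

# Constructed: the exposed layout the thread warns about.
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3"/>
</Service></Server>"""
# Constructed: HTTP connector removed, AJP bound to loopback, httpd in front.
HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"/>
</Service></Server>"""
# Constructed tomcat-users.xml that still carries a manager account.
USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="dev" password="x" roles="webdev"/>
</tomcat-users>"""

def is_loopback(addr):
    try:
        return ip_address(addr).is_loopback
    except ValueError:          # a hostname; only "localhost" counts
        return addr == "localhost"

def audit_connectors(server_xml):
    """Return findings; an empty list means the layout matches the advice."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        proto = c.get("protocol", "HTTP/1.1")  # Tomcat's default protocol
        addr = c.get("address", "0.0.0.0")     # omitted address = all interfaces
        port = c.get("port")
        if proto.startswith("AJP"):
            if not is_loopback(addr):
                findings.append(f"AJP {port} bound to {addr}, not loopback")
        elif not is_loopback(addr):
            findings.append(f"HTTP {port} reachable from outside ({addr})")
    return findings

def manager_users(users_xml):
    """Usernames granted any manager role; empty once the manager app is gone."""
    hits = []
    for u in ET.fromstring(users_xml).iter():
        if u.tag.rsplit("}", 1)[-1] == "user":   # tolerate the xmlns
            roles = [r.strip() for r in u.get("roles", "").split(",")]
            if any(r == "manager" or r.startswith("manager-") for r in roles):
                hits.append(u.get("username"))
    return hits
```

Run both checks against a real CATALINA_BASE/conf before exposing a server; a non-empty result from either is the condition Esmond's and Howard's steps remove.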