Esmond,

On 4/10/13 8:21 PM, Esmond Pitt wrote:
> We had lots of these and finally an attack last year on a Tomcat
> where the manager password somehow hadn't been changed.

Note that the manager webapp has no default passwords, so I wonder what you mean when you say it "hadn't been changed". There are examples in conf/tomcat-users.xml but they are all commented out. You would have had to intentionally enable the "default" password.

> The attacker installed a viral servlet application that killed the
> server completely, we had to rebuild it.

I -- like most people I would guess -- don't run under a SecurityManager, but doing so can significantly limit the damage that a rogue webapp can do.

> We:
>
> - Hid the Tomcat behind an Apache HTTPD on port 80.

Did you also remove manager webapp access through httpd? Otherwise, this doesn't actually do anything to help.

> - Closed port 8080, indeed removed all the HTTP Connectors from
> Tomcat and just used AJP connectors running on 127.0.0.1/2/3/4/...,
> all on the same port for simplicity, so there is zero direct
> access to Tomcat from the outside

+1, though I would run Apache httpd and Tomcat on different hosts, so localhost-binding is not possible unless you are doing something like stunnel (which also might be a good idea if you are traversing an untrusted network).

> - Configured Apache HTTPD for LDAP authentication via an OpenLDAP
> server that in turn is configured via the Password Policy overlay
> for finite (5 I think) password retries before locking out the
> account

+2 -- both good ideas: central access control (LDAP) and enabling a lockout mechanism. Note that Tomcat's lockout mechanism is fairly primitive and easy to game.

> - required a very restricted LDAP group membership for access to
> /manager (and the other Tomcat builtins).

+1 hooray for role-based permissions!

> No recurrence, not even an attempt. I think actually closing port
> 8080 may have played the biggest part in all this.
Would you be willing to review the Tomcat documentation on "securing Tomcat" and make a few comments? It could always use some additional tips:

http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
http://wiki.apache.org/tomcat/FAQ/Security

You can sign up for the wiki yourself and make any changes you want. If you want to modify the "official" documentation, create a Bugzilla enhancement request and (please!) include a patch. I'm sure it will go right in.

Thanks,
-chris
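Added example, not code from the thread or from the Tomcat project: a small Python audit of the configuration points discussed above (no HTTP connector left in server.xml, every AJP connector bound to a loopback address, and no live manager-role account in tomcat-users.xml). It assumes Tomcat 7-era defaults (an omitted protocol means HTTP/1.1, an omitted address means all interfaces); the sample XML is constructed and the function names are my own.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not a real deployment): an HTTP connector on 8080,
# an AJP connector bound to a loopback address, and an AJP connector left unbound.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.2"/>
    <Connector port="8010" protocol="AJP/1.3"/>
  </Service>
</Server>"""

# Constructed sample tomcat-users.xml: shipped example still commented out, live manager account added.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
<!-- <user username="tomcat" password="tomcat" roles="manager-gui"/> -->
  <user username="deploy" password="constructed" roles="manager-script,admin-gui"/>
</tomcat-users>"""

def is_loopback(addr):
    """True for 127.0.0.0/8, ::1 or 'localhost'; anything else is False."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"

def audit_connectors(server_xml):
    """Flag any HTTP connector (direct outside access) and any AJP connector not bound
    to a loopback address (Tomcat 7 listens on all interfaces when 'address' is absent)."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat's default when omitted
        address = conn.get("address")
        if "ajp" in protocol.lower():
            if address is None or not is_loopback(address):
                findings.append(f"AJP connector on port {port} listens on "
                                f"{address or 'all interfaces'}; bind it to a loopback address")
        else:
            findings.append(f"HTTP connector on port {port} ({protocol}); remove it so "
                            f"Tomcat is reachable only over AJP from httpd")
    return findings

def active_manager_users(users_xml):
    """Usernames with a manager-* role; ElementTree drops XML comments, so commented-out examples never count."""
    root = ET.fromstring(users_xml)
    return [u.get("username") for u in root.iter()
            if u.tag.rsplit("}", 1)[-1] == "user"
            and any(r.strip().startswith("manager-") for r in u.get("roles", "").split(","))]
```

Run it against a real conf/server.xml and conf/tomcat-users.xml by reading the files into the two functions; an empty findings list and an empty user list is the state the thread's setup ends in.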