Jeffrey,

On 4/11/13 9:47 AM, Jeffrey Janner wrote:
>> -----Original Message-----
>> From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
>> Sent: Wednesday, April 10, 2013 7:35 PM
>> To: Esmond Pitt
>> Cc: Tomcat Users List
>> Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
>>
>> On Wed, Apr 10, 2013 at 8:21 PM, Esmond Pitt <esmond.p...@bigpond.com> wrote:
>>
>>> We had lots of these and finally an attack last year on a Tomcat where
>>> the manager password somehow hadn't been changed. The attacker
>>> installed a viral servlet application that killed the server
>>> completely; we had to rebuild it.
>>>
>>> We:
>>>
>>> - Hid the Tomcat behind an Apache HTTPD on port 80.
>>> - Closed port 8080, indeed removed all the HTTP Connectors from Tomcat
>>>   and just used AJP connectors running on 127.0.0.1/2/3/4/..., all on
>>>   the same port for simplicity, so there is zero direct access to
>>>   Tomcat from the outside.
>>> - Configured Apache HTTPD for LDAP authentication via an OpenLDAP
>>>   server that in turn is configured via the Password Policy overlay
>>>   for finite (5 I think) password retries before locking out the
>>>   account.
>>> - Required a very restricted LDAP group membership for access to
>>>   /manager (and the other Tomcat builtins).
>>>
>>> No recurrence, not even an attempt. I think actually closing port 8080
>>> may have played the biggest part in all this.
>>>
>>> EJP
>>
>> +1 I like what you all did! I'm currently not using Apache HTTPD, 'yet'.
>>
>> Before I start TomEE/tomcat, I always copy my edited version of
>> tomee/tomcat's user file, and I have a strong password in place.
>> When I first started using TomEE, and when I had port 3389 open
>> on my Windows Server 2008 'development server', I saw someone
>> connect to the tomee and tomcat manager apps, and they tried
>> 'many' times to login to those manager app pages.
>>
>> I LOL at them, because even though the manager apps were available, I
>> already beat them to the punch, because I secured tomee/tomcat by
>> commenting out users and/or user groups in the user file, and created
>> my own custom user that had a strong password. So, after I saw those
>> blatant-and-sorry-hacker attempts, I resolved that by removing manager
>> apps whenever I install a new version of tomee/tomcat. Problem
>> solved!!! :) And yes, I eventually closed port 3389 on my router, since
>> I really don't need it since I am in the office 99.99999% of the time
>> doing my work. Sometimes, if I have to travel somewhere or sit in a
>> waiting room while my vehicle is being serviced, I do get tempted to
>> open 3389 port on my router and do some work at that time. :)
>>
>
> FYI, Howard, this is why they invented VPN technology.

+1 OpenVPN is cheap and relatively easy to set up.

-chris
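The layout Esmond describes (no HTTP connector, AJP bound to loopback only, httpd in front doing LDAP authentication and requiring a small admin group for /manager), written out as an added example httpd configuration that is not from the thread; the LDAP host, the DNs, the group name cn=tomcat-admins and AJP port 8009 are assumptions.

```apache
# Added example (not from the thread): httpd in front of Tomcat as Esmond describes.
# Assumed: ldap.example.internal, the DNs below, group cn=tomcat-admins, AJP on 8009.
#
# Tomcat side (conf/server.xml): delete the default
#   <Connector port="8080" protocol="HTTP/1.1" .../>
# and keep only an AJP connector bound to loopback, so nothing off the host
# can reach Tomcat directly (this is the "close 8080" step):
#   <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009" redirectPort="8443" />

LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_ajp_module    modules/mod_proxy_ajp.so
LoadModule ldap_module         modules/mod_ldap.so
LoadModule authnz_ldap_module  modules/mod_authnz_ldap.so

Listen 80

# The application itself is proxied through to Tomcat over AJP.
ProxyPass        "/myapp" "ajp://127.0.0.1:8009/myapp"
ProxyPassReverse "/myapp" "ajp://127.0.0.1:8009/myapp"

# The manager webapp is only reachable through httpd, and only after LDAP
# authentication plus membership in a restricted admin group.
<Location "/manager">
    AuthType Basic
    AuthName "Tomcat Manager"
    AuthBasicProvider ldap
    # Users are looked up by uid under ou=people. Lockout after repeated bad
    # passwords is enforced on the OpenLDAP side by the ppolicy overlay
    # (pwdMaxFailure 5, pwdLockout TRUE), not by httpd.
    AuthLDAPURL "ldap://ldap.example.internal/ou=people,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=tomcat-admins,ou=groups,dc=example,dc=com
</Location>
ProxyPass        "/manager" "ajp://127.0.0.1:8009/manager"
ProxyPassReverse "/manager" "ajp://127.0.0.1:8009/manager"

# host-manager, if it is left installed, gets the same <Location> block.
# Basic auth sends the password with every request, so in practice this
# <Location> belongs in a TLS (port 443) virtual host rather than on port 80.
```

Paths that have no ProxyPass entry are never forwarded to Tomcat, so the probe from the subject line ("HEAD /manager/html") now hits httpd's authentication layer and an LDAP lockout counter rather than Tomcat's own login.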