On Wed, Apr 17, 2013 at 10:45 AM, chris derham <ch...@derham.me.uk> wrote:
> The OWASP recommendations for securing tomcat suggest removing all items
> under catalina_home/webapps as a first step. Just a thought.
>
> The first step an attacker performs when conducting a focused attack,
> is to map out the server. The presence of a response to
> http://server:8080/manager/html/ would seem to indicate a default
> install of tomcat. Once they have this initial reconnaissance
> performed, they will move onto using known exploits against it. By
> removing manager app from the default install, this would be made one
> step harder. You can't really prevent a dedicated attacker, but making
> it one step harder to attack your server, might make the
> not-bothered-which-server-I-attack guy move on to easier pickings

+1 Chris!

When I migrated from Glassfish 3.1.2.2 to Tomcat/tomee late last year, this is really what I wanted. I forgot the default port (since I'm no longer a Glassfish user), but I liked how Glassfish defaulted home-grown web apps on port 8080, and the Glassfish Admin web application was on port 4848 (just remembered that).

When I experienced my first 'attack' on my development server, that is what I wanted. It would be nice to know how to re-configure my tomcat/tomee, so the manager app will be on port 4848, or something like that, but being the novice that I am, I did not know how to do it, and I honestly confess that I did not read the tomcat documentation on how to do it. :)

Trying to catch up on all the responses. I wanted to respond to a few other posts, but thought I might keep reading. Now, I will go back to reading more of the responses.

> If you deliberately delay 404 by a known amount of time, it will still
> stick out, and they can use this just as much as a positive
> indication.

I agree with this. 'delay 404' sounds like a good idea, but how many of those botnet developers are on this list 'today', reading this discussion? In no time, and IMHO, I'm sure they can/will develop a botnet that is 'tolerant' of delay 404, or something similar.
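The Glassfish-style split the poster asks for (home-grown apps on 8080, the manager app on a separate admin port such as 4848) can be done in Tomcat with a second `Service` in conf/server.xml. The fragment below is an added example written for this thread; it is not code from the Tomcat or TomEE projects or from any poster. It assumes Tomcat 7 configuration syntax (what TomEE shipped on at the time), that the manager app has been moved out of `webapps/` into a hypothetical directory named `manager-apps` under CATALINA_BASE, and that the `UserDatabase` resource and realm are the stock ones from the default server.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread or the Tomcat project): conf/server.xml
     serving the manager app from its own Connector on port 4848, separate from
     the application Service on 8080. Directory name "manager-apps" and port
     4848 are assumptions; 4848 merely mirrors the Glassfish admin port. -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- Stock user database backing the manager login (conf/tomcat-users.xml). -->
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!-- Service 1: home-grown web apps on 8080, as in the default install.
       Because webapps/manager has been moved away, a request to
       http://server:8080/manager/html/ now gets a plain 404 here. -->
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>

  <!-- Service 2: admin only. Its Host has a separate appBase that contains
       nothing but the manager app. address="127.0.0.1" keeps the admin port
       off the network interface; reach it over an SSH tunnel. -->
  <Service name="Admin">
    <Connector port="4848" protocol="HTTP/1.1"
               address="127.0.0.1"
               connectionTimeout="20000" />
    <Engine name="Admin" defaultHost="localhost">
      <!-- Same realm chain as the stock config, so manager-gui users in
           tomcat-users.xml keep working and brute-force attempts lock out. -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase" />
      </Realm>
      <Host name="localhost" appBase="manager-apps"
            unpackWARs="true" autoDeploy="false">
        <!-- Belt and braces: even on the bound-to-loopback port, only accept
             clients that arrive from the local host. -->
        <Valve className="org.apache.catalina.valves.RemoteAddrValve"
               allow="127\.\d+\.\d+\.\d+|::1" />
      </Host>
    </Engine>
  </Service>
</Server>
```

To use it: stop Tomcat, move `webapps/manager` into the new `manager-apps` directory (and delete the other sample apps under `webapps/` per the OWASP advice quoted above), make sure the account you log in with has the `manager-gui` role in conf/tomcat-users.xml, and restart. The manager is then at http://127.0.0.1:4848/manager/html/ on the server itself, while port 8080 no longer reveals it. If the box has to be administered from elsewhere, widen the `RemoteAddrValve` pattern and the Connector `address` deliberately rather than removing them.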