Hi Ognjen,

On 12.7.2013 6:51, Chanaka Dharmarathna wrote:
>
>> I'm using Tomcat 7.0.40 for a hosted application. I have not configured any
>> user accounts for Tomcat (admin, manager, user, etc.). Recently my deployed
>> web application was damaged. Restarting Tomcat recovered it.
>>
>> But it seems someone tried to access my Tomcat and delete some files (I
>> guess the class file of index.jsp, as mentioned in the log). I have added my
>> log files [0], [1], [2] and [3]. Currently I have my jsp directory outside the
>> WEB-INF directory (yes, it's bad practice and I'll correct it).
>
> Tomcat is complaining that it is not able to read class files of compiled
> JSPs (index.jsp and 401.jsp). It is not clear how those class files were
> deleted -- was it through an application security breach, Tomcat, the OS, or a
> local user who accidentally deleted them or changed access privileges? From the
> log files I am unable to tell that.
>
> Keep in mind that if the attacker was able to modify Tomcat's work
> directory he was most certainly able to modify the logs directory as well, so
> there is a possibility that the log files are altered.
>
>> 1. Do you see any issues after looking at my log files? Maybe due to a bad
>> configuration/practice, etc.
>
> For a start, remove ALL web applications you don't need -- probably
> everything except your own application. If you don't use the manager
> application, remove it. If you do need it, configure the manager application to
> accept connections only from trusted IP addresses, use an unexpected username
> (something different from "manager", "admin" or "tomcat"), and use a strong
> password.
>
> Run the Tomcat service always as an unprivileged user (e.g. tomcat, not root).
>
> Start reading and practicing what is written here:
>
> http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
>
>> 2. And can someone delete files if there are no user accounts for Tomcat?
>
> The Tomcat process must be able to modify the work, logs and temp directories in
> order to work properly. Therefore a poorly written webapp, or (less likely) a
> bug in Tomcat, may allow a remote attacker to modify or delete files at least
> in those three directories. If other Tomcat directories are writable by the
> user running Tomcat, the attacker may also do other nasty things (alter JSPs,
> install new webapps and so on). In the worst case, if you run your Tomcat
> service as user root, a bug in your webapp might allow the attacker to take
> full control over your server.

Thanks for your valuable thoughts on this. I'll follow these instructions to secure my Tomcat.

Regards!

--
*Chanaka*
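The following configuration is an example added to this thread to show, concretely, the two manager-application measures Ognjen recommends (accept connections only from trusted addresses, and use a non-obvious username). It is not code from the thread or from the Tomcat project; the file paths follow the standard Tomcat 7 layout, the address 203.0.113.10 is a constructed placeholder for a trusted admin host, and the account name and password value are placeholders to be replaced.

```xml
<!-- File: webapps/manager/META-INF/context.xml (standard Tomcat 7 layout, assumed).
     RemoteAddrValve matches the client address against the regular expression
     in "allow"; anything that does not match the whole expression is refused
     with HTTP 403 before authentication is even attempted.
     127.x.x.x / ::1 cover loopback; 203.0.113.10 is a constructed placeholder
     for a single trusted administration host. -->
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|203\.0\.113\.10" />
</Context>

<!-- File: conf/tomcat-users.xml (assumed path).
     One account with a name that is not "manager", "admin" or "tomcat",
     only the manager-gui role (no manager-script / manager-jmx), and a
     placeholder that must be replaced by a long random password. -->
<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="ops-deployer-7f3a"
        password="REPLACE_WITH_LONG_RANDOM_PASSWORD"
        roles="manager-gui"/>
</tomcat-users>
```

After restarting Tomcat, requests to /manager from any address outside the allow list are rejected with 403 and never reach the login prompt, so password guessing from the Internet is no longer possible against that application; the account in tomcat-users.xml only matters for the hosts that pass the valve. Running the service as an unprivileged user, the other point in the reply above, is a property of the service/startup configuration rather than of these two files.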