Mark,
On 11/25/13, 5:08 AM, Mark Thomas wrote:
> Folks that disabled the LockOutRealm in server.xml that protects
> against brute-force password attacks (against any app - not just
> the Manager) should probably be worried.

I had configured my Manager using a custom manager.xml file and had overlooked that particular protection. Thanks for the reminder. I am using localhost-only and a password, so I should be all set, but it hurts nothing to add LockOutRealm and gives a modicum of additional protection.

> The one thing that is new is that this exploit appears to be
> self-replicating.

+1 ... which isn't really that creative.

> Unrelated to this issue, I have recently expanded the section of
> the docs that covers securing the default applications. The updates
> will be in the next release. Until then you can read it via the
> copy of the docs built by the CI system:
> http://ci.apache.org/projects/tomcat/tomcat8/docs/security-howto.html#Default_web_applications
>
> The one question this raises for me is should the Manager
> application be limited to localhost by default? I'd be interested
> in the community's views on that.

I would support such a change. Anyone who wants to run a remotely-accessible Manager should be [forced to be] competent enough to modify that restriction.

> Personally, I can't stand the taste of caffe but I did enjoy my
> beverage of choice.

Aw. Note that Coffee and Espresso are quite different experiences. I highly recommend trying the latter if you haven't recently.
-chris
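The two protections the thread talks about, a LockOutRealm in server.xml and a Manager restricted to localhost, written out as Tomcat configuration. This is an added illustration for readers of the thread, not configuration posted by Chris or Mark and not the Tomcat project's shipped files. It assumes a Tomcat 7/8 layout where the Realm is declared in conf/server.xml and the Manager's context file lives at conf/Catalina/localhost/manager.xml (the "custom manager.xml" mentioned above); the failureCount and lockOutTime values are Tomcat's documented defaults, spelled out so that they are visible.

```xml
<!-- conf/server.xml: wrap whatever Realm is already in use inside a
     LockOutRealm. Failed logins against ANY web application (not just the
     Manager) count toward failureCount; once a user name reaches that many
     failures within lockOutTime seconds, further logins for that name are
     refused for lockOutTime seconds. Values shown are the documented
     defaults; omitting the attributes gives the same behaviour. -->
<Realm className="org.apache.catalina.realm.LockOutRealm"
       failureCount="5"
       lockOutTime="300">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>
</Realm>

<!-- conf/Catalina/localhost/manager.xml (assumed path for a custom Manager
     context): only accept Manager requests from the loopback address, both
     IPv4 and IPv6. The allow attribute is a regular expression matched
     against the client IP, hence the escaped dots. Any other client is
     answered with 403 before authentication is even attempted, so a
     password guess from outside never reaches the Realm. -->
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>
```

Two things worth checking after applying this: the LockOutRealm only protects applications whose Realm is actually nested inside it, so a Realm declared separately inside a Context or Host is not covered; and because the lockout is keyed on the user name, repeated bad passwords for a real account lock that account out for the lockOutTime, which shows up as a warning in the Tomcat log and is the signal to look for when diagnosing "my password stopped working" reports.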