Folks,
Just a short note to let you know that Warren and I have been working this
off-list and have identified how this attack was launched.
I'd like to take this opportunity to publicly thank Warren for taking the
time to work with me on this when he had a lot more important things to do
than answer my questions.
The manager application was installed with a user name and password that
the attackers were able to brute force. Once they had access to the manager
application they were able to install their own web application that
allowed them wider access to the box.
This isn't the first report of a rouge application that we have seen on the
Tomcat security list. Where we have had sufficient detail to trace how the
application was installed, it has always been via an existing management tool.
Therefore, I would like to take the opportunity to remind users to ensure
that any potentially user accessible administration interface is suitably
secured. The following isn't an exhaustive list but things to consider include:
- don't use and standard user names for administrative users
- do use strong passwords, especially for administrative users
- uninstall web applications you don't need (admin, manager, host-manager,
examples, webdav, etc)
- use Remote Host/Address filters to limit access to administrative
applications
- enable access logging so if something does go wrong you have some
information to work with
- regularly review your access logs for evidence of potential attacks
- run Tomcat as a dedicated user with the minimum privileges possible
Finally, a small advert. I am presenting a session on Tomcat security at
ApacheCon in November that will cover the above and a whole lot more.
Mark
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
