-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Howard,
On 4/10/13 7:32 AM, Howard W. Smith, Jr. wrote: > Every now and then, I like to review localhost_access_log files, > just to see who might be trying to access my web app, running on > TomEE 1.6.0 snapshot (Tomcat 7.0.39). So, a few minutes ago, I saw > the following in the log: > > 113.11.200.30 - - [09/Apr/2013:19:26:58 -0400] "HEAD /manager/html > HTTP/1.0" 404 - > > This is an unfamiliar ip address to me, and I have already prepared > the app/tomcat for these type of attacks. How? by removing any/all > tomee/tomcat (manager/web) apps. I did that some time ago, when I > first migrated from glassfish to tomee/tomcat, and that was the > best/easiest way I knew how to prevent these type of attacks. > > Can someone please give/share some background on this type of > attack? As others have mentioned, I wouldn't give this too much thought: someone is scanning you for vulnerabilities. I'll bet if you log the full headers of those requests, you'll see something like "admin/admin" or "scott/tiger" in the WWW-Authenticate headers. Just someone knocking on your door to see if the latch works. Can you mostly ignore them. On the other hand, I wonder why you are seeing these requests in your Tomcat logs, since you: > I mentioned earlier that I removed the manager apps. The server is > behind a firewall router, port 8080 is port-forwarded from the > router to the server, the web app has login page (and login > servlet/filter in place), but SSL is not configured just yet. That > is definitely on my to-do list to complete, ASAP, as the CEO has > given me the go-ahead. Are you not filtering by URL anywhere? I guess it's uncommon to do content-filtering at the firewall level (unless you are talking about porno filters or whatever) but there are ways to block these requests before they even get to your web server. If you don't expect anyone in Asia to be legitimately accessing your site, you could do something drastic like close your site to some CIDR pattern that blocks all that stuff. Most of the traffic we get from China is of the type you describe: requests for /manager/html or various commonly poorly-configured PHP or IIS apps, etc. None of them make any difference to us because they will all fail. On the other hand, we actually have some customers in China and blocking them is neither acceptable nor necessary. It's just log noise. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJRZZrYAAoJEBzwKT+lPKRYpS8P/AlNfy7I60ixXNleF3IJGD62 Ey/jRyfOgPnEfS4J/rt8007qhpxTXeuXqmY20nrWr+dIsQVsllXTrhasKqsQR6Ba CAlSkTUHRFMFjHnFmH/uzGCS/LB0iFqdxWf/2HrGJevinPt10J1O5j1TsmmIIqiK d6wNpbAh0+jNgTsgKduEvJxNo+7QDWs3qJuAdUFDBeQCGIofpSvfzj68W1mY2kvS iuZ24MWW+wuU3DgNjAWmnctcC8CDnXHB9YwNoQM5jKzaldelukQ3CFzBCEDa7utp jVYFAGI16OOjwqV/fbzTcVAqWp4AOjcFhv2u9vAPkJXSZujkbD/9x+5mNwqts6LX 5MoqlFnAatGgOEKKQMa5IWhXlo+kGjR+kIbdPeklTnDSRUpKplpo/NSVLv3TvezZ t+lz1Ya07/03mMTbiepHTR3PjeXXQP1VNSjdVyyNLirgdmW7pfcXq+uTzw/dJHyQ WzWtbKz2U1B3kySWx8mNaK5i2T2hr8oN8yCtfoGMlGKJujvUjU9vgVRjRZR4cfCk BRKhZsJ3nENoixg8FPZNA6jXMI6j8YW/8ZEJYVLe9gL0gHHriZu1xAOYNXNcmpsI 00OffGtR7Cao0Q7kwgVnfPxdUJ/I7PUsJWgFBEzxZ+dUOZUqYI6sik+MsHVlhVoh gC43QxSpD7NMnqhdC7bU =WYC0 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
