On Thu, Apr 11, 2013 at 4:39 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Jeffrey,
>
> On 4/11/13 9:47 AM, Jeffrey Janner wrote:
>
>> -----Original Message-----
>> From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
>> Sent: Wednesday, April 10, 2013 7:35 PM
>> To: Esmond Pitt
>> Cc: Tomcat Users List
>> Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html HTTP/1.0" 404
>>
>> On Wed, Apr 10, 2013 at 8:21 PM, Esmond Pitt <esmond.p...@bigpond.com> wrote:
>>
>>> We had lots of these and finally an attack last year on a Tomcat where
>>> the manager password somehow hadn't been changed. The attacker
>>> installed a viral servlet application that killed the server
>>> completely; we had to rebuild it.
>>>
>>> We:
>>>
>>> - Hid the Tomcat behind an Apache HTTPD on port 80.
>>> - Closed port 8080, indeed removed all the HTTP Connectors from Tomcat
>>>   and just used AJP connectors running on 127.0.0.1/2/3/4/..., all on
>>>   the same port for simplicity, so there is zero direct access to
>>>   Tomcat from the outside.
>>> - Configured Apache HTTPD for LDAP authentication via an OpenLDAP
>>>   server that in turn is configured via the Password Policy overlay
>>>   for finite (5 I think) password retries before locking out the
>>>   account.
>>> - Required a very restricted LDAP group membership for access to
>>>   /manager (and the other Tomcat builtins).
>>>
>>> No recurrence, not even an attempt. I think actually closing port 8080
>>> may have played the biggest part in all this.
>>>
>>> EJP
>>>
>>
>> +1 I like what you all did! I'm currently not using Apache HTTPD, 'yet'.
>>
>> Before I start TomEE/tomcat, I always copy my edited version of
>> tomee/tomcat's user file, and I have a strong password in place.
>> When I first started using TomEE, and when I had port 3389 open on my
>> Windows Server 2008 'development server', I saw someone connect to the
>> tomee and tomcat manager apps, and they tried 'many' times to login to
>> those manager app pages.
>>
>> I LOL at them, because even though the manager apps were available, I
>> already beat them to the punch, because I secured tomee/tomcat by
>> commenting out users and/or user groups in the user file, and created my
>> own custom user that had a strong password. So, after I saw those
>> blatant-and-sorry-hacker attempts, I resolved that by removing manager
>> apps whenever I install a new version of tomee/tomcat. Problem solved!!! :)
>> And yes, I eventually closed port 3389 on my router, since I really don't
>> need it since I am in the office 99.99999% of the time doing my work.
>> Sometimes, if I have to travel somewhere or sit in a waiting room while
>> my vehicle is being serviced, I do get tempted to open the 3389 port on
>> my router and do some work at that time. :)
>>
>
>> FYI, Howard, this is why they invented VPN technology.
>
> +1
>
> OpenVPN is cheap and relatively easy to set up.

Interesting. Thanks Chris.
>
> - -chris
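The setup Esmond describes above (Tomcat reachable only over AJP on loopback, with /manager and the other built-in apps gated by Apache HTTPD doing LDAP authentication against a small admin group) written out as an Apache HTTPD 2.4 configuration. This is an added example, not a configuration posted by anyone in the thread; the hostnames, DNs, group name, bind credentials and AJP port 8009 are assumed placeholders.

```apache
# Added example (not from the thread): httpd 2.4 front end for Tomcat.
# Requires mod_proxy, mod_proxy_ajp, mod_ldap and mod_authnz_ldap to be
# loaded. All names below are assumed placeholders.
Listen 80
<VirtualHost *:80>
    ServerName app.example.com

    # Tomcat has had its HTTP connectors removed and exposes only an AJP
    # connector bound to 127.0.0.1:8009, so the only way in is via httpd.
    ProxyRequests Off
    ProxyPass        / ajp://127.0.0.1:8009/
    ProxyPassReverse / ajp://127.0.0.1:8009/

    # Tomcat's built-in admin apps need an LDAP login plus membership of a
    # deliberately small admin group. Lockout after a few failed passwords
    # is enforced by the directory (OpenLDAP ppolicy overlay, pwdMaxFailure),
    # so httpd does not need its own rate limiting for these paths.
    <LocationMatch "^/(manager|host-manager)(/|$)">
        AuthType Basic
        AuthName "Tomcat administration"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
        AuthLDAPBindDN "cn=httpd,ou=services,dc=example,dc=com"
        AuthLDAPBindPassword "REPLACE_WITH_BIND_PASSWORD"
        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDN on
        Require ldap-group cn=tomcat-admins,ou=groups,dc=example,dc=com
    </LocationMatch>
</VirtualHost>
```

On the Tomcat side the matching change is to delete the `<Connector port="8080" protocol="HTTP/1.1" .../>` element from server.xml and give the AJP connector `address="127.0.0.1"`, so port 8080 stops listening altogether. Because Basic auth carries the password in the clear, put this virtual host behind TLS rather than serving the admin paths on plain port 80.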