On 11 Apr 2013, at 21:36, Christopher Schultz <ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Esmond, > > On 4/10/13 8:21 PM, Esmond Pitt wrote: >> We had lots of these and finally an attack last year on a Tomcat >> where the manager password somehow hadn't been changed. > > Note that the manager webapp has no default passwords, so I wonder > what you mean when you say it "hadn't been changed". There are > examples in conf/tomcat-users.xml but they are all commented-out. > > You would have had to intentionally enable the "default" password. > >> The attacker installed a viral servlet application that killed the >> server completely, we had to rebuild it. > > I -- like most people I would guess -- don't run under a > SecurityManager, but doing so can significantly limit the damage that > a rogue webapp can do. > >> We: >> >> - Hid the Tomcat behind an Apache HTTPD on port 80. > > Did you also remove manager webapp access through httpd? Otherwise, > this doesn't actually do anything to help. > >> - Closed port 8080, indeed removed all the HTTP Connectors from >> Tomcat and just used AJP connectors running on 127.0.0.1/2/3/4/..., >> all on the same port for simplicity, so there is no zero direct >> access to Tomcat from the outside > > +1, though I would run Apache httpd and Tomcat on different hosts, so > localhost-binding is not possible unless you are doing something like > stunnel (which also might be a good idea if you are traversing an > untrusted network). Respectfully, I have to disagree. Unless the Apache HTTPD is loaded with IDS that can sniff the inbound traffic, you've not achieved much, and now you have two boxes that have to be maintained, secured & patched. HTTPD != firewall. p > >> - Configured Apache HTTPD for LDAP authentication via an OpenLDAP >> server that in turn is configured via the Password Policy overlay >> for finite (5 I think) password retries before locking out the >> account > > +2 -- both good ideas: central access control (LDAP) and enabling > lockout mechanism. Note that Tomcat's lockout mechanism is fairly > primitive and easy to game. > >> - required a very restricted LDAP group membership for access to >> /manager (and the other Tomcat builtins). > > +1 hooray for role-based permissions! > >> No recurrence, not even an attempt. I think actually closing port >> 8080 may have played the biggest part in all this. > > Would you be willing to review the Tomcat documentation on "securing > Tomcat" and make a few comments? It could always use some additional tips: > > http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html > http://wiki.apache.org/tomcat/FAQ/Security > > You can sign-up for the wiki yourself and make any changes you want. > If you want to modify the "official" documentation, create a Bugzilla > enhancement request and (please!) include a patch. I'm sure it will go > right in. > > Thanks, > - -chris > -----BEGIN PGP SIGNATURE----- > Version: GnuPG/MacGPG2 v2.0.17 (Darwin) > Comment: GPGTools - http://gpgtools.org > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iQIcBAEBCAAGBQJRZx7AAAoJEBzwKT+lPKRY+3MP/3c8kZZU43cMaxkXTi/ELXha > Hv6rAeGz4nnpMNn2C002cTRgZ39vomUXYdsLMnNIshn05JDVIZmLLoUXk6UzY9go > uH0QdAubBxhvwC/CWeLjUuSjy/Ei4vKeB7xJNw/FQ2xXEt47FWv36e0vgxOyluX+ > gbkB3KQlN6PXtQENGvkOGT5oWLK9M7WUydGSWq9lXR+akwWeL3jWRAlLl6bHYybQ > n70c5wq/rJbEj+k9yCHsMZvPabYs5ejsz6wHvvw4Emrxcp4LVVjCuY2Z87Yhdtb4 > B43tF48be9GUZCXDvtIjiS5phHMhpqyJakHuZ7GSvzDIeuiNZ96XuoDkIG1bwWjf > Z5SMCSjkSPqDKJ1cXcd8AaSYgI2C3KQnuFrbTD7bVqQHOeq7RJZp3+xE0IUNPl+V > H2PNpUfXD9BDbPiiDt8bcgvcrImejW0RDumQ2fwbTVvt4OaybVsMUsVFW8lUtw3A > YhvFn/WCEdR8VaY9PkqYm84BVMsQJBbBdb5clYiAtVQRky1NPS+hcIihnf85DkNU > vr6rv/oK0aMXAamwUagmRe5OjTHuHczERPYgEUMpppnlXuNV1mLxBib8+HInGg3/ > Y5i28tTd7fS5uo7/CZv+9uEZdDUO7utWGT0W+gBaIkh35/yZI5a1l5wi0szYduQe > t3nftQXUTCYtK1QNwKND > =3s6Q > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
