On 13 Apr 2013, at 03:33, Esmond Pitt <esmond.p...@bigpond.com> wrote:
> I agree with your comment. Adding a second box for Tomcat only means I also > have to configure a firewall between them, whereas using 127.0.0.x for > Tomcat protects it completely. No it doesn't! Obfuscation or indirection != security. HTTPD doesn't magically provide you with some extra security capability. p > > -----Original Message----- > From: Pïd stèr [mailto:p...@pidster.com] > Sent: Saturday, 13 April 2013 3:54 AM > To: Tomcat Users List > Subject: Re: Tomcat access log reveals hack attempt: "HEAD /manager/html > HTTP/1.0" 404 > > On 11 Apr 2013, at 21:36, Christopher Schultz <ch...@christopherschultz.net> > wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA256 >> >> Esmond, >> >> On 4/10/13 8:21 PM, Esmond Pitt wrote: >>> We had lots of these and finally an attack last year on a Tomcat >>> where the manager password somehow hadn't been changed. >> >> Note that the manager webapp has no default passwords, so I wonder >> what you mean when you say it "hadn't been changed". There are >> examples in conf/tomcat-users.xml but they are all commented-out. >> >> You would have had to intentionally enable the "default" password. >> >>> The attacker installed a viral servlet application that killed the >>> server completely, we had to rebuild it. >> >> I -- like most people I would guess -- don't run under a >> SecurityManager, but doing so can significantly limit the damage that >> a rogue webapp can do. >> >>> We: >>> >>> - Hid the Tomcat behind an Apache HTTPD on port 80. >> >> Did you also remove manager webapp access through httpd? Otherwise, >> this doesn't actually do anything to help. >> >>> - Closed port 8080, indeed removed all the HTTP Connectors from >>> Tomcat and just used AJP connectors running on 127.0.0.1/2/3/4/..., >>> all on the same port for simplicity, so there is no zero direct >>> access to Tomcat from the outside >> >> +1, though I would run Apache httpd and Tomcat on different hosts, so >> localhost-binding is not possible unless you are doing something like >> stunnel (which also might be a good idea if you are traversing an >> untrusted network). > > Respectfully, I have to disagree. Unless the Apache HTTPD is loaded with IDS > that can sniff the inbound traffic, you've not achieved much, and now you > have two boxes that have to be maintained, secured & patched. HTTPD != > firewall. > > > p > > >> >>> - Configured Apache HTTPD for LDAP authentication via an OpenLDAP >>> server that in turn is configured via the Password Policy overlay for >>> finite (5 I think) password retries before locking out the account >> >> +2 -- both good ideas: central access control (LDAP) and enabling >> lockout mechanism. Note that Tomcat's lockout mechanism is fairly >> primitive and easy to game. >> >>> - required a very restricted LDAP group membership for access to >>> /manager (and the other Tomcat builtins). >> >> +1 hooray for role-based permissions! >> >>> No recurrence, not even an attempt. I think actually closing port >>> 8080 may have played the biggest part in all this. >> >> Would you be willing to review the Tomcat documentation on "securing >> Tomcat" and make a few comments? It could always use some additional tips: >> >> http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html >> http://wiki.apache.org/tomcat/FAQ/Security >> >> You can sign-up for the wiki yourself and make any changes you want. >> If you want to modify the "official" documentation, create a Bugzilla >> enhancement request and (please!) include a patch. I'm sure it will go >> right in. >> >> Thanks, >> - -chris >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG/MacGPG2 v2.0.17 (Darwin) >> Comment: GPGTools - http://gpgtools.org >> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ >> >> iQIcBAEBCAAGBQJRZx7AAAoJEBzwKT+lPKRY+3MP/3c8kZZU43cMaxkXTi/ELXha >> Hv6rAeGz4nnpMNn2C002cTRgZ39vomUXYdsLMnNIshn05JDVIZmLLoUXk6UzY9go >> uH0QdAubBxhvwC/CWeLjUuSjy/Ei4vKeB7xJNw/FQ2xXEt47FWv36e0vgxOyluX+ >> gbkB3KQlN6PXtQENGvkOGT5oWLK9M7WUydGSWq9lXR+akwWeL3jWRAlLl6bHYybQ >> n70c5wq/rJbEj+k9yCHsMZvPabYs5ejsz6wHvvw4Emrxcp4LVVjCuY2Z87Yhdtb4 >> B43tF48be9GUZCXDvtIjiS5phHMhpqyJakHuZ7GSvzDIeuiNZ96XuoDkIG1bwWjf >> Z5SMCSjkSPqDKJ1cXcd8AaSYgI2C3KQnuFrbTD7bVqQHOeq7RJZp3+xE0IUNPl+V >> H2PNpUfXD9BDbPiiDt8bcgvcrImejW0RDumQ2fwbTVvt4OaybVsMUsVFW8lUtw3A >> YhvFn/WCEdR8VaY9PkqYm84BVMsQJBbBdb5clYiAtVQRky1NPS+hcIihnf85DkNU >> vr6rv/oK0aMXAamwUagmRe5OjTHuHczERPYgEUMpppnlXuNV1mLxBib8+HInGg3/ >> Y5i28tTd7fS5uo7/CZv+9uEZdDUO7utWGT0W+gBaIkh35/yZI5a1l5wi0szYduQe >> t3nftQXUTCYtK1QNwKND >> =3s6Q >> -----END PGP SIGNATURE----- >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org