On Fri, Sep 2, 2016 at 4:28 AM, Yuval Schwartz <yuval.schwa...@gmail.com> wrote:
> Tomcat: 8.0.22
> JDK: 1.8.0_05
>
> Hello,
>
> I am currently running a web application.
>
> I would like to restrict access to the manager app (it is currently being
> hit by spammers every so often who are unable to connect (get a message
> "...an attempt was made to authenticate the locked user")).
>
> I was thinking of adding a "manager.xml" file to
> $CATALINA_BASE/conf/[enginename]/[hostname]/ that will contain the
> following context container:
>
> <Context privileged="true" docBase="[path_to_manager]">
>   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>          allow="[my_ip]"/>
> </Context>
>
> Is this the correct way to achieve my goal of limiting access to the
> manager app to only my IP?
>
> Of course, I do not want the rest of my webapp's access limited (which
> is on the ROOT path). I only want access to the manager app limited.
>
> (I know I can also place the context container in my webapp's
> META-INF/context.xml file, is there any preference to doing this over
> what I suggested above?)
>
> Thank you

Another way to keep them from hammering away with login attempts is to simply rename the manager webapp. Redeploy it to something like /manager123 instead of just /manager and the bots will never find it. It's obviously security theater, but it works great against scanners.
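A worked version of the per-host context file discussed in the question, added here as an example and not taken from either message in the thread. It assumes the manager app is deployed under the Host's appBase (webapps/manager), that the file is $CATALINA_BASE/conf/Catalina/localhost/manager.xml, and that 203.0.113.10 stands in for the administrator's real address.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- $CATALINA_BASE/conf/Catalina/localhost/manager.xml (assumed path).
     A context file in this directory takes precedence over the webapp's
     own META-INF/context.xml, so the settings the manager app ships with
     are replaced by what is written here. docBase is left out on purpose:
     the app lives under the Host's appBase (webapps/manager), and Tomcat
     ignores a docBase that points inside appBase for files in this
     directory. -->
<Context antiResourceLocking="false" privileged="true">

  <!-- allow/deny are Java regular expressions matched against the WHOLE
       client address, so dots must be escaped and several addresses are
       joined with '|'. IPv6 loopback appears both as "::1" and in Java's
       expanded form. 203.0.113.10 is a placeholder address. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|203\.0\.113\.10"
         denyStatus="404" />

</Context>
```

Because the valve sits in the manager Context only, the ROOT webapp is unaffected; `denyStatus="404"` makes a rejected request indistinguishable from a missing app, which is what scanners go looking for. If Tomcat sits behind a reverse proxy, `getRemoteAddr()` returns the proxy's address, so a `RemoteIpValve` on the Host or Engine is needed first for this filter to see the real client address.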