Tomcat7 shows number of inactive users in tomcat manager

Submitted by 匆匆过客 on 2020-01-14 10:33:26

Question


Hi, I have an Amazon EC2 server and I'm using this server for my Java applications, but for the last couple of days I've been facing one very unusual issue and I'm worried that someone might be playing with my server.

When I log into my Tomcat manager using ipaddress:8080/manager, it asks me to enter the username and password I have in the tomcat-users.xml file. When I log in it shows only one active instance, but after a few minutes it shows me that there is more than one user using the Tomcat manager. The question is, I didn't share my credentials with anyone. Please check this screenshot.

As you can see, there are 94 session IDs available for my Tomcat manager, but none of them have a username and they are also not active. Only one is active, the one I logged in with using the username admin.

When I checked the server logs I also found that someone is trying to authenticate using the following roles: root, tomcat, manager. Attached are the logs.

Sep 28, 2015 4:54:02 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "root"
Sep 28, 2015 4:55:07 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "admin"
Sep 28, 2015 4:56:44 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "manager"
Sep 29, 2015 7:08:16 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "root"
Sep 29, 2015 7:08:16 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "tomcat"
Sep 29, 2015 7:08:16 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "manager"
Sep 29, 2015 7:08:16 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "manager"
Sep 29, 2015 7:08:19 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "tomcat"
Sep 29, 2015 7:08:19 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "tomcat"

I did some googling and I updated the Tomcat permissions from 755 to 750 and also updated its user, as explained in many questions. But I keep facing this issue.

I'm not able to resolve this issue and I'm worried that someone keeps playing with my system. So, my question is: how can I prevent attacks like this on my server, or is this just a bug in Tomcat (not sure about this)?

Any help will be appreciated. Thanks in advance.
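An added example (not from the question or the answers) of turning LockOutRealm warnings like the ones above into a detection signal: it parses the two-line java.util.logging entries, pairs each timestamp with the username that was tried, and flags bursts of attempts against several accounts within one minute, which is the pattern of automated credential guessing rather than a single mistyped login. The sample log is constructed from the lines quoted in the question; the 60-second window and the threshold of three attempts are assumptions to tune for your own traffic.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the LockOutRealm warnings quoted in the question.
SAMPLE_LOG = """\
Sep 28, 2015 4:54:02 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "root"
Sep 29, 2015 7:08:16 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "root"
Sep 29, 2015 7:08:16 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "tomcat"
Sep 29, 2015 7:08:16 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "manager"
Sep 29, 2015 7:08:19 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "tomcat"
"""
# Tomcat 7 java.util.logging format: a timestamp/source line followed by the message line.
HEADER_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
                       r"org\.apache\.catalina\.realm\.LockOutRealm authenticate$")
WARN_RE = re.compile(r'^WARNING: An attempt was made to authenticate the locked user "([^"]+)"$')

def parse_lockout_events(text):
    """Pair each header line with its WARNING line -> sorted list of (datetime, username)."""
    events, pending = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = datetime.strptime(m.group(1), "%b %d, %Y %I:%M:%S %p")
            continue
        m = WARN_RE.match(line)
        if m and pending is not None:
            events.append((pending, m.group(1)))
            pending = None
    return sorted(events)

def find_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Sliding window: report each run of >= threshold attempts inside <= window (assumed values)."""
    bursts, start = [], 0
    for end, (ts, _) in enumerate(events):
        while ts - events[start][0] > window:   # drop events that fell out of the window
            start += 1
        if end - start + 1 >= threshold:
            if bursts and events[start][0] <= bursts[-1]["end"]:
                bursts[-1]["end"] = ts           # overlapping window: extend the current run
            else:
                bursts.append({"start": events[start][0], "end": ts})
            b = bursts[-1]
            span = [u for t, u in events if b["start"] <= t <= b["end"]]
            b["count"], b["users"] = len(span), sorted(set(span))
    return bursts
```

On the sample this reports one burst of four attempts against manager, root and tomcat within three seconds on Sep 29, while the lone Sep 28 attempt is not flagged.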


Answer 1:


As explained by @aldebober, we can implement that, but there is another easy solution to decrease the number of attacks on your server.

Tomcat basically works on port 8080, so it's easy for anyone to guess that if we are hosting Java web applications they'll be running on port 8080. But we can change its default port number so that the number of attacks is reduced. To do so we need to make one small change in the server.xml file in the tomcat/conf folder.

Changes

<Connector port="8585" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" redirectPort="8443" />

Update

Make sure you have a strong password for your Tomcat manager admin instead of the default password.




Answer 2:


As was mentioned in the comments, you should restrict access to your manager in manager.xml:

manager.xml
<Context path="/manager" debug="0" privileged="true">
    <!-- In Tomcat 7 the allow attribute is a java.util.regex pattern matched against the whole
         client address, so alternatives are separated with | and dots are escaped; a
         comma-separated list would be treated as one literal pattern and match no address. -->
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1|192\.168\.1\.107"/>
</Context>

Where 192.168.1.107 is your IP. It's better to allow only 127.0.0.1 and create an SSH tunnel:

ssh -L 8080:localhost:8080 ipaddress_of_tomcat

Then open http://localhost:8080/manager in your browser.



Source: https://stackoverflow.com/questions/32863522/tomcat7-shows-number-of-inactive-users-in-tomcat-manager
