
The web interface is at http://localhost:8080/manager/html. Is there a way to disable or completely remove it? Just asking so I don't mess up some settings by going in and deleting things willy-nilly.

The reason I want to get rid of it is that the server keeps getting blocked due to what I think are malicious scripts brute forcing the password. It locks down and secures itself, but I am also unaware this has happened until I check manually. I don't use the web manager, so I figure the best way to solve this is to just get rid of it completely. That said, if you have another suggestion I'd be open to that as well. I've tried setting up a RemoteAddrValve in manager.xml like below, but I'm still having the issue.

<!-- I changed the IP address for this example. -->
<Context path="/manager"
    docBase="/usr/share/tomcat7-admin/manager"
    antiResourceLocking="false" privileged="true">

    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow="0\.0\.0\.0" denyStatus="404" />
</Context>
ryandlf
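The question's real complaint is not knowing about the lockout until someone looks. The following is an added example, not something from the original thread: a small POSIX shell script that reads the Tomcat access log and reports clients that are hammering the Manager. It assumes the log uses Tomcat's "common" pattern (`%h %l %u %t "%r" %s %b`), which is what the stock Debian `server.xml` configures for `/var/log/tomcat7/localhost_access_log.*.txt`; the sample log lines inside the script are constructed. The signal it keys on is simple: with no users configured, every guess against `/manager/html` is answered with a 401, so a burst of 401s on `/manager` from one address is a brute-force attempt, whether or not it could ever succeed.

```shell
#!/bin/sh
# Added example (not from the original question or answer): find clients
# brute forcing the Tomcat Manager by counting 401 responses on /manager per
# source address in the access log. Assumes Tomcat's "common" log pattern
# %h %l %u %t "%r" %s %b (the Debian default), so in awk terms:
#   $1 = client address, $7 = request path, $9 = HTTP status.

# Usage: manager_bruteforce_report LOGFILE [THRESHOLD]
# Prints "<count> <client>" for every client with at least THRESHOLD (default 5)
# 401 responses on /manager, most active client first. LOGFILE may be "-" (stdin).
manager_bruteforce_report() {
    awk -v min="${2:-5}" '
        $7 ~ /^\/manager(\/|$)/ && $9 == 401 { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' "${1:--}" | sort -rn
}

# Constructed sample log: one client guessing passwords against the Manager,
# one client that hit the Manager URL twice, and ordinary traffic to a real app.
sample_access_log() {
    cat <<'EOF'
203.0.113.5 - - [29/Jan/2016:03:40:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [29/Jan/2016:03:40:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [29/Jan/2016:03:40:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [29/Jan/2016:03:40:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [29/Jan/2016:03:40:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [29/Jan/2016:03:40:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [29/Jan/2016:03:41:10 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [29/Jan/2016:03:41:15 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [29/Jan/2016:03:42:00 +0000] "GET /myapp/ HTTP/1.1" 200 5120
192.0.2.10 - - [29/Jan/2016:03:42:30 +0000] "POST /myapp/login HTTP/1.1" 302 -
EOF
}

# Demo run against the constructed log with a threshold of 3:
# only 203.0.113.5 (six 401s) is reported.
sample_access_log | manager_bruteforce_report - 3
```

On a live box you would point it at the real log (`manager_bruteforce_report /var/log/tomcat7/localhost_access_log.2016-01-29.txt`) from cron and mail yourself the output when it is non-empty; that turns the silent lockout into a notification. It only tells you who is knocking, though. It does not stop the request flood that ties up Tomcat's threads, which is why removing the Manager, as the answer below discusses, is the actual fix.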

1 Answer

Per the Tomcat 7 documents:

"The Manager application is not accessible by default as no users are configured with the necessary access."

If you think there is a user enabled in the manager app, you can edit $CATALINA_BASE/conf/tomcat-users.xml. Just comment or remove any active roles or usernames in that file and restart the server to prevent access to the Manager app.

Another approach per OWASP (somewhat out of date) is to rename your manager app. This is a "security by obscurity" approach, but might work if some botnet just randomly targeted your server.

Finally, I tested removing the manager webapp on Tomcat7 and bouncing the server. The Tomcat example webapp ran fine after that, so I suspect you can remove the manager with no bad effects, as long as you don't depend on it to deploy webapps.

Also, the docBase used in your RemoteAddrValve looks strange. I would expect it to be /usr/share/tomcat7-admin/webapps/manager unless you've gone through the trouble of changing the docBase for your whole server.

lreeder
  • I don't have any users set up. I think it still shows a login window which if brute forced will lock Tomcat. – ryandlf Jan 29 '16 at 03:40
  • It does send a basic auth response back to the client, but how can it be brute forced if there's no users enabled, and thus no working password? – lreeder Jan 29 '16 at 03:44
  • I'm pretty sure, based on the access logs, what's happening is something is accessing the manager, a login window pops up, and they just attempt password after password until Tomcat locks up completely. It blocks the access, but it also makes it to where my applications stop responding. – ryandlf Jan 29 '16 at 03:45
  • What about removing it completely so it just shows 404? I can't find any documentation on that. – ryandlf Jan 29 '16 at 03:46
  • Ah, maybe someone doing a DDOS attack that uses all available threads for tomcat, thus preventing access to your other apps. Regarding removing the manager completely, I've seen that done with Tomcat 4? with no ill effects. I don't know what would happen in Tomcat 7. I'm guessing nothing, but you may want to try with a test server. – lreeder Jan 29 '16 at 03:50
  • Any way you could include what you did to remove the manager? Sorry, I'm not great at this stuff... is it just sudo apt-get remove tomcat7-admin? – ryandlf Jan 29 '16 at 03:59
  • No - that will remove the whole server. I just simply "moved" the manager directory/folder. If your manager webapp is at /usr/share/tomcat7-admin/webapps/manager, just do "sudo mv /usr/share/tomcat7-admin/webapps/manager /tmp". Then restart Tomcat, and verify functionality of your other apps. If there are problems, move the manager back in place with "sudo mv /tmp/manager /usr/share/tomcat7-admin/webapps/" and restart Tomcat. Verify the location of the manager webapp before running these commands. Note that local server policy may clean /tmp on reboot or periodically. – lreeder Jan 29 '16 at 04:05
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/101962/discussion-between-ryandlf-and-lreeder). – ryandlf Jan 29 '16 at 04:10
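The move-aside procedure from the comments, written out as an added example that is not part of the original thread. The paths are assumptions for a Debian/Ubuntu tomcat7 + tomcat7-admin install, where the Manager does not live under webapps/ at all: the tomcat7-admin package ships the webapp at /usr/share/tomcat7-admin/manager (the docBase in the question's manager.xml) and deploys it through the context descriptor /etc/tomcat7/Catalina/localhost/manager.xml. Because the Manager belongs to that separate package, `apt-get remove tomcat7-admin` drops only the manager and host-manager apps and leaves the tomcat7 server package installed; the script below is the reversible alternative for anyone who wants to try it first. It moves both the descriptor and the directory: the descriptor is what actually deploys /manager, and moving only the directory leaves a descriptor pointing at nothing, which Tomcat reports as a failed deployment at startup. Confirm both paths on your own machine (`dpkg -L tomcat7-admin`) before running it, and use a backup location that survives reboots rather than /tmp.

```shell
#!/bin/sh
# Added example (not from the original thread): take the Tomcat Manager out of
# Tomcat's view so /manager/html answers 404, keeping a backup so it can be put
# back. Paths are assumptions for a Debian/Ubuntu tomcat7 + tomcat7-admin box;
# override them through the environment if yours differ.
MANAGER_CTX="${MANAGER_CTX:-/etc/tomcat7/Catalina/localhost/manager.xml}"
MANAGER_APP="${MANAGER_APP:-/usr/share/tomcat7-admin/manager}"
MANAGER_BACKUP="${MANAGER_BACKUP:-/var/backups/tomcat7-manager}"

# Move the descriptor (what deploys /manager) and the webapp directory into the
# backup directory. Returns 0 if something was moved, 1 if nothing was found.
disable_manager() {
    moved=0
    mkdir -p "$MANAGER_BACKUP" || return 1
    if [ -f "$MANAGER_CTX" ]; then
        mv "$MANAGER_CTX" "$MANAGER_BACKUP/manager.xml" && moved=1
    fi
    if [ -d "$MANAGER_APP" ]; then
        mv "$MANAGER_APP" "$MANAGER_BACKUP/manager" && moved=1
    fi
    [ "$moved" -eq 1 ]
}

# Reverse of disable_manager: put whatever is in the backup back in place.
restore_manager() {
    restored=0
    if [ -f "$MANAGER_BACKUP/manager.xml" ]; then
        mv "$MANAGER_BACKUP/manager.xml" "$MANAGER_CTX" && restored=1
    fi
    if [ -d "$MANAGER_BACKUP/manager" ]; then
        mv "$MANAGER_BACKUP/manager" "$MANAGER_APP" && restored=1
    fi
    [ "$restored" -eq 1 ]
}

# True when neither the descriptor nor the webapp is where Tomcat would look.
manager_disabled() {
    [ ! -e "$MANAGER_CTX" ] && [ ! -e "$MANAGER_APP" ]
}

# Run after "service tomcat7 restart": the Manager URL must answer 404 while an
# app you actually use still answers 200. Arguments: manager URL, app URL.
verify_after_restart() {
    manager_code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    app_code=$(curl -s -o /dev/null -w '%{http_code}' "$2")
    [ "$manager_code" = "404" ] && [ "$app_code" = "200" ]
}

# Command-line entry points, e.g.:
#   sudo sh disable_manager.sh disable && sudo service tomcat7 restart
#   sh disable_manager.sh verify http://localhost:8080/manager/html http://localhost:8080/myapp/
#   sudo sh disable_manager.sh restore && sudo service tomcat7 restart
case "${1:-}" in
    disable) disable_manager && echo "Manager moved to $MANAGER_BACKUP; now restart tomcat7" ;;
    restore) restore_manager && echo "Manager restored; now restart tomcat7" ;;
    verify)  verify_after_restart "${2:-http://localhost:8080/manager/html}" "${3:?app URL required}" ;;
esac
```

The `verify` step is the check the question asked for: once the context is gone, a password-guessing script gets a plain 404 with no authentication challenge, so there is nothing left for it to brute force and no lockout to trip. Note that a later upgrade of the tomcat7-admin package will reinstall the webapp directory, which is another reason to remove the package outright if you are sure you never want the Manager.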