
For various reasons I want to shutdown my server after a certain period of idle time. I am running Tomcat 8.5.29 and Apache2 (not sure the version) on Debian 4.9.88. I wrote a script to look at the last time Tomcat had an access. I only have one app on the server and it is at "http://hostname/source/". My problem is that there are a number of webserver vulnerabilities out there and I am getting a constant flow of requests to:

    "GET / HTTP/1.1"
    "POST /GponForm/diag_Form?images/ HTTP/1.1"
    "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Aservice%3DMainDeployer HTTP/1.1"
    "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1"

What I would like to do is stop anything that doesn't begin with "/source" from even getting to tomcat. I presume that a rewrite or something in Apache can do it, but I am not sure how the requests get to Tomcat in the first place. Any ideas?

1 Answer


There are two possible ways for requests to reach Tomcat:

  1. The probes send requests directly to the Tomcat port (typically port 8080). You can fix this by restricting Tomcat's listening address to the loopback address, by adding the attribute address="127.0.0.1" to the corresponding Connector element in conf/server.xml. Or you can just block port 8080 in your firewall.

  2. The requests are forwarded from Apache to Tomcat via a reverse proxy configuration in Apache. This means there is a line such as the following in one of the Apache configuration files:

    ProxyPass / http://127.0.0.1:8080/

    If you add an explicit path prefix to both arguments, you can restrict which requests are passed to Tomcat:

    ProxyPass /source http://127.0.0.1:8080/source

    This ensures that only requests that begin with "/source" are forwarded to Tomcat.

    Some Apache configurations use the AJP protocol instead of HTTP for proxying, but the same reasoning applies.

Cuspy Code
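The reverse-proxy restriction from the answer, written out as a complete Apache virtual host. This is an added example, not configuration from the question or the answer; it assumes mod_proxy and mod_proxy_http are enabled, that Tomcat listens on 127.0.0.1:8080, and the server name is a placeholder.

```apache
# Added example (not from the original post). Assumes mod_proxy and
# mod_proxy_http are loaded and Tomcat listens on 127.0.0.1:8080.
<VirtualHost *:80>
    ServerName hostname.example        # placeholder, replace with your host

    ProxyRequests Off                  # never act as an open forward proxy
    ProxyPreserveHost On               # pass the original Host header to Tomcat

    # Weak setting: every path, including scanner probes such as
    # /GponForm/... and /jmx-console/..., is handed straight to Tomcat.
    # ProxyPass        / http://127.0.0.1:8080/
    # ProxyPassReverse / http://127.0.0.1:8080/

    # Corrected setting: only /source and its subpaths are forwarded.
    # Anything else is answered by Apache itself (normally a 404 from
    # DocumentRoot) and never reaches Tomcat, so it no longer shows up
    # in Tomcat's access log or counts as activity for the idle check.
    ProxyPass        /source http://127.0.0.1:8080/source
    ProxyPassReverse /source http://127.0.0.1:8080/source
</VirtualHost>
```

Pair this with the first part of the answer: add address="127.0.0.1" to the HTTP Connector in Tomcat's conf/server.xml (or block port 8080 at the firewall) so that probes cannot bypass Apache by hitting Tomcat's port directly. With both in place, a request to /jmx-console/ is rejected by Apache and a direct connection to port 8080 from outside is refused, and only traffic under /source remains for the idle-time script to consider.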