
Disable Tomcat7 Manager

The web interface http://localhost:8080/manager/html. Is there a way to disable or completely remove it? Just asking so I don't mess up some settings by going in and deleting things willy-nilly.

Reason I want to get rid of it is because the server keeps getting blocked due to what I think is malicious scripts brute forcing the password. It locks down and secures itself, but I also am unaware this has happened until I check manually. I don't use the web manager, so I figure the best way to solve this is to just get rid of it completely. That said, if you have another suggestion I'd be open to that as well. I've tried setting up a RemoteAddrValve in manager.xml like below, but I'm still having the issue.

<!-- I changed the ip address for this example. -->
<Context path="/manager"
    docBase="/usr/share/tomcat7-admin/manager"
    antiResourceLocking="false" privileged="true">

    <!-- allow is a regular expression matched against the client IP;
         any other address gets the denyStatus response -->
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
    allow="0\.0\.0\.0" denyStatus="404" />
</Context>

Per the Tomcat 7 documents:

"The Manager application is not accessible by default as no users are configured with the necessary access."

If you think there is a user enabled in the manager app, you can edit $CATALINA_BASE/conf/tomcat-users.xml. Just comment or remove any active roles or usernames in that file and restart the server to prevent access to the Manager app.

Another approach per OWASP (somewhat out of date) is to rename your manager app. This is a "security by obscurity" approach, but might work if some botnet just randomly targeted your server.

Finally, I tested removing the manager webapp on Tomcat7 and bouncing the server. The Tomcat example webapp ran fine after that, so I suspect you can remove the manager with no bad effects, as long as you don't depend on it to deploy webapps.

Also, the docbase used in your RemoteAddrValve looks strange. I would expect it to be /usr/share/tomcat7-admin/webapps/manager unless you've gone through the trouble to change the docbase for your whole server.
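An added audit script covering the three points above (is the Manager app still deployed, does tomcat-users.xml still grant a manager-* role to any uncommented user, and does the manager context carry the RemoteAddrValve from the question). It is not code from the question, the answer or the Tomcat project. It assumes the usual CATALINA_BASE layout (conf/tomcat-users.xml, conf/Catalina/localhost/manager.xml, webapps/manager) and the /usr/share/tomcat7-admin docBase shown above; the demo tree, usernames and passwords it builds are constructed for this example.

```shell
#!/bin/sh
# Added example: audit a Tomcat 7 CATALINA_BASE for an exposed Manager app.
# Paths follow the layout discussed in the question and answer; the demo
# tree built by make_demo_base is constructed for this example only.

# Remove <!-- ... --> comments, including multi-line ones, so that the
# commented-out sample users shipped in the default tomcat-users.xml are
# not counted as active accounts. Output is the file joined onto one line.
strip_xml_comments() {
    awk '
    {
        line = $0
        while (length(line) > 0) {
            if (in_comment) {
                i = index(line, "-->")
                if (i == 0) { line = ""; break }
                line = substr(line, i + 3); in_comment = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = ""; break }
                out = out substr(line, 1, i - 1)
                line = substr(line, i + 4); in_comment = 1
            }
        }
        out = out " "
    }
    END { print out }' "$1"
}

# Print the number of active <user> entries whose roles include manager-*.
active_manager_users() {
    strip_xml_comments "$1" | grep -o '<user [^>]*>' \
        | grep -c 'roles="[^"]*manager-' || true
}

# Exit 0 if the Manager app is still reachable: either a deployed
# webapps/manager directory or a per-app context file for it exists.
manager_deployed() {
    [ -d "$1/webapps/manager" ] || [ -f "$1/conf/Catalina/localhost/manager.xml" ]
}

# Exit 0 if the manager context file restricts clients with a RemoteAddrValve.
manager_has_addr_valve() {
    ctx="$1/conf/Catalina/localhost/manager.xml"
    [ -f "$ctx" ] && strip_xml_comments "$ctx" | grep -q 'RemoteAddrValve'
}

# Constructed demo tree (hypothetical accounts): the default-style
# commented-out sample user, one real manager-gui user, and one user with
# no manager role. Prints the base directory.
make_demo_base() {
    base=$(mktemp -d)
    mkdir -p "$base/conf/Catalina/localhost" "$base/webapps/manager"
    cat > "$base/conf/tomcat-users.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
<!--
  <role rolename="tomcat"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager-script"/>
-->
  <role rolename="manager-gui"/>
  <user username="admin" password="CHANGEME" roles="manager-gui"/>
  <user username="app" password="CHANGEME" roles="tomcat"/>
</tomcat-users>
EOF
    cat > "$base/conf/Catalina/localhost/manager.xml" <<'EOF'
<Context docBase="/usr/share/tomcat7-admin/manager" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1" denyStatus="404"/>
</Context>
EOF
    printf '%s\n' "$base"
}

DEMO_BASE=$(make_demo_base)
printf 'manager deployed:        %s\n' "$(manager_deployed "$DEMO_BASE" && echo yes || echo no)"
printf 'active manager users:    %s\n' "$(active_manager_users "$DEMO_BASE/conf/tomcat-users.xml")"
printf 'RemoteAddrValve present: %s\n' "$(manager_has_addr_valve "$DEMO_BASE" && echo yes || echo no)"
```

Point the functions at a real CATALINA_BASE instead of the demo tree to check a server: a count of 0 from active_manager_users means the user-file route in the answer has been applied, and a failing manager_deployed means the app itself is gone, which is the outcome the question is after.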
