Disable Tomcat7 Manager

Problem description

The web interface http://localhost:8080/manager/html. Is there a way to disable or completely remove it? Just asking so I don't mess up some settings by going in and deleting things willy nilly.

Reason I want to get rid of it is because the server keeps getting blocked due to what I think is malicious scripts brute-forcing the password. It locks down and secures itself, but I also am unaware this has happened until I check manually. I don't use the web manager, so I figure the best way to solve this is to just get rid of it completely. That said, if you have another suggestion I'd be open to that as well. I've tried setting up a RemoteAddrValve in manager.xml like below, but I'm still having the issue.

<!-- I changed the IP address for this example. -->
<Context path="/manager"
    docBase="/usr/share/tomcat7-admin/manager"
    antiResourceLocking="false" privileged="true">

    <!-- In Tomcat 7 the allow/deny attributes are regular expressions,
         so the dots in the address must be escaped. -->
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow="0\.0\.0\.0" denyStatus="404" />
</Context>

Recommended answer

According to the Tomcat 7 documentation:

"The Manager application is not accessible by default as no users are configured with the necessary access."

If you think there is a user enabled in the manager app, you can edit $CATALINA_BASE/conf/tomcat-users.xml. Just comment or remove any active roles or usernames in that file and restart the server to prevent access to the Manager app.

Another approach per OWASP (somewhat out of date) is to rename your manager app. This is a "security by obscurity" approach, but might work if some botnet just randomly targeted your server.

Finally, I tested removing the manager webapp on Tomcat7 and bouncing the server. The Tomcat example webapp ran fine after that, so I suspect you can remove the manager with no bad effects, as long as you don't depend on it to deploy webapps.

Also, the docBase used in your RemoteAddrValve context looks strange. I would expect it to be /usr/share/tomcat7-admin/webapps/manager unless you've gone through the trouble to change the docBase for your whole server.
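A check for the three things the answer talks about (an active user with a manager role in tomcat-users.xml, the manager webapp directory, and the manager.xml context file), as an added example that is not part of the original thread; it assumes the stock Tomcat 7 layout under CATALINA_BASE and constructs its own sample base for a dry run.

```shell
# Audit a Tomcat 7 CATALINA_BASE for leftover Manager-app exposure. Added example, not
# from the thread; assumes the stock layout (webapps/manager, conf/tomcat-users.xml, conf/Catalina/localhost/manager.xml).
# Print a file with <!-- ... --> comments removed (multi-line aware), so commented-out users are not counted.
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (incomment) {
                i = index(line, "-->")
                if (i == 0) { line = ""; break }
                line = substr(line, i + 3); incomment = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = ""; break }
                out = out substr(line, 1, i - 1)
                line = substr(line, i + 4); incomment = 1
            }
        }
        print out
    }' "$1"
}
# Number of active <user> lines whose roles attribute grants any manager-* role (0 if the file is absent).
count_manager_users() {
    [ -f "$1" ] || { echo 0; return; }
    strip_xml_comments "$1" | grep -c '<user [^>]*roles="[^"]*manager-' || true
}
# Returns 0 when the Manager is fully disabled, otherwise the number of findings (each one printed).
manager_status() {
    base="$1"; problems=0
    [ -d "$base/webapps/manager" ] && { echo "webapps/manager still deployed"; problems=$((problems + 1)); }
    [ -f "$base/conf/Catalina/localhost/manager.xml" ] && { echo "manager.xml context still present"; problems=$((problems + 1)); }
    n=$(count_manager_users "$base/conf/tomcat-users.xml")
    [ "$n" -gt 0 ] && { echo "$n active user(s) hold manager-* roles"; problems=$((problems + 1)); }
    return "$problems"
}
# Constructed sample CATALINA_BASE: one commented-out and one active manager user, manager still deployed.
make_sample_base() {
    d=$(mktemp -d)
    mkdir -p "$d/conf" "$d/webapps/manager"
    cat > "$d/conf/tomcat-users.xml" <<'EOF'
<tomcat-users>
<!--
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
-->
  <user username="admin" password="changeme" roles="manager-gui,manager-script"/>
</tomcat-users>
EOF
    echo "$d"
}
```

Run it as `manager_status /var/lib/tomcat7` (or wherever CATALINA_BASE is) after applying the answer's steps; a zero exit status means nothing Manager-related is left.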
