I have Tomcat set up on port 8443. There is a user config file for access in /conf/tomcat-users.xml.
Is it advisable to leave this accessible over the web? If a person suspects it’s there, then they simply add the port number to the URL and start guessing the credentials.
Also, the Tomcat web admin is configured to a specific URL, not server wide, so it’s not possible to use any other virtual host to access it, only the specific host I’ve named in the server.xml file.
I know that there are other ways to secure this, such as port forwarding, which I will do.
But, if you don’t plan on using the Tomcat admin/web GUI, is there a reason to leave it accessible, or a reason to remove it?