Keep Tomcat Admin open to world? (Port 8443)

I have Tomcat set up on port 8443. There is a user config file for access in /conf/tomcat-users.xml

Is it advisable to leave this accessible over the web? If a person suspects it’s there, then they simply add the port number to the URL and start guessing the credentials.

Also, the Tomcat web admin is configured to a specific URL, not server wide, so it’s not possible to use any other virtual host to access it, only the specific host I’ve named in the server.xml file.

I know that there are other ways to secure this, such as port forwarding which I will do.

But, if you don’t plan on using the Tomcat admin/web GUI, is there a reason to leave it accessible, or a reason to remove it?

I would never leave anything open to the web which doesn’t need to be

1 Like

Agreed. And I never use it. Just wondering if there is some advantage to having it?

I use Tomcat behind IIS, and HTTP and HTTPS are only served on :80 and :443. Tomcat can be accessed directly only on :8888 via SSH tunneling. IIS serves static and cached files directly; .cfm files or dynamic .html files (with CFML) are passed to Tomcat.

I would delete the Tomcat admin JSPs in Tomcat’s webroot and harden everything manually in the config files. I wouldn’t leave any other port open.

1 Like
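To make the two points of these replies checkable, here is an added example (not from the thread or from Tomcat itself) that reads a server.xml and a tomcat-users.xml and reports connectors bound to every interface and users holding the stock manager/admin roles. It assumes the standard config layout and role names; the sample XML embedded below is constructed.

```python
"""Audit Tomcat config for a network-reachable manager/admin interface. Added
example, not from the thread; assumes stock server.xml / tomcat-users.xml."""
import xml.etree.ElementTree as ET

# Roles that unlock the manager / host-manager webapps (stock Tomcat names).
ADMIN_ROLES = {"manager-gui", "manager-script", "manager-jmx",
               "manager-status", "admin-gui", "admin-script"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample configs: an HTTPS connector on 8443 bound to every
# interface, a loopback-only connector, and one user holding manager roles.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"/>
  <Connector port="8888" address="127.0.0.1" protocol="HTTP/1.1"/>
  <Connector port="8009" address="127.0.0.1" protocol="AJP/1.3"/>
</Service></Server>"""
SAMPLE_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="admin" password="changeme" roles="manager-gui, admin-gui"/>
  <user username="app" password="secret" roles="app-user"/>
</tomcat-users>"""

def exposed_connectors(server_xml):
    """(port, bind address) of HTTP(S) connectors not bound to loopback;
    a Connector with no address attribute listens on every interface."""
    found = []
    for el in ET.fromstring(server_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "Connector":  # tolerate namespaces
            continue
        if "AJP" in el.get("protocol", "HTTP/1.1").upper():
            continue  # AJP is not an HTTP admin UI; audit it separately
        addr = el.get("address", "0.0.0.0")
        if addr not in LOOPBACK:
            found.append((int(el.get("port")), addr))
    return found

def admin_users(users_xml):
    """Usernames in tomcat-users.xml that hold any manager/admin role."""
    hits = []
    for el in ET.fromstring(users_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "user":  # tag is namespaced
            roles = {r.strip() for r in el.get("roles", "").split(",")}
            if roles & ADMIN_ROLES:
                hits.append(el.get("username"))
    return hits

if __name__ == "__main__":
    print("exposed connectors:", exposed_connectors(SAMPLE_SERVER_XML))
    print("users with manager/admin roles:", admin_users(SAMPLE_USERS_XML))
```

A hit in both lists is the situation the question describes: a manager login reachable from any address. Point the functions at your real conf/ files to check a live install.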