Configure Valve setting to Catch Malicious activity in Tomcat Access log?

Greenhorn
Hello Tomcat Experts,

I'm trying to devise a way to properly configure the Tomcat access log to track malicious hacking activity occurring on Tomcat deployed within a production environment. I've identified the following settings, which can be altered to try and expose XSS and SQL injection techniques, but wanted to confirm this is the best practice to implement this logging to try and catch hackers in the Tomcat access log.

Propose changing the default Tomcat Valve setting from:


TO:



Is this the best way to do this? Is there any performance overhead with making this change? Am I correct in understanding that most of this malicious activity will not be caught with the Tomcat default Valve settings? I found this site helpful in advising on the above changes, but wanted to see if any other Tomcat admins here have any further guidance in this critical area for ensuring Tomcat is running as securely as possible.

Thanks in advance, because I can see this benefiting the Tomcat community as a whole, whether you're on Windows or Linux; perhaps it will help someone else when advising on changes to be made to show malicious activity happening on web servers we've helped to deploy.
 
Saloon Keeper
I changed the Code style on your second example because it was set for Java and it colored some of the XML funny.

You can certainly format your logs any way you like. As to efficiency, we don't second-guess, we measure. Only if you're seeing serious performance issues would it be worth investing time worrying about it.

My servers use a reverse proxy server (nginx, formerly Apache) to be the public face of my Tomcat servers, and I can get URL logs from there, so I don't use the logging Valve. I also have the Unix fail2ban app scanning those logs, so offenders can be locked out. I see thousands of attacks a day and my servers are small potatoes, but I take security seriously.
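As an added example (not code from this thread or from Tomcat), here is the kind of check a fail2ban-style log watcher performs over Tomcat access-log lines: it parses the AccessLogValve "combined" pattern (`%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"`, of which the default "common" pattern is the prefix), URL-decodes the request target and flags lines that carry XSS, SQL-injection or path-traversal indicators. The sample log lines and the indicator regexes are my own constructed assumptions, kept deliberately minimal.

```python
"""Scan Tomcat access-log lines for common injection indicators (added example)."""
import re
from urllib.parse import unquote_plus

# Tomcat "combined" pattern; the two trailing quoted header fields are optional
# so that lines written with the default "common" pattern also parse.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)

# Minimal indicators (assumed, not a complete signature set). They are applied
# after URL-decoding so percent-encoded variants are not missed.
INDICATORS = {
    "xss": re.compile(r"<\s*script|javascript:|onerror\s*=", re.I),
    "sqli": re.compile(r"union\s+select|'\s*or\s+'?\d|sleep\(\d+\)|--\s*$", re.I),
    "traversal": re.compile(r"(\.\./){2,}|/etc/passwd|\x00", re.I),
}

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Decode twice so a double-encoded target is still inspected in clear text.
    rec["decoded"] = unquote_plus(unquote_plus(rec["target"]))
    return rec

def classify(rec):
    """Return the set of indicator names hit by the decoded target, Referer and User-Agent."""
    fields = [rec["decoded"], rec.get("referer") or "", rec.get("ua") or ""]
    return {name for name, rx in INDICATORS.items() if any(rx.search(f) for f in fields)}

def scan(lines):
    """Yield (client host, sorted indicator names, decoded target) for suspicious lines."""
    for line in lines:
        rec = parse_line(line)
        if rec and (hits := classify(rec)):
            yield rec["host"], sorted(hits), rec["decoded"]

# Constructed sample log; the last line uses the shorter "common" pattern.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2014:10:15:32 +0000] "GET /app/index.jsp HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2014:10:15:40 +0000] "GET /app/search.jsp?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812 "-" "curl/7.35"',
    '10.0.0.9 - - [12/Mar/2014:10:15:41 +0000] "GET /app/item.jsp?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 0 "-" "curl/7.35"',
    '10.0.0.12 - - [12/Mar/2014:10:16:02 +0000] "GET /app/download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for host, hits, target in scan(SAMPLE_LOG):
        print(f"{host} {','.join(hits)} {target}")
```

Because `%r` in the default pattern already records the request line including the query string, query-borne probes like these appear even without changing the Valve; request headers and POST bodies are what the default pattern leaves out.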
 
Kris Thomson
Greenhorn
Makes sense about the performance impact, but if the performance cost is negligible, why not incorporate the Valve settings even if you're front-ending Tomcat with an Apache or IIS Jakarta redirector? Wouldn't setting up the Valve forensics provide another layer of logging where perhaps you can see attackers infecting or cracking on the second layer too, or is that something that should be ignored? What if both are on the same host? Does that increase the risk that there could be malicious attempts both in the front-end app and within Tomcat itself?

I guess what I'm saying is I think I'd prefer to err on the side of caution: enabling additional logging within the standard access log so that it can be properly monitored, rather than ignored, seems like it would increase the chances that malicious activity would be tracked.

Thanks,
Kris.
 
Tim Holloway
Saloon Keeper
I won't stop you, but in my case there is no direct outside communication with Tomcat, only proxy connections, so all the incoming URL requests are already seen by the proxy server and thus logging at the Valve level would be duplication. Actually, I'm not even sure that anything tunneling through port 8009 (the proxy port) would be seen by that Valve anyway.

If you are running both Proxy and Tomcat on the same machine, a proxy connection would use the loopback port, so you'd want to firewall Tomcat's ports from external connections anyway. In my case, I'm forwarding to VMs and Docker containers, but they run on a different subnet/virtual NIC than public traffic does, so again it's easy to firewall.