I want to preface this with - I am not a security expert so am happy to be corrected/advised/educated and any naive comments here are naive not stupid or ill intended.
I've been experiencing problems with my server running for a number of days then if there are a few days of inactivity (aka me staring out the window seeking motivation) when I return to the server it has stopped responding.
This manifests itself as the log polling for a period of time before becoming non responsive. The fix (but not the solution) has been to restart the server.
I've started digging into logs for Tomcat and found that I have been getting probed by a range of Russian and Chinese IP addresses all interrogating Tomcat/manager. Sometimes this has been repeated over very short periods of time (a DoS if you like). I don't know if this is the cause but I have started the laborious task of adding all of these IP addresses to my firewall (shared at Firewall Deny IP Ranges>). I realise that this might be an overzealous approach, but my target clients will not be from Russia or China.
As I started to so more research into things I can do to harden Tomcat I came across these
https://www.mkyong.com/tomcat/how-to-change-tomcat-manager-default-path/ - change the name of the manager directory, and
https://www.owasp.org/index.php/Securing_tomcat - which has some interesting details specifically changing the name of the SHUTDOWN command and obfuscating the server header details from Tomcat to Apache.
Renaming the manager app is obviously merely obfuscation but given the number of calls being made to my manager, it might help a little in the short term.
Are the items here contentious or likely to stuff Aware?
