LOG: An attempt was made to authenticate the locked user...

Jaymer

Jul 07, 2017 6:01:52 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "admin"

I'm getting lots of these entries in my Tomcat Output log.

Q: In my Login Options screen, I DO NOT have the option checked to Disallow login after 'x' attempts, so why does Tomcat/Aware think its a locked out user?
And when did it "unlock", cause I just logged in as Admin without issue?
Is there another log somewhere where I can see activity? This is Win 2012 Asure server.

confused,
jaymer...

PointsWell

Have a look at Tomcat/logs/

The logs there will tell you the source IP address attempting to access Tomcat.

I found that with the default setup I had a lot of drive by login attempts.

183.57.38.82 - - [04/May/2017:12:31:26 +0000] "GET /manager/html HTTP/1.1" 401 2538
183.57.38.82 - - [04/May/2017:12:31:26 +0000] "GET /manager/html HTTP/1.1" 401 2538
183.57.38.82 - - [04/May/2017:12:31:26 +0000] "GET /manager/html HTTP/1.1" 401 -
93.174.93.136 - - [04/May/2017:15:16:41 +0000] "GET /cache/global/img/gs.gif HTTP/1.1" 404 -
222.186.21.42 - - [04/May/2017:20:42:31 +0000] "GET /manager/html HTTP/1.1" 401 2538
222.186.21.42 - - [04/May/2017:20:42:31 +0000] "GET /manager/html HTTP/1.1" 401 2538
222.186.21.42 - - [04/May/2017:20:42:32 +0000] "GET /manager/html HTTP/1.1" 401 2538
222.186.21.42 - - [04/May/2017:20:42:32 +0000] "GET /manager/html HTTP/1.1" 401 2538
222.186.21.42 - - [04/May/2017:20:42:32 +0000] "GET /manager/html HTTP/1.1" 401 2538
222.186.21.42 - - [04/May/2017:20:42:32 +0000] "GET /manager/html HTTP/1.1" 401 2538

I would find that after a while my server would just stop responding.

There's a few things I did to reduce these:

Blocked entire ranges my firewall if IP addresses that I found in the log Firewall Deny IP Ranges>

Changed the name of the Manager and Host-manager in Tomcat/webapps to something random (this generates a 404 to the log entries above)

209.126.136.4 - - [10/Jul/2017:14:27:53 +0000] "GET / HTTP/1.1" 404 -
180.101.144.61 - - [10/Jul/2017:14:33:02 +0000] "GET /manager/html HTTP/1.1" 404 -
60.191.38.77 - - [10/Jul/2017:23:48:19 +0000] "GET / HTTP/1.1" 404 -

Updated the server.xml to rename the SHUTDOWN command to something less obvious
```
<Server port="8005" shutdown="SHUTDOWN">
```

Updated the server.xml to remove the Apache advert in the header

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

     <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" 
               server=""/>

After doing this I had significantly less shady traffic on my server.

Jaymer

mark,
cool, i will do those things.

but answer me this... when I'm getting an attempted login, is that a login to Aware (where a user enters business space, id, pw),
OR
a login to some Tomcat program? (and those you mention, like 'manager', i don't even know they are there or what they are used for)

thx
jaymer...

Jaymer

After doing # 2 above (by changing the names of those directories), this appeared in the Tomcat log. Tomcat seemed to notice the name change and installed the new ones. All other changes made without incident. Seems ok to ignore all this:

Jul 11, 2017 3:57:09 PM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "jlklklkj"
Jul 11, 2017 3:59:12 PM org.apache.catalina.startup.HostConfig undeploy
INFO: Undeploying context [/manager]
Jul 11, 2017 3:59:12 PM org.apache.catalina.startup.ExpandWar deleteDir
SEVERE: [C:\AwareIM\Tomcat\work\Catalina\localhost\manager] could not be completely deleted. The presence of the remaining files may cause problems
Jul 11, 2017 3:59:12 PM org.apache.catalina.startup.ExpandWar delete
SEVERE: [C:\AwareIM\Tomcat\work\Catalina\localhost\manager] could not be completely deleted. The presence of the remaining files may cause problems
Jul 11, 2017 3:59:12 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory C:\AwareIM\Tomcat\webapps\xx_manager
Jul 11, 2017 3:59:14 PM org.apache.jasper.servlet.TldScanner scanJars
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jul 11, 2017 3:59:14 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory C:\AwareIM\Tomcat\webapps\xx_manager has finished in 2,787 ms
Jul 11, 2017 3:59:25 PM org.apache.catalina.startup.HostConfig undeploy
INFO: Undeploying context [/host-manager]
Jul 11, 2017 3:59:25 PM org.apache.catalina.startup.ExpandWar deleteDir
SEVERE: [C:\AwareIM\Tomcat\work\Catalina\localhost\host-manager] could not be completely deleted. The presence of the remaining files may cause problems
Jul 11, 2017 3:59:25 PM org.apache.catalina.startup.ExpandWar delete
SEVERE: [C:\AwareIM\Tomcat\work\Catalina\localhost\host-manager] could not be completely deleted. The presence of the remaining files may cause problems
Jul 11, 2017 3:59:25 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory C:\AwareIM\Tomcat\webapps\xx_host-manager
Jul 11, 2017 3:59:28 PM org.apache.jasper.servlet.TldScanner scanJars
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jul 11, 2017 3:59:28 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory C:\AwareIM\Tomcat\webapps\xx_host-manager has finished in 2,656 ms

PointsWell

This looks like the Aware log not the Tomcat log.

If you go to AwareIM/Tomcat/logs/ there should be a bunch of console logs there. If you play around with the login level you can get down to the user / business space / database and the steps of the process running at the time.

Re the errors that you've shown

SEVERE: [C:\AwareIM\Tomcat\work\Catalina\localhost\host-manager] could not be completely deleted. The presence of the remaining files may cause problems

Did you shut down Tomcat before renaming it? It looks like something odd is going on there. I shutdown Tomcat renamed the directory and then restarted it.

From your other log entries it looks like 'the call is coming from inside the house'. Don't know how the Aware users interact with Tomcat.

Jaymer

RE: Pointswell - yes, that was the Aware Tomcat log - thx

Mark, after "hardening", almost 100% of my Tomcat log entries are now 404's (except from legit users):

Most like this:
132.148.22.79 - - [13/Jul/2017:10:02:17 -0400] "GET /muieblackcat HTTP/1.1" 404 1018
132.148.22.79 - - [13/Jul/2017:10:02:17 -0400] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 1052
132.148.22.79 - - [13/Jul/2017:10:02:17 -0400] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 1052
132.148.22.79 - - [13/Jul/2017:10:02:17 -0400] "GET //pma/scripts/setup.php HTTP/1.1" 404 1038
132.148.22.79 - - [13/Jul/2017:10:02:17 -0400] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 1046
132.148.22.79 - - [13/Jul/2017:10:02:17 -0400] "GET //MyAdmin/scripts/setup.php HTTP/1.1" 404 1046

where they are just fishing for an installed package to try and penetrate.

And the odd one like these, from Russian Federation:
79.120.15.4 - - [13/Jul/2017:13:56:29 -0400] "GET / HTTP/1.1" 302 -
79.120.15.4 - - [13/Jul/2017:13:56:30 -0400] "GET /OL HTTP/1.1" 302 -
79.120.15.4 - - [13/Jul/2017:13:56:30 -0400] "GET /OL/ HTTP/1.1" 200 8616

This one was unique, where it appears there's some embedded crap they are trying to infuse.
72.133.73.172 - - [13/Jul/2017:10:25:55 -0400] "k ]—‹ÀcKmÝF ”°…-æÀ%ƒÕ¶ºq„ÓÒö$qWgNpúýá‘Xþ˜‘òvyô .k5¢²‚¢ŸˆÈ " 400 -

PointsWell

Easiest thing to do is add the IP range that these IP addresses are within to your firewall ingress rules to exclude them.