After deploying our app on Tomcat 7 we got lots of this:
<date> org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "admin"
and in the access log we have found lots of this:
91.121.4.141 - - <date> "GET /manager/html HTTP/1.1" 401 2486
which seems to be a French ISP (OVH SAS).
So... what's going on? Are they trying to log in, ping? Is it a botnet?
How can we protect against these attempts to log in?
The Apache Tomcat team announces that support for Apache Tomcat 7.0.x will end on 31 March 2021.
The Security Manager restricts what classes Tomcat can access thus protecting your server from mistakes, Trojans, and malicious code. Rationale: By running Tomcat with the Security Manager, applications are run in a sandbox which can prevent untrusted code from accessing files on the file system.
That looks like a brute force attack against the Manager application. The LockOutRealm has done its job and locked the user to prevent the attack from being successful. However, it does mean the legitimate user won't be able to log in either. Assuming the attacks are coming from a single IP, block that IP as early as you can in your network and move on.
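One way to confirm the pattern described in the answer above from the access log, as an added example that is not part of the original answers: it counts 401 responses on /manager/ per client IP and lists the clients at or above a threshold. The log layout (Tomcat's common pattern with a bracketed timestamp), the sample lines and the function names are assumptions.

```shell
#!/bin/sh
# Added example: spot Manager brute forcing in a Tomcat access log.

# Constructed sample lines (timestamps and all IPs except the page's are made up).
sample_log() {
cat <<'EOF'
91.121.4.141 - - [10/Mar/2015:10:00:01 +0100] "GET /manager/html HTTP/1.1" 401 2486
91.121.4.141 - - [10/Mar/2015:10:00:02 +0100] "GET /manager/html HTTP/1.1" 401 2486
91.121.4.141 - - [10/Mar/2015:10:00:03 +0100] "GET /manager/html HTTP/1.1" 401 2486
91.121.4.141 - - [10/Mar/2015:10:00:04 +0100] "GET /manager/html HTTP/1.1" 401 2486
91.121.4.141 - - [10/Mar/2015:10:00:05 +0100] "GET /manager/html HTTP/1.1" 401 2486
91.121.4.141 - - [10/Mar/2015:10:00:06 +0100] "GET /manager/html HTTP/1.1" 401 2486
192.0.2.10 - - [10/Mar/2015:10:05:00 +0100] "GET /manager/html HTTP/1.1" 401 2486
192.0.2.10 - admin [10/Mar/2015:10:05:04 +0100] "GET /manager/html HTTP/1.1" 200 17630
198.51.100.7 - - [10/Mar/2015:10:06:00 +0100] "GET /app/private HTTP/1.1" 401 951
198.51.100.7 - - [10/Mar/2015:10:06:09 +0100] "GET /app/index.jsp HTTP/1.1" 200 4312
EOF
}

# manager_401_by_ip THRESHOLD   (access log on stdin)
# Prints "count ip first_seen last_seen" for every client with at least
# THRESHOLD 401 responses on /manager/, busiest first.
manager_401_by_ip() {
    awk -v min="$1" '
        # Whitespace fields: $1 client, $4 "[timestamp", $7 path, $9 status
        index($7, "/manager/") == 1 && $9 == 401 {
            hits[$1]++
            if (!($1 in first)) first[$1] = substr($4, 2)
            last[$1] = substr($4, 2)
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min) print hits[ip], ip, first[ip], last[ip]
        }
    ' | sort -rn
}

# A single 401 is the normal Basic-auth challenge before a real login, so only
# repeated failures are reported.
sample_log | manager_401_by_ip 5
```

On a real server, feed the function the access log file instead of `sample_log` and tune the threshold to the window the file covers.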
Helpful information may be found here: https://serverfault.com/questions/244614/is-it-normal-to-get-hundreds-of-break-in-attempts-per-day
And how to check (on CentOS/RedHat):
Failed login attempts
grep 'sshd.*Invalid' /var/log/secure
Successful login attempts
grep 'sshd.*opened' /var/log/secure
To block users who make attempts every 15 seconds
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT
And a full report about auth
aureport
Additional info on tools is here
http://www.tecmint.com/5-best-practices-to-secure-and-protect-ssh-server/
And some security techniques are here
https://wiki.centos.org/HowTos/Network/SecuringSSH