Posted to users@tomcat.apache.org by "James H. H. Lampert" <ja...@touchtonecorp.com.INVALID> on 2021/12/10 16:25:28 UTC
Odd messages in catalina.out
Could anybody here shed some light on this message? A whole bunch of
them appeared in catalina.out.
WARNING [https-jsse-nio-443-exec-29]
org.apache.catalina.realm.LockOutRealm.filterLockedAccounts An attempt
was made to authenticate the locked user [user]
--
JHHL
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Odd messages in catalina.out
Posted by Christopher Schultz <ch...@christopherschultz.net>.
James,
On 12/10/21 11:52, James H. H. Lampert wrote:
> On 12/10/21 8:38 AM, Mark Thomas wrote:
> . . .
>> The messages are there to warn you that you might have a malicious
>> actor trying a brute force attack on your server.
>
> Can anybody point me to a good tutorial for constructing a regular
> expression for RemoteAddrValve?
>
>> allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"
>
> obviously can't work for a server that's incapable of running a browser
Anything can be a "browser", such as curl (a real HTTP client), telnet,
nc, or openssl s_client. No GUI is required; only an available network
connection.
> and at any rate, I can't make head or tail of the regular expression
> syntax in use here.
The regular expression is pretty simple: Tomcat checks that the client's
IP address "matches" the regular expression.
In the expression above, the | characters separate alternatives: any of
them could match, separately. The \ characters are escapes, turning a
"." (which usually means "any character") into a literal dot. So this
doesn't match if the client's IP address is (improbably) "127a1b1c1d1"
but only matches legitimate (for now[1]) "local" 127.x.y.z IPv4 addresses.
The addresses ::1 and 0:0:0:0:0:0:0:1 are aliases of each other and mean
"localhost". So the pattern above says "anyone local matches this."
Note that if you have any reverse-proxies in front of Tomcat, it's
vitally important that the client's *real* IP address is being forwarded
to Tomcat in a secure way. Otherwise, if you maybe had e.g. httpd
running on the same host as Tomcat, all requests might look like they
were coming "from" localhost instead of random.your.isp.net.
Hope that helps,
-chris
[1] https://www.ietf.org/id/draft-schoen-intarea-unicast-127-00.html
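Added example, not part of the original message and not Tomcat's own code: the allow pattern from the thread checked against constructed sample addresses, with Python's re.fullmatch standing in (as an assumption) for the whole-string match the valve performs. The unescaped variant, the sample addresses and the function names are constructed for illustration.

```python
import re

# The allow pattern quoted in the thread, and the same pattern with the
# dots left unescaped (constructed here for comparison).
ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"
UNESCAPED = r"127.\d+.\d+.\d+|::1|0:0:0:0:0:0:0:1"

def allowed(pattern: str, remote_addr: str) -> bool:
    """True when the whole address string matches one alternative.

    Assumption: the valve requires the entire string to match (as Java's
    Matcher.matches() does); re.fullmatch behaves the same for this pattern.
    """
    return re.fullmatch(pattern, remote_addr) is not None

# Constructed sample addresses, as plain strings handed to the matcher.
SAMPLES = [
    "127.0.0.1",          # IPv4 loopback
    "127.12.34.56",       # any 127.x.y.z matches
    "127.999.999.999",    # \d+ does not range-check octets
    "::1",                # IPv6 loopback, short form
    "0:0:0:0:0:0:0:1",    # IPv6 loopback, long form
    "0000:0000:0000:0000:0000:0000:0000:0001",  # same address, other spelling
    "127a1b1c1d1",        # the improbable string from the thread
    "127x0y0z1",          # accepted only when the dots are unescaped
    "127.0.0.1.example",  # valid prefix followed by extra text
    "203.0.113.7",        # documentation-range address, not local
]

def report(pattern: str) -> dict:
    """Map each sample address to the decision for the given pattern."""
    return {addr: allowed(pattern, addr) for addr in SAMPLES}

if __name__ == "__main__":
    escaped, loose = report(ALLOW), report(UNESCAPED)
    for addr in SAMPLES:
        print(f"{addr:42} allow={escaped[addr]!s:5} unescaped={loose[addr]}")
```

The match is textual, not address-aware: only the two IPv6 spellings listed in the pattern are accepted, and octet values are not range-checked.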
Re: Odd messages in catalina.out
Posted by "James H. H. Lampert" <ja...@touchtonecorp.com.INVALID>.
On 12/10/21 8:38 AM, Mark Thomas wrote:
. . .
> The messages are there to warn you that you might have a malicious actor
> trying a brute force attack on your server.
Can anybody point me to a good tutorial for constructing a regular
expression for RemoteAddrValve?
> allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"
obviously can't work for a server that's incapable of running a browser,
and at any rate, I can't make head or tail of the regular expression
syntax in use here.
--
JHHL
Re: Odd messages in catalina.out
Posted by Mark Thomas <ma...@apache.org>.
On 10/12/2021 16:25, James H. H. Lampert wrote:
> Could anybody here shed some light on this message? A whole bunch of
> them appeared in catalina.out.
>
> WARNING [https-jsse-nio-443-exec-29]
> org.apache.catalina.realm.LockOutRealm.filterLockedAccounts An attempt
> was made to authenticate the locked user [user]
Someone has got their authentication credentials wrong too many times in
a row and the LockOutRealm has locked them out. They need to stop trying
for 5 minutes (by default) and then try again with the correct password.
The user will have no idea what is going on as the response for "wrong
password" and "locked user" is identical.
The messages are there to warn you that you might have a malicious actor
trying a brute force attack on your server.
Mark