Tomcat – Locked Out of Tomcat Periodically


Every few days my Tomcat application breaks down. I can make requests, but anything requiring access to the MySQL database returns an error. I checked catalina.out and am seeing a lot of these:

Jan 26, 2016 4:25:15 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "admin"
Jan 26, 2016 4:25:15 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "root"
Jan 26, 2016 4:25:15 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "tomcat"

Always in that order, sometimes over and over again. If I restart the Tomcat server I'm good to go, but it will inevitably happen again, which is annoying because who knows how long things have been going haywire before I discovered it.

So how do I diagnose what's going on and how do I prevent it in the future? Everything I can find on Google leads to a brute force attack happening on Tomcat manager. How do I verify this is my case? And if so, is disabling the manager completely an option to prevent this?

Best Answer

Sounds like your Tomcat instance is open to the public and a script kiddy is coming along trying to brute-force logins.

You should see access attempts in your logs, assuming you are logging them.

You could restrict access to the manager by IP address. You could also change the URL to something the scripts aren't searching for. My favorite method is to use a VPN or SSH tunnel to gain access to the manager.
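One way to check the logs as the answer suggests, shown as an added example that is not part of the original question or answer: it counts 401 responses on the manager paths per client address and tallies the LockOutRealm warnings per username. It assumes the access log uses the AccessLogValve "common" pattern; the access log lines are constructed, and the function names and the threshold of 3 are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
ACCESS_SAMPLE = """\
203.0.113.7 - - [26/Jan/2016:04:25:14 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [26/Jan/2016:04:25:15 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [26/Jan/2016:04:25:15 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.20 - - [26/Jan/2016:04:26:02 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 5120
192.0.2.10 - - [26/Jan/2016:09:00:41 +0000] "GET /manager/html HTTP/1.1" 401 2473
"""

# catalina.out lines in the format quoted in the question
CATALINA_SAMPLE = """\
Jan 26, 2016 4:25:15 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "admin"
Jan 26, 2016 4:25:15 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "root"
Jan 26, 2016 4:25:15 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "tomcat"
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
LOCKED_RE = re.compile(r'authenticate the locked user "([^"]*)"')
ADMIN_PREFIXES = ("/manager", "/host-manager")  # Tomcat's bundled admin webapps

def failed_manager_logins(access_text):
    """Count 401 responses on the admin webapp paths, per client address."""
    hits = Counter()
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(3) == "401" and m.group(2).startswith(ADMIN_PREFIXES):
            hits[m.group(1)] += 1
    return hits

def locked_users(catalina_text):
    """Count LockOutRealm warnings per username."""
    return Counter(LOCKED_RE.findall(catalina_text))

def suspects(access_text, threshold=3):
    """Clients at or above the threshold of failed logins (threshold is an assumed value)."""
    counts = failed_manager_logins(access_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print("locked users:", dict(locked_users(CATALINA_SAMPLE)))
    print("failed manager logins:", dict(failed_manager_logins(ACCESS_SAMPLE)))
    print("suspect clients:", suspects(ACCESS_SAMPLE))
```

A browser's first unauthenticated request to the manager also returns 401, so a single 401 from an administrator's address is expected; repeated 401s from an unfamiliar address at the same timestamps as the LockOutRealm warnings are what confirm the brute-force explanation.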
