Tomcat Manager Attacks: 400 IPs in Coordinated Brute-Force Attack
Audio is streamed directly from the publisher (media.transistor.fm) as published in their RSS feed. Play Podcasts does not host this file. Rights-holders can request removal through the copyright & takedown page.
Show Notes
On June 5, 2025, GreyNoise flagged a massive spike in coordinated brute-force login attempts targeting Apache Tomcat Manager interfaces. Nearly 400 unique IP addresses, many traced back to DigitalOcean infrastructure, were involved in a widespread and opportunistic campaign. In this episode, we dissect the attack pattern, what makes Apache Tomcat a recurring target, and why this surge should be treated as an early warning signal—not just random noise.
We go deep into the authentication and configuration weaknesses that attackers exploit and walk through concrete hardening steps every Tomcat admin should implement—starting with strong password hashing (like Argon2id), multi-factor authentication, and locking down management interfaces. We also highlight specific Tomcat security configurations—from Realms and RemoteAddrValve tuning to disabling TRACE, SSLv3, and limiting directory listings.
The discussion also covers essential logging and incident response measures, such as setting up AccessLogValve, conducting regular log analysis, enabling secure session management, and building a living incident response plan. Whether you’re running a public-facing Tomcat server or managing multiple internal environments, this episode offers a focused breakdown of proactive defense strategies to secure against both opportunistic and targeted threats.
Tune in to learn how to defend your systems before they become someone else’s reconnaissance experiment.