I had someone try to guess the password to my Tomee-Plume server last night. Thankfully I changed the default password and the hacker only tried twice.
Note that there is no default password in current Tomcat versions.
Internet searches showed me how to stop other applications using the tomcat admin application. I want to stop just the Tomcat admin application not the whole server.
$ rm -rf webapps/manager
Or, if you want to be able to put it back:
$ mv webapps/manager .
That's if you have autodeployment enabled. If you don't, you'll have to use the manager to undeploy itself. Then you're stuck, because you can't re-deploy it.
A better solution might be to use the RemoteAddrValve to restrict access to the manager application to a select IP range. The default configuration for it (shipped disabled) in the manager/META-INF/context.xml restricts access to localhost, but it can easily be extended to your own local subnet e.g. "192\.168\.\d+\.\d+|10\.0\.\d+\.\d+", etc.
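
The RemoteAddrValve restriction described above, written out as an added example (not part of the original thread). It assumes the file is webapps/manager/META-INF/context.xml and that the Context attributes match the stock manager application; keep whatever attributes your own file already has.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- webapps/manager/META-INF/context.xml (assumed location) -->
<Context antiResourceLocking="false" privileged="true">

  <!-- Localhost only: IPv4 loopback plus both spellings of IPv6 loopback.
       Shown commented out for comparison with the extended rule below.
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
  -->

  <!-- Localhost plus the two private ranges named in the reply above.
       Notes:
       * "allow" is a java.util.regex pattern that must match the whole
         remote address, so every literal dot is escaped as \. and the
         alternatives are joined with |.
       * A client whose address does not match receives 403 before the
         login prompt is reached, so password guessing from outside the
         listed ranges never gets to the authentication step.
       * The valve sees the address of the TCP peer. Behind a reverse
         proxy that is the proxy's address, so allowing it would admit
         every client that comes through the proxy. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.\d+\.\d+|10\.0\.\d+\.\d+" />

</Context>
```

After redeploying, a request to the manager from an address outside the listed ranges should return 403, which is a quick way to confirm the valve is active.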