bryan wrote:

Hi all,

I don't know how many of you come from a systems administration/*nix background, but there is a really cool feature that you can use with Linux iptables (and yes, I know BSD is better ... yawn).


The feature is called portsentry, and what it does is this:

1) Creates listeners on a random series of unused server ports.

2) Waits for attackers to carry out a portscan and hit this predefined series of ports.

3) Dynamically creates a firewall rule that blocks access to the server from that IP address for a predetermined period of time, and logs the attempted portscan.


This is good because it slows down the attacker and alerts you to the fact that someone is reconnoitring your system.

So here are two things that I think would be cool, as in *really* cool.

Login throttling and realtime IP blacklisting (web app specific):

a) Count the number of login attempts for a username and IP address.

b) If they exceed a certain number in a certain period, block all HTTP logon attempts from that IP address for a predetermined period of time (1 hour) and notify the administrator.

Login throttling and realtime IP blacklisting (server based):

a) Create a JNI library that interfaces with Linux's built-in iptables or portsentry libraries.

b) Count the number of login attempts for a username and IP address.

c) If they exceed a certain number in a certain period, call the portsentry/iptables module and do a systemwide block on their IP address for whatever the systemwide configured block time happens to be.


I know there are people who hate portsentry in the sysadmin community, but equally there are those who love it (including me).

Ben, do you have any thoughts on something like this? Incidentally, I am working on my Hibernate-based authentication DAO and it is going well.


If anyone was interested in developing the Java side of things, I would be more than happy to build the JNI implementation, as I think it would be a very popular feature in enterprise installations.

--b




The hooks to achieve this already exist via the net.sf.acegisecurity.providers.dao.event package. One could write a listener which maintains an in-memory and/or database-persisted list of problematic IP addresses. A subclass of DaoAuthenticationProvider which overrides isPasswordCorrect(Authentication, UserDetails) could consult the problematic IP address list and return false if appropriate. Alternatively, if a DisabledException is adequate, the AuthenticationDao could perform this check and return a UserDetails which has an enabled=false property. The listener could also interface with the JNI library and/or other operating system level security libraries as required.

Ben
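The following is an added sketch of the web-app variant bryan proposes (count failures per username and IP, then block the IP for a fixed period), wired up through the hooks Ben names. It is editor-supplied example code, not code from the Acegi project or from either poster. It assumes: the `AuthenticationFailurePasswordEvent` class in `net.sf.acegisecurity.providers.dao.event` with an inherited `getAuthentication()` accessor (as in the Acegi 0.x releases of this period; check the version you run), and that the web layer has placed the client address into the `Authentication`'s details as a `String`, which is an assumption made by the `clientAddress` helper and will need adapting. The threshold, window and block duration are constructor parameters chosen by the deployer.

```java
import java.util.HashMap;
import java.util.LinkedList;
import java.util.Map;

import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.UserDetails;
import net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider;
import net.sf.acegisecurity.providers.dao.event.AuthenticationFailurePasswordEvent;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;

/**
 * Counts failed logins per (username, client IP) in a sliding window and, once
 * the count exceeds the threshold, blocks every login from that IP until the
 * block expires. Plain Java so it can be unit-tested without a container; the
 * caller passes "now" so tests do not depend on the wall clock.
 */
public class LoginThrottle {
    private final int maxFailures;
    private final long windowMillis;
    private final long blockMillis;
    private final Map<String, LinkedList<Long>> failures = new HashMap<String, LinkedList<Long>>();
    private final Map<String, Long> blockedIps = new HashMap<String, Long>();

    public LoginThrottle(int maxFailures, long windowMillis, long blockMillis) {
        this.maxFailures = maxFailures;
        this.windowMillis = windowMillis;
        this.blockMillis = blockMillis;
    }

    /** Records one failure; returns true when this failure started an IP block. */
    public synchronized boolean recordFailure(String username, String ip, long now) {
        String key = username + "@" + ip;
        LinkedList<Long> times = failures.get(key);
        if (times == null) {
            times = new LinkedList<Long>();
            failures.put(key, times);
        }
        times.addLast(now);
        // Forget failures that have aged out of the window.
        while (!times.isEmpty() && times.getFirst() < now - windowMillis) {
            times.removeFirst();
        }
        if (times.size() > maxFailures) {
            blockedIps.put(ip, now + blockMillis);
            failures.remove(key);
            return true;
        }
        return false;
    }

    /** True while a block on this IP is in force; an expired block is dropped. */
    public synchronized boolean isBlocked(String ip, long now) {
        Long until = blockedIps.get(ip);
        if (until == null) {
            return false;
        }
        if (until <= now) {
            blockedIps.remove(ip);
            return false;
        }
        return true;
    }

    /** Assumption: the web layer stored the client address in the details as a String. */
    static String clientAddress(Authentication authentication) {
        Object details = authentication.getDetails();
        return details == null ? "unknown" : details.toString();
    }
}

/** Feeds the bad-password events DaoAuthenticationProvider publishes into the throttle. */
class ThrottlingListener implements ApplicationListener {
    private final LoginThrottle throttle;

    ThrottlingListener(LoginThrottle throttle) {
        this.throttle = throttle;
    }

    public void onApplicationEvent(ApplicationEvent event) {
        if (!(event instanceof AuthenticationFailurePasswordEvent)) {
            return;
        }
        Authentication auth = ((AuthenticationFailurePasswordEvent) event).getAuthentication();
        String username = String.valueOf(auth.getPrincipal());
        String ip = LoginThrottle.clientAddress(auth);
        if (throttle.recordFailure(username, ip, System.currentTimeMillis())) {
            // A block just started: notify the administrator (mail, syslog), or hand the
            // address to the OS-level firewall hook bryan describes. Left to the deployer.
        }
    }
}

/** Skips the password check entirely while the client IP is blocked. */
class ThrottlingDaoAuthenticationProvider extends DaoAuthenticationProvider {
    private LoginThrottle throttle;

    public void setThrottle(LoginThrottle throttle) {
        this.throttle = throttle;
    }

    protected boolean isPasswordCorrect(Authentication authentication, UserDetails user) {
        if (throttle.isBlocked(LoginThrottle.clientAddress(authentication), System.currentTimeMillis())) {
            // Surfaces as an ordinary bad-credentials failure, so the response does not reveal the block.
            return false;
        }
        return super.isPasswordCorrect(authentication, user);
    }
}
```

Two things to decide before deploying something like this. First, a refused attempt during a block still raises a failure event and is still counted, so a persistent attacker keeps extending the block; if the fixed one-hour period bryan proposes is what you want, have the listener skip `recordFailure` while `isBlocked` is true. Second, blocking by source IP is itself a denial-of-service lever: many users behind one NAT or proxy share an address, and for the iptables variant the address you block must be the real peer address, never a client-supplied header such as `X-Forwarded-For`.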


Acegisecurity-developer mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
