In my case, the server is controlled via a shell interface.

Statistical data is gathered for every connection, such as BadLoginAttempts,
FailedCommands, SuccessFullCommands, AccessDeniedCount, etc.

With these in hand, it's easy to know which are bad clients.

I don't think that permanently banning is something nice. Maybe one hour?
Until the server restarts?
Just nothing permanent, or at least make it permanent in extreme cases (for
the exxxxtreme cases).

Rodrigo

On 6/22/07, Mark Webb <[EMAIL PROTECTED]> wrote:

I guess we would have to figure out how to detect if a client is bad.  In my
example, if a connection is dropped and that IP address is sent to the
blacklist, then you would never let that IP address back in?  Seems a little
extreme to me.  I might need to know more about your program I guess.

On 6/22/07, Rodrigo Madera <[EMAIL PROTECTED]> wrote:
>
> In my application I need something like this.
>
> If the clients are detected to be "bad", then they will be sent to the
> blacklist.
>
> This would be a great plus for MINA.
>
> Regards,
> Rodrigo
>
> On 6/22/07, Mark Webb <[EMAIL PROTECTED]> wrote:
> >
> > This is what I was thinking.  I will create a JIRA entry and add this code
> > in....
> >
> > --START--------------------------------------------
> > import java.net.InetSocketAddress;
> > import java.net.SocketAddress;
> >
> > import org.apache.mina.common.IoFilterAdapter;
> > import org.apache.mina.common.IoSession;
> > import org.apache.mina.util.ExpiringMap;
> > import org.apache.mina.util.SessionLog;
> >
> > public class ConnThrottleFilter extends IoFilterAdapter {
> >     private static final long DEFAULT_TIME = 1000;
> >     private long waitTime;
> >     private final ExpiringMap<String,Long> clients;
> >
> >     public ConnThrottleFilter() {
> >         this( DEFAULT_TIME );
> >     }
> >
> >     public ConnThrottleFilter( long millis ){
> >         this.waitTime = millis;
> >         clients = new ExpiringMap<String,Long>(60);
> >     }
> >
> >     public void setWaitTime(long waitTime) {
> >         this.waitTime = waitTime;
> >     }
> >
> >     private synchronized boolean isConnectionOk( IoSession session ){
> >         SocketAddress remoteAddress = session.getRemoteAddress();
> >         if( remoteAddress instanceof InetSocketAddress )
> >         {
> >             long now = System.currentTimeMillis();
> >             InetSocketAddress addr = (InetSocketAddress)remoteAddress;
> >             String host = addr.getAddress().getHostAddress();
> >             // Time of the previous connection from this address, or
> >             // null if none is on record (first seen, or entry expired).
> >             Long time = clients.get(host);
> >             // Record this attempt so the next one is measured from it.
> >             clients.put( host, now );
> >             // Allow a first connection, or one that arrives more than
> >             // waitTime ms after the previous one.
> >             return time == null || (now-time) > waitTime;
> >         }
> >
> >         return false;
> >     }
> >
> >     @Override
> >     public void sessionCreated(NextFilter nextFilter, IoSession session)
> >             throws Exception {
> >         if( ! isConnectionOk(session)){
> >              SessionLog.info( session, "Connections coming in too fast; closing." );
> >              session.close();
> >              return;
> >         }
> >         // Accepted: pass the event on to the rest of the filter chain.
> >         nextFilter.sessionCreated(session);
> >     }
> > }
> > --END--------------------------------------------------------
> >
> > On 6/22/07, Norman Maurer <[EMAIL PROTECTED]> wrote:
> > >
> > > Hi Mat,
> > >
> > > it depends on your protocol. You should think about how many connects are
> > > expected ;-)
> > >
> > > bye
> > > Norman
> > >
> > > On Fri, 22 Jun 2007 15:15:29 +0800, mat <[EMAIL PROTECTED]> wrote:
> > > > Can you give some idea what the configured time could be?
> > > >
> > > > On 6/22/07, Norman Maurer <[EMAIL PROTECTED]> wrote:
> > > >>
> > > >> You could write an IOFilter which limits the connections per IP in a
> > > >> configured time. I did the same in a project for limiting the connections
> > > >> per time on a smtpserver.
> > > >>
> > > >> Bye
> > > >> Norman
> > > >>
> > > >>
> > > >> On Fri, 22 Jun 2007 14:16:53 +0800, mat <[EMAIL PROTECTED]> wrote:
> > > >> > Thanks. My concern is what if some clients write a loop that keeps opening
> > > >> > socket connections and my server keeps accepting, and eventually the mina core
> > > >> > will reject any new connections. Is that possible to happen? Correct me if I am
> > > >> > wrong,
> > > >> >
> > > >> > On 6/22/07, 凌晨 <[EMAIL PROTECTED]> wrote:
> > > >> >>
> > > >> >> Dear mat:
> > > >> >>    I think you should implement your own handler to detect this kind of
> > > >> >> connections from time to time then kill them all.
> > > >> >> You send some detecting packets to these connected connections; no
> > > >> >> response, no connection.
> > > >> >> Best Wishes
> > > >> >>
> > > >> >> ----- Original Message -----
> > > >> >> From: "Mark Webb" <[EMAIL PROTECTED]>
> > > >> >> To: <dev@mina.apache.org>
> > > >> >> Sent: Friday, June 22, 2007 8:56 AM
> > > >> >> Subject: Re: malicious client
> > > >> >>
> > > >> >>
> > > >> >> > maybe a variant of the throttle filter which only allows one connection per
> > > >> >> > IP at a time.
> > > >> >> >
> > > >> >> > On 6/21/07, mat <[EMAIL PROTECTED]> wrote:
> > > >> >> >>
> > > >> >> >> Thanks. But how should I set the TIMEOUT since the malicious client could
> > > >> >> >> connect by programming a loop, couldn't he?
> > > >> >> >>
> > > >> >> >> 2007/6/21, Mark Webb <[EMAIL PROTECTED]>:
> > > >> >> >> >
> > > >> >> >> > an IoFilter could probably work.  This is related to the filter work that
> > > >> >> >> > was discussed a while back that dealt with heartbeats.
> > > >> >> >> >
> > > >> >> >> > On 6/21/07, Julien Vermillard <[EMAIL PROTECTED]> wrote:
> > > >> >> >> > >
> > > >> >> >> > > On Thu, 21 Jun 2007 20:46:55 +0800
> > > >> >> >> > > mat <[EMAIL PROTECTED]> wrote:
> > > >> >> >> > >
> > > >> >> >> > > > I wonder whether any function could prevent Mina from a malicious
> > > >> >> >> > > > client attacking by opening connections and not sending any data. If
> > > >> >> >> > > > NOT, how could I do? Thanks.
> > > >> >> >> > >
> > > >> >> >> > > Hi,
> > > >> >> >> > >
> > > >> >> >> > > Just detect IDLEness, in your IoHandler sessionIdle.
> > > >> >> >> > > If a client doesn't send enough data, close it.
> > > >> >> >> > >
> > > >> >> >> > > HTH
> > > >> >> >> > >
> > > >> >> >> > > Julien
> > > >> >> >> > >
> > > >> >> >> >
> > > >> >> >> >
> > > >> >> >> >
> > > >> >> >> > --
> > > >> >> >> > ..Cheers
> > > >> >> >> > Mark
> > > >> >> >> >
> > > >> >> >>
> > > >> >> >
> > > >> >> >
> > > >> >> >
> > > >> >> > --
> > > >> >> > ..Cheers
> > > >> >> > Mark
> > > >> >> >
> > > >> >
> > > >> >
> > > >> >
> > > >> >
> > > >> >
> > > >>
> > > >>
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
> > --
> > ..Cheers
> > Mark
> >
>



--
..Cheers
Mark
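
Added example, not part of the original thread and not MINA code: a time-limited blacklist of the kind discussed above, where an address is banned for a fixed period (one hour here) once its per-connection counters cross a threshold, and is let back in when the ban expires. The class name, thresholds and sample address are assumptions made for illustration; only the counter names BadLoginAttempts and AccessDeniedCount come from the thread.

```java
import java.net.InetAddress;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Time-limited blacklist keyed by client address (hypothetical helper). */
public class TempBlacklist {
    private final long banMillis;    // how long a ban lasts
    private final int maxBadLogins;  // threshold for BadLoginAttempts
    private final int maxDenied;     // threshold for AccessDeniedCount
    private final Map<InetAddress, Long> bannedUntil = new ConcurrentHashMap<>();

    public TempBlacklist(long banMillis, int maxBadLogins, int maxDenied) {
        this.banMillis = banMillis;
        this.maxBadLogins = maxBadLogins;
        this.maxDenied = maxDenied;
    }

    /** Feed in the counters gathered for one connection; returns true if it caused a ban. */
    public boolean report(InetAddress addr, int badLoginAttempts,
                          int accessDeniedCount, long now) {
        if (badLoginAttempts >= maxBadLogins || accessDeniedCount >= maxDenied) {
            // If the address is already banned, keep whichever expiry is later.
            bannedUntil.merge(addr, now + banMillis, Long::max);
            return true;
        }
        return false;
    }

    /** Check on accept; true means the new connection should be closed. */
    public boolean isBanned(InetAddress addr, long now) {
        Long until = bannedUntil.get(addr);
        if (until == null) {
            return false;
        }
        if (now >= until) {
            bannedUntil.remove(addr, until); // ban expired: forget the address
            return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        TempBlacklist blacklist = new TempBlacklist(3_600_000L, 5, 10);
        InetAddress client = InetAddress.getByName("192.0.2.10"); // constructed sample
        long t0 = System.currentTimeMillis();
        blacklist.report(client, 7, 0, t0); // 7 bad logins crosses the threshold of 5
        System.out.println("after 1 minute: " + blacklist.isBanned(client, t0 + 60_000L));
        System.out.println("after 1 hour:   " + blacklist.isBanned(client, t0 + 3_600_000L));
    }
}
```

In a filter like the one quoted above, `isBanned` would be consulted in `sessionCreated` and `report` called when the session closes.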
