Re: JK2 Connector and denial of service attacks
At 10:36 PM 29/03/2004, you wrote: Henri Gomez wrote: Steve Spicer wrote: On standard install it doesn't. I'm not sure why but it still seems the JK connector is connecting to tomcat even though the access checker hook is returning a 403. Any ideas? I will make some tests on it. I make some tests and I didn't see such problems. The first request to http://mymachine/examples/ were forwarded to tomcat, but the rest was forbideen (403) by mod_dosevasive. I used test.pl provided in mod_dosevasise. Same thing with ab (ApacheBench). So what's your problem ? Although I get 403 status it still seems to be spawning lots of HTTPD's and tomcat takes cpu time, surely if the 403 worked the extra HTTPD would not spwan and tomcat would be unaffected? Im beginning to think I have some config issues, I'll check them all out and get back if theres still an issue. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: JK2 Connector and denial of service attacks
I agree to your point that DoS protection is out of the scope of the connector, I figured though that it would automatically protect tomcat against such attacks in the common httpd / tomcat / jk2 configuration, I'm not sure if I was a clutz in missing this need for protection, if so then this point is probably irrelevent, but if im not then I think its a very important issue. Perhaps it would be better solved with a document included within JK2 detailing the necessity of such protection and how to configure it? At 05:17 PM 29/03/2004, you wrote: Steve Spicer wrote: Hey, I've been having some serious problems with brute force denail of service attacks on httpd with tomcat 4 and jk2. After sitting down and working out the desired point of redirection I found the mod_dos module which effectively refuses traffic for these attacks, however after installing this module with JK2 tomcat is still activated for some reason on these repeat requests - I suspected it was the order in which the modules were created but couldn't find an config solution. So I merged the mod_dos module with the JK2 module - the result is an out-of-the-box jk2 module that inherits all of the benefits of the anti-DoS module. If this is considered to be useful (and within the scope) of the JK2 project please let me know! From what I see in mod_dosevasive 1.8, this module only use access_checker hook: ap_hook_access_checker(access_checker, NULL, NULL, APR_HOOK_MIDDLE); Well I'm not sure we should implement mod_dosevasive in jk or jk2, since it's not their 'core' business to handle protection about DOS. But we should garantee that mod_dosevasive and jk/jk2 will works together. There is no real order in such case, since we're not using the same hooks. Gleen and Mladen what's your opinions ? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: JK2 Connector and denial of service attacks
On standard install it doesn't. I'm not sure why but it still seems the JK connector is connecting to tomcat even though the access checker hook is returning a 403. Any ideas? At 09:51 PM 29/03/2004, you wrote: Steve Spicer wrote: I agree to your point that DoS protection is out of the scope of the connector, I figured though that it would automatically protect tomcat against such attacks in the common httpd / tomcat / jk2 configuration, I'm not sure if I was a clutz in missing this need for protection, if so then this point is probably irrelevent, but if im not then I think its a very important issue. Perhaps it would be better solved with a document included within JK2 detailing the necessity of such protection and how to configure it? Of course, this document would be helpfull if there is special settings. BTW, I wonder if jk2 2.0.4 works or not with mod_dos ? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
JK2 Connector and denial of service attacks
Hey, I've been having some serious problems with brute force denail of service attacks on httpd with tomcat 4 and jk2. After sitting down and working out the desired point of redirection I found the mod_dos module which effectively refuses traffic for these attacks, however after installing this module with JK2 tomcat is still activated for some reason on these repeat requests - I suspected it was the order in which the modules were created but couldn't find an config solution. So I merged the mod_dos module with the JK2 module - the result is an out-of-the-box jk2 module that inherits all of the benefits of the anti-DoS module. If this is considered to be useful (and within the scope) of the JK2 project please let me know! Thanks, Steve Spicer. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: mod_jk.so build problems with SunOS 5.6
I had the exact same problem, opening apxs up in vi noticed it was just a perl script.. after installing mod_ssl, the script had been "recompiled" and needed the linker name and parameters (-G) putting back in! (Lines 78 79) my $CFG_LD_SHLIB = q(); # substituted via Makefile.tmpl my $CFG_LDFLAGS_SHLIB = q(); # substituted via Makefile.tmpl If they look like that, change them to: my $CFG_LD_SHLIB = q(ld); # substituted via Makefile.tmpl my $CFG_LDFLAGS_SHLIB = q(-G); # substituted via Makefile.tmpl and try that! --- Snip sorry.I don't know more UNIX so I don't know how can I do when I got error message. my work station: Solaris 2.6 Apache1.3.14 TOMCAT3.2.1 what I done: apxs -o mod_jk.so -DSOLARIS -I../jk -I${JAVA_HOME}/include -I${JAVA_HOME}/include/so laris -L/lib -lposix4 -c *.c ../jk/*.c and I get error apxs:Break: Command failed with rc=255 but the object jk*.o is done when I do apxs.so I use gcc -o mod_jk.so jk_worker.o jk_util.o jk_uri_worker_map.o jk_sockbuf.o jk_pool. o jk_nwmain.o jk_msg_buff.o jk_map.o jk_lb_worker.o jk_jni_worker.o jk_connect.o jk_ajp13_worker.o jk_ajp13.o jk_ajp12_worker.o mod_jk.o$ to link object for doing my mod_jk.so but I get one error message too jk_jni_worker.o(the symbol is depend /usr/lib/libdl.so.1 tacitly) - Original Message - ??? : "James Courtney" [EMAIL PROTECTED] ?? : [EMAIL PROTECTED] CC : [EMAIL PROTECTED] : 2001?1?30? 4:32 ?? : RE: mod_jk.so build problems with SunOS 5.6 Here's a makefile that's been working for me on Solaris 2.7. -Jamey -Original Message- From: Timothy S. Tsai [mailto:[EMAIL PROTECTED]] Sent: Monday, January 29, 2001 8:03 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: mod_jk.so build problems with SunOS 5.6 Hello, Has anyone gotten an answer for this post? I ran into the same problem also. tt At 03:45 PM 1/29/01 +0900, you wrote: hi, I failed to build mod_jk.so.what can tell me how can I do. I get a error message when I use apxs -o mod_jk.so jk_worker.o jk_util.o jk_uri_worker_map.o jk_sockbuf.o jk_pool.o jk_nwmain.o jk_msg_buff.o jk_map.o jk_lb_worker.o jk_jni_worker.o jk_connect.o j k_ajp13_worker.o jk_ajp13.o jk_ajp12_worker.o mod_jk.o -lrt apxs:Break: Command failed with rc=255 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED] Steve Spicer Systems Manager -- IT Worldwide | http://www.itworldwide.net Providing Internet Services | [EMAIL PROTECTED] Integration and Innovation | +44 020 8597 8901 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]