Hi Chris, Maurice,

Thanks for the replies.

Was hoping someone would have already done something as I am under a pretty tight deadline. Don't think the denyhosts route will be a goer as hosts.deny will only be writeable as root and I don't want to have to run tomcat as root, change permissions, or step outside the process. Might look at that for my personal firewall though, good idea that. Will look at putting something together further down the track to handle this. Does anyone know if any of the other JWSs handle this issue?

Simon

On 7/29/06, Maurice Yarrow <[EMAIL PROTECTED]> wrote:
> Simon, Chris
>
> If you write your own mechanism, you might want to take a look at the configuration script for "DenyHosts", which is a highly configurable tool for port blocking (via mods to /etc/hosts.deny) of sshd upon too-many failed attempts in a given time interval. This is similar to what you are planning. Helpful to look at what they support (look at their "denyhosts.cfg", initially, denyhosts.cfg-dist) in the way of resetting of failed-count upon successful ssh login within permitted interval, purging of denied hosts after configurable interval, etc.
>
> And by the way, I have had their denyhosts stuff running for nearly a week now, and it has handled sshd port 22 attacks quite well, which have dwindled significantly as a result. This has led me to conjecture that the attacks are from a community of attackers who work kind of like the [EMAIL PROTECTED] by applying all their CPU resources to a common set of targets. Now that their attack tools have had connection-refused after 5 attempts, their tool has struck my address off their list as being non-fruitful. Just a conjecture, anyway.
>
> Maurice Yarrow
>
> Christopher Schultz wrote:
> > Simon,
> >
> > > Has anyone done anything with tomcat authorisation to configure in a maximum number of retries before an address/account is blocked.
> >
> > I'm pretty sure that Tomcat's authentication system does not support this feature. You could probably write your own authenticator to track that kind of thing.
> >
> > I am going to be adding the same type of feature to an authenticator I wrote to be used with securityfilter (http://securityfilter.sourceforge.net/). My plan is to use something like a synchronized time-sensitive cache of login failures (probably something from the commons-collections package such as LRUMap) to store login failures (keyed on username). I'll probably do the same thing with remote IP address as well (3 failures from the same IP will block future logins).
> >
> > The only trick is expiring entries ;)
> >
> > Let me know if you have any better ideas. I'd love to hear about them.
> >
> > -chris
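A minimal version of the synchronized, time-sensitive failure cache Chris describes, with the per-key reset on success and the expiry of old entries that Maurice points to in DenyHosts. This is an added example, not code from the thread or from securityfilter; it assumes the caller passes epoch-millisecond timestamps and uses a plain HashMap with explicit expiry instead of commons-collections' LRUMap.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

/** Counts login failures per key ("user:alice" or "ip:203.0.113.7") in a sliding window. */
public class LoginFailureTracker {
    private final int maxFailures;    // failures tolerated inside the window
    private final long windowMillis;  // how long one failure counts against a key
    private final Map<String, Deque<Long>> failures = new HashMap<>();

    public LoginFailureTracker(int maxFailures, long windowMillis) {
        this.maxFailures = maxFailures;
        this.windowMillis = windowMillis;
    }
    /** Drop timestamps older than the window; true if nothing is left for the key. */
    private boolean expire(Deque<Long> stamps, long now) {
        while (!stamps.isEmpty() && now - stamps.peekFirst() >= windowMillis) {
            stamps.pollFirst();
        }
        return stamps.isEmpty();
    }
    /** Record one failed attempt against a key at time now (epoch millis). */
    public synchronized void recordFailure(String key, long now) {
        Deque<Long> stamps = failures.computeIfAbsent(key, k -> new ArrayDeque<>());
        expire(stamps, now);
        stamps.addLast(now);
    }
    /** A successful login resets the count for that key, like DenyHosts does for ssh. */
    public synchronized void recordSuccess(String key) {
        failures.remove(key);
    }
    /** Blocked once maxFailures attempts fall inside the window; stale entries are purged first. */
    public synchronized boolean isBlocked(String key, long now) {
        Deque<Long> stamps = failures.get(key);
        if (stamps == null) return false;
        if (expire(stamps, now)) { failures.remove(key); return false; }
        return stamps.size() >= maxFailures;
    }
    /** Periodic sweep so keys that are never looked up again do not leak memory. */
    public synchronized void sweep(long now) {
        Iterator<Deque<Long>> it = failures.values().iterator();
        while (it.hasNext()) {
            if (expire(it.next(), now)) it.remove();
        }
    }
}
```

In an authenticator, check isBlocked for both the "user:" and "ip:" keys before verifying the password, call recordFailure on both keys after a bad password and recordSuccess after a good one, and run sweep from a background timer. Keep in mind that blocking on the remote IP alone can lock out every user behind a shared NAT or proxy, so the IP threshold usually deserves a looser limit than the per-username one.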