Return-Path:
Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-dev@jakarta.apache.org
Received: (qmail 65255 invoked from network); 5 Mar 2001 06:46:08 -0000
Received: from dnai-216-15-97-206.cust.dnai.com (HELO betaversion.org) (216.15.97.206) by h31.sny.collab.net with SMTP; 5 Mar 2001 06:46:08 -0000
Received: from [192.168.1.100] ([192.168.1.100]) by betaversion.org (8.9.3+Sun/8.9.3) with ESMTP id WAA17641 for ; Sun, 4 Mar 2001 22:50:25 -0800 (PST)
User-Agent: Microsoft-Entourage/9.0.2509
Date: Sun, 04 Mar 2001 22:46:27 -0800
Subject: Re: Restricting Access to Tomcat 3.x and Tomcat 4.0 Connectors
From: "Pier P. Fumagalli"
To:
Message-ID:
In-Reply-To: <3AA3060D.1C01C492@shore.net>
Mime-version: 1.0
Organization: Apache Software Foundation
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
X-Spam-Rating: h31.sny.collab.net 1.6.2 0/1000/N

Dan Milstein wrote:
>
> The spec for the Ajp2.1 (which was not, AFAIK, ever implemented) has an
> excellent section discussing "Security Hazards". Anyone interested can
> check that out at:
>
> http://java.apache.org/jserv/protocol/AJPv21.html

Hehehe :) I was one of the co-authors of that spec :) (Nice to see when
someone pulls out a work from the past and says it contains "excellent"
pointers)....

To deny DOS attacks, I suggest using kernel-level IP filtering packages (such
as the IPF package for Solaris/*BSD or IPCHAINS for Linux - or whatever its
name is today). They work pretty well, try to connect to port 8080 on
kali.betaversion.org :) :) :) (Tomcat is running with the default HTTP
connector, but its access is restricted to only 127.0.0.1 and 192.168.1.* if
it comes from the right Ethernet interface :)

Pier

--
----------------------------------------------------------------------------
Pier Fumagalli
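The access policy Pier describes (the Tomcat HTTP connector on port 8080 reachable only from 127.0.0.1 and 192.168.1.* when the packet arrives on the expected interface) modelled as a first-match rule list, so the effect of the interface constraint can be checked offline. This is an added example, not code from the original message, from Tomcat, or from IPF/ipchains; the interface names lo0/hme0/hme1 and the test addresses are assumptions, and only the Tomcat port is modelled (other traffic falls through to the default action).

```python
"""First-match packet-filter model of a host policy that exposes port 8080
only to loopback and to 192.168.1.0/24 arriving on the internal interface.

Added illustration; interface names and addresses are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet was received on
    src: IPv4Address      # source address as seen by the kernel
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                       # "ACCEPT" or "DENY"
    iface: Optional[str] = None       # None matches any interface
    src: Optional[IPv4Network] = None  # None matches any source
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        """Every field that is set must match; unset fields are wildcards."""
        return (
            (self.iface is None or self.iface == pkt.iface)
            and (self.src is None or pkt.src in self.src)
            and (self.dst_port is None or self.dst_port == pkt.dst_port)
            and (self.proto is None or self.proto == pkt.proto)
        )


def evaluate(rules: List[Rule], pkt: Packet, default: str = "ACCEPT") -> str:
    """First matching rule decides (ipchains semantics; IPF needs `quick`
    for the same behaviour). Traffic no rule covers gets `default`."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


TOMCAT_PORT = 8080

# Hypothetical interface names: lo0 = loopback, hme0 = internal LAN,
# anything else (e.g. hme1) = the Internet-facing side.
POLICY = [
    Rule("ACCEPT", iface="lo0", src=ip_network("127.0.0.1/32"),
         dst_port=TOMCAT_PORT, proto="tcp"),
    Rule("ACCEPT", iface="hme0", src=ip_network("192.168.1.0/24"),
         dst_port=TOMCAT_PORT, proto="tcp"),
    # Catch-all for the Tomcat port: anything not accepted above is dropped,
    # including a 192.168.1.x source that shows up on the wrong interface.
    Rule("DENY", dst_port=TOMCAT_PORT, proto="tcp"),
]


def check(iface: str, src: str, port: int = TOMCAT_PORT) -> str:
    """Decision for a TCP SYN from `src` on `iface` to `port`."""
    return evaluate(POLICY, Packet(iface=iface, src=ip_address(src), dst_port=port))


if __name__ == "__main__":
    # Constructed sample arrivals; 203.0.113.0/24 is a documentation range.
    for iface, src in [("lo0", "127.0.0.1"), ("hme0", "192.168.1.42"),
                       ("hme1", "192.168.1.42"), ("hme1", "203.0.113.5")]:
        print(f"{iface:5} {src:15} -> {check(iface, src)}")
```

The third sample is the case the interface check exists for: a packet carrying an internal-looking source address but arriving on the external interface is denied, which a pure address allow-list would not catch.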