tomcat-users mailing list archives

From Maurice Yarrow <yar...@best.com>
Subject Re: Password retries
Date Fri, 28 Jul 2006 18:42:23 GMT
Simon, Chris

If you write your own mechanism, you might want to take a look
at the configuration script for "DenyHosts", which is a highly
configurable tool for port blocking (via mods to /etc/hosts.deny)
of sshd upon too-many failed attempts in a given time interval.
This is similar to what you are planning.  Helpful to look at what
they support (look at their "denyhosts.cfg", initially,
denyhosts.cfg-dist) in the way of resetting of failed-count upon
successful ssh login within permitted interval, purging
of denied hosts after configurable interval, etc.

And by the way, I have had their denyhosts stuff running for
nearly a week now, and it has handled sshd port 22 attacks
quite well, which have dwindled significantly as a result.
This has led me to conjecture that the attacks are from a
community of attackers who work kind of like the SETI@home
by applying all their cpu resources to a common set of
targets.  Now that their attack tools have had connection-
refused after 5 attempts, their tool has struck my address
off their list as being non-fruitful.  Just a conjecture, anyway.

Maurice Yarrow


Christopher Schultz wrote:

>Simon,
>
>>Has anyone done anything with tomcat authorisation to configure in a
>>maximum number of retries before an address/account is blocked.
>
>I'm pretty sure that Tomcat's authentication system does not support
>this feature. You could probably write your own authenticator to track
>that kind of thing.
>
>I am going to be adding the same type of feature to an authenticator I
>wrote to be used with securityfilter
>(http://securityfilter.sourceforge.net/). My plan is to use something
>like a synchronized time-sensitive cache of login failures (probably
>something from the commons-collections package such as LRUMap) to store
>login failures (keyed on username). I'll probably do the same thing with
>remote IP address as well (3 failures from the same IP will block future
>logins). The only trick is expiring entries ;)
>
>Let me know if you have any better ideas. I'd love to hear about them.
>
>-chris



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
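The design sketched in the thread (a time-sensitive cache of login failures keyed on username and on remote IP, a threshold of 3, a reset on successful login as DenyHosts does, and the "trick" of expiring entries) as a self-contained Java class. This is an added example, not code from the thread, from securityfilter or from DenyHosts; the class name `LoginFailureTracker`, its methods, the 3-failures / 10-minute window / 15-minute lockout numbers in `main` and the sample user and address are all constructed for illustration. Time is passed in as a `long` so the logic can be exercised without waiting for a clock.

```java
import java.time.Duration;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Tracks failed logins per key (a username or a remote IP address) inside a
 * sliding time window and locks the key out once the threshold is reached.
 * Hypothetical example class; an authenticator would consult isBlocked()
 * before attempting authentication and call recordFailure()/recordSuccess()
 * with the outcome.
 */
public final class LoginFailureTracker {

    /** Per-key state: timestamps of recent failures plus an optional lockout. */
    private static final class Entry {
        final Deque<Long> failures = new ArrayDeque<>();
        long lockedUntil = 0L;
    }

    private final int maxFailures;
    private final long windowMillis;
    private final long lockoutMillis;
    private final Map<String, Entry> entries = new ConcurrentHashMap<>();

    public LoginFailureTracker(int maxFailures, Duration window, Duration lockout) {
        this.maxFailures = maxFailures;
        this.windowMillis = window.toMillis();
        this.lockoutMillis = lockout.toMillis();
    }

    /** True if the key is locked out at time {@code now} (epoch millis). */
    public boolean isBlocked(String key, long now) {
        Entry e = entries.get(key);
        if (e == null) return false;
        synchronized (e) {
            return e.lockedUntil > now;
        }
    }

    /** Records a failed attempt; returns true if this failure starts a lockout. */
    public boolean recordFailure(String key, long now) {
        Entry e = entries.computeIfAbsent(key, k -> new Entry());
        synchronized (e) {
            // Drop failures that have fallen out of the sliding window.
            while (!e.failures.isEmpty() && e.failures.peekFirst() <= now - windowMillis) {
                e.failures.pollFirst();
            }
            e.failures.addLast(now);
            if (e.failures.size() >= maxFailures) {
                e.lockedUntil = now + lockoutMillis;
                e.failures.clear(); // the lockout itself now carries the state
                return true;
            }
            return false;
        }
    }

    /** A successful login resets the failure count, as DenyHosts does for ssh. */
    public void recordSuccess(String key) {
        entries.remove(key);
    }

    /**
     * Expires stale entries so the map cannot grow without bound; meant to be
     * called periodically (e.g. from a background thread). Returns the number removed.
     */
    public int purge(long now) {
        int removed = 0;
        for (Iterator<Map.Entry<String, Entry>> it = entries.entrySet().iterator(); it.hasNext();) {
            Entry e = it.next().getValue();
            synchronized (e) {
                boolean stale = e.lockedUntil <= now
                        && (e.failures.isEmpty() || e.failures.peekLast() <= now - windowMillis);
                if (stale) {
                    it.remove();
                    removed++;
                }
            }
        }
        return removed;
    }

    public static void main(String[] args) {
        // Constructed scenario: 3 failures within 10 minutes lock a key for 15 minutes,
        // tracked separately per username and per remote address.
        LoginFailureTracker byUser = new LoginFailureTracker(3, Duration.ofMinutes(10), Duration.ofMinutes(15));
        LoginFailureTracker byIp = new LoginFailureTracker(3, Duration.ofMinutes(10), Duration.ofMinutes(15));
        long minute = 60_000L;
        String user = "alice";          // constructed sample username
        String ip = "192.0.2.10";       // constructed sample address (documentation range)

        for (int i = 1; i <= 3; i++) {  // one failure per minute
            boolean userLocked = byUser.recordFailure(user, i * minute);
            boolean ipLocked = byIp.recordFailure(ip, i * minute);
            System.out.printf("failure %d: user locked=%b, ip locked=%b%n", i, userLocked, ipLocked);
        }
        System.out.println("user blocked at +4 min:  " + byUser.isBlocked(user, 4 * minute));   // true
        System.out.println("user blocked at +20 min: " + byUser.isBlocked(user, 20 * minute));  // false, lockout expired
        System.out.println("entries purged at +20 min: " + byUser.purge(20 * minute));         // 1
    }
}
```

Keying on both username and remote address covers the two cases the thread mentions: a single address guessing many accounts, and a distributed set of addresses hammering one account. Note the trade-off a per-username lockout introduces: anyone who can submit bad passwords can lock a legitimate user out, which is why the lockout here is time-limited rather than permanent and why the per-address limit is the one that should be tightest.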
