tomcat-users mailing list archives
From "Simon O'Malley" <>
Subject Re: Password retries
Date Mon, 31 Jul 2006 07:22:14 GMT
Hi Chris, Maurice

Thanks for the replies.

Was hoping someone would have already done something as I am under a pretty
tight deadline.

Don't think the denyhosts route will be a goer as hosts.deny will only be
writeable as root and don't want to have to run tomcat as root, change
permissions, or step outside the process.
Might look at that for my personal firewall though, good idea that.

Will look at putting something together further down the track to handle
this. Does anyone know if any of the other JWSs handle this issue?


On 7/29/06, Maurice Yarrow <> wrote:
> Simon, Chris
> If you write your own mechanism, you might want to take a look
> at the configuration script for "DenyHosts", which is a highly
> configurable tool for port blocking (via mods to /etc/hosts.deny)
> of sshd upon too-many failed attempts in a given time interval.
> This is similar to what you are planning.  Helpful to look at what
> they support (look at their "denyhosts.cfg", initially,
> denyhosts.cfg-dist) in the way of resetting of failed-count upon
> successful ssh login within permitted interval, purging
> of denied hosts after configurable interval, etc.
> And by the way, I have had their denyhosts stuff running for
> nearly a week now, and it has handled sshd port 22 attacks
> quite well, which have dwindled significantly as a result.
> This has led me to conjecture that the attacks are from a
> community of attackers who work kind of like the SETI@home
> by applying all their cpu resources to a common set of
> targets.  Now that their attack tools have had connection-
> refused after 5 attempts, their tool has struck my address
> off their list as being non-fruitful.  Just a conjecture, anyway.
> Maurice Yarrow
> Christopher Schultz wrote:
> >Simon,
> >
> >>Has anyone done anything with tomcat authorisation to configure in a
> >>maximum number of retries before an address/account is blocked.
> >
> >I'm pretty sure that Tomcat's authentication system does not support
> >this feature. You could probably write your own authenticator to track
> >that kind of thing.
> >
> >I am going to be adding the same type of feature to an authenticator I
> >wrote to be used with securityfilter
> >( My plan is to use something
> >like a synchronized time-sensitive cache of login failures (probably
> >something from the commons-collections package such as LRUMap) to store
> >login failures (keyed on username). I'll probably do the same thing with
> >remote IP address as well (3 failures from the same IP will block future
> >logins). The only trick is expiring entries ;)
> >
> >Let me know if you have any better ideas. I'd love to hear about them.
> >
> >-chris

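A sketch of the failure cache Chris describes above, added here as an example; it is not code from this thread or from securityfilter. It uses java.util.concurrent instead of the commons-collections LRUMap he mentions, keys are whatever the caller passes (a username or a remote IP string), and the threshold, window and lockout lengths are assumptions supplied by the caller.

```java
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Per-key (username or remote IP) failed-login counter with a sliding window,
 *  a lockout and an expiry step. Time is passed in by the caller so expiry can be tested. */
public final class LoginFailureTracker {
    private static final class Attempts {
        int failures;       // failures seen in the current window
        long windowStart;   // start of the current window, in ms
        long blockedUntil;  // 0 when the key is not locked out
    }
    private final Map<String, Attempts> records = new ConcurrentHashMap<String, Attempts>();
    private final int maxFailures;
    private final long windowMillis, lockoutMillis;
    public LoginFailureTracker(int maxFailures, long windowMillis, long lockoutMillis) {
        this.maxFailures = maxFailures;
        this.windowMillis = windowMillis;
        this.lockoutMillis = lockoutMillis;
    }
    /** Check before consulting the realm: a locked-out key never reaches the password check. */
    public boolean isBlocked(String key, long now) {
        Attempts a = records.get(key);
        return a != null && now < a.blockedUntil;
    }
    /** Count a failure; returns true when this one tipped the key into lockout. */
    public synchronized boolean recordFailure(String key, long now) {
        Attempts a = records.get(key);
        if (a == null || (now >= a.blockedUntil && now - a.windowStart > windowMillis)) {
            a = new Attempts();   // first failure, or the previous window has expired
            a.windowStart = now;
            records.put(key, a);
        }
        if (++a.failures < maxFailures) return false;
        a.blockedUntil = now + lockoutMillis;   // repeated failures while locked extend the lockout
        return true;
    }
    /** A successful login clears the failed count, as DenyHosts does after an ssh login. */
    public void recordSuccess(String key) { records.remove(key); }
    /** The expiry step: drop entries whose window and lockout have both passed. */
    public synchronized int purgeExpired(long now) {
        int removed = 0;
        for (Iterator<Attempts> it = records.values().iterator(); it.hasNext(); ) {
            Attempts a = it.next();
            if (now >= a.blockedUntil && now - a.windowStart > windowMillis) { it.remove(); removed++; }
        }
        return removed;
    }
}
```

Call isBlocked for both the username key and the remote-IP key before the realm's authenticate call, and run purgeExpired from a periodic background task so the map cannot grow without bound.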