How to use RBLs to protect Tomcat from compromised systems?

 
Greenhorn
Posts: 3
Hello,

I am looking to protect my Tomcat-based web apps from bots and other infected and compromised systems. I have been doing some research, and found this article on Apache HTTPD and an Apache module named mod_access_rbl. Is there anything similar that is available for Tomcat, implemented as either a servlet or a valve?

http://www.gotroot.com/tiki-view_blog.php?blogId=2

Any other ideas you might have in protecting web apps from bots would be welcomed.

Thanks,
Brian Clark
 
Author and all-around good cowpoke
Posts: 13078
The servlet API provides all you would need to keep track of blacklisted IP addresses and reject connections from them.

The equivalent of that Apache module would be a javax.servlet.Filter implementation which could track a list of IP addresses.

A Google search for "servlet blacklist filter" found some examples.

Bill
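
An added example, not from any poster in this thread, of the javax.servlet.Filter approach described above: it looks the client's address up in a DNS blocklist zone and answers 403 when the address is listed. The class name RblFilter, the init-param rblZone and the zone dnsbl.example.org are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/** Added example: rejects clients whose IPv4 address is listed in a DNSBL zone. */
public class RblFilter implements Filter {
    private static final long TTL_MS = 10 * 60 * 1000L;  // keep each verdict for 10 minutes
    private final ConcurrentHashMap<String, long[]> cache = new ConcurrentHashMap<>();
    private String zone;
    @Override public void init(FilterConfig cfg) {
        // "rblZone" is a hypothetical init-param; the default is a placeholder zone.
        String z = cfg.getInitParameter("rblZone");
        zone = (z != null) ? z : "dnsbl.example.org";
    }
    /** 192.0.2.10 -> 10.2.0.192.<zone>; null for anything that is not dotted IPv4. */
    static String queryName(String ip, String zone) {
        if (ip == null || !ip.matches("(\\d{1,3}\\.){3}\\d{1,3}")) return null;
        String[] o = ip.split("\\.");
        return o[3] + "." + o[2] + "." + o[1] + "." + o[0] + "." + zone;
    }
    /** Cached lookup; the cache maps ip -> {listed (1/0), expiry time in ms}. */
    private boolean isListed(String ip) {
        long now = System.currentTimeMillis();
        long[] hit = cache.get(ip);
        if (hit != null && hit[1] > now) return hit[0] == 1;
        boolean listed = false;
        String name = queryName(ip, zone);
        try {
            // A listed address resolves to an answer in 127.0.0.0/8.
            listed = name != null && InetAddress.getByName(name).getAddress()[0] == 127;
        } catch (UnknownHostException e) {
            // NXDOMAIN (not listed) or resolver failure: fail open rather than block everyone.
        }
        cache.put(ip, new long[] { listed ? 1 : 0, now + TTL_MS });
        return listed;
    }
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getRemoteAddr() is the direct peer; behind a reverse proxy it is the proxy's address.
        if (isListed(req.getRemoteAddr())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
    @Override public void destroy() { }
}
```

The verdict cache is unbounded and only IPv4 clients are checked, so bound the map and decide how to treat IPv6 before deploying. The filter is registered with a filter and filter-mapping entry in web.xml.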
 
Saloon Keeper
Posts: 23280

B Clark wrote:
Any other ideas you might have in protecting web apps from bots would be welcomed.



Don't invent your own security service. Use one that's been tested and proven. Pretty much every do-it-yourself login/authentication system I've seen has had major flaws. No small number of them resemble the stereotypical Western town movie sets, where all that exists is the front of the building, so all you have to do is (figuratively speaking) walk around to the side. Even the better ones tend to break down once they go into maintenance mode and people who don't understand the rules get their hands on the code.

J2EE has a built-in security framework that will actually block really offensive URL requests from even getting to the application at all. While there are things I could do to improve it, I've managed to use it - or frameworks based on it - for pretty much all my security needs, and I work in areas where security is a little more critical than some people's.
 
B Clark
Greenhorn
Posts: 3

William Brogden wrote:The servlet API provides all you would need to keep track of blacklisted IP addresses and reject connections from them.

The equivalent of that Apache module would be a javax.servlet.Filter implementation which could track a list of IP addresses.

A Google search for "servlet blacklist filter" found some examples.

Bill




Thanks for the tip. I will check this out.

Brian