How to use RBLs to protect Tomcat from compromised systems?

B Clark
Greenhorn

Joined: Oct 09, 2009
Posts: 3
Hello,

I am looking to protect my Tomcat-based web apps from bots and other infected and compromised systems. I have been doing some research, and found this article on Apache HTTPD and an apache module named mod_access_rbl. Is there anything similar that is available for Tomcat, implemented as either a servlet or a valve?

http://www.gotroot.com/tiki-view_blog.php?blogId=2

Any other ideas you might have in protecting web apps from bots would be welcomed.

Thanks,
Brian Clark
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12791
The servlet API provides all you would need to keep track of blacklisted IP addresses and reject connections from them.

The equivalent of that Apache module would be a javax.servlet.Filter implementation which could track a list of IP addresses.

A Google search for "servlet blacklist filter" found some examples.

Bill
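An RBL-style javax.servlet.Filter of the kind Bill describes, written as an added example for this thread (it is not code from the thread or from Tomcat); it assumes a hypothetical rblZone init-param, the placeholder zone dnsbl.example, and Java 8 or later:

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Hypothetical DNSBL-checking filter: map it in web.xml with <filter> and <filter-mapping>.
public class RblFilter implements Filter {
    private String zone = "dnsbl.example";   // placeholder zone; override with the rblZone init-param
    // Verdict cache so each client address costs one DNS round-trip, not one per request.
    // Entries never expire here; a production filter needs a TTL so delistings take effect.
    private final ConcurrentHashMap<String, Boolean> cache = new ConcurrentHashMap<>();

    @Override
    public void init(FilterConfig cfg) {
        String z = cfg.getInitParameter("rblZone");
        if (z != null) zone = z;
    }

    // DNSBL query name: reverse the IPv4 octets and append the zone,
    // e.g. 203.0.113.7 -> 7.113.0.203.dnsbl.example. Returns null for anything that is not IPv4.
    static String queryName(String ip, String zone) {
        String[] o = ip.split("\\.");
        if (o.length != 4) return null;
        return o[3] + "." + o[2] + "." + o[1] + "." + o[0] + "." + zone;
    }

    // A listed address resolves (typically to 127.0.0.x); an unlisted one throws UnknownHostException.
    boolean isListed(String ip) {
        return cache.computeIfAbsent(ip, k -> {
            String q = queryName(k, zone);
            if (q == null) return Boolean.FALSE;
            try { InetAddress.getByName(q); return Boolean.TRUE; }
            catch (UnknownHostException e) { return Boolean.FALSE; } // unlisted or DNS down: fail open
        });
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getRemoteAddr() is the TCP peer. Behind a reverse proxy configure Tomcat's RemoteIpValve
        // so it reports the real client; never trust X-Forwarded-For straight from the request.
        if (isListed(req.getRemoteAddr())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void destroy() { cache.clear(); }
}
```

Because the check fails open on DNS errors, log that branch and alert on it, otherwise a resolver outage silently disables the filter.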
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16095

B Clark wrote:
Any other ideas you might have in protecting web apps from bots would be welcomed.


Don't invent your own security service. Use one that's been tested and proven. Pretty much every do-it-yourself login/authentication system I've seen has had major flaws. No small number of them resemble the stereotypical Western town movie sets, where all that exists is the front of the building, so all you have to do is (figuratively speaking) walk around to the side. Even the better ones tend to break down once they go into maintenance mode and people who don't understand the rules get their hands on the code.

J2EE has a built-in security framework that will actually block really offensive URL requests from even getting to the application at all. While there are things I could do to improve it, I've managed to use it - or frameworks based on it - for pretty much all my security needs, and I work in areas where security is a little more critical than some people's.


Customer surveys are for companies who didn't pay proper attention to begin with.
B Clark
Greenhorn

Joined: Oct 09, 2009
Posts: 3
William Brogden wrote:The servlet API provides all you would need to keep track of blacklisted IP addresses and reject connections from them.

The equivalent of that Apache module would be a javax.servlet.Filter implementation which could track a list of IP addresses.

A Google search for "servlet blacklist filter" found some examples.

Bill
Thanks for the tip. I will check this out.

Brian