Introduction
I made security a top priority for my consumer application from the very beginning. My application is a Mobile App with a Server component currently made up of Tomcat7 and MySql. Given the recent frequency of cyber attacks, both DDoS and those for stealing proprietary data and credentials, its quite clear that security is something that even a new startup cannot put off for later rounds of development. Compromises of your applications can instantly put you out of business and so even delaying the release of a new application in order to secure it, is worth the time spent, in my opinion. This just means that you have to plan your startup development to include this time and cost so that there are no surprises.
One of the security related developments that I did for my application was to setup IP Blocklists and Filters on my web servers to control access to my web services. On my Management Applications, I limited access specifically only from my management IPs. On my App Web Services, I specifically filtered out known malicious IP address sources.
IP Blocklists and Filters don’t mitigate DDoS attacks of course. For that, you should look at services such as CloudFlare. However, IP Blocklists and Filters are a simple way to cut the probability of malicious users gaining access to your Web Services. Another thing is also judicous use of Firewalls to ensure that e.g., SSH access (TCP 22) is only possible from your specific management IPs.
The example configurations below are from my setup of Ubuntu 14.04 LTS instances setup in AWS EC2.
Sources for IP Blocklists
There are several standard IP address ranges that should always be blocked such as IANA Reserved Address Ranges and the Bogon Addresses. IP packets sourced from these addresses are unexpected on the public Internet. Then there are organizations such as DShield that put together IP Blocklists and update these regularly based on active tracking of malicious source IP addresses.
There are organizations that provide more IP Blocklists and those to which you can outsource your IP Blocklist Management entirely. Its upto you how much money you want to spend on services and how many addresses you want to block. IP Blocklists are not an exact science and there is always the off chance that you may block good traffic. Its upto you how you balance risk with reward.
These are some examples and I won’t tell you which sources I used or which ones you should use. It suffices to say that this is something you should consider though.
Tomcat7’s Remote Address Filter
Tomcat7 has a built-in remote address filter that can automatically filter requests based on source IP addresses. The ranges that you have explicitly denied and the ranges that you have not explicitly permitted are dropped by Tomcat7 and your application’s context never receives these. Of course to keep things simple you should either use the deny rules or the permit rules – avoid using both unless you really have to.
I used the permit rules for the Tomcat7 management apps, manager and host-manager – I permit only the IP address of my management machine to access these applications.
For my App Web Services, I used the deny rules to deny the specific address ranges that I did not want contacting these services.
Configuring the Remote Address Filter on the Tomcat7 Management Applications
The default manager and host-manager applications that are included in the tomcat7-admin package allow any source IP address to connect to them. Locking this access down is simple.
- The
managercontext andhost-managercontext are configured in
/etc/tomcat7/Catalina/localhost/manager.xml, and
/etc/tomcat7/Catalina/localhost/host-manager.xml respectively- You must add the
RemoteAddrValveto these two contexts
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="<regular expression matching your management IP addresses, e.g., "12\.12\.12\.12|12\.12\.12\.14">" denyStatus="404" />- So the overall
contextconfiguration looks something like this
<Context path="/manager" docBase="/usr/share/tomcat7-admin/manager" antiResourczeLocking="false" privileged="true" >
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="<regular expression matching your management IP addresses, e.g., "12\.12\.12\.12|12\.12\.12\.14">" denyStatus="404" />
</Context>Configuring the Remote Address Filter on your Web Application
Similar to the above, add a RemoteAddrValve to your web application’s context.xml file as well. In my case, I only denied IP address ranges in my application’s context.xml to keep things simple.
You simply replace the allow attribute with a deny attribute in the Valve tag.
Servlet Filters
So clearly the RemoteAddrValve works well for static IP address ranges or those that are not frequently updated. Some IP Blocklists, e.g., the DShield Blocklist however, are updated very often – multiple times in a single day.
I obviously did not want to mess with the deployed context.xml files that often. Hence, I used a Java Servlet Filter since my App Web Services are written as Java Servlets.
Writing a Java Servlet Filter is very simple and covered in numerous books and online resources so I won’t cover it here.
What I did was simple, I wrote a Java application that downloads the IP Blocklists as text files from my sources, parses the address ranges out of the text files, and updates a table in my database. My Servlet Filter retrieves the remote address of every HttpServletRequest and then compares it to the address ranges in my database. If a remote address matches a blocked address range in my database, then that request is dropped.
The Java application that downloads the IP Blocklists and then updates my database is run periodically via a cron job.
References
- http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Access_Control
- http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml
- http://www.team-cymru.org/bogon-reference.html
- https://dshield.org/
- http://feeds.dshield.org/block.txt
- http://www.bluetack.co.uk/premium/index.php
- http://blocklistpro.com/