Java Web intrusion detection and simple implementation-general Linux technology-Linux programming and kernel information, the following is a detailed description. In Java Web applications, especially website development, we sometimes need to add an intrusion detection program for applications to prevent malicious refreshing, prevent Unauthorized users from repeatedly sending data to Web applications. Of course, intrusion detection can be implemented in many ways, including software, hardware firewalls, and many intrusion detection policies. Here we mainly introduce Java Web applications to implement simple intrusion detection and defense through software.
The implementation principle of this method is very simple, that is, when a user accesses the Web system, the information of each user is recorded, then compared, and according to the set policy (for example, refresh the page 10 times in one second) determines whether a user is maliciously refreshed.
Our intrusion detection program should be placed before the execution of all Java Web programs, that is, if you find that the user is maliciously refreshed, it will not continue to execute other content in Java Web, otherwise it will lose its meaning. This requires the intrusion detection program to be put into a Java Web application in the form of a plug-in, so that every time a user accesses the Java Web, the intrusion detection program must report it once, you can only pass the rules.
Java Web applications are roughly divided into two types: a pure JSP (+ Java Bean) method and a framework (such as Struts and EasyJWeb. The first method of Java Web can be implemented through the Filter interface in Java Servlet, that is, to implement a Filter interface, insert the intrusion detection program in its doFilter method, and then web. simple configuration in xml. In Framework-based Web applications, because all applications have an entry point, you can directly Insert the intrusion detection program into the framework entry engine so that the framework itself supports the intrusion detection function. Of course, you can also implement the Filter interface.
Simple intrusion detection programs have been installed in the EasyJWeb framework. Therefore, here we take the EasyJWeb framework as an example to introduce the specific implementation methods and source code, complete code can be found in EasyJWeb source code.
In EasyJWeb-based Java Web applications (such as http://www.easyjf.com/bbs/), by default, you only need to refresh the page continuously too many times, the following error will pop up:
EasyJWeb framework friendly reminder! :-):
You have refreshed the page too quickly. Please wait 60 seconds before refreshing the page!
Please query http://www.easyjf.com for details
Ii. UserConnect. java
This class is a simple Java Bean that mainly represents user information, including the user name, IP address, first access time, Last Logon Time, number of logins, and user status. All
The Code is as follows:
Package com. easyjf. web;
Import java. util. Date;
/**
*
*
Title: user authentication information
*
Description: records user logon information and determines User Logon conditions.
*
Copyright: Copyright (c) 2006
*
Company: www.easyjf.com
* @ Author Cai shiyou
* @ Version 1.0
*/
Public class UserConnect {
Private String userName;
Private String ip;
Private Date firstFailureTime;
Private Date lastLoginTime;
Private int failureTimes; // number of user logon failures
Private int status = 0; // user status 0 indicates normal,-1 indicates locked
Public int getFailureTimes (){
Return failureTimes;
}
Public void setFailureTimes (int failureTimes ){
This. failureTimes = failureTimes;
}
Public Date getFirstFailureTime (){
Return firstFailureTime;
}
Public void setStatus (int status ){
This. status = status;
}
}
Iii. Monitoring thread UserConnectManage. java class
This is the core part of intrusion detection. It mainly implements features such as intrusion detection, recording, determining user information, and refreshing online users, and provides call interfaces for other applications to use this component.
*
Description: used to determine the user's refresh check. The default value is 10 consecutive connections within 10 seconds.
*
Copyright: Copyright (c) 2006
*
Company: www.easyjf.com
* @ Author Cai shiyou
* @ Version 1.0
*/
Public class UserConnectManage {
Private static final Logger logger = (Logger) Logger. getLogger (UserConnectManage. class. getName ());
Private static int maxFailureTimes = 10; // maximum number of Logon failures
Private static long maxFailureInterval = 10000; // in milliseconds, the maximum number of logins is reached and within this time range
Private static long waitInterval = 60000; // wait time for accepting connections after failure. The default value is 1 minute.
Private static int maxOnlineUser = 200; // maximum number of simultaneous online users
Private final static Map users = new HashMap (); // use ip + userName as the key to store user login information UserLoginAuth
Private static Thread checkThread = null;
Private static class CheckTimeOut implements Runnable {
Private Thread parentThread;
Public CheckTimeOut (Thread parentThread)
{
This. parentThread = parentThread;
Synchronized (this ){
If (checkThread = null ){
CheckThread = new Thread (this );
// System. out. println ("Create a New thread! ");
CheckThread. start ();
}
}
}
Public void run (){
While (true)
{
If (parentThread. isAlive ()){
Try {
Thread. sleep (2000 );
Int I = 0;
If (users. size ()> maxOnlineUser) // clear when the maximum number of users reaches
{
Synchronized (users) {// perform the delete operation
Iterator it = users. keySet (). iterator ();
Set set = new HashSet ();
Date now = new Date ();
While (it. hasNext ())
{
Object key = it. next ();
UserConnect user = (UserConnect) users. get (key );
If (now. getTime ()-user. getFirstFailureTime (). getTime ()> maxFailureInterval) // delete a user with a deletion timeout
{
Set. add (key );
Logger.info ("deleting a timeout connection" + I );
I ++;
}
}
If (I <5) // if less than five records are deleted, the 1/2 online records are forcibly deleted to ensure memory performance at the cost of performance.
{
Int num = maxOnlineUser/2;
It = users. keySet (). iterator ();
While (it. hasNext () & I {
Set. add (it. next ());
Logger.info ("deleting a redundant connection" + I );
I ++;
}
}
Users. keySet (). removeAll (set );
}
}
}
Catch (Exception e)
{
E. printStackTrace ();
}
}
Else
{
Break;
}
}
Logger.info ("the monitoring program is running! ");
}
}
// Use checkLoginValidate to determine whether a logon connection is valid. If the connection is valid, the connection is resumed. If the connection is invalid, the connection is executed.
Public static boolean checkLoginValidate (String ip, String userName) // only check the number of authentication failures
{
Boolean ret = true;
Date now = new Date ();
String key = ip + ":" + userName;
UserConnect auth = (UserConnect) users. get (key );
If (auth = null) // Add the user's current access information to the users container
{
Auth = new UserConnect ();
Auth. setIp (ip );
Auth. setUserName (userName );
Auth. setFailureTimes (0 );
Auth. setFirstFailureTime (now );
Users. put (key, auth );
If (checkThread = null) new CheckTimeOut (Thread. currentThread ());
}
Else
{
If (auth. getFailureTimes ()> maxFailureTimes)
{
// If the time interval is specified, information about user connection rejection is returned.
If (now. getTime ()-auth. getFirstFailureTime (). getTime ()){
Ret = false;
Auth. setStatus (-1 );
}
Else if (auth. getStatus () =-1 & (now. getTime ()-auth. getFirstFailureTime (). getTime () <(maxFailureInterval + waitInterval) // reset the counter
{
Ret = false;
}
Else
{
Auth. setFailureTimes (0 );
Auth. setFirstFailureTime (now );
Auth. setStatus (0 );
}
}
// The number of logins increases by 1
Auth. setFailureTimes (auth. getFailureTimes () + 1 );
}
// System. out. println (key + ":" + auth. getFailureTimes () + ":" + ret + ":" + (now. getTime ()-auth. getFirstFailureTime (). getTime ()));
Return ret;
}
Public static void reset (String ip, String userName) // reset user information
{
Date now = new Date ();
String key = ip + ":" + userName;
UserConnect auth = (UserConnect) users. get (key );
If (auth = null) // Add the user's current access information to the users container
{
Auth = new UserConnect ();
Auth. setIp (ip );
Auth. setUserName (userName );
Auth. setFailureTimes (0 );
Auth. setFirstFailureTime (now );
Users. put (key, auth );
}
Else
{
Auth. setFailureTimes (0 );
Auth. setFirstFailureTime (now );
}
}
Public static void remove (String ip, String userName) // delete a user's record in the container
{
String key = ip + ":" + userName;
Users. remove (key );
}
Public static void clear () // clear the content in the container
{
If (! Users. isEmpty () users. clear ();
}
Public static long getMaxFailureInterval (){
Return maxFailureInterval;
}
Public static long getWaitInterval (){
Return waitInterval;
}
Public static void setWaitInterval (long waitInterval ){
UserConnectManage. waitInterval = waitInterval;
}
Iv. Call Interfaces
You can directly use the checkLoginValidate method in the UserConnectManage class where you need to perform intrusion detection and judgment. For example, core Servlet of EasyJWeb
Code for calling UserConnectManage in com. easyjf. web. ActionServlet:
If (! UserConnectManage. checkLoginValidate (request. getRemoteAddr (), "guest "))
{
Info (request, response, new Exception ("You have refreshed the page too fast, please wait" + UserConnectManage. getWaitInterval ()/1000 + "seconds
Then refresh the page! "));
Return;
}
V. Summary
Of course, the method provided here is just a simple implementation example. Because the above user information is directly stored in the memory, if the code is occupied when the number of concurrent users is large, you can consider introducing a database to record user access information. Of course, the execution efficiency must be reduced. In the above implementation, the intrusion detection and judgment policy only includes two elements: user access times and time interval. You can also add other detection elements based on your implementation.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.