Hi
I have recently started using GeoServer 2.11
As part of my organisation’s requirements I ran a security scan on the server and found the Slow HTTP Denial of Service attack reported as open.
I tried using the DoS filter for Jetty as below in webapps/geoserver/web.xml; however, the issue still persists and I could not find any other way to mitigate this risk on GeoServer.
I request your help with this ASAP, as my urgent release is on hold in the absence of a fix for this risk.
<filter>
  <filter-name>DoSFilter</filter-name>
  <filter-class>org.eclipse.jetty.servlets.DoSFilter</filter-class>
  <init-param>
    <param-name>maxRequestsPerSec</param-name>
    <param-value>30</param-value>
  </init-param>
  <init-param>
    <param-name>delayMs</param-name>
    <param-value>0</param-value>
  </init-param>
  <init-param>
    <param-name>maxRequestMs</param-name>
    <param-value>10000</param-value>
  </init-param>
  <init-param>
    <param-name>maxIdleTrackerMs</param-name>
    <param-value>10000</param-value>
  </init-param>
  <async-supported>true</async-supported>
</filter>
<filter-mapping>
  <filter-name>DoSFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
Regards
Himani Aggarwal
Other than setting the WMS interpolation default to “nearest neighbor”, I don’t see a way to do this. Within the area that contains data, I do want interpolation to occur. In the past, I’ve tried using a footprint shapefile, and that did not fix the problem.
I’m using GeoServer version 2.9.2. The data was created by using gdal_translate and gdalwarp to reproject the original file from Lambert Conformal Conic to EPSG:4326 and convert it to Byte type. The no-data value is 255.
It seems you can easily fix this using any number of servers (https://blog.qualys.com/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks), but not Jetty, which isn’t really designed for critical production usage.
However, if this is truly critical to your organization, there are plenty of commercial support organisations (http://geoserver.org/support/) who may be able to help.
All the best
Ian
On 26 May 2017 at 13:25, Himani Aggarwal <Himani.Aggarwal@anonymised.com> wrote:
Geoserver-users mailing list
Geoserver-users@anonymised.com.382…sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
–
Ian Turton
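The DoSFilter posted above throttles by request rate (maxRequestsPerSec) and by handling time (maxRequestMs), but a servlet filter only runs once Jetty has parsed the complete request line and headers. A client that trickles header bytes, which is what a slow HTTP scan exercises, never reaches the filter; the connection is instead cut off by the connector's idle timeout, which is the layer such scanners check. The embedded-Jetty setup below is an added example, not code from this thread or from the GeoServer project: it wires the same DoSFilter parameters together with a connector idle timeout so that both layers are configured. The port, the /geoserver context path and the Jetty 9 API (ServerConnector, ServletContextHandler, FilterHolder) are assumptions of this example.

```java
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlets.DoSFilter;

// Added example (assumes Jetty 9.x on the classpath, with jetty-servlets for DoSFilter).
public class SlowHttpHardening {

    // Connection-level limit: a client that stops sending bytes mid-request
    // (slow headers or slow body) is closed after this many milliseconds of
    // inactivity, before any servlet filter ever sees the request.
    static final long CONNECTOR_IDLE_TIMEOUT_MS = 10_000;

    public static Server build(int port) {
        Server server = new Server();

        ServerConnector http = new ServerConnector(server);
        http.setPort(port);
        http.setIdleTimeout(CONNECTOR_IDLE_TIMEOUT_MS);
        server.addConnector(http);

        // Context path is an assumption; GeoServer's web app normally lives under /geoserver.
        ServletContextHandler ctx = new ServletContextHandler(ServletContextHandler.SESSIONS);
        ctx.setContextPath("/geoserver");

        // Request-level limit: the same DoSFilter settings as the web.xml in the
        // thread, registered programmatically. This governs request rate and
        // handling time for requests that have already been fully parsed.
        FilterHolder dos = new FilterHolder(DoSFilter.class);
        dos.setInitParameter("maxRequestsPerSec", "30");
        dos.setInitParameter("delayMs", "0");
        dos.setInitParameter("maxRequestMs", "10000");
        dos.setInitParameter("maxIdleTrackerMs", "10000");
        dos.setAsyncSupported(true);
        ctx.addFilter(dos, "/*", EnumSet.of(DispatcherType.REQUEST));

        server.setHandler(ctx);
        return server;
    }

    public static void main(String[] args) throws Exception {
        Server server = build(8080); // port is an assumption
        server.start();
        server.join();
    }
}
```

The check a practitioner would make after applying either form of this configuration is to re-run the same scanner: if the finding was caused by connections held open with incomplete headers, only the connector idle timeout (or the equivalent setting in the standalone GeoServer Jetty configuration) changes the result, and the DoSFilter parameters on their own will not.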
Hi Devin,
for higher order interpolations we are still working on fixes. The good news is that they are basically done,
the bad one is that they are not in any release and not even in nightly builds yet.
We’ll have to:
- release a new version of jai-ext
- make geotools and geoserver depend on it (at this point they will be in nightly builds and, when the time comes, in releases)
- you’ll have to enable jai-ext support in GeoServer (which is available, but still considered experimental, hopefully that will change in GeoServer 2.12, in September). See also http://docs.geoserver.org/stable/en/user/configuration/image_processing/index.html#jai-ext
I believe in a matter of weeks it will be testable out of nightly builds, but I don’t know exactly when
Cheers
Andrea
On Fri, May 26, 2017 at 5:15 PM, Devin Eyre <Devin.Eyre@anonymised.com> wrote:
–
==
GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it