
Technical Blog

This blog will contain content related to Java, Seam, Security, my sites and projects, as well as other technical subjects I am interested in.

Comments and questions are welcome!

Archive for 2007

How to block an IP in Linux

Sunday, September 16th, 2007

I run Debian on my server, and I often find that my server is being attacked by other computers. Brute force SSH attacks, viruses scanning for the ability to spread, things like that. I'll go into the SSH brute force defenses in a later post, but for now I'll cover how to easily block an IP address.

First, I'll assume you are already using iptables. If you need help setting that up, use Google; Debian comes with it out of the box.

I have a small script called "block" which looks like this:
#!/bin/bash
[ -n "$1" ] || { echo "usage: block <ip-address>" >&2; exit 1; }
# Insert a DROP rule at the top of the INPUT chain for the given address
sudo iptables -I INPUT -s "$1" -j DROP
# Save the running rule set so it is restored at boot (see post-up below)
sudo bash -c "iptables-save > /etc/network/iptables.save"

Whenever I find a "bad" IP in my logs or notifications, I just run:

block bad.ip.add.18

Substituting the bad IP address for that nonsense above. This adds it to the list of IP addresses from which iptables will simply drop any incoming packets, and saves the in-memory iptables configuration so that it is preserved through reboots.

Then in your /etc/network/interfaces file, just add this at the bottom:

post-up iptables-restore /etc/network/iptables.save

ATG Security

Tuesday, September 4th, 2007

World-facing websites always have to be written carefully in order to prevent malicious attacks. There are tons of additional vulnerabilities and attack vectors which need to be addressed as well, but in this post I'm going to talk about the two most common: Cross Site Scripting (XSS) and SQL Injection.

If you already know what these are, feel free to skip down a bit to the section where I talk about where ATG Dynamo helps and where there are still some gaps.

Cross Site Scripting is essentially when someone malicious gets your website to source in their content, usually from their own site (hence the "cross site"), into what you serve to your users. This can take many forms, including embedding a malicious page inside an existing frame on your website, sourcing in JavaScript which runs on your user's computer as if it had come from your site, embedding an inappropriate image in a page, or using tricks (or JavaScript) to redirect the user from your site to a competitor or even to a site that LOOKS like yours but isn't.

It is an attack against your users, not your servers.
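As an added illustration (this is not code from the post or from ATG Dynamo, and it is written in plain JDBC/servlet terms rather than against ATG's repository API), here are the two bugs the post names, each beside its fix. The table name, column names and greeting template are made up for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/** Added example: SQL injection and XSS, each shown as the bug and its fix. */
public class InjectionDemo {

    // SQL injection: user input concatenated into the query text, so whatever
    // the user typed becomes part of the SQL the database parses.
    static String unsafeQuery(String userName) {
        return "SELECT id FROM users WHERE name = '" + userName + "'";
    }

    // Fix: a parameterized statement. The query text is fixed; the input is
    // bound as a value and can never change the statement's structure.
    // (Assumes a hypothetical "users" table with "id" and "name" columns.)
    static Integer findUserId(Connection conn, String userName) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT id FROM users WHERE name = ?")) {
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt("id") : null;
            }
        }
    }

    // XSS: user input echoed into HTML unchanged, so '<' and '&' in it are
    // parsed by the browser as markup coming from your site.
    static String unsafeGreeting(String name) {
        return "<p>Hello, " + name + "</p>";
    }

    // Fix: escape the five characters that carry meaning in HTML text and
    // attribute values before the value is written into the page.
    static String htmlEscape(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    static String safeGreeting(String name) {
        return "<p>Hello, " + htmlEscape(name) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed inputs for illustration only
        String name = "<script>alert(1)</script>";
        System.out.println(unsafeGreeting(name)); // the tag reaches the browser as markup
        System.out.println(safeGreeting(name));   // &lt;script&gt;... renders as text
        // A perfectly ordinary name already breaks the concatenated statement,
        // which is the same hole an attacker would use:
        System.out.println(unsafeQuery("O'Brien"));
    }
}
```

The point of the pairing: in both cases the fix is the same idea, keep the data out of the code path (bind it as a parameter, or escape it for the context it lands in) instead of trying to spot "bad" input.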


10MinuteMail.com mentioned in Jobacle podcast

Tuesday, September 4th, 2007

10MinuteMail was highlighted in the latest podcast (#70) from jobacle.com. I've been listening to a couple of their podcasts and it seems like a good site and a podcast that is definitely worth your time, so check it out here: jobacle.com

If you see 10MinuteMail mentioned anywhere else, let me know :)

Accessing nested Item properties within a RepositoryFormHandler programmatically

Monday, August 27th, 2007

If you have a RepositoryItem which has a collection of other RepositoryItems as a property, editing things on them via a single form and RepositoryFormHandler can pose some difficulties.

For instance, you have an Item called Garage, and it has a List of Car RepositoryItems as a property named cars. If you are using a different type of collection, some of the following will need to be adjusted accordingly, but the overall approach is the same. A Car Item has a name and an optional picture as properties. If you have a form to display and allow for editing of a Garage, including all of its cars, which is handled by a sub-class of RepositoryFormHandler, you can edit values on both the Garage and the Cars within cars without much difficulty.

What gets tricky is if you need to access form submission values for properties on the Cars. For instance, if you wanted to allow a user to delete a car by simply blanking its name, or if you wanted to automatically assign a picture based on the make and model in the name field. You can't just access the submitted but not-yet-applied values (say, from within the preUpdateItem method) using simple nested getValueProperties. Here is what you can do:


StringUtils in ATG Dynamo

Friday, August 24th, 2007

A hidden gem in ATG Dynamo is the simple, but VERY useful, and totally undocumented StringUtils class. It lives in the atg.core.util package in DAS/lib/classes.jar. It has several methods, but the most commonly used are isEmpty(String) and isBlank(String). Both return a boolean, and are very useful for validating form input and the like.

One thing to note is the important difference between the two methods. isEmpty() will return true for null or a String with a length of zero. isBlank() will return true for null, a String with a length of zero, OR a String of just whitespace. It basically adds a trim() call to its checks.

So when you're validating user input, use isBlank(), not isEmpty(); otherwise you can easily end up with a database full of single-space (" ") names, passwords, e-mails, etc.

Remember, using undocumented classes or APIs is at your own risk; however, this class and these methods have been around for ages and are pretty stable.
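Added example, not ATG's StringUtils and not code from the post: the two checks re-implemented with the semantics the post describes, plus the kind of required-field check a form handler would run before an item is written. One deliberate difference is labelled in the comments: this isBlank() uses Character.isWhitespace() instead of trim(), so it also treats Unicode whitespace as blank.

```java
/** Added example: isEmpty vs isBlank, and why validation should use the latter. */
public final class BlankCheckDemo {

    // Same contract as the post gives for StringUtils.isEmpty: null or zero length.
    static boolean isEmpty(String s) {
        return s == null || s.length() == 0;
    }

    // Same contract as the post gives for StringUtils.isBlank, but scans the
    // characters instead of calling trim(), so no copy is made and Unicode
    // whitespace (e.g. \u2003) counts as blank too, which trim() would not do.
    static boolean isBlank(String s) {
        if (s == null) return true;
        for (int i = 0; i < s.length(); i++) {
            if (!Character.isWhitespace(s.charAt(i))) return false;
        }
        return true;
    }

    // What a form handler's validation step might do for a required field:
    // returns an error message, or null when the value is acceptable.
    // (Hypothetical helper; the field names are made up.)
    static String validateRequired(String fieldName, String value) {
        return isBlank(value) ? fieldName + " is required" : null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs covering the cases the post lists
        String[] samples = { null, "", " ", "\t\n", " Bob " };
        for (String s : samples) {
            String shown = s == null ? "null" : "\"" + s.replace("\n", "\\n").replace("\t", "\\t") + "\"";
            System.out.printf("%-8s isEmpty=%-5b isBlank=%-5b%n", shown, isEmpty(s), isBlank(s));
        }
        // The single-space name that an isEmpty()-based check would let through:
        System.out.println(validateRequired("name", " "));    // name is required
        System.out.println(validateRequired("name", " Bob ")); // null (valid)
    }
}
```

If you keep the value after validation, trim it before storing it as well; otherwise " Bob " and "Bob" end up as two different names in the repository.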