Proper DNSBL implementation. Very sexy.

This commit is contained in:
Michael Save 2012-03-18 06:34:34 +11:00
parent b561066a4c
commit 35a1e05787
2 changed files with 50 additions and 13 deletions


@ -165,12 +165,29 @@
// Same as above but different IP address
$config['flood_time_same'] = 30;
// DNS blacklists (DNSBL) http://www.dnsbl.info/dnsbl-list.php
$config['dnsbl'][] = 'tor.dnsbl.sectoor.de'; // Tor exit nodes
//$config['dnsbl'][] = 'dnsbl.sorbs.net';
// A better way to check for Tor exit nodes (https://www.torproject.org/projects/tordnsel.html.en):
// server-port.reverse-server-ip.ip-port.exitlist.torproject.org
// $config['dnsbl'][] = $_SERVER['PORT'] . '.' . '4.3.2.1' . '.ip-port.exitlist.torproject.org';
// DNS blacklists (DNSBL) http://tinyboard.org/docs/dnsbl.html
// http://www.sectoor.de/tor.php
//$config['dnsbl'][] = Array('tor.dnsbl.sectoor.de', 1); // Tor exit servers
// http://www.sorbs.net/using.shtml
// $config['dnsbl'][] = Array('dnsbl.sorbs.net', Array(2, 3, 4, 5, 6, 7, 8, 9));
// http://www.projecthoneypot.org/httpbl.php
// $config['dnsbl'][] = Array('<your access key>.%.dnsbl.httpbl.org', function($ip) {
// $octets = explode('.', $ip);
//
// // days since last activity
// if($octets[1] > 14)
// return false;
//
// // "thread score" (http://www.projecthoneypot.org/threat_info.php)
// if($octets[2] < 5)
// return false;
//
// return true;
// }, 'dnsbl.httpbl.org'); // hide our access key
// Skip checking certain IP addresses against blacklists (for troubleshooting or whatever)
$config['dnsbl_exceptions'][] = '127.0.0.1';
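Review bot: The httpBL example comment reads "thread score" where the threat score is meant, and the two octet checks are easier to audit if the example states the answer layout it decodes; suggest `// httpBL answers 127.<days since last activity>.<threat score>.<visitor type>` above `$octets = explode('.', $ip);`. The callback is handed the raw DNSBL answer rather than the client address, so `$ip` is a misleading parameter name in that example; `$response` would read more accurately. The commented-out Tor exitlist line still references `$_SERVER['PORT']`, which is not a standard CGI variable (`SERVER_PORT` is), so it is worth confirming before anyone enables it.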


@ -1292,6 +1292,7 @@
function checkDNSBL() {
global $config;
if(isIPv6())
return; // No IPv6 support yet.
@ -1303,13 +1304,32 @@
$ip = ReverseIPOctets($_SERVER['REMOTE_ADDR']);
foreach($config['dnsbl'] as &$blacklist) {
$lookup = $ip . '.' . $blacklist;
$host = DNS($lookup);
if($host !== false) {
// On NXDOMAIN (meaning it's not in the blacklist), gethostbyname() returns the host unchanged.
if(preg_match('/^127\.0\.0\./', $host) && $host != '127.0.0.10')
error(sprintf($config['error']['dnsbl'], $blacklist));
foreach($config['dnsbl'] as $blacklist) {
if(!is_array($blacklist) == 1)
$blacklist = Array($blacklist);
if(($lookup = str_replace('%', $ip, $blacklist[0])) == $blacklist[0])
$lookup = $ip . '.' . $blacklist[0];
if(!$ip = DNS($lookup))
continue; // not in list
$blacklist_name = isset($blacklist[2]) ? $blacklist[2] : $blacklist[0];
if(!isset($blacklist[1])) {
// If you're listed at all, you're blocked.
error(sprintf($config['error']['dnsbl'], $blacklist_name));
} elseif(is_array($blacklist[1])) {
foreach($blacklist[1] as $octet) {
if($ip == $octet || $ip == '127.0.0.' . $octet)
error(sprintf($config['error']['dnsbl'], $blacklist_name));
}
} elseif(is_callable($blacklist[1])) {
if($blacklist[1]($ip))
error(sprintf($config['error']['dnsbl'], $blacklist_name));
} else {
if($ip == $blacklist[1] || $ip == '127.0.0.' . $blacklist_name)
error(sprintf($config['error']['dnsbl'], $blacklist_name));
}
}
}