From 35a1e05787032c2017aed6d4d25f6f5ff4751551 Mon Sep 17 00:00:00 2001
From: Michael Save
Date: Sun, 18 Mar 2012 06:34:34 +1100
Subject: [PATCH] Proper DNSBL implementation. Very sexy.
---
 inc/config.php | 29 +++++++++++++++++++++++------
 inc/functions.php | 34 +++++++++++++++++++++++++++-------
 2 files changed, 50 insertions(+), 13 deletions(-)
diff --git a/inc/config.php b/inc/config.php
index 87cbadce..465281b1 100644
--- a/inc/config.php
+++ b/inc/config.php
@@ -165,12 +165,29 @@
 // Same as above but different IP address
 $config['flood_time_same'] = 30;
 
- // DNS blacklists (DNSBL) http://www.dnsbl.info/dnsbl-list.php
- $config['dnsbl'][] = 'tor.dnsbl.sectoor.de'; // Tor exit nodes
- //$config['dnsbl'][] = 'dnsbl.sorbs.net';
- // A better way to check for Tor exit nodes (https://www.torproject.org/projects/tordnsel.html.en):
- // server-port.reverse-server-ip.ip-port.exitlist.torproject.org
- // $config['dnsbl'][] = $_SERVER['PORT'] . '.' . '4.3.2.1' . '.ip-port.exitlist.torproject.org';
+ // DNS blacklists (DNSBL) http://tinyboard.org/docs/dnsbl.html
+
+ // http://www.sectoor.de/tor.php
+ //$config['dnsbl'][] = Array('tor.dnsbl.sectoor.de', 1); // Tor exit servers
+
+ // http://www.sorbs.net/using.shtml
+ // $config['dnsbl'][] = Array('dnsbl.sorbs.net', Array(2, 3, 4, 5, 6, 7, 8, 9));
+
+ // http://www.projecthoneypot.org/httpbl.php
+ // $config['dnsbl'][] = Array('.%.dnsbl.httpbl.org', function($ip) {
+ // $octets = explode('.', $ip);
+ //
+ // // days since last activity
+ // if($octets[1] > 14)
+ // return false;
+ //
+ // // "thread score" (http://www.projecthoneypot.org/threat_info.php)
+ // if($octets[2] < 5)
+ // return false;
+ //
+ // return true;
+ // }, 'dnsbl.httpbl.org'); // hide our access key
+
 
 // Skip checking certain IP addresses against blacklists (for troubleshooting or whatever)
 $config['dnsbl_exceptions'][] = '127.0.0.1';
diff --git a/inc/functions.php b/inc/functions.php
index 39420402..fff5b3f8 100644
--- a/inc/functions.php
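Review bot: The new config comment never states the entry format that checkDNSBL() now parses, so a reader has to reverse-engineer it from the three examples: the first element is the zone, where `%` stands for the reversed client IP and is otherwise prepended, the optional second element is a return code, a list of codes, or a callback that receives the answer, and the optional third element is the name shown in the error message. A short comment above the sectoor example saying exactly that would make the examples self-explanatory, and `// "thread score"` should read `// "threat score"` to match the linked page. Worth stating in the commit message as well: the Tor list that was previously enabled by default is now only a commented example, so a default install checks no blacklist at all until the operator uncomments one.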
+++ b/inc/functions.php
@@ -1292,6 +1292,7 @@ function checkDNSBL() {
 global $config;
+ if(isIPv6()) return; // No IPv6 support yet.
@@ -1303,13 +1304,32 @@
 $ip = ReverseIPOctets($_SERVER['REMOTE_ADDR']);
- foreach($config['dnsbl'] as &$blacklist) {
- $lookup = $ip . '.' . $blacklist;
- $host = DNS($lookup);
- if($host !== false) {
- // On NXDOMAIN (meaning it's not in the blacklist), gethostbyname() returns the host unchanged.
- if(preg_match('/^127\.0\.0\./', $host) && $host != '127.0.0.10')
- error(sprintf($config['error']['dnsbl'], $blacklist));
+ foreach($config['dnsbl'] as $blacklist) {
+ if(!is_array($blacklist) == 1)
+ $blacklist = Array($blacklist);
+
+ if(($lookup = str_replace('%', $ip, $blacklist[0])) == $blacklist[0])
+ $lookup = $ip . '.' . $blacklist[0];
+
+ if(!$ip = DNS($lookup))
+ continue; // not in list
+
+ $blacklist_name = isset($blacklist[2]) ? $blacklist[2] : $blacklist[0];
+
+ if(!isset($blacklist[1])) {
+ // If you're listed at all, you're blocked.
+ error(sprintf($config['error']['dnsbl'], $blacklist_name));
+ } elseif(is_array($blacklist[1])) {
+ foreach($blacklist[1] as $octet) {
+ if($ip == $octet || $ip == '127.0.0.' . $octet)
+ error(sprintf($config['error']['dnsbl'], $blacklist_name));
+ }
+ } elseif(is_callable($blacklist[1])) {
+ if($blacklist[1]($ip))
+ error(sprintf($config['error']['dnsbl'], $blacklist_name));
+ } else {
+ if($ip == $blacklist[1] || $ip == '127.0.0.' . $blacklist_name)
+ error(sprintf($config['error']['dnsbl'], $blacklist_name));
 }
 }
 }
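Review bot: The early return makes every IPv6 visitor bypass all blacklist checks silently, and neither this function nor the config section says so, so an operator who enables a zone will assume it covers every client. A comment on the guard such as `// IPv6 clients are not checked against any DNSBL; the configured zones are IPv4-only.` and a matching line in inc/config.php would make the gap visible. checkDNSBL() continues past this hunk.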
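Review bot: `if(!$ip = DNS($lookup))` overwrites the reversed client IP with the lookup answer (or `false`), so from the second configured zone onward `$lookup` is built from the previous answer instead of the visitor's address and only the first list is ever checked correctly; the answer needs its own variable. In the final `else` branch `'127.0.0.' . $blacklist_name` should be `'127.0.0.' . $blacklist[1]`, otherwise a scalar return code such as the `1` in the sectoor example in inc/config.php never matches. `!is_array($blacklist) == 1` only works because `!` binds tighter than `==`, and the `==` comparisons of the answer against integer codes are loose (under the PHP 5 rules in effect when this was written, `'127.0.0.2' == 127` is true), so `===` against the string form is safer. The `!isset($blacklist[1])` branch blocks on any non-false answer, which is only correct if DNS() — defined outside this hunk — returns false on NXDOMAIN rather than the unchanged hostname the removed comment warned about; worth confirming. checkDNSBL() begins before this hunk.
```php
foreach($config['dnsbl'] as $blacklist) {
    if(!is_array($blacklist))
        $blacklist = Array($blacklist);

    // … unchanged: build $lookup from the zone and the reversed client IP …

    // Keep $ip intact for the next zone; the answer goes in $host.
    if(!$host = DNS($lookup))
        continue; // not in list

    // … unchanged: $blacklist_name and the "listed at all" branch …

    } elseif(is_array($blacklist[1])) {
        foreach($blacklist[1] as $octet) {
            if($host === (string)$octet || $host === '127.0.0.' . $octet)
                error(sprintf($config['error']['dnsbl'], $blacklist_name));
        }
    } elseif(is_callable($blacklist[1])) {
        if($blacklist[1]($host))
            error(sprintf($config['error']['dnsbl'], $blacklist_name));
    } else {
        if($host === (string)$blacklist[1] || $host === '127.0.0.' . $blacklist[1])
            error(sprintf($config['error']['dnsbl'], $blacklist_name));
    }
}
```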