Proper DNSBL implementation. Very sexy.

2012-03-18 06:34:34 +11:00 · 2012-03-18 06:34:34 +11:00 · 35a1e05787
commit 35a1e05787
parent b561066a4c
2 changed files with 50 additions and 13 deletions
--- a/inc/config.php
+++ b/inc/config.php
@ -165,12 +165,29 @@
 	// Same as above but different IP address
 	$config['flood_time_same'] = 30;
 	
-	// DNS blacklists (DNSBL) http://www.dnsbl.info/dnsbl-list.php
-	$config['dnsbl'][] = 'tor.dnsbl.sectoor.de'; // Tor exit nodes
-	//$config['dnsbl'][] = 'dnsbl.sorbs.net';
-	// A better way to check for Tor exit nodes (https://www.torproject.org/projects/tordnsel.html.en):
-	// server-port.reverse-server-ip.ip-port.exitlist.torproject.org
-	// $config['dnsbl'][] = $_SERVER['PORT'] . '.' . '4.3.2.1' . '.ip-port.exitlist.torproject.org';
+	// DNS blacklists (DNSBL) http://tinyboard.org/docs/dnsbl.html
+	
+	// http://www.sectoor.de/tor.php
+	//$config['dnsbl'][] = Array('tor.dnsbl.sectoor.de', 1); // Tor exit servers
+	
+	// http://www.sorbs.net/using.shtml
+	// $config['dnsbl'][] = Array('dnsbl.sorbs.net', Array(2, 3, 4, 5, 6, 7, 8, 9));
+	
+	// http://www.projecthoneypot.org/httpbl.php
+	// $config['dnsbl'][] = Array('<your access key>.%.dnsbl.httpbl.org', function($ip) {
+	//	$octets = explode('.', $ip);
+	//	
+	//	// days since last activity
+	//	if($octets[1] > 14)
+	//		return false;
+	//	
+	//	// "thread score" (http://www.projecthoneypot.org/threat_info.php)
+	//	if($octets[2] < 5)
+	//		return false;
+	//	
+	//	return true;
+	// }, 'dnsbl.httpbl.org'); // hide our access key
+	
 	
 	// Skip checking certain IP addresses against blacklists (for troubleshooting or whatever)
 	$config['dnsbl_exceptions'][] = '127.0.0.1';
--- a/inc/functions.php
+++ b/inc/functions.php
@ -1292,6 +1292,7 @@
 	function checkDNSBL() {
 		global $config;
 		
+		
 		if(isIPv6())
 			return; // No IPv6 support yet.
 		
@ -1303,13 +1304,32 @@
 		
 		$ip = ReverseIPOctets($_SERVER['REMOTE_ADDR']);
 		
-		foreach($config['dnsbl'] as &$blacklist) {
-			$lookup = $ip . '.' . $blacklist;
-			$host = DNS($lookup);
-			if($host !== false) {
-				// On NXDOMAIN (meaning it's not in the blacklist), gethostbyname() returns the host unchanged.
-				if(preg_match('/^127\.0\.0\./', $host) && $host != '127.0.0.10')
-					error(sprintf($config['error']['dnsbl'], $blacklist));
+		foreach($config['dnsbl'] as $blacklist) {
+			if(!is_array($blacklist) == 1)
+				$blacklist = Array($blacklist);
+			
+			if(($lookup = str_replace('%', $ip, $blacklist[0])) == $blacklist[0])
+				$lookup = $ip . '.' . $blacklist[0];
+			
+			if(!$ip = DNS($lookup))
+				continue; // not in list
+			
+			$blacklist_name = isset($blacklist[2]) ? $blacklist[2] : $blacklist[0];
+			
+			if(!isset($blacklist[1])) {
+				// If you're listed at all, you're blocked.
+				error(sprintf($config['error']['dnsbl'], $blacklist_name));
+			} elseif(is_array($blacklist[1])) {
+				foreach($blacklist[1] as $octet) {
+					if($ip == $octet || $ip == '127.0.0.' . $octet)
+						error(sprintf($config['error']['dnsbl'], $blacklist_name));
+				}
+			} elseif(is_callable($blacklist[1])) {
+				if($blacklist[1]($ip))
+					error(sprintf($config['error']['dnsbl'], $blacklist_name));
+			} else {
+				if($ip == $blacklist[1] || $ip == '127.0.0.' . $blacklist_name)
+					error(sprintf($config['error']['dnsbl'], $blacklist_name));
 			}
 		}
 	}