ANTISPAM: included dnsbl_check - DNS Blackhole Lists check [thanks to joost from http://www.spacebabies.nl ]

2007-01-16 07:16:56 +00:00 · 2007-01-16 07:16:56 +00:00 · bdf5ab51ef
parent d7508a34ab
commit bdf5ab51ef
4 changed files with 96 additions and 2 deletions
--- a/app/controllers/application.rb
+++ b/app/controllers/application.rb
@ -1,8 +1,8 @@
 # The filters added to this controller will be run for all controllers in the application.
 # Likewise will all the methods added be available for all controllers.
 class ApplicationController < ActionController::Base
-
-  before_filter :connect_to_model, :check_authorization, :setup_url_generator, :set_content_type_header, :set_robots_metatag
+#  require 'dnsbl_check'
+  before_filter :dnsbl_check, :connect_to_model, :check_authorization, :setup_url_generator, :set_content_type_header, :set_robots_metatag
  after_filter :remember_location, :teardown_url_generator

  # For injecting a different wiki model implementation. Intended for use in tests
--- a/vendor/plugins/dnsbl_check/README
+++ b/vendor/plugins/dnsbl_check/README
@ -0,0 +1,35 @@
+This plugin checks if the client is listed in RBLs (Real-time Blackhole Lists).
+These are lists of IP addresses misbehaving. There are many RBLs, some are more
+aggressive than others. More information at http://en.wikipedia.org/wiki/DNSBL
+
+This filter will result in one DNS request for every blocklist that you have
+configured. This might be problematic for sites under heavy load, although this
+plugin has been used on high-traffic sites without any problem. One DNS
+request takes a few miliseconds to complete, after all.
+
+
+INSTALLATION
+
+1. Download dnsbl_check-(version).tar.gz. You agree to the license.
+2. Go to your application's 'vendor/plugins' directory
+3. Untar (un-winzip) the above file: tar xvfz dnsbl_check.tar.gz
+4. Restart your application.
+
+
+VERSION HISTORY
+
+0.1			18 June 2006		Initial release
+0.2			10 June 2006		Renamed to dnsbl_check, bugfix
+0.3			20 June 2006		Removed sorbs from distribution, was not supposed to be included (too aggressive)
+0.4			18 July 2006		Explicit return false added, moved to a per-controller basis (not global anymore)
+1.0			16 August 2006		Renamed 0.4 to 1.0. I have been using the plugin very succesfully for months now.
+1.1			17 October 2006	Multithreaded version
+1.2			23 October 2006	Using the native Ruby resolver library for better multithreaded support
+1.2.1			25 October 2006	Accepts a wider range of dns responses
+1.2.2			11 December 2006	dnsbls are seemingly under attack, added code to cope with failing service
+
+
+MORE INFORMATION
+
+http://spacebabies.nl/dnsbl_check/
+joost@spacebabies.nl
--- a/vendor/plugins/dnsbl_check/init.rb
+++ b/vendor/plugins/dnsbl_check/init.rb
@ -0,0 +1 @@
+ActionController::Base.send :include, DNSBL_Check
--- a/vendor/plugins/dnsbl_check/lib/dnsbl_check.rb
+++ b/vendor/plugins/dnsbl_check/lib/dnsbl_check.rb
@ -0,0 +1,58 @@
+# This plugin checks if the client is listed in DNSBLs (DNS Blackhole Lists).
+# These are lists of IP addresses misbehaving. There are many DNSBLs, some are more
+# aggressive than others. More information at http://en.wikipedia.org/wiki/DNSBL
+#
+# This plugin will perform one DNS request per client per blocklist.
+# This plugin will deny service to clients those blocklists have listed.
+# Whether any of this is acceptable is up to you.
+#
+# mailto:joost@spacebabies.nl
+# License: MIT License, like Rails.
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+# Version 1.2
+# http://www.spacebabies.nl/dnsbl_check
+require 'resolv'
+
+module DNSBL_Check
+  $dnsbl_passed ||= []
+  DNSBLS = %w{list.dsbl.org bl.spamcop.net sbl-xbl.spamhaus.org}
+
+  private
+  # Filter to check if the client is listed. This will be run before all requests.
+  def dnsbl_check
+    return true if $dnsbl_passed.include? request.remote_addr
+
+    passed = true
+    threads = []
+    request.remote_addr =~ /(\d+).(\d+).(\d+).(\d+)/
+
+    # Check the remote address against each dnsbl in a separate thread
+    DNSBLS.each do |dnsbl|
+      threads << Thread.new("#$4.#$3.#$2.#$1.#{dnsbl}") do |host|
+        logger.warn("Checking DNSBL #{host}")
+        addr = Resolv.getaddress("#{host}") rescue ''
+        if addr[0,7]=="127.0.0"
+          logger.info("#{request.remote_addr} found using DNSBL #{host}")
+          passed = false
+        end
+      end
+    end
+    threads.each {|thread| thread.join(2)}    # join threads, but use timeout to kill blocked ones
+
+    # Add client ip to global passed cache if no dnsbls objected. else deny service.
+    if passed
+      $dnsbl_passed = $dnsbl_passed[0,49].unshift request.remote_addr
+      logger.warn("#{request.remote_addr} added to DNSBL passed cache")
+    else
+      render :text => 'Access denied', :status => 403
+      return false
+    end
+  end
+end
				`@ -0,0 +1 @@`
				`ActionController::Base.send :include, DNSBL_Check`