From bdf5ab51ef83013466d25c5cacd31ec50f02cd19 Mon Sep 17 00:00:00 2001
From: Matthias Tarasiewicz
Date: Tue, 16 Jan 2007 07:16:56 +0000
Subject: [PATCH] ANTISPAM: included dnsbl_check - DNS Blackhole Lists check [thanks to joost from http://www.spacebabies.nl ]
---
 app/controllers/application.rb | 4 +-
 vendor/plugins/dnsbl_check/README | 35 +++++++++++
 vendor/plugins/dnsbl_check/init.rb | 1 +
 vendor/plugins/dnsbl_check/lib/dnsbl_check.rb | 58 +++++++++++++++++++
 4 files changed, 96 insertions(+), 2 deletions(-)
 create mode 100644 vendor/plugins/dnsbl_check/README
 create mode 100644 vendor/plugins/dnsbl_check/init.rb
 create mode 100644 vendor/plugins/dnsbl_check/lib/dnsbl_check.rb
diff --git a/app/controllers/application.rb b/app/controllers/application.rb
index 31cbd687..59c43eb0 100644
--- a/app/controllers/application.rb
+++ b/app/controllers/application.rb
@@ -1,8 +1,8 @@
 # The filters added to this controller will be run for all controllers in the application.
 # Likewise will all the methods added be available for all controllers.
 class ApplicationController < ActionController::Base
-
- before_filter :connect_to_model, :check_authorization, :setup_url_generator, :set_content_type_header, :set_robots_metatag
+# require 'dnsbl_check'
+ before_filter :dnsbl_check, :connect_to_model, :check_authorization, :setup_url_generator, :set_content_type_header, :set_robots_metatag
 after_filter :remember_location, :teardown_url_generator
 # For injecting a different wiki model implementation. Intended for use in tests
diff --git a/vendor/plugins/dnsbl_check/README b/vendor/plugins/dnsbl_check/README
new file mode 100644
index 00000000..dcbfb8d7
--- /dev/null
+++ b/vendor/plugins/dnsbl_check/README
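Review bot: Putting `:dnsbl_check` first in the `ApplicationController` filter chain runs the blocklist lookups for every action of every controller, including read-only page views, although the commit is aimed at spam, which arrives through write requests. A client that is not in the plugin's pass cache then waits on the DNS lookups before anything renders, and a blocklist false positive locks a reader out of the whole site rather than out of posting. Consider a separate line scoped to the write actions, `before_filter :dnsbl_check, :only => [<write actions>]` (placeholder: the action names are not visible in this hunk), and drop the commented-out `# require 'dnsbl_check'`, since the plugin's init.rb already does the include. The filter keys on `request.remote_addr`; if the app sits behind a reverse proxy that is presumably the proxy's address, so confirm which address the deployment actually sees. The class body continues outside the hunk.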
@@ -0,0 +1,35 @@
+This plugin checks if the client is listed in RBLs (Real-time Blackhole Lists).
+These are lists of IP addresses misbehaving. There are many RBLs, some are more
+aggressive than others. More information at http://en.wikipedia.org/wiki/DNSBL
+
+This filter will result in one DNS request for every blocklist that you have
+configured. This might be problematic for sites under heavy load, although this
+plugin has been used on high-traffic sites without any problem. One DNS
+request takes a few miliseconds to complete, after all.
+
+
+INSTALLATION
+
+1. Download dnsbl_check-(version).tar.gz. You agree to the license.
+2. Go to your application's 'vendor/plugins' directory
+3. Untar (un-winzip) the above file: tar xvfz dnsbl_check.tar.gz
+4. Restart your application.
+
+
+VERSION HISTORY
+
+0.1 18 June 2006 Initial release
+0.2 10 June 2006 Renamed to dnsbl_check, bugfix
+0.3 20 June 2006 Removed sorbs from distribution, was not supposed to be included (too aggressive)
+0.4 18 July 2006 Explicit return false added, moved to a per-controller basis (not global anymore)
+1.0 16 August 2006 Renamed 0.4 to 1.0. I have been using the plugin very succesfully for months now.
+1.1 17 October 2006 Multithreaded version
+1.2 23 October 2006 Using the native Ruby resolver library for better multithreaded support
+1.2.1 25 October 2006 Accepts a wider range of dns responses
+1.2.2 11 December 2006 dnsbls are seemingly under attack, added code to cope with failing service
+
+
+MORE INFORMATION
+
+http://spacebabies.nl/dnsbl_check/
+joost@spacebabies.nl
diff --git a/vendor/plugins/dnsbl_check/init.rb b/vendor/plugins/dnsbl_check/init.rb
new file mode 100644
index 00000000..19da77fd
--- /dev/null
+++ b/vendor/plugins/dnsbl_check/init.rb
@@ -0,0 +1 @@
+ActionController::Base.send :include, DNSBL_Check
diff --git a/vendor/plugins/dnsbl_check/lib/dnsbl_check.rb b/vendor/plugins/dnsbl_check/lib/dnsbl_check.rb
new file mode 100644
index 00000000..b891aa8b
--- /dev/null
+++ b/vendor/plugins/dnsbl_check/lib/dnsbl_check.rb 
@@ -0,0 +1,58 @@
+# This plugin checks if the client is listed in DNSBLs (DNS Blackhole Lists).
+# These are lists of IP addresses misbehaving. There are many DNSBLs, some are more
+# aggressive than others. More information at http://en.wikipedia.org/wiki/DNSBL
+#
+# This plugin will perform one DNS request per client per blocklist.
+# This plugin will deny service to clients those blocklists have listed.
+# Whether any of this is acceptable is up to you.
+#
+# mailto:joost@spacebabies.nl
+# License: MIT License, like Rails.
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+# Version 1.2
+# http://www.spacebabies.nl/dnsbl_check
+require 'resolv'
+
+module DNSBL_Check
+ $dnsbl_passed ||= []
+ DNSBLS = %w{list.dsbl.org bl.spamcop.net sbl-xbl.spamhaus.org}
+
+ private
+ # Filter to check if the client is listed. This will be run before all requests.
+ def dnsbl_check
+ return true if $dnsbl_passed.include? request.remote_addr
+
+ passed = true
+ threads = []
+ request.remote_addr =~ /(\d+).(\d+).(\d+).(\d+)/
+
+ # Check the remote address against each dnsbl in a separate thread
+ DNSBLS.each do |dnsbl|
+ threads << Thread.new("#$4.#$3.#$2.#$1.#{dnsbl}") do |host|
+ logger.warn("Checking DNSBL #{host}")
+ addr = Resolv.getaddress("#{host}") rescue ''
+ if addr[0,7]=="127.0.0"
+ logger.info("#{request.remote_addr} found using DNSBL #{host}")
+ passed = false
+ end
+ end
+ end
+ threads.each {|thread| thread.join(2)} # join threads, but use timeout to kill blocked ones
+
+ # Add client ip to global passed cache if no dnsbls objected.
else deny service.
+ if passed
+ $dnsbl_passed = $dnsbl_passed[0,49].unshift request.remote_addr
+ logger.warn("#{request.remote_addr} added to DNSBL passed cache")
+ else
+ render :text => 'Access denied', :status => 403
+ return false
+ end
+ end
+end
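Review bot: A lookup that does not finish is treated as a pass and then cached. `thread.join(2)` only stops waiting after two seconds (it does not kill the thread, despite the comment), so when the blocklists are slow or unreachable `passed` is still true and the address is written to `$dnsbl_passed`, where it skips the check for as long as it stays in that cache. Failing open may be the intent, but only addresses whose lookups all returned should be cached, e.g. `finished = threads.map { |t| t.join(2) }` followed by `$dnsbl_passed = $dnsbl_passed[0,49].unshift(request.remote_addr) if finished.all?` inside the `if passed` branch. The `request.remote_addr =~ /(\d+).(\d+).(\d+).(\d+)/` match is also unanchored, leaves the dots unescaped and never has its result checked, so an address that is not dotted IPv4 produces a query name that fails to resolve and therefore passes; `/\A(\d+)\.(\d+)\.(\d+)\.(\d+)\z/` with an explicit branch for the no-match case would make that policy visible. The unsynchronised global `$dnsbl_passed` deserves a comment, and the routine `logger.warn` calls a lower log level.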