ANTISPAM: included dnsbl_check - DNS Blackhole Lists check [thanks to joost from http://www.spacebabies.nl ]

Matthias Tarasiewicz 2007-01-16 07:16:56 +00:00
parent d7508a34ab
commit bdf5ab51ef
4 changed files with 96 additions and 2 deletions

@ -1,8 +1,8 @@
# The filters added to this controller will be run for all controllers in the application. # The filters added to this controller will be run for all controllers in the application.
# Likewise will all the methods added be available for all controllers. # Likewise will all the methods added be available for all controllers.
class ApplicationController < ActionController::Base class ApplicationController < ActionController::Base
# require 'dnsbl_check'
before_filter :connect_to_model, :check_authorization, :setup_url_generator, :set_content_type_header, :set_robots_metatag before_filter :dnsbl_check, :connect_to_model, :check_authorization, :setup_url_generator, :set_content_type_header, :set_robots_metatag
after_filter :remember_location, :teardown_url_generator after_filter :remember_location, :teardown_url_generator
# For injecting a different wiki model implementation. Intended for use in tests # For injecting a different wiki model implementation. Intended for use in tests
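
Review bot: `:dnsbl_check` is added at the head of the `before_filter` chain in ApplicationController, so it runs for every action of every controller, ahead of `:connect_to_model` and `:check_authorization`. For an antispam measure that is broader than needed: a read-only page view from a listed address gets a 403 as well, and every uncached client pays for the DNS lookups before anything else happens. Consider attaching the filter only to the actions that accept submissions (the README's own history says 0.4 "moved to a per-controller basis"), and delete the commented-out `# require 'dnsbl_check'` rather than committing it.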

35
vendor/plugins/dnsbl_check/README vendored Normal file

@ -0,0 +1,35 @@
This plugin checks if the client is listed in RBLs (Real-time Blackhole Lists).
These are lists of IP addresses misbehaving. There are many RBLs, some are more
aggressive than others. More information at http://en.wikipedia.org/wiki/DNSBL
This filter will result in one DNS request for every blocklist that you have
configured. This might be problematic for sites under heavy load, although this
plugin has been used on high-traffic sites without any problem. One DNS
request takes a few miliseconds to complete, after all.
INSTALLATION
1. Download dnsbl_check-(version).tar.gz. You agree to the license.
2. Go to your application's 'vendor/plugins' directory
3. Untar (un-winzip) the above file: tar xvfz dnsbl_check.tar.gz
4. Restart your application.
VERSION HISTORY
0.1 18 June 2006 Initial release
0.2 10 June 2006 Renamed to dnsbl_check, bugfix
0.3 20 June 2006 Removed sorbs from distribution, was not supposed to be included (too aggressive)
0.4 18 July 2006 Explicit return false added, moved to a per-controller basis (not global anymore)
1.0 16 August 2006 Renamed 0.4 to 1.0. I have been using the plugin very succesfully for months now.
1.1 17 October 2006 Multithreaded version
1.2 23 October 2006 Using the native Ruby resolver library for better multithreaded support
1.2.1 25 October 2006 Accepts a wider range of dns responses
1.2.2 11 December 2006 dnsbls are seemingly under attack, added code to cope with failing service
MORE INFORMATION
http://spacebabies.nl/dnsbl_check/
joost@spacebabies.nl
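
Review bot: The version history ends at 1.2.2 ("added code to cope with failing service"), but the module header added in this same commit says `# Version 1.2`, so it is unclear which release was vendored; state the version in one place and make the two agree. The text also refers to "every blocklist that you have configured" without saying where that configuration lives (the lists are the hard-coded `DNSBLS` constant), step 3 untars `dnsbl_check.tar.gz` while step 1 names `dnsbl_check-(version).tar.gz`, and the 0.2 entry is dated before 0.1.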

1
vendor/plugins/dnsbl_check/init.rb vendored Normal file

@ -0,0 +1 @@
ActionController::Base.send :include, DNSBL_Check
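
Review bot: `DNSBL_Check` is referenced here with no `require` in this file, so loading depends on constant autoloading finding the file that defines the module. An explicit `require 'dnsbl_check'` in init.rb would make that dependency visible and would let the commented-out require in ApplicationController be dropped. Note also that this include makes `dnsbl_check` available on every controller, which is only needed if the filter stays global.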


@ -0,0 +1,58 @@
# This plugin checks if the client is listed in DNSBLs (DNS Blackhole Lists).
# These are lists of IP addresses misbehaving. There are many DNSBLs, some are more
# aggressive than others. More information at http://en.wikipedia.org/wiki/DNSBL
#
# This plugin will perform one DNS request per client per blocklist.
# This plugin will deny service to clients those blocklists have listed.
# Whether any of this is acceptable is up to you.
#
# mailto:joost@spacebabies.nl
# License: MIT License, like Rails.
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
# Version 1.2
# http://www.spacebabies.nl/dnsbl_check
require 'resolv'
module DNSBL_Check
$dnsbl_passed ||= []
DNSBLS = %w{list.dsbl.org bl.spamcop.net sbl-xbl.spamhaus.org}
private
# Filter to check if the client is listed. This will be run before all requests.
def dnsbl_check
return true if $dnsbl_passed.include? request.remote_addr
passed = true
threads = []
request.remote_addr =~ /(\d+).(\d+).(\d+).(\d+)/
# Check the remote address against each dnsbl in a separate thread
DNSBLS.each do |dnsbl|
threads << Thread.new("#$4.#$3.#$2.#$1.#{dnsbl}") do |host|
logger.warn("Checking DNSBL #{host}")
addr = Resolv.getaddress("#{host}") rescue ''
if addr[0,7]=="127.0.0"
logger.info("#{request.remote_addr} found using DNSBL #{host}")
passed = false
end
end
end
threads.each {|thread| thread.join(2)} # join threads, but use timeout to kill blocked ones
# Add client ip to global passed cache if no dnsbls objected. else deny service.
if passed
$dnsbl_passed = $dnsbl_passed[0,49].unshift request.remote_addr
logger.warn("#{request.remote_addr} added to DNSBL passed cache")
else
render :text => 'Access denied', :status => 403
return false
end
end
end
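
Review bot: The result of `request.remote_addr =~ /(\d+).(\d+).(\d+).(\d+)/` is never checked, the dots are unescaped and the pattern is unanchored. When the address does not match (an IPv6 client, for example), `$1`..`$4` are nil, the lookup name becomes `....<dnsbl>`, the `rescue ''` swallows the failure, and the client is added to the passed cache. Anchor and escape the pattern (`\A(\d+)\.(\d+)\.(\d+)\.(\d+)\z`) and decide explicitly what happens when it does not match. The same fail-open behaviour applies to `thread.join(2)`: joining with a timeout does not kill the thread, despite the comment, so a lookup that answers after two seconds sets `passed = false` too late and the address has already been stored in `$dnsbl_passed`, which is an unsynchronized global shared by all requests. The routine "Checking DNSBL" and "added to DNSBL passed cache" messages should also be logged below `logger.warn`, since they fire on normal traffic.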