mod_dnsbl_lookup, Apache module

on 16.08.2005 06:25:35 by Jem Berkes

I have been working on an Apache 2.x module, mod_dnsbl_lookup
http://www.sysdesign.ca/archive/mod_dnsbl_lookup-0.91.tar.gz

You might be familiar with Blars's Mod_Access_RBL. Mine is somewhat
different. It's not involved with access control but rather sits as an
independent module. Its purpose is to provide some utility functions to any
other module that wants to use them ("optional functions" in 2.x).

For example, if you write your own module and want to take advantage of
both DNSBL and RHSBL functions, you can use these functions:

dnsbl_lookup_ip(chain, address)
dnsbl_lookup_domain(chain, domain)

The DNSBL configuration is contained in httpd.conf, e.g.

DnsblZone spammers sbl.spamhaus.org. any
DnsblZone spammers dnsbl.sorbs.net. 127.0.0.5
DnsblZone spammers dnsbl.sorbs.net. 127.0.0.6
DnsblZone spammers dnsbl.sorbs.net. 127.0.0.9
RhsblZone spammers rhsbl.ahbl.org. 127.0.0.2

The chain name in the above directives (e.g. spammers but could also be
whitelists, not my problem) matches up to the chain you use in your
function calls. Then dnsbl_lookup_ip() for DNSBL or _domain() for RHSBL
will try to find a positive match within the chain you ask for.

I think this should provide generic enough functionality to give you an
easy to configure and easy to use DNSBL querying backend for whatever
application you want to implement.

--
Jem Berkes
Software design for Windows and Linux/Unix-like systems
http://www.sysdesign.ca/
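
Added example, not part of the original post and not the module's own code: how a chain lookup like the one described above can be evaluated, with reversed-octet query names for DNSBL zones and domain-prefixed names for RHSBL zones. The names struct zone, fake_resolve, build_qname and chain_lookup are hypothetical, the DNS answers are constructed so the code runs offline, and it assumes the third directive field is the A-record value that counts as a match ("any" accepting every answer).

```c
#include <stdio.h>
#include <string.h>

/* One configured zone, mirroring "DnsblZone|RhsblZone <chain> <zone> <response>". */
struct zone { const char *chain, *zone, *want; int rhs; };
/* Same directives as in the post (rhs = 1 marks an RhsblZone line). */
static const struct zone zones[] = {
    {"spammers", "sbl.spamhaus.org.", "any",       0},
    {"spammers", "dnsbl.sorbs.net.",  "127.0.0.5", 0},
    {"spammers", "dnsbl.sorbs.net.",  "127.0.0.6", 0},
    {"spammers", "dnsbl.sorbs.net.",  "127.0.0.9", 0},
    {"spammers", "rhsbl.ahbl.org.",   "127.0.0.2", 1},
};
/* Constructed stand-in for DNS (assumption): query name -> A record, NULL = NXDOMAIN. */
static const char *fake_resolve(const char *qname) {
    static const char *answers[][2] = {
        {"2.0.0.127.sbl.spamhaus.org.",  "127.0.0.2"},
        {"7.113.0.203.dnsbl.sorbs.net.", "127.0.0.10"},
        {"8.113.0.203.dnsbl.sorbs.net.", "127.0.0.6"},
        {"spam.example.rhsbl.ahbl.org.", "127.0.0.2"},
    };
    for (size_t i = 0; i < sizeof answers / sizeof answers[0]; i++)
        if (strcmp(answers[i][0], qname) == 0) return answers[i][1];
    return NULL;
}
/* DNSBL: reversed IPv4 octets + zone. RHSBL: domain + zone. Returns 0 on bad input. */
static int build_qname(char *out, size_t n, const char *key, const struct zone *z) {
    unsigned a, b, c, d; char tail; int r;
    if (z->rhs) r = snprintf(out, n, "%s.%s", key, z->zone);
    else if (sscanf(key, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    else if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    else r = snprintf(out, n, "%u.%u.%u.%u.%s", d, c, b, a, z->zone);
    return r > 0 && (size_t)r < n;
}
/* Returns 1 if any zone of the requested kind in the chain gives a configured answer. */
static int chain_lookup(const char *chain, const char *key, int rhs) {
    char q[300];
    for (size_t i = 0; i < sizeof zones / sizeof zones[0]; i++) {
        const struct zone *z = &zones[i];
        if (z->rhs != rhs || strcmp(z->chain, chain) != 0) continue;
        if (!build_qname(q, sizeof q, key, z)) continue;
        const char *ans = fake_resolve(q);
        if (ans && (strcmp(z->want, "any") == 0 || strcmp(z->want, ans) == 0)) return 1;
    }
    return 0;
}
int main(void) {
    printf("203.0.113.7 listed: %d\n", chain_lookup("spammers", "203.0.113.7", 0));
    printf("203.0.113.8 listed: %d\n", chain_lookup("spammers", "203.0.113.8", 0));
    return 0;
}
```

The 203.0.113.7 case is listed in a zone but with a response code the chain does not name, so it is not a positive match; only 203.0.113.8, answered with 127.0.0.6, is.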

Re: mod_dnsbl_lookup, Apache module

on 16.08.2005 22:23:45 by AK

Jem Berkes wrote:

> I have been working on an Apache 2.x module, mod_dnsbl_lookup
> http://www.sysdesign.ca/archive/mod_dnsbl_lookup-0.91.tar.gz
>
> You might be familiar with Blars's Mod_Access_RBL. Mine is somewhat
> different. It's not involved with access control but rather sits as an
> independent module. Its purpose is to provide some utility functions to any
> other module that wants to use them ("optional functions" in 2.x).
>
> For example, if you write your own module and want to take advantage of
> both DNSBL and RHSBL functions, you can use these functions:
>
> dnsbl_lookup_ip(chain, address)
> dnsbl_lookup_domain(chain, domain)
>
> The DNSBL configuration is contained in httpd.conf, e.g.
>
> DnsblZone spammers sbl.spamhaus.org. any
> DnsblZone spammers dnsbl.sorbs.net. 127.0.0.5
> DnsblZone spammers dnsbl.sorbs.net. 127.0.0.6
> DnsblZone spammers dnsbl.sorbs.net. 127.0.0.9
> RhsblZone spammers rhsbl.ahbl.org. 127.0.0.2
>
> The chain name in the above directives (e.g. spammers but could also be
> whitelists, not my problem) matches up to the chain you use in your
> function calls. Then dnsbl_lookup_ip() for DNSBL or _domain() for RHSBL
> will try to find a positive match within the chain you ask for.
>
> I think this should provide generic enough functionality to give you an
> easy to configure and easy to use DNSBL querying backend for whatever
> application you want to implement.
>

Jem,

Quite an intriguing and interesting item; however, towards whom did you
develop/target this module? Is this geared towards those who wish to
have/host something similar to www.openrbl.org locally?

I gather this functionality might be added to an interface that deals
with email. i.e. there are forms on the site that generate emails to
users or outbound. One could integrate your module to limit IPs listed
on an RBL from accessing your server/these forms.

AK

Re: mod_dnsbl_lookup, Apache module

on 16.08.2005 22:46:38 by Jem Berkes

> Quite an intriguing and interesting item; however, towards whom did
> you develop/target this module? Is this geared towards those who wish
> to have/host something similar to www.openrbl.org locally?

It was developed under the Google sponsored "Summer of Code" program. The
immediate use is for Apache's new mod_smtpd module which was one of the
Apache Foundation's wish list items. I was surprised to learn this too, but
the 2.x stream of Apache is really more than a web server. It's more of a
network application platform and modules can be written to support
arbitrary protocols including ftp (already written) and now SMTP. I wanted
to provide generic blocklist functionality for the SMTP side.

But it turns out there are other uses of mod_dnsbl_lookup too; as you
suggested, it could indeed be used for something like an openrbl site. It
could also be used as a tool when building web technologies, for example a
blog site might consult RBLs to help prevent comment spam. HTTP proxies
could consult RBLs to deny service to suspicious clients.

> I gather this functionality might be added to an interface that deals
> with email. i.e. there are forms on the site that generate emails to
> users or outbound. One could integrate your module to limit IPs
> listed on an RBL from accessing your server/these forms.

Email (as in mod_smtpd) is the main idea, but the RBLs could also be
applied to HTTP/proxy clients themselves.

--
Jem Berkes
Software design for Windows and Linux/Unix-like systems
http://www.sysdesign.ca/

Re: mod_dnsbl_lookup, Apache module

on 17.08.2005 02:42:14 by Brian Bruns

Jem Berkes wrote in
news:Xns96B4A080FA6EDjbuserspc9org@205.200.16.73:

> It was developed under the Google sponsored "Summer of Code" program.
> The immediate use is for Apache's new mod_smtpd module which was one
> of the Apache Foundation's wish list items. I was surprised to learn
> this too, but the 2.x stream of Apache is really more than a web
> server. It's more of a network application platform and modules can
> be written to support arbitrary protocols including ftp (already
> written) and now SMTP. I wanted to provide generic blocklist
> functionality for the SMTP side.

I've also made an updated version of the Blars code available that is
based on the latest Apache mod_access source which works with Apache
1.3.x.

Might come in handy for something too.

--
Brian Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://blog.sosdg.org/bruns

The Abusive Hosts Blocking List
http://www.ahbl.org