Block Spam, Preventing URL Injection And Block HTTP Attacks With mod_dnsblacklist

Submitted by euronymous (Contact Author) (Forums) on Tue, 2009-12-08 13:08. :: Lighttpd | Security

mod_dnsblacklist is a Lighttpd module that uses a DNSBL (DNS-based blacklist) to block spam relayed via web forms, prevent URL injection, block HTTP DDoS attacks from bots and, more generally, protect your web service by denying access to known bad IP addresses. Official site:

http://www.lucaercoli.it/

To install it, download the source code and compile it by running these commands:

make mod_dnsblacklist.o

gcc -shared -o mod_dnsblacklist.so mod_dnsblacklist.o

/usr/bin/install -c mod_dnsblacklist.so /usr/local/lib/mod_dnsblacklist.so

The module accepts these directives:

dnsblacklist.method
    Syntax:   dnsblacklist.method string
    Supported: GET, POST, HEAD, OPTIONS, PUT and PROPFIND
    Default:  POST

    The HTTP method(s) on which the module performs the DNSBL check

dnsblacklist.host
    Syntax:   dnsblacklist.host string
    Default:  sbl-xbl.spamhaus.org

    The DNSBL zone that client addresses are looked up in

dnsblacklist.message
    Syntax:   dnsblacklist.message string
    Default:  Your IP address is blacklisted!

    Error message displayed to the blocked user

Once installed, enable it by editing Lighttpd's configuration (/etc/lighttpd/lighttpd.conf). Here's an example:

server.modules = (
.....
"mod_dnsblacklist",
......

Finally, restart the server:

/etc/init.d/lighttpd restart

The default configuration protects you from attacks performed with the POST method, such as spam relayed via web forms and blog comments. To extend the protection to GET requests as well, and so prevent URL injection, put this in the Lighttpd configuration:

dnsblacklist.method "GET,POST"

To change the error message shown to blocked users, use the "dnsblacklist.message" directive like this:

dnsblacklist.message "Your custom message"
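As an added illustration (not code from the module or from this article), here is the check the module performs expressed in Python: the client IP is reversed and looked up under the configured DNSBL zone, and an A record in 127.0.0.0/8 means the address is listed, while NXDOMAIN means it is not. The resolver is injectable so the logic can be exercised offline; the directive parsing, the default names and the IPv6 nibble form (RFC 5782) are assumptions, since the article only describes IPv4 lookups.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Constructed defaults mirroring the article's directive defaults.
DNSBL_HOST = "sbl-xbl.spamhaus.org"
BLOCKED_METHODS = {"POST"}          # dnsblacklist.method default


def dnsbl_query_name(ip: str, zone: str = DNSBL_HOST) -> str:
    """Build the DNSBL lookup name: reversed IPv4 octets (or reversed
    IPv6 nibbles per RFC 5782, an assumption here) under the list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(ip.split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def _system_resolve(name: str) -> Optional[str]:
    """Real A lookup; None when the name does not exist (= not listed).
    Note this call blocks the caller, which is the concern raised in the
    comments for a single-threaded server."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, zone: str = DNSBL_HOST,
              resolve: Callable[[str], Optional[str]] = _system_resolve) -> bool:
    """A listing is an answer in 127.0.0.0/8; any other answer (or none)
    is treated as not listed."""
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and answer.startswith("127.")


def parse_methods(directive: str) -> set:
    """Parse a dnsblacklist.method value such as "GET,POST"."""
    return {m.strip().upper() for m in directive.split(",") if m.strip()}


def should_block(method: str, client_ip: str,
                 methods=BLOCKED_METHODS, **lookup_kw) -> bool:
    """Only requests using a configured method trigger the DNSBL lookup,
    so other methods never pay the cost of a DNS round trip."""
    if method.upper() not in methods:
        return False
    return is_listed(client_ip, **lookup_kw)
```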

...and now fly light ;)


Submitted by Horst (not registered) on Tue, 2010-03-30 20:28.

In the lighttpd forum there is this thread, describing why it doesn't have to be a good idea to use this mod_dnsblacklist:

http://redmine.lighttpd.net/boards/3/topics/2416

Quote by stbuehler:

I guess it will be useful to some people, so just as a final note why this is not the right way to do it in general:
lighttpd is single threaded, and will handle all requests with this one thread. If you "block one request for 1 second", you block all requests for 1 second.
Now it may be "difficult" to get many IPv4 addresses to cause a DDoS (each new address will block lighttpd for some time); when it comes to IPv6 you are doomed (I didn't look at your patch and I guess you don't support IPv6 anyway, but just as a thought).
So the real solution would be to do the DNS lookup asynchronously, which either requires you to do the lookup in another thread/process or to have an async DNS lookup implementation which you can hook into lighttpd's event system.