Apache 2.4.x spamhaus_new Module

Background Story

The Apache webserver anti-spam module mod_spamhaus_new is based on the existing mod_spamhaus which I found useful to protect the Apache webserver from spam relay via web forms, URL injection, DDoS attacks from bots and generally from known bad IP addresses. I installed the original module on my webserver and were happy with the results, until some customers told me, that they cannot download the software they bought with their products. What was their fault? Nothing, they had just bad luck that they got a dynamic IP address which had been Spamhaus blacklisted before.
As I realized this plus the fact, that some customers are unable to order because of the same reason, I decided to check, if the Apache Spamhaus module configuration allows to set exceptions for specific domains. That was not the case, so I decided to add this feature and create a mod_spamhaus_new.
Also, Spamhaus-blacklisted IP addresses had been cached forever, which is not desirable: Added MS_CacheValidity parameter.

mod_spamhaus_new is a typical example what to achieve within four working days:

- Find out how Apache modules work.
- Understand how mod_spamhaus works.
- Understand Apache module build process and configuration.
- Solve problem that the Apache API changed from version 2.2 to 2.4, adapt the existing mod_spamhaus source code.
- Understand Apache Portable Runtime hash functions.
- Cleanup existing code and functionality.
- Add new functionality "unaffected domains".
- Add DNS cache expiry parameter. Not blacklisted IP addresses are rechecked after some time.
- Moved from fixed size arrays to hashed lists, which improves the speed to check if an IP is cached.
- Test mod_spamhaus_new.
- Document new Apache Spamhaus module.
- Publish mod_spamhaus_new.

mod_spamhaus_new is not perfect in any way, it is a result what can be done within four days with minimal effort. The following improvements could be done:

- Further clean up of the source code regarding global variables and functional structure.
- Implement module tests.
- Test if resizing of IP address (DNS cache) hash table could be improved by looking up Apache Portable Runtime source code.
- Improve coding reaching MISRA C MISRA C++ compliance.
- Implement an asynchronous checking strategy in order to speed up delivery times of checked pages. Currently a request of a checked page leads to a lookup of the requestor in cache or at Spamhaus. Depending on the response time of the Spamhaus request, this can lead to delays until the requested page is delivered. Solution: We could check requests of unchecked pages in advance to have the result already in cache when a checked page should be delivered.

The latter is postponed until the weather is too bad for skiing, windsurfing, mountainbiking, hiking etc. or I get paid for it. :)

Description, Build Process, Configuration

Coding style adapted from previous module version, no complete rewrite! Adapted module for own purposes. Would do it nicer for new projects. See the background story above.

Copyright: Copyright (C) 2008 Luca Ercoli <luca.e [at] seeweb.it>, 2018 Rainer Kaufmann <info [at] kaufmann-automotive.ch>

License:

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

What's mod_spamhaus_new
=======================

mod_spamhaus_new is an Apache module that uses DNSBL in order to block spam relay via web forms, preventing URL injection, block HTTP(S) DDoS attacks from bots and generally protecting your web service denying access to a known bad IP address. Default configuration takes advantage of the Spamhaus Block List (SBL) and the Exploits Block List (XBL) querying sbl-xbl.spamhaus.org but you can use a different DNSB, for example local rbldnsd instance of sbl-xbl (increasing query performance). Spamhaus's DNSBLs are offered as a free public service for low-volume non-commercial use. To check if you qualify for free use, please see: Spamhaus DNSBL usage criteria (http://www.spamhaus.org/organization/dnsblusage.html)

INSTALLATION
============

Prerequisites

* Apache 2.4.X - http://www.apache.org/
Other versions may work but have not been tested

Building

If you have got the apxs2 (APache eXtenSion tool) tool installed, write the following commands
to build module:

$ tar zxvf mod_spamhaus_new-0.X.tar.gz
$ cd mod-spamhaus-new
$ make
# make install

CONFIGURATION
=============

First, you must add following command to the main config file of you're web server to load
mod_spamhaus_new module:

LoadModule spamhaus_moduleusr/lib/apache2/modules/mod_spamhaus_new.so

(The path to mod_spamhaus_new.so depends on your apache installation)

Directives
==========

MS_Methods

Syntax: MS_Methods POST,PUT,OPTIONS
Default: POST,PUT,OPTIONS

The values admitted are the httpd's methods (GET,POST,etc)
Module verify remote ip address if the method used by the user is present
in the value passed to this variable. Methods must be comma-separated

MS_WhiteList

Syntax: MS_WhiteListetc/spamhaus.wl
Default: no value

Path of whitelist file.
After you've edit it, you mustn't reload apache. This file will be read only
when 'data modification time' change. You can add an individual IP address or
subnets with CIDR.

MS_UnaffectedDomains

Syntax: MS_UnaffectedDomainsetc/spamhaus.unaffected
Default: no value

Path of unaffected domains file. Format: www.example.com
Domains listed in this file are not spamhaus-checked, so e.g. visitors can do
an order in an online shop or can contact you whithout being locked out.
This can be helpful if you have customers that had bad luck and got a dynamic
IP which is already in a spam-list.

MS_DNS

Syntax: MS_DNS sbl-xbl.spamhaus.org
Default: sbl-xbl.spamhaus.org

Name server to use for verify is an ip is blacklisted.
Using a local rbldnsd instance of sbl-xbl, you can increase query performance

MS_CacheSize

Syntax: MS_CacheSize 4096
Default: 2048
Max value: 16384

This directive can manage the number of cache entries.

MS_CacheValidity

Syntax: MS_CacheValidity 86400
Default: 172800

This directive defines the number of seconds how long cached MS_DNS entries are valid.

MS_CustomError

Syntax: MS_CustomError "My custom error message"
Default: "Access Denied! Your IP address is blacklisted because of malicious behavior in the past."

A custom error message that allows you to replace default error message with one you create

Synopsis:
---------

<IfModule mod_spamhaus_new.c>

# HTTP methods that should be checked
MS_METHODS POST,PUT,OPTIONS,CONNECT

# Whitelist of IP addresses and address ranges
MS_WhiteListetc/spamhaus.wl

# List of domains that should not be affected
MS_UnaffectedDomainsetc/spamhaus.unaffected

# Used DNS-based blackhole list
#MS_Dns local.rbldnsd.instance.of.sbl-xbl

# IP cache size
MS_CacheSize 4096

# IP cache entry validity
MS_CacheValidity 86400

# Error message that is presented to the user
#MS_CustomError "My custom error message"

</IfModule>

Download

https://sourceforge.net/projects/mod-spamhaus-new/

https://github.com/kaufmannr/mod_spamhaus_new

Kaufmann Automotive GmbH teilen