[Dshield] Local DNS RBL

Frank Knobbe frank at knobbe.us
Sun Jan 23 21:28:44 GMT 2005


On Sun, 2005-01-23 at 14:18 -0500, David Cary Hart wrote:
> Given the close correlation of spam and virus distribution, I'm now
> banning mail from abusive areas (notably China and Korea). I'm thinking
> about extending the process to HTTPD as well using the same dns zones
> (if I can figure out how to do it).

You would need to configure the web server to run as being called from
inetd. Then use daemontools and tcpwrapper to launch it like this:
  /usr/local/bin/tcpserver -R -v -p -u www -g www 0 80 \
     rblsmtpd -r myblocklist.org /usr/local/sbin/httpd

> I hope that this is useful (or at least fun). Watching the carnage in
> a maillog tail is enjoyable but, perhaps, I am too easily amused. Rants,
> raves, corrections and comments are welcome. Ultimately, I'm just trying
> to improve my skills to something north of nitwit.

Good idea to play with, bad idea for production. The overhead alone
(doing the RBL lookup for each HTTP connection) will kill you as each
web client establishes multiple connections to your web server.

Why not block with firewall rules instead? Much more efficient, secure,
stable (no missed, or wrong, RBL lookups), and easier to troubleshoot.


While on the subject of blocking, I always snicker when people preach
the "deny-all-allow-what-is-required" firewall mantra, but then turn
around and selectively block countries they think are hostile. Why not
block them all, and only allow certain, friendly networks???

Cheers,
Frank
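Added example, not code from this post or from ucspi-tcp/rblsmtpd: what the per-connection RBL lookup in the tcpserver line above amounts to, with the resolver injected so it runs offline against a constructed zone (the zone name `myblocklist.example` and its contents are assumed). Only 127/8 answers count as a listing, which is one way to avoid the "wrong RBL lookup" failure the reply mentions, and the lookup counter makes the per-connection overhead visible.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# A resolver maps a DNS name to its A-record answers ([] means NXDOMAIN).
Resolver = Callable[[str], List[str]]
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the RBL name the way rblsmtpd does: reversed octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # rejects non-IPv4
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")

def listing_code(ip: str, zone: str, resolve: Resolver) -> Optional[str]:
    """Return the 127.0.0.x answer when ip is listed in zone, else None.
    Only 127/8 answers count, so a wildcard or a stray public address in
    the reply does not refuse a client by mistake."""
    for answer in resolve(dnsbl_query_name(ip, zone)):
        try:
            if ipaddress.IPv4Address(answer) in LISTED_RANGE:
                return answer
        except ipaddress.AddressValueError:
            continue  # malformed answer: ignore rather than block
    return None

class CachingChecker:
    """Per-client verdict cache; `lookups` counts DNS queries actually
    sent, which is the per-connection overhead the reply objects to."""

    def __init__(self, zone: str, resolve: Resolver) -> None:
        self.zone, self.resolve = zone, resolve
        self.cache: Dict[str, Optional[str]] = {}
        self.lookups = 0

    def check(self, ip: str) -> bool:
        """True if the connection should be refused."""
        if ip not in self.cache:
            self.lookups += 1
            self.cache[ip] = listing_code(ip, self.zone, self.resolve)
        return self.cache[ip] is not None

# Constructed stand-in zone (assumed name and contents, not a real RBL).
FAKE_ZONE: Dict[str, List[str]] = {
    "4.3.2.1.myblocklist.example": ["127.0.0.2"],     # listed
    "1.0.168.192.myblocklist.example": ["10.9.8.7"],  # bogus, not 127/8
}

def fake_resolver(name: str) -> List[str]:
    return FAKE_ZONE.get(name, [])
```

Swap `fake_resolver` for a real DNS query (e.g. `socket.gethostbyname_ex`) to test against a live zone; the 127/8 filter and the cache stay the same.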
