RBLs, "Realtime Blackhole Lists", or just plain "blacklists" are used by mail servers to protect against spam. In recent years these Realtime Blackhole Lists have expanded to include not just open relays and known sources of spam, but also lists of systems that have been broken into, are infected with viruses or worms, and are running open proxies.
Webservers can benefit from using RBLs/blacklists that include lists of machines which have been broken into and are being used by attackers as a mid point to hide their tracks. This helps you to cut down on the attacks on your systems. Setting up Apache to block these hosts is a fairly simple process that involves replacing the mod_access module on your system with a patched version that understands how to do this. With Apache 1.x, this is accomplished by replacing mod_access with mod_access_rbl. mod_access_rbl, at present, only works with Apache 1.3, so to get it to work with Apache 2.x you need to patch mod_access, using a small and easy to install patch.
How to use RBLs to protect Apache 2.x
1. Make a copy of your current mod_access.so file. If you don’t know where it is, try running this command on your system:
- locate mod_access.so
- cp /location/of/mod_access.so /some/safe/place
2. Download the patch for mod_access.
3. Locate your copy of the Apache source tree for your OS or distribution, or get a copy of the Apache source for your system. Make sure you get the right version for your OS or distribution, and that you install any OS/distribution specific patches. You don’t want to miss anything important in your mod_access module, because we’re going to replace your old one completely. Also, if you are using Apache 1.3, do not use this patch. It’s for Apache 2.x.
4. Once you have found or installed the apache source for your system, you need to patch one file: mod_access.c. It is generally found in this directory:
- httpd-2.x.x/modules/aaa
Once you have found mod_access.c, you will want to run this command to patch it:
- cat /path/to/mod_access_rbl.diff | patch -p1
5. Once it is patched, you can compile and install the patched mod_access.
- cd httpd-2.x.x/modules/aaa
- apxs -i -a -c mod_access.c
6. That command should also install the new mod_access into your running Apache configuration. At this point, you will want to restart Apache and carry out some testing to make sure the new module behaves as the old one did and all the old functionality is still working properly.
- /etc/init.d/httpd restart
Or whatever command you need to use to restart Apache.
7. If all the old functionality is still working properly, you can then add in the new functionality afforded by the patch. To start blocking blackholed sites, you can take one of two approaches.
To protect all the sites on your server add this to your httpd.conf file. Remember, this will apply the blocking to every web directory and website on your server:
<Limit GET POST OPTIONS PROPFIND>
    order allow,deny
    allow from all
    deny via xbl.spamhaus.org
</Limit>
If you add this to your httpd.conf, you will need to restart Apache again.
The other way is to limit the blocking to specific virtual servers and/or web directories. This also lets you define different RBLs for each resource, file, web directory and/or virtual server you want to protect. To take this granular approach, you simply use .htaccess files. Just add or modify a .htaccess file in the web directory you wish to protect, and then put this at the top of the file:
<Limit GET POST OPTIONS PROPFIND>
    order allow,deny
    allow from all
    deny via xbl.spamhaus.org
</Limit>
In both of these examples "xbl.spamhaus.org" is the RBL we are using, but you can choose to use any RBL you like in the "deny via" directive. Keep in mind that this will only deny connections for those methods (GET, POST, OPTIONS and PROPFIND) listed in the <Limit> directive. If you want to block other methods, then you will need to add them. Since those other methods are largely used by things like DAV, if you don’t use DAV, you can simply deny all methods except GET, POST, OPTIONS and PROPFIND by adding this to either your httpd.conf or your .htaccess file:
<LimitExcept GET POST OPTIONS PROPFIND>
    Order deny,allow
    Deny from all
</LimitExcept>
mod_access, when configured in this manner, will look up every incoming connection against the RBL you have defined (again, in this example, we used spamhaus.org’s Exploit Block List). Keep in mind that this process will introduce a small delay on all incoming connections and that mod_access will not cache these lookups. You can minimize the cost of this non-caching behavior by running a local caching DNS server on the machine you intend to implement this on. Make sure you also configure the system Apache is running on to use that local DNS server. You might get a little boost by pointing to a DNS server running on another machine on the same LAN, but you’ll get the best performance if your DNS server is running on localhost (127.0.0.1).
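As an added illustration (not code from this article or from the mod_access_rbl patch), the following Python shows the DNS lookup a "deny via" rule performs for each client, plus the per-client verdict cache that the patched module itself lacks. The offline resolver and its single listed address 1.2.3.4 are constructed sample data; that a listed address answers with something in 127.0.0.0/8 is assumed from common DNSBL practice, and only IPv4 clients are handled.

```python
import ipaddress
import socket
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed offline zone data standing in for real DNSBL answers: a listed
# address resolves to a 127.0.0.0/8 "return code"; an unlisted one gets NXDOMAIN.
SAMPLE_ZONE = {"4.3.2.1.xbl.spamhaus.org": "127.0.0.4"}  # constructed: 1.2.3.4 is listed


def rbl_query_name(client_ip: str, zone: str) -> str:
    """Build the DNSBL query name: the client's octets reversed, then the zone."""
    ip = ipaddress.IPv4Address(client_ip)          # rejects IPv6 and junk input
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def offline_resolver(name: str) -> Optional[str]:
    """Stand-in resolver so the example runs without network access."""
    return SAMPLE_ZONE.get(name)


def system_resolver(name: str) -> Optional[str]:
    """Real lookup via the system resolver (the path the patched mod_access uses)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:                        # NXDOMAIN / no answer = not listed
        return None


class RblChecker:
    """Decides 'deny via <zone>' for a client IP, caching each verdict for ttl seconds."""

    def __init__(self, zone: str, resolver: Callable[[str], Optional[str]], ttl: int = 300):
        self.zone, self.resolver, self.ttl = zone, resolver, ttl
        self._cache: Dict[str, Tuple[bool, float]] = {}
        self.lookups = 0                           # DNS queries actually issued

    def is_listed(self, client_ip: str) -> bool:
        hit = self._cache.get(client_ip)
        if hit and hit[1] > time.monotonic():      # fresh cached verdict, no DNS round trip
            return hit[0]
        self.lookups += 1
        answer = self.resolver(rbl_query_name(client_ip, self.zone))
        # DNSBL convention (assumed): any answer inside 127.0.0.0/8 means "listed".
        listed = answer is not None and ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")
        self._cache[client_ip] = (listed, time.monotonic() + self.ttl)
        return listed

    def deny_via(self, client_ip: str) -> str:
        """Return the access decision: 'deny' when the client is listed, else 'allow'."""
        return "deny" if self.is_listed(client_ip) else "allow"
```

Swapping `offline_resolver` for `system_resolver` performs the real query through whatever DNS server the host is configured to use, which is where a local caching resolver pays off.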

