Software `/` code `/` prosody-modules

Annotate

mod_dnsbl/README.markdown @ 6209:d611ed13df7e draft

Merge

author	Trần H. Trung <xmpp:trần.h.trung@trung.fun>
date	Tue, 18 Mar 2025 00:16:25 +0700

rev	line source
6209 d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	1 ---
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	2 labels:
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	3 - 'Stage-Alpha'
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	4 summary: 'Flag accounts registered by IPs matching blocklists'
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	5 depends:
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	6 - mod_anti_spam
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	7 ---
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	8
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	9 This module is designed for servers with public registration enabled, and
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	10 makes it easier to identify accounts that have been registered by potentially
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	11 "bad" IP addresses, e.g. those that are likely to be used by spam bots.
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	12
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	13 Note: Running a Prosody instance with public registration enabled opens up
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	14 your server as a potential relay for spam and abuse, which can have a negative
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	15 impact on your server and the network as a whole. We do not recommended it
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	16 unless you have prior experience operating public internet services and are
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	17 prepared for the time and effort necessary to tackle any issues. For other
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	18 advice, see the Prosody documentation on [public servers](https://prosody.im/doc/public_servers).
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	19
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	20 ## How does it work?
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	21
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	22 When a user account is registered on your server, this module checks the user's
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	23 IP address against a list of configured blocklists. If a match is found, it
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	24 flags the account using [mod_flags].
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	25
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	26 Flags can be reviewed and managed by using the mod_flags commands and flagged
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	27 accounts can be automatically restricted, e.g. by mod_firewall or similar.
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	28
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	29 This module supports two kinds of block lists:
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	30
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	31 - DNS blocklists (DNSBLs)
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	32 - Text files, with one IP/subnet per line
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	33
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	34 ## Configuration
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	35
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	36 Note: mod_dnsbl requires mod_anti_spam to be installed, but it does not
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	37 need to be enabled or loaded (only some code is shared). mod_flags is also
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	38 required, and this will be automatically loaded if not specified in the
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	39 config file.
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	40
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	41 The main configuration option is `dnsbls`, a list of DNSBL addresses:
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	42
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	43 ```lua
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	44 dnsbls = {
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	45 "dnsbl.dronebl.org";
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	46 "cbl.abuseat.org";
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	47 }
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	48 ```
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	49
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	50 You can set a message to be sent to users who register from a matched IP
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	51 address:
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	52
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	53 ```lua
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	54 dnsbl_message = "Your IP address has been detected on a block list. Some functionality may be restricted."
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	55 ```
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	56
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	57 You can change the default flag that is applied to accounts:
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	58
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	59 ```lua
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	60 dnsbl_flag = "dnsbl_hit"
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	61 ```
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	62
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	63 ### File-based blocklists
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	64
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	65 As well as real DNSBLs, you can also put file-based blocklists here, by
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	66 prefixing `@` to a filesystem path (Prosody must have read permission to
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	67 access the file):
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	68
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	69 ```lua
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	70 dnsbls = {
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	71 "dnsbl.dronebl.org";
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	72 "@/etc/prosody/ip_blocklist.txt";
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	73 }
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	74 ```
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	75
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	76 The file must contain a single IP address or subnet on each line, though blank
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	77 lines and comments are ignored. For example:
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	78
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	79 ```
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	80 # This is a comment
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	81 203.0.113.0/24
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	82 2001:db8:7894::/64
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	83 ```
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	84
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	85 File-based lists are automatically reloaded when you reload Prosody's
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	86 configuration.
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	87
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	88 ### Advanced configuration
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	89
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	90 You can override the flag and message on a per-blocklist basis with a slightly
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	91 more detailed configuration syntax:
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	92
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	93 ```lua
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	94 dnsbls = {
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	95 ["dnsbl.dronebl.org"] = {
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	96 flag = "dnsbl_hit";
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	97 message = "Your account is restricted because your IP address has been detected as running an open proxy. For more information see https://dronebl.org/lookup?ip={registration.ip}";
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	98 };
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	99 ["@/etc/prosody/ip_blocklist.txt"] = {
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	100 flag = "local_blocklist";
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	101 message = "Your account is restricted";
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	102 };
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	103 }
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	104 ```
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	105
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	106 ## Compatibility
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	107
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	108 Compatible with Prosody 0.12 and later.
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	109
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	110 If you are using Prosody 0.12, make sure you install mod_flags from the
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	111 community module repository. If you are using a later version, mod_flags is
d611ed13df7e Merge Trần H. Trung <xmpp:trần.h.trung@trung.fun> parents: diff changeset	112 already included with Prosody.

prosody-modules

d611ed13df7e

mod_dnsbl/README.markdown

Software / code / prosody-modules

Annotate

mod_dnsbl/README.markdown @ 6209:d611ed13df7e draft

Software `/` code `/` prosody-modules