
mod_dnsbl/README.markdown @ 6163:eff78e2c7d22

mod_sasl_ssdp: Upgrade to version 0.4.0 with new delimiter
author tmolitor <thilo@eightysoft.de>
date Sat, 25 Jan 2025 00:04:37 +0100
parent 6161:99860e1b817d
6161
99860e1b817d mod_dnsbl: Flag accounts registered by IPs matching blocklists
Matthew Wild <mwild1@gmail.com>
---
labels:
- 'Stage-Alpha'
summary: 'Flag accounts registered by IPs matching blocklists'
depends:
- mod_anti_spam
---

This module is designed for servers with public registration enabled, and
makes it easier to identify accounts that have been registered by potentially
"bad" IP addresses, e.g. those that are likely to be used by spam bots.

**Note:** Running a Prosody instance with public registration enabled opens up
your server as a potential relay for spam and abuse, which can have a negative
impact on your server and the network as a whole. We do not recommend it
unless you have prior experience operating public internet services and are
prepared for the time and effort necessary to tackle any issues. For other
advice, see the Prosody documentation on [public servers](https://prosody.im/doc/public_servers).

## How does it work?

When a user account is registered on your server, this module checks the user's
IP address against a list of configured blocklists. If a match is found, it
flags the account using [mod_flags].

Flags can be reviewed and managed by using the mod_flags commands and flagged
accounts can be automatically restricted, e.g. by mod_firewall or similar.

This module supports two kinds of block lists:

- DNS blocklists (DNSBLs)
- Text files, with one IP/subnet per line

## Configuration

**Note:** mod_dnsbl requires mod_anti_spam to be installed, but it does not
need to be enabled or loaded (only some code is shared). mod_flags is also
required, and this will be automatically loaded if not specified in the
config file.

The main configuration option is `dnsbls`, a list of DNSBL addresses:

```lua
dnsbls = {
	"dnsbl.dronebl.org";
	"cbl.abuseat.org";
}
```

You can set a message to be sent to users who register from a matched IP
address:

```lua
dnsbl_message = "Your IP address has been detected on a block list. Some functionality may be restricted."
```

You can change the default flag that is applied to accounts:

```lua
dnsbl_flag = "dnsbl_hit"
```

### File-based blocklists

As well as real DNSBLs, you can also put file-based blocklists here, by
prefixing `@` to a filesystem path (Prosody must have read permission to
access the file):

```lua
dnsbls = {
	"dnsbl.dronebl.org";
	"@/etc/prosody/ip_blocklist.txt";
}
```

The file must contain a single IP address or subnet on each line, though blank
lines and comments are ignored. For example:

```
# This is a comment
203.0.113.0/24
2001:db8:7894::/64
```

File-based lists are automatically reloaded when you reload Prosody's
configuration.
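
An added example, not part of mod_dnsbl: a Python check an operator could run on a blocklist file before reloading Prosody, to catch lines that are not a valid IP or subnet and to confirm which entries a given address matches. It assumes a comment is a whole line starting with `#`; the function names and sample data are constructed here, and the module's own parser may accept or reject lines differently.

```python
import ipaddress

# Constructed sample in the format described above (one IP or subnet per line).
SAMPLE = """\
# This is a comment
203.0.113.0/24

2001:db8:7894::/64
198.51.100.7
not-an-ip
192.0.2.1/24
"""

def parse_blocklist(text):
    """Return (networks, errors) for the text of a blocklist file.

    Assumption: a comment is a line whose first non-blank character is '#'.
    """
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=True also rejects entries with host bits set
            # (e.g. 192.0.2.1/24), which usually mean a mistyped prefix.
            # This is a lint choice made here, not documented module behaviour.
            networks.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            errors.append((lineno, line, str(exc)))
    return networks, errors

def matching_entries(ip, networks):
    """Return the blocklist entries that contain the given IP address."""
    addr = ipaddress.ip_address(ip)
    # Compare IPv4-mapped IPv6 (::ffff:a.b.c.d) as the embedded IPv4 address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return [n for n in networks if n.version == addr.version and addr in n]

if __name__ == "__main__":
    nets, errs = parse_blocklist(SAMPLE)
    for lineno, line, reason in errs:
        print(f"line {lineno}: {line!r}: {reason}")
    for ip in ("203.0.113.45", "2001:db8:7894::1", "192.0.2.10"):
        hits = [str(n) for n in matching_entries(ip, nets)]
        print(ip, "->", hits or "no match")
```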

### Advanced configuration

You can override the flag and message on a per-blocklist basis with a slightly
more detailed configuration syntax:

```lua
dnsbls = {
	["dnsbl.dronebl.org"] = {
		flag = "dnsbl_hit";
		message = "Your account is restricted because your IP address has been detected as running an open proxy. For more information see https://dronebl.org/lookup?ip={registration.ip}";
	};
	["@/etc/prosody/ip_blocklist.txt"] = {
		flag = "local_blocklist";
		message = "Your account is restricted";
	};
}
```

## Compatibility

Compatible with Prosody 0.12 and later.

If you are using Prosody 0.12, make sure you install mod_flags from the
community module repository. If you are using a later version, mod_flags is
already included with Prosody.