5f6efbb3
Commit
5f6efbb3
authored
6 years ago
by
ueli heuer
Changes for apache 2.4, fix some compiler warnings
parent
63331368
Branches
apache_2.4
src/mod_honeypot.c
+125
-113
125 additions, 113 deletions
src/mod_honeypot.c
with
125 additions
and
113 deletions
src/mod_honeypot.c
+
125
−
113
/*
* Date: 2
0-Jul
-201
5
* Date: 2
3-Oct
-201
8
* Info: mod_honeypot Apache 2 module
* Version: See MODULE_VERSION
* Author: Yoyodyne Software Systems, Inc.
...
...
@@ -32,6 +32,9 @@
* Prepend "hp_" to config struct variables
* 20-Jul-2015 1.2.03 BRM
* Change "failsafe accept" message to "passthrough"
* 23-oct-2018 1.2.04 UHE
* Change remote_ip -> client_ip for apache 2.4
* IP lookup only for IPv4 Addresses
*/
/* ==================== EXTREMELY IMPORTANT ===================
...
...
@@ -127,7 +130,7 @@
#define HP_THREAT_AGE 90
/* Threat age threshold (days) */
#define HP_THREAT_LEVEL 10
/* Threat level threshold */
#define MODULE_NAME "mod_honeypot"
#define MODULE_VERSION "1.2.0
3
"
/* Module revision level */
#define MODULE_VERSION "1.2.0
4
"
/* Module revision level */
#define IP_CACHE_SIZE 256
/* IPv4 cache table size */
#define LOOKUP_SIZE 80
/* PH DNS lookup string size */
...
...
@@ -255,7 +258,7 @@ static int hp_check_ipv4_cache
/* Retrieve the IP of the requester */
remote_ip
=
r
->
connection
->
remote
_ip
;
remote_ip
=
r
->
connection
->
client
_ip
;
if
(
hp_scfg
->
hp_logdebug
&
0x00000080
)
{
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
...
...
@@ -361,10 +364,10 @@ static void hp_add_ipv4_cache
if
(
hp_scfg
->
hp_logdebug
&
0x00001000
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: Add %u %s %d"
,
hp_scfg
->
hp_ip_cachenext
,
r
->
connection
->
remote
_ip
,
hp_scfg
->
hp_ip_cachenext
,
r
->
connection
->
client
_ip
,
ipstatus
);
strncpy
(
hp_scfg
->
hp_cached_ip_addr
[
hp_scfg
->
hp_ip_cachenext
],
r
->
connection
->
remote
_ip
,
16
);
strncpy
(
hp_scfg
->
hp_cached_ip_addr
[
hp_scfg
->
hp_ip_cachenext
],
r
->
connection
->
client
_ip
,
16
);
hp_scfg
->
hp_cached_ip_result
[
hp_scfg
->
hp_ip_cachenext
]
=
ipstatus
;
/* Bump list size, next available slot and rotate buffer if needed */
...
...
@@ -438,7 +441,7 @@ static int honeypot_handler
if
(
hp_scfg
->
hp_logdebug
&
0x00000004
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: Debug flags 0x%x"
,
hp_scfg
->
hp_logdebug
);
"mod_honeypot: Debug flags 0x%
l
x"
,
hp_scfg
->
hp_logdebug
);
/* Process only request methods on our method list */
...
...
@@ -470,7 +473,7 @@ static int honeypot_handler
if
(
hp_scfg
->
hp_logdebug
&
0x00800000
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: IP %s in reject cache"
,
r
->
connection
->
remote
_ip
);
r
->
connection
->
client
_ip
);
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: Blocklisted"
);
if
(
hp_scfg
->
hp_logdebug
&
0x00000001
)
...
...
@@ -487,7 +490,7 @@ static int honeypot_handler
if
(
hp_scfg
->
hp_logdebug
&
0x00800000
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: IP %s not in cache"
,
r
->
connection
->
remote
_ip
);
r
->
connection
->
client
_ip
);
break
;
/* Previously accepted */
...
...
@@ -495,7 +498,7 @@ static int honeypot_handler
if
(
hp_scfg
->
hp_logdebug
&
0x00800000
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: IP %s in accept cache"
,
r
->
connection
->
remote
_ip
);
r
->
connection
->
client
_ip
);
return
DECLINED
;
break
;
}
...
...
@@ -508,142 +511,151 @@ static int honeypot_handler
struct
hostent
*
hp
=
0
;
memset
(
lookup_this
,
'\0'
,
LOOKUP_SIZE
);
sscanf
(
r
->
connection
->
remote_ip
,
"%d.%d.%d.%d"
,
&
oct1
,
&
oct2
,
&
oct3
,
&
oct4
);
snprintf
(
lookup_this
,
LOOKUP_SIZE
-
1
,
"%s.%d.%d.%d.%d.%s"
,
hp_scfg
->
hp_access_key
,
oct4
,
oct3
,
oct2
,
oct1
,
"dnsbl.httpbl.org"
);
/* See if the requester is a known PH offender. Fail-safe on error. */
if
(
hp_scfg
->
hp_logdebug
&
0x01000000
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: Lookup %s"
,
lookup_this
);
if
(
sscanf
(
r
->
connection
->
client_ip
,
"::ffff:%d.%d.%d.%d"
,
&
oct1
,
&
oct2
,
&
oct3
,
&
oct4
))
{
h_errno
=
0
;
hp
=
gethostbyname
(
lookup_this
);
/* remote IP is a IPv4 Address, so go on an check it ... */
/* On failure, HOST_NOT_FOUND expected, but check for other errors */
snprintf
(
lookup_this
,
LOOKUP_SIZE
-
1
,
"%s.%d.%d.%d.%d.%s"
,
hp_scfg
->
hp_access_key
,
oct4
,
oct3
,
oct2
,
oct1
,
"dnsbl.httpbl.org."
);
if
(
hp
==
NULL
)
{
if
(
h_errno
!=
HOST_NOT_FOUND
)
{
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: Project Honeypot DNS check failed"
);
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: %s"
,
lookup_this
);
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: %s"
,
hstrerror
(
h_errno
));
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: Passthrough"
);
return
DECLINED
;
}
/* See if the requester is a known PH offender. Fail-safe on error. */
/* HOST_NOT_FOUND; add requester's address to accept cache and decline */
if
(
hp_scfg
->
hp_logdebug
&
0x01000000
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: Lookup %s"
,
lookup_this
);
if
(
hp_scfg
->
hp_logdebug
&
0x10000000
)
h_errno
=
0
;
hp
=
gethostbyname
(
lookup_this
);
/* On failure, HOST_NOT_FOUND expected, but check for other errors */
if
(
hp
==
NULL
)
{
if
(
h_errno
!=
HOST_NOT_FOUND
)
{
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: IP %s added to accept cache"
,
r
->
connection
->
remote_ip
);
hp_add_ipv4_cache
(
r
,
(
int
)
1
);
return
DECLINED
;
}
"mod_honeypot: Project Honeypot DNS check failed"
);
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: %s"
,
lookup_this
);
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: %s"
,
hstrerror
(
h_errno
));
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: Passthrough"
);
return
DECLINED
;
}
/*
Requesting IPv4 address is now known to be an offender.
*/
/*
HOST_NOT_FOUND; add requester's address to accept cache and decline
*/
/* Get the 4-octet DNS response "IP address" */
if
(
hp_scfg
->
hp_logdebug
&
0x10000000
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: IP %s added to accept cache"
,
r
->
connection
->
client_ip
);
hp_add_ipv4_cache
(
r
,
(
int
)
1
);
return
DECLINED
;
}
addr
.
s_addr
=
*
(
u_long
*
)
hp
->
h_addr_list
[
0
];
ip_raddr
=
inet_ntoa
(
addr
);
sscanf
(
ip_raddr
,
"%d.%d.%d.%d"
,
&
oct1
,
&
oct2
,
&
oct3
,
&
oct4
);
/* Requesting IPv4 address is now known to be an offender. */
if
(
hp_scfg
->
hp_logdebug
&
0x01000000
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: Result %s"
,
ip_raddr
);
/* Get the 4-octet DNS response "IP address" */
/* Release it if it's not one of the visitor types being monitored */
addr
.
s_addr
=
*
(
u_long
*
)
hp
->
h_addr_list
[
0
];
ip_raddr
=
inet_ntoa
(
addr
);
sscanf
(
ip_raddr
,
"%d.%d.%d.%d"
,
&
oct1
,
&
oct2
,
&
oct3
,
&
oct4
);
if
(
hp_scfg
->
hp_logdebug
&
0x0
2
000000
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot:
Visitor type 0x%x
"
,
oct4
);
if
(
hp_scfg
->
hp_logdebug
&
0x0
1
000000
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot:
Result %s
"
,
ip_raddr
);
if
((
hp_scfg
->
hp_
visitor
_
type
&
oct4
)
==
0
)
return
DECLINED
;
/* Release it if it's not one of the
visitor
type
s being monitored */
if
(
hp_scfg
->
hp_logdebug
&
0x02000000
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: Visitor type
matches
0x%x"
,
hp_scfg
->
hp_visitor_type
);
if
(
hp_scfg
->
hp_logdebug
&
0x02000000
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: Visitor type 0x%x"
,
oct4
);
/* See if the threat level matches or exceeds our limit */
if
((
hp_scfg
->
hp_visitor_type
&
oct4
)
==
0
)
return
DECLINED
;
if
(
hp_scfg
->
hp_logdebug
&
0x04000000
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: Threat level %d"
,
oct3
);
if
(
hp_scfg
->
hp_logdebug
&
0x02000000
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: Visitor type matches 0x%lx"
,
hp_scfg
->
hp_visitor_type
);
/* See if the threat level matches or exceeds our limit */
if
(
oct3
<=
hp_scfg
->
hp_threat_level
)
{
if
(
hp_scfg
->
hp_logdebug
&
0x04000008
)
if
(
hp_scfg
->
hp_logdebug
&
0x04000000
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: Threat level under %d"
,
hp_scfg
->
hp_threat_level
);
return
DECLINED
;
}
"mod_honeypot: Threat level %d"
,
oct3
);
if
(
hp_scfg
->
hp_logdebug
&
0x04000000
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: Threat level exceeds %d"
,
hp_scfg
->
hp_threat_level
);
if
(
oct3
<=
hp_scfg
->
hp_threat_level
)
{
if
(
hp_scfg
->
hp_logdebug
&
0x04000008
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: Threat level under %d"
,
hp_scfg
->
hp_threat_level
);
return
DECLINED
;
}
/* See if the threat age is at or less than our limit */
if
(
hp_scfg
->
hp_logdebug
&
0x04000000
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: Threat level exceeds %d"
,
hp_scfg
->
hp_threat_level
);
/* See if the threat age is at or less than our limit */
if
(
hp_scfg
->
hp_logdebug
&
0x08000000
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: Threat age %d"
,
oct2
);
if
(
hp_scfg
->
hp_logdebug
&
0x08000000
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: Threat age %d"
,
oct2
);
if
(
oct2
>=
hp_scfg
->
hp_threat_age
)
{
if
(
hp_scfg
->
hp_logdebug
&
0x08000010
)
if
(
oct2
>=
hp_scfg
->
hp_threat_age
)
{
if
(
hp_scfg
->
hp_logdebug
&
0x08000010
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: Threat age over %d"
,
hp_scfg
->
hp_threat_age
);
return
DECLINED
;
}
if
(
hp_scfg
->
hp_logdebug
&
0x08000000
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: Threat
age ov
er %d"
,
"mod_honeypot: Threat
level at/und
er %d"
,
hp_scfg
->
hp_threat_age
);
return
DECLINED
;
}
if
(
hp_scfg
->
hp_logdebug
&
0x08000000
)
/* This request meets all requirements for rejection */
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: Threat level at/under %d"
,
hp_scfg
->
hp_threat_age
);
"mod_honeypot: Blocklisted"
);
if
(
hp_scfg
->
hp_logdebug
&
0x00000001
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
" %s"
,
r
->
uri
);
/*
This
request
meets all requirements for
reject
ion
*/
/*
Add the
request
er's IP to the
reject
cache
*/
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: Blocklisted"
);
if
(
hp_scfg
->
hp_logdebug
&
0x00000001
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
" %s"
,
r
->
uri
);
if
(
hp_scfg
->
hp_logdebug
&
0x10000000
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: IP %s added to reject cache"
,
r
->
connection
->
client_ip
);
/* Add the requester's IP to the reject cache */
hp_add_ipv4_cache
(
r
,
(
int
)
-
1
);
if
(
hp_scfg
->
hp_logdebug
&
0x10000000
)
ap_log_rerror
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
r
,
"mod_honeypot: IP %s added to reject cache"
,
r
->
connection
->
remote_ip
);
/* Reject the request */
hp_add_ipv4_cache
(
r
,
(
int
)
-
1
);
r
->
content_type
=
"text/plain"
;
ap_custom_response
(
r
,
HTTP_FORBIDDEN
,
"Your IP address is on the Project Honeypot offender list."
);
return
HTTP_FORBIDDEN
;
}
/*
Reject the reques
t */
/*
failsave if it's a IPv6 request allow i
t */
r
->
content_type
=
"text/plain"
;
ap_custom_response
(
r
,
HTTP_FORBIDDEN
,
"Your IP address is on the Project Honeypot offender list."
);
return
HTTP_FORBIDDEN
;
return
DECLINED
;
}
...
...
@@ -849,7 +861,7 @@ static int honeypot_post_config
ap_log_error
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
s
,
MODULE_NAME
" "
MODULE_VERSION
);
ap_log_error
(
APLOG_MARK
,
APLOG_CRIT
,
0
,
s
,
" Data block %u bytes"
,
" Data block %
l
u bytes"
,
sizeof
(
hp_mod_config
));
return
OK
;
...
...
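Review bot: In the honeypot_handler hunk the new guard `if (sscanf(r->connection->client_ip, "::ffff:%d.%d.%d.%d", &oct1, &oct2, &oct3, &oct4))` accepts any non-zero return, so a partial match (1 to 3 conversions) or EOF on an empty string enters the lookup branch with some octets never assigned by this call. The literal `::ffff:` prefix also means a client_ip in plain dotted-quad form yields zero conversions and reaches the final `return DECLINED;`, so on a listener that reports IPv4 addresses unmapped the blocklist check would be skipped without any log line. I would require exactly four conversions, try the plain format as a second attempt, and range-check each octet before building the DNS name, as sketched below. Related, in the hp_add_ipv4_cache hunk `strncpy(..., r->connection->client_ip, 16)` is kept as is; a mapped string such as `::ffff:a.b.c.d` can be longer than 15 characters, so the cached key would be truncated and left unterminated if the slot is 16 bytes (its declaration is not shown). The body of honeypot_handler starts outside the hunk.

```c
/* … unchanged: declarations, cache lookup, memset(lookup_this, ...) … */
if ((sscanf(r->connection->client_ip, "::ffff:%d.%d.%d.%d",
            &oct1, &oct2, &oct3, &oct4) == 4 ||
     sscanf(r->connection->client_ip, "%d.%d.%d.%d",
            &oct1, &oct2, &oct3, &oct4) == 4) &&
    oct1 >= 0 && oct1 <= 255 && oct2 >= 0 && oct2 <= 255 &&
    oct3 >= 0 && oct3 <= 255 && oct4 >= 0 && oct4 <= 255)
{
    /* … unchanged: build lookup_this, gethostbyname(), threat checks … */
```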