 
/*
* Date: 20-Jul-2015
* Date: 23-Oct-2018
* Info: mod_honeypot Apache 2 module
* Version: See MODULE_VERSION
* Author: Yoyodyne Software Systems, Inc.
......@@ -32,6 +32,9 @@
* Prepend "hp_" to config struct variables
* 20-Jul-2015 1.2.03 BRM
* Change "failsafe accept" message to "passthrough"
* 23-oct-2018 1.2.04 UHE
* Change remote_ip -> client_ip for apache 2.4
* IP lookup only for IPv4 Addresses
*/
/* ==================== EXTREMELY IMPORTANT ===================
......@@ -127,7 +130,7 @@
#define HP_THREAT_AGE 90 /* Threat age threshold (days) */
#define HP_THREAT_LEVEL 10 /* Threat level threshold */
#define MODULE_NAME "mod_honeypot"
#define MODULE_VERSION "1.2.03" /* Module revision level */
#define MODULE_VERSION "1.2.04" /* Module revision level */
#define IP_CACHE_SIZE 256 /* IPv4 cache table size */
#define LOOKUP_SIZE 80 /* PH DNS lookup string size */
......@@ -255,7 +258,7 @@ static int hp_check_ipv4_cache
/* Retrieve the IP of the requester */
remote_ip = r->connection->remote_ip;
remote_ip = r->connection->client_ip;
if (hp_scfg->hp_logdebug & 0x00000080) {
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
......@@ -361,10 +364,10 @@ static void hp_add_ipv4_cache
if (hp_scfg->hp_logdebug & 0x00001000)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Add %u %s %d",
hp_scfg->hp_ip_cachenext, r->connection->remote_ip,
hp_scfg->hp_ip_cachenext, r->connection->client_ip,
ipstatus);
strncpy(hp_scfg->hp_cached_ip_addr[hp_scfg->hp_ip_cachenext], r->connection->remote_ip, 16);
strncpy(hp_scfg->hp_cached_ip_addr[hp_scfg->hp_ip_cachenext], r->connection->client_ip, 16);
hp_scfg->hp_cached_ip_result[hp_scfg->hp_ip_cachenext] = ipstatus;
/* Bump list size, next available slot and rotate buffer if needed */
......@@ -438,7 +441,7 @@ static int honeypot_handler
if (hp_scfg->hp_logdebug & 0x00000004)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Debug flags 0x%x", hp_scfg->hp_logdebug);
"mod_honeypot: Debug flags 0x%lx", hp_scfg->hp_logdebug);
/* Process only request methods on our method list */
......@@ -470,7 +473,7 @@ static int honeypot_handler
if (hp_scfg->hp_logdebug & 0x00800000)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: IP %s in reject cache",
r->connection->remote_ip);
r->connection->client_ip);
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Blocklisted");
if (hp_scfg->hp_logdebug & 0x00000001)
......@@ -487,7 +490,7 @@ static int honeypot_handler
if (hp_scfg->hp_logdebug & 0x00800000)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: IP %s not in cache",
r->connection->remote_ip);
r->connection->client_ip);
break;
/* Previously accepted */
......@@ -495,7 +498,7 @@ static int honeypot_handler
if (hp_scfg->hp_logdebug & 0x00800000)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: IP %s in accept cache",
r->connection->remote_ip);
r->connection->client_ip);
return DECLINED;
break;
}
......@@ -508,142 +511,151 @@ static int honeypot_handler
struct hostent *hp = 0;
memset(lookup_this, '\0', LOOKUP_SIZE);
sscanf(r->connection->remote_ip,
"%d.%d.%d.%d",
&oct1, &oct2, &oct3, &oct4);
snprintf(lookup_this, LOOKUP_SIZE-1,
"%s.%d.%d.%d.%d.%s",
hp_scfg->hp_access_key,
oct4, oct3, oct2, oct1,
"dnsbl.httpbl.org");
/* See if the requester is a known PH offender. Fail-safe on error. */
if (hp_scfg->hp_logdebug & 0x01000000)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Lookup %s",
lookup_this);
if (sscanf(r->connection->client_ip,
"::ffff:%d.%d.%d.%d",
&oct1, &oct2, &oct3, &oct4)) {
h_errno = 0;
hp = gethostbyname(lookup_this);
/* remote IP is a IPv4 Address, so go on an check it ... */
/* On failure, HOST_NOT_FOUND expected, but check for other errors */
snprintf(lookup_this, LOOKUP_SIZE-1,
"%s.%d.%d.%d.%d.%s",
hp_scfg->hp_access_key,
oct4, oct3, oct2, oct1,
"dnsbl.httpbl.org.");
if (hp == NULL) {
if (h_errno != HOST_NOT_FOUND) {
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Project Honeypot DNS check failed");
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: %s",
lookup_this);
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: %s",
hstrerror(h_errno));
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Passthrough");
return DECLINED;
}
/* See if the requester is a known PH offender. Fail-safe on error. */
/* HOST_NOT_FOUND; add requester's address to accept cache and decline */
if (hp_scfg->hp_logdebug & 0x01000000)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Lookup %s",
lookup_this);
if (hp_scfg->hp_logdebug & 0x10000000)
h_errno = 0;
hp = gethostbyname(lookup_this);
/* On failure, HOST_NOT_FOUND expected, but check for other errors */
if (hp == NULL) {
if (h_errno != HOST_NOT_FOUND) {
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: IP %s added to accept cache",
r->connection->remote_ip);
hp_add_ipv4_cache(r, (int)1);
return DECLINED;
}
"mod_honeypot: Project Honeypot DNS check failed");
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: %s",
lookup_this);
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: %s",
hstrerror(h_errno));
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Passthrough");
return DECLINED;
}
/* Requesting IPv4 address is now known to be an offender. */
/* HOST_NOT_FOUND; add requester's address to accept cache and decline */
/* Get the 4-octet DNS response "IP address" */
if (hp_scfg->hp_logdebug & 0x10000000)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: IP %s added to accept cache",
r->connection->client_ip);
hp_add_ipv4_cache(r, (int)1);
return DECLINED;
}
addr.s_addr = *(u_long *) hp->h_addr_list[0];
ip_raddr = inet_ntoa(addr);
sscanf(ip_raddr,"%d.%d.%d.%d", &oct1, &oct2, &oct3, &oct4);
/* Requesting IPv4 address is now known to be an offender. */
if (hp_scfg->hp_logdebug & 0x01000000)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Result %s",
ip_raddr);
/* Get the 4-octet DNS response "IP address" */
/* Release it if it's not one of the visitor types being monitored */
addr.s_addr = *(u_long *) hp->h_addr_list[0];
ip_raddr = inet_ntoa(addr);
sscanf(ip_raddr,"%d.%d.%d.%d", &oct1, &oct2, &oct3, &oct4);
if (hp_scfg->hp_logdebug & 0x02000000)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Visitor type 0x%x",
oct4);
if (hp_scfg->hp_logdebug & 0x01000000)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Result %s",
ip_raddr);
if ((hp_scfg->hp_visitor_type & oct4) == 0) return DECLINED;
/* Release it if it's not one of the visitor types being monitored */
if (hp_scfg->hp_logdebug & 0x02000000)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Visitor type matches 0x%x",
hp_scfg->hp_visitor_type);
if (hp_scfg->hp_logdebug & 0x02000000)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Visitor type 0x%x",
oct4);
/* See if the threat level matches or exceeds our limit */
if ((hp_scfg->hp_visitor_type & oct4) == 0) return DECLINED;
if (hp_scfg->hp_logdebug & 0x04000000)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Threat level %d",
oct3);
if (hp_scfg->hp_logdebug & 0x02000000)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Visitor type matches 0x%lx",
hp_scfg->hp_visitor_type);
/* See if the threat level matches or exceeds our limit */
if (oct3 <= hp_scfg->hp_threat_level) {
if (hp_scfg->hp_logdebug & 0x04000008)
if (hp_scfg->hp_logdebug & 0x04000000)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Threat level under %d",
hp_scfg->hp_threat_level);
return DECLINED;
}
"mod_honeypot: Threat level %d",
oct3);
if (hp_scfg->hp_logdebug & 0x04000000)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Threat level exceeds %d",
hp_scfg->hp_threat_level);
if (oct3 <= hp_scfg->hp_threat_level) {
if (hp_scfg->hp_logdebug & 0x04000008)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Threat level under %d",
hp_scfg->hp_threat_level);
return DECLINED;
}
/* See if the threat age is at or less than our limit */
if (hp_scfg->hp_logdebug & 0x04000000)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Threat level exceeds %d",
hp_scfg->hp_threat_level);
/* See if the threat age is at or less than our limit */
if (hp_scfg->hp_logdebug & 0x08000000)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Threat age %d",
oct2);
if (hp_scfg->hp_logdebug & 0x08000000)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Threat age %d",
oct2);
if (oct2 >= hp_scfg->hp_threat_age) {
if (hp_scfg->hp_logdebug & 0x08000010)
if (oct2 >= hp_scfg->hp_threat_age) {
if (hp_scfg->hp_logdebug & 0x08000010)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Threat age over %d",
hp_scfg->hp_threat_age);
return DECLINED;
}
if (hp_scfg->hp_logdebug & 0x08000000)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Threat age over %d",
"mod_honeypot: Threat level at/under %d",
hp_scfg->hp_threat_age);
return DECLINED;
}
if (hp_scfg->hp_logdebug & 0x08000000)
/* This request meets all requirements for rejection */
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Threat level at/under %d",
hp_scfg->hp_threat_age);
"mod_honeypot: Blocklisted");
if (hp_scfg->hp_logdebug & 0x00000001)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
" %s", r->uri);
/* This request meets all requirements for rejection */
/* Add the requester's IP to the reject cache */
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: Blocklisted");
if (hp_scfg->hp_logdebug & 0x00000001)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
" %s", r->uri);
if (hp_scfg->hp_logdebug & 0x10000000)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: IP %s added to reject cache",
r->connection->client_ip);
/* Add the requester's IP to the reject cache */
hp_add_ipv4_cache(r, (int)-1);
if (hp_scfg->hp_logdebug & 0x10000000)
ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r,
"mod_honeypot: IP %s added to reject cache",
r->connection->remote_ip);
/* Reject the request */
hp_add_ipv4_cache(r, (int)-1);
r->content_type = "text/plain";
ap_custom_response(r, HTTP_FORBIDDEN,
"Your IP address is on the Project Honeypot offender list.");
return HTTP_FORBIDDEN;
}
/* Reject the request */
/* failsave if it's a IPv6 request allow it */
r->content_type = "text/plain";
ap_custom_response(r, HTTP_FORBIDDEN,
"Your IP address is on the Project Honeypot offender list.");
return HTTP_FORBIDDEN;
return DECLINED;
}
......@@ -849,7 +861,7 @@ static int honeypot_post_config
ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s,
MODULE_NAME " " MODULE_VERSION);
ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s,
" Data block %u bytes",
" Data block %lu bytes",
sizeof(hp_mod_config));
return OK;
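Review bot: The new IPv4 gate in the honeypot_handler hunk, `if (sscanf(r->connection->client_ip, "::ffff:%d.%d.%d.%d", &oct1, &oct2, &oct3, &oct4))`, only matches IPv4-mapped IPv6 strings, so a plain dotted-quad client_ip (what Apache reports on an IPv4-only listener) yields 0 conversions and falls through to the trailing `return DECLINED;` — every such client then skips the httpBL lookup entirely, which is a silent fail-open rather than the "IPv6 failsafe" the comment describes. The test is also truthy for partial matches (1–3 conversions), leaving the remaining octets at whatever they held before. Accept both forms and require all four fields: `int n = sscanf(r->connection->client_ip, "::ffff:%d.%d.%d.%d", &oct1, &oct2, &oct3, &oct4);` / `if (n != 4) n = sscanf(r->connection->client_ip, "%d.%d.%d.%d", &oct1, &oct2, &oct3, &oct4);` / `if (n == 4) {`. Separately, hp_add_ipv4_cache still `strncpy`s client_ip into a 16-byte slot, so IPv6 and `::ffff:`-prefixed strings (15–45 chars) are truncated and possibly left unterminated before being compared against later requests; presumably the cache should only be filled for addresses that parsed as IPv4, or the slot widened to INET6_ADDRSTRLEN — worth confirming against the hp_cached_ip_addr declaration, which is not in view. honeypot_handler begins before this hunk.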