Real-time block lists have become a popular technique to maintain a central and dynamic database of malicious IP addresses. Most prominent examples are given by spamhaus.org or other services, which provide an updated blacklist of spammer IP addresses.
These block lists are provided by means of a Domain Name server, which makes querying whether an address is blacklisted as easy as a simple DNS lookup. If an IP address is black-listed, the DNS server will response with some resolved name, otherwise it will return a not-found response.
ModSecurity does provide the ability to query real-time block lists by its
@rbl operator. This can be used to check whether
a client IP is currently black-listed or not.
I didn't come to use ModSecurity's RBL-feature, since I did not have a dynamic
DNS server running around locally. One rainy weekend I had a glance at the
DNS protocol specification and thought it shouldn't be hard to write a simple
DNS server on my own. The outcome is this
The jwall-rbld package provides a small DNS server, which maintains a dynamic in-memory database of IP addresses. These can be interactively changed, resulting in an easy-to-use and flexible real-time block list.
This document describes the jwall-rbld server and its setup to be used to dynamically block client addresses with ModSecurity.