mod_dnsbl

A DNS blacklist is a way in which the DNS can be used to "blacklist" sites/addresses that have been deemed to be "bad" in some way. These blacklists are often used by email servers for determining and rejecting email sent by addresses known to be sources of spam. More information on DNS blacklists can be found here:
http://en.wikipedia.org/wiki/DNSBL
While DNS blacklists are well known for use by email servers, it is also
possible to use them for other means, such as ways of checking whether an
FTP client's address should be allowed or rejected by an FTP server. Thus
the mod_dnsbl module was written for ProFTPD, for such a purpose.
The mod_dnsbl module is not compiled by default; build/installation
instructions are discussed here.
The most current version of mod_dnsbl is distributed with the
ProFTPD source code.
Please contact TJ Saunders <tj at castaglia.org> with any questions, concerns, or suggestions regarding this module.
DNSBLDomain
Context: <VirtualHost>, <Global>
The DNSBLDomain directive is used to configure the DNS name of
a DNS blacklist site, to be consulted when determining whether
mod_dnsbl should allow or reject an FTP connection. This
directive can be used multiple times, to configure multiple different DNS
blacklist sites. When checking these sites, the mod_dnsbl module
will check each DNSBLDomain, in the order they appear in the
proftpd.conf file.
Example:

  DNSBLDomain sbl.spamhaus.org
  DNSBLDomain xbl.spamhaus.org
DNSBLEngine
Context: <VirtualHost>, <Global>
The DNSBLEngine directive toggles the use of DNS blacklists for
access control of FTP client connections (i.e. whether mod_dnsbl is active).
This is usually used inside a <VirtualHost> section to
enable DNS blacklist use for a particular virtual host. By default
mod_dnsbl is disabled for both the main server and all configured
virtual hosts.
DNSBLLog
Context: <VirtualHost>, <Global>
The DNSBLLog directive is used to specify a log file for
mod_dnsbl's reporting on a per-server basis. The file
parameter given must be the full path to the file to use for logging.
Note that this path must not be to a world-writable directory and,
unless AllowLogSymlinks is explicitly set to on
(generally a bad idea), the path must not be a symbolic link.
DNSBLPolicy
Context: <VirtualHost>, <Global>
The DNSBLPolicy directive determines whether the
mod_dnsbl module (if enabled) will allow a connection by default
or not.
If DNSBLPolicy is configured using "allow,deny", then
the mod_dnsbl module will allow the connection, unless
the connecting client is blacklisted by any of the configured
DNSBLDomain sites.
If DNSBLPolicy is configured using "deny,allow", then
the mod_dnsbl module will not allow the connection,
unless the connecting client is listed by any of the configured
DNSBLDomain sites.
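As an added illustration (not mod_dnsbl's own code), the following Python script reads the four directives above from a constructed proftpd.conf fragment and evaluates a client address against them the way the text describes: each DNSBLDomain is consulted in configuration order, and DNSBLPolicy decides what a listing means. The query name is built by the usual DNSBL convention of reversing the address octets (hex nibbles for IPv6) under the blacklist zone, a detail the page does not spell out. The DNS itself is replaced by a constructed in-memory resolver whose listed names are fabricated test data, and the evaluation stops at the first zone that lists the address, which is an assumption about the module's behaviour rather than something the page states.

```python
"""DNSBL policy evaluation in the style of mod_dnsbl's directives.

Added example, not mod_dnsbl's own code: parses the DNSBL* directives from a
constructed proftpd.conf fragment and decides whether a client address would
be allowed or rejected under DNSBLPolicy "allow,deny" or "deny,allow".
"""
import ipaddress

# Constructed proftpd.conf fragment using the directives documented above.
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10>
  DNSBLEngine on
  DNSBLLog /var/log/proftpd/dnsbl.log
  DNSBLPolicy "allow,deny"
  DNSBLDomain sbl.spamhaus.org
  DNSBLDomain xbl.spamhaus.org
</VirtualHost>
"""

# Constructed stand-in for the DNS: query names that would return an A record.
# The listing of 192.0.2.99 is fabricated test data, not a real DNSBL result.
LISTED_NAMES = {"99.2.0.192.xbl.spamhaus.org"}


def fake_resolve(name):
    """Return True if the constructed DNS has an A record for `name`."""
    return name in LISTED_NAMES


def parse_dnsbl_config(text):
    """Collect the DNSBL* directives; DNSBLDomain order is preserved."""
    cfg = {"engine": False, "policy": "allow,deny", "domains": [], "log": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # blank line, comment, or <VirtualHost> context marker
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        name, value = parts[0], parts[1].strip().strip('"')
        if name == "DNSBLEngine":
            cfg["engine"] = value.lower() == "on"
        elif name == "DNSBLPolicy":
            if value not in ("allow,deny", "deny,allow"):
                raise ValueError("unsupported DNSBLPolicy: %r" % value)
            cfg["policy"] = value
        elif name == "DNSBLDomain":
            cfg["domains"].append(value)
        elif name == "DNSBLLog":
            cfg["log"] = value
    return cfg


def dnsbl_query_name(client_ip, zone):
    """Name looked up in a DNSBL zone: address labels reversed under the zone.

    IPv4 reverses the dotted octets; IPv6 reverses the 32 hex nibbles
    (the convention described in RFC 5782).
    """
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))
    else:
        labels = reversed(ip.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def evaluate(client_ip, cfg, resolve=fake_resolve):
    """Return (decision, reason) for a connecting client.

    With "allow,deny" a listing in any zone rejects the client; with
    "deny,allow" only a listing lets the client in. Zones are consulted in
    configuration order and the first listing decides (assumed behaviour).
    """
    if not cfg["engine"]:
        return ("allow", "DNSBLEngine off")
    for zone in cfg["domains"]:
        if resolve(dnsbl_query_name(client_ip, zone)):
            if cfg["policy"] == "allow,deny":
                return ("deny", "listed in " + zone)
            return ("allow", "listed in " + zone)
    if cfg["policy"] == "allow,deny":
        return ("allow", "not listed in any DNSBLDomain")
    return ("deny", "not listed in any DNSBLDomain")


if __name__ == "__main__":
    config = parse_dnsbl_config(SAMPLE_CONF)
    for addr in ("192.0.2.50", "192.0.2.99"):
        print(addr, evaluate(addr, config))
```

Running the script with the fragment above rejects 192.0.2.99 (the fabricated xbl listing) and admits 192.0.2.50; swapping the policy to "deny,allow" inverts both outcomes, which is the point to keep in mind when choosing a policy: "deny,allow" rejects every client that no configured zone knows about.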
Installation
The mod_dnsbl module is distributed with ProFTPD. Simply follow
the normal steps for using third-party modules in ProFTPD:

  $ ./configure --with-modules=mod_dnsbl
  $ make
  $ make install

Alternatively, mod_dnsbl can be built as a DSO module:

  $ ./configure --enable-dso --with-shared=mod_dnsbl ...

Then follow the usual steps:

  $ make
  $ make install
Logging
The mod_dnsbl module supports different forms of logging. The
main module logging is done via the DNSBLLog directive.
For debugging purposes, the module also uses trace logging, via the module-specific log channels:

proftpd.conf:

  TraceLog /path/to/ftpd/trace.log
  Trace dnsbl:20

This trace logging can generate large files; it is intended for debugging use only, and should be removed from any production configuration.