void whitelist(struct ntt * ntt, const char *ip)
{
char entry[128];
//LOG(LOG_ALERT, "Whitelisting: %s", ip);
snprintf(entry, sizeof(entry), "WHITELIST_%s", ip);
ntt_insert(ntt, entry, time(NULL));
}
static const char *whitelist(cmd_parms *cmd, void *dconfig, const char *ip)
{
char entry[128];
snprintf(entry, sizeof(entry), "WHITELIST_%s", ip);
ntt_insert(hit_list, entry, time(NULL));
return NULL;
}
static int access_checker(request_rec *r)
{
int ret = OK;
/* BEGIN DoS Evasive Maneuvers Code */
if (r->prev == NULL && r->main == NULL && hit_list != NULL) {
char hash_key[2048];
struct ntt_node *n;
time_t t = time(NULL);
/* Check whitelist */
if (is_whitelisted(r->useragent_ip))
return OK;
/* First see if the IP itself is on "hold" */
n = ntt_find(hit_list, r->useragent_ip);
if (n != NULL && t-n->timestamp<blocking_period) {
/* If the IP is on "hold", make it wait longer in 403 land */
ret = HTTP_FORBIDDEN;
n->timestamp = time(NULL);
/* Not on hold, check hit stats */
} else {
/* Has URI been hit too much? */
snprintf(hash_key, 2048, "%s_%s", r->useragent_ip, r->uri);
n = ntt_find(hit_list, hash_key);
if (n != NULL) {
/* If URI is being hit too much, add to "hold" list and 403 */
if (t-n->timestamp<page_interval && n->count>=page_count) {
ret = HTTP_FORBIDDEN;
ntt_insert(hit_list, r->useragent_ip, time(NULL));
} else {
/* Reset our hit count list as necessary */
if (t-n->timestamp>=page_interval) {
n->count=0;
}
}
n->timestamp = t;
n->count++;
} else {
ntt_insert(hit_list, hash_key, t);
}
/* Has site been hit too much? */
snprintf(hash_key, 2048, "%s_SITE", r->useragent_ip);
n = ntt_find(hit_list, hash_key);
if (n != NULL) {
/* If site is being hit too much, add to "hold" list and 403 */
if (t-n->timestamp<site_interval && n->count>=site_count) {
ret = HTTP_FORBIDDEN;
ntt_insert(hit_list, r->useragent_ip, time(NULL));
} else {
/* Reset our hit count list as necessary */
if (t-n->timestamp>=site_interval) {
n->count=0;
}
}
n->timestamp = t;
n->count++;
} else {
ntt_insert(hit_list, hash_key, t);
}
}
/* Perform email notification and system functions */
if (ret == HTTP_FORBIDDEN) {
char filename[1024];
struct stat s;
FILE *file;
snprintf(filename, sizeof(filename), "%s/dos-%s", log_dir != NULL ? log_dir : DEFAULT_LOG_DIR, r->useragent_ip);
if (stat(filename, &s)) {
file = fopen(filename, "w");
if (file != NULL) {
fprintf(file, "%d\n", getpid());
fclose(file);
LOG(LOG_ALERT, "Blacklisting address %s: possible DoS attack.", r->useragent_ip);
if (email_notify != NULL) {
snprintf(filename, sizeof(filename), MAILER, email_notify);
file = popen(filename, "w");
if (file != NULL) {
fprintf(file, "To: %s\n", email_notify);
fprintf(file, "Subject: HTTP BLACKLIST %s\n\n", r->useragent_ip);
fprintf(file, "mod_evasive HTTP Blacklisted %s\n", r->useragent_ip);
pclose(file);
}
}
if (system_command != NULL) {
snprintf(filename, sizeof(filename), system_command, r->useragent_ip);
system(filename);
}
} else {
LOG(LOG_ALERT, "Couldn't open logfile %s: %s",filename, strerror(errno));
}
} /* if (temp file does not exist) */
} /* if (ret == HTTP_FORBIDDEN) */
} /* if (r->prev == NULL && r->main == NULL && hit_list != NULL) */
/* END DoS Evasive Maneuvers Code */
if (ret == HTTP_FORBIDDEN
&& (ap_satisfies(r) != SATISFY_ANY || !ap_some_auth_required(r))) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"client denied by server configuration: %s",
r->filename);
}
return ret;
}
int check_access(struct ntt * ntt, const char * ip, const char * uri)
{
char hash_key[2048];
struct ntt_node * n;
time_t t = time(NULL);
int ret = OK;
/* Check whitelist */
if( is_whitelisted(ntt, ip) ) {
return OK;
}
/* First see if the IP itself is on "hold" */
n = ntt_find(ntt, ip);
if( n && t - n->timestamp < blocking_period ) {
/* If the IP is on "hold", make it wait longer in 403 land */
n->timestamp = time(NULL);
ntt_update(ntt, ip, n->timestamp, n->count);
ntt_cleanup(n);
return HTTP_FORBIDDEN;
}
/* Not on hold, check hit stats */
/* Has URI been hit too much? */
snprintf(hash_key, 2048, "%s_%s", ip, uri);
n = ntt_find(ntt, hash_key);
if( n ) {
/* If URI is being hit too much, add to "hold" list and 403 */
if( t - n->timestamp < page_interval && n->count >= page_count ) {
ret = HTTP_FORBIDDEN;
ntt_insert(ntt, ip, time(NULL));
} else {
/* Reset our hit count list as necessary */
if( t - n->timestamp >= page_interval ) {
n->count=0;
}
}
n->timestamp = t;
n->count++;
ntt_update(ntt, hash_key, n->timestamp, n->count);
ntt_cleanup(n);
return ret;
}
// Insert
ntt_insert(ntt, hash_key, t);
/* Has site been hit too much? */
snprintf(hash_key, 2048, "%s_SITE", ip);
n = ntt_find(ntt, hash_key);
if( n ) {
/* If site is being hit too much, add to "hold" list and 403 */
if( t - n->timestamp < site_interval && n->count >= site_count ) {
ret = HTTP_FORBIDDEN;
ntt_insert(ntt, ip, time(NULL));
} else {
/* Reset our hit count list as necessary */
if (t-n->timestamp>=site_interval) {
n->count=0;
}
}
n->timestamp = t;
n->count++;
ntt_update(ntt, hash_key, n->timestamp, n->count);
ntt_cleanup(n);
return ret;
}
// Insert
ntt_insert(ntt, hash_key, t);
return ret;
}
