Build RBL DNS untuk anti-spam berbasis IP address

Requirements:

MySQL server. Menggunakan MySQL server; pastikan telah terinstal dengan baik. Pada percobaan kali ini digunakan OS CentOS 6.5.

Persiapkan database, username, dan password untuk akses MySQL. Buat database, misalnya: rbldns

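mysql> create database rbldns;
mysql> -- rebuild_rbldns.pl only SELECTs from this database and rows are added by hand;
mysql> -- data privileges are enough, ALL PRIVILEGES (CREATE, DROP, ALTER, ...) is not needed.
mysql> grant select, insert, update, delete on rbldns.* to 'rbldns'@'localhost' identified by 'rbl1231';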
Lalu buat tabel ips di database rbldns:
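-- One row per listed address.  b_or_w selects the list the address ends up in:
-- 'b' -> spammerlist (blocked), 'w' -> whitelist (exclusion), see rebuild_rbldns.pl.
CREATE TABLE `ips` (
  `id` int(16) NOT NULL AUTO_INCREMENT,
  `ipaddress` varchar(40) NOT NULL DEFAULT '',
  -- '0000-00-00 00:00:00' is rejected by newer MySQL versions whose sql_mode
  -- includes NO_ZERO_DATE; use NULL or CURRENT_TIMESTAMP there.
  `dateadded` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
  `reportedby` varchar(40) DEFAULT NULL,
  `updated` datetime DEFAULT NULL,
  `attacknotes` text,
  `b_or_w` char(1) NOT NULL DEFAULT 'b',
  PRIMARY KEY (`id`),
  -- The export script's own expected schema keys the table by ipaddress; a unique
  -- key keeps one row per address, so an address cannot be both 'b' and 'w' at once.
  UNIQUE KEY `ipaddress` (`ipaddress`),
  KEY `dateadded` (`dateadded`),
  KEY `b_or_w` (`b_or_w`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COMMENT='spammer list';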

Sampai di sini database untuk RBL DNS sudah siap. RBL DNS daemon menggunakan rbldnsd (http://www.corpit.ru/mjt/rbldnsd.html).

Instalasi

# wget -c "http://www.corpit.ru/mjt/rbldnsd/rbldnsd-0.997a.tar.gz"
## The tarball is fetched over plain http with no checksum or signature check and
## is then built and installed as root.  Compare it against a digest obtained out
## of band before continuing, e.g.  sha256sum rbldnsd-0.997a.tar.gz
## (expected value: <DIGEST-FROM-UPSTREAM>, not given on this page).
# tar -xvf rbldnsd-0.997a.tar.gz 
# cd rbldnsd-0.997a
# ./configure 
# make
## Copies the freshly built binary into the sbin path used by /etc/init.d/rbldnsd.
# cp -a rbldnsd /usr/local/sbin/rbldnsd

Konfigurasi

Tambahkan user rbldns yang akan digunakan sebagai daemon user:

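# The account is only a privilege-drop target for "rbldnsd -u rbldns"; it never
# logs in.  -r: system account, -M: no home directory, -s /sbin/nologin: no shell.
useradd -r -M -s /sbin/nologin rbldns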

create directory

## dataset directory (dsbl) and query-log directory (log) used by the rbldnsd options below
# mkdir -p /var/lib/rbldns/dsbl /var/lib/rbldns/log

Buat file-file dataset dan log:

## Empty dataset files for the ip4set (spammerlist, whitelist) and generic (forward)
## zones named in /etc/sysconfig/rbldnsd.  dsbl/rbl.log is not referenced by those
## options (the query log is log/rbl.log) and appears to be unused.
# touch /var/lib/rbldns/dsbl/{dsbl,rbl,forward,spammerlist,whitelist,rbl.log}
# touch /var/lib/rbldns/log/rbl.log

Unduh file rebuild rbldns yang akan digunakan untuk mengekspor data dari MySQL ke dalam bentuk file teks (spammerlist).

## A script fetched over plain http and later run as root from cron: read it
## through before the first run (the next step edits it anyway).
# wget -O /usr/local/bin/rebuild_rbldns.pl http://www.blue-quartz.com/rbl/rebuild_rbldns.txt

chmod 750, lalu edit:

## The script embeds the MySQL password in clear text; mode 750 keeps other local
## users from reading it.  Fetched as root, it is root-owned, so the cronjob that
## runs it must run as root (or chown it to the account that will).
# chmod 750 /usr/local/bin/rebuild_rbldns.pl
# vim /usr/local/bin/rebuild_rbldns.pl

Edit user, password, dan nama database yang sesuai.

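#!/usr/bin/perl
# rebuild_rbldns.pl
# Copyright (c) 2006 by Herb Rubin herbr@pfinders.com covered under GPL license
#
# Purpose: rebuild a flatfile of IP addresses from mysql ips table for RBL blacklist server
# Expects: database table named ips
#
# CREATE TABLE `ips` (
#  `ipaddress` varchar(15) NOT NULL default '',
#  `dateadded` datetime NOT NULL default '0000-00-00 00:00:00',
#  `reportedby` varchar(40) default NULL,
#  `updated` datetime default NULL,
#  `attacknotes` text,
#  `b_or_w` char(1) NOT NULL default 'b',
#  PRIMARY KEY  (`ipaddress`),
#  KEY `dateadded` (`dateadded`),
#  KEY `b_or_w` (`b_or_w`)
#) ENGINE=MyISAM DEFAULT CHARSET=latin1 COMMENT='spammer list';
#
# Each list is written to $temp_file and then rename()d over the live file, so
# rbldnsd never reads a half-written list.  Every DBI error and every I/O
# failure is fatal and happens before the rename, so a failed query can no
# longer replace the live blacklist with an empty file (exit status is
# non-zero, which a cron mail or monitor can pick up).
use strict;
use warnings;
use Getopt::Std;
use DBI;

my $version = "1.01"; # Mar 20, 2009
#
# Begin User Defined Section
#----------------------------
# NOTE: the MySQL password is stored here in clear text; keep this file
# readable only by the account that runs it (mode 750 in the install steps).
my $blacklist_file = "/var/lib/rbldns/dsbl/spammerlist";
my $whitelist_file = "/var/lib/rbldns/dsbl/whitelist";
my $rbl_domain     = "rbldns.abc.co.id";
my $mysql_user     = "rbldns";
my $mysql_pass     = "pass";
my $mysql_database = "rbldns";
my $mysql_host     = "localhost";
my $datasource     = "dbi:mysql:database=$mysql_database;host=$mysql_host";
my $temp_file      = "/var/lib/rbldns/dsbl/templist";
#----------------------------
# End User Defined Section

# Program name without its directory, for messages and the usage text.
my $progname = $0;
$progname = $1 if $progname =~ m{([\w.]+)\z};

# Switches: -h help, -v verbose, -V version.  -f is accepted for backward
# compatibility but has no effect.  An unknown switch (getopts already
# warned about it) prints the usage and exits non-zero instead of running.
my %Options;
if (!getopts("fhvV", \%Options)) {
    usage();
    exit 2;
}
if ($Options{h}) {
    usage();
    exit 0;
}
if ($Options{V}) {
    print "$progname version $version\n";
    exit 0; # good exit
}

# Connect with RaiseError off so a failed connect is reported here in the
# original wording; once connected, every DBI error is fatal (see build_file).
my $dbh = DBI->connect($datasource, $mysql_user, $mysql_pass,
                       { PrintError => 0, RaiseError => 0 });
if (!$dbh) {
    print DBI->errstr . "\n" if $Options{v};
    print "Error: Could not connect to local MySQL database. (did password change?)\n";
    exit 1; # bad exit
}
$dbh->{RaiseError} = 1;

build_file($blacklist_file, "b");
build_file($whitelist_file, "w");
$dbh->disconnect;
exit 0;

##########################
# subroutines start here #
##########################

# Print the command-line help to STDOUT.
sub usage {
    print <<EOF;
$progname usage:

   $progname [-hvV]
   Rebuild the rbl dns flat file from a mysql database.
   rbl means relay blacklist.

   Recommendation: Run this as a cronjob on a regular basis.
 where:
    -h         Display this help
    -v         Verbose mode
    -V         Show $progname version.
    -f         Accepted for compatibility; ignored.
EOF
    return;
}

# Write one rbldnsd ip4set file from the ips table.
#   $file  destination path (the live blacklist or whitelist)
#   $type  'b' or 'w'; selects the rows and the line format
# The first line of every file is a fixed default entry.  Whitelist rows are
# written as "!ip" (an ip4set exclusion), blacklist rows as the bare address.
# $type is passed as a bind value rather than interpolated into the SQL.
# Dies on any DBI error (RaiseError) or I/O failure, leaving $file untouched.
sub build_file {
    my ($file, $type) = @_;
    open my $rbl, '>', $temp_file
        or die "Failed to open $temp_file for writing: $!\n";
    #########################################
    # first line of file is always the same #
    #########################################
    print {$rbl} ":127.0.0.2:spammer must die -netsysadmin k24-\n";
    my $sth = $dbh->prepare(
        "SELECT ipaddress FROM ips WHERE b_or_w = ? ORDER BY dateadded, ipaddress");
    $sth->execute($type);
    my $count = 0;
    while (my $row = $sth->fetchrow_hashref) {
        my $ipaddress = $row->{ipaddress};
        $count++;
        if ($type eq "w") {
            print {$rbl} "!$ipaddress\n";
        }
        else {
            print {$rbl} "$ipaddress\n";
        }
    }
    # Buffered write errors surface at close; check before the rename.
    close $rbl or die "Failed to close $temp_file: $!\n";
    # rename() replaces the live file atomically (both paths are in the same
    # directory) and needs no shell, unlike the former `mv`.
    rename $temp_file, $file
        or die "Failed to rename $temp_file to $file: $!\n";
    print "$count ips of type $type\n" if $Options{v};
    return;
}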

Buat file opsi daemon untuk RBL DNS seperti di bawah ini; simpan dengan nama /etc/sysconfig/rbldnsd:

# rbldnsd options, sourced by /etc/init.d/rbldnsd as $OPTIONS
# -----------------------------------------
#  -u rbldns     drop privileges to the daemon user created earlier
#  -p <pidfile>  pidfile; the init script's status check reads the same path
#  -l <logfile>  query log (the file touched in /var/lib/rbldns/log)
#  -f            smooth reloads (author's note; see the rbldnsd man page)
#  -r <dir>      directory the dataset names below are taken from (rbldnsd
#                documents -r as its root directory; check the man page)
#  -b <addr>     address to listen on
# NOTE: -b 0.0.0.0 listens on every interface of this host.  The port
# forwarding described for this setup targets 192.168.1.50, so binding that
# address alone (as in the commented-out line below) limits exposure when
# the host has other interfaces.
# The zone name rbldns.abc.co.id must match the NS/A records you delegate;
# a change here needs the matching change in DNS and in the mail server.
#
#RBLDNSD="-u rbldnsd -l /var/lib/rbldns/log/rbl.log -f -r/var/lib/rbldns/dsbl -b 192.168.1.50 rbldns.abc.co.id:ip4set:spammerlist,whitelist rbldns.abc.co.id:generic:forward"
OPTIONS="-u rbldns -p /var/run/rbldnsd.pid -l /var/lib/rbldns/log/rbl.log -f -r/var/lib/rbldns/dsbl -b 0.0.0.0 rbldns.abc.co.id:ip4set:spammerlist,whitelist rbldns.abc.co.id:generic:forward"

Simpan script berikut dengan nama /etc/init.d/rbldnsd:

#!/bin/bash
#
# chkconfig: 2345 85 15
# description: rbldnsd is a DNS server designed for dnsbls.  
# processname: rbldnsd
# pidfile: /var/run/rbldnsd.pid
#
# SysV init script for rbldnsd (CentOS 6).  The chkconfig/pidfile header
# lines above are read by chkconfig and must stay as they are.  The daemon's
# command line comes from OPTIONS in /etc/sysconfig/rbldnsd.

# Source function library (provides daemon, killproc, status).
. /etc/init.d/functions

prog="rbldnsd"
lockfile="/var/lock/subsys/${prog}"
PID_FILE="/var/run/rbldnsd.pid"
if [ -e /etc/sysconfig/rbldnsd ]; then
    . /etc/sysconfig/rbldnsd
fi
RETVAL=0
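# Start rbldnsd with $OPTIONS from /etc/sysconfig/rbldnsd; on success create
# the subsys lock file.  Returns the daemon's status so a caller's "RETVAL=$?"
# sees it instead of the exit status of the lock-file test.
start() {
        echo -n $"Starting rbldnsd service: "
        # $OPTIONS is intentionally unquoted: it holds several arguments.
        daemon /usr/local/sbin/rbldnsd $OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch "$lockfile"
        return $RETVAL
}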
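# Stop rbldnsd and remove the subsys lock file.  Returns killproc's status so
# a caller's "RETVAL=$?" sees it instead of the exit status of "rm".
# NOTE: this matches the process by name while status uses the pidfile; once
# the pidfile from "-p" in OPTIONS is confirmed to be written, use
# 'killproc -p "$PID_FILE" rbldnsd' so only this instance is signalled.
stop() {
        echo -n $"Shutting down rbldnsd service: "
        killproc rbldnsd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f "$lockfile"
        return $RETVAL
}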
# Dispatch on the action given by the service tool / chkconfig.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart|reload)
        stop
        start
        RETVAL=$?
        ;;
  condrestart)
        # Restart only if the service was running (lock file present).
        if [ -f "$lockfile" ]; then
            stop
            start
            RETVAL=$?
        fi
        ;;
  status)
        status -p "$PID_FILE" rbldnsd
        RETVAL=$?
        # LSB: "dead but subsys locked" is 2 rather than 3.
        if [ $RETVAL -eq 3 ] && [ -f "$lockfile" ]; then
            RETVAL=2
        fi
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status}"
        exit 1
esac
exit $RETVAL

Start daemon rbldnsd:

## Make the init script executable, then start the daemon through it (the
## init script reads OPTIONS from /etc/sysconfig/rbldnsd).
# chmod a+x /etc/init.d/rbldnsd
# /etc/init.d/rbldnsd start

Lalu cek apakah service sudah listen atau belum:

[root@rbldns ~]# netstat -ntlpu | grep rbldns
udp        0      0 0.0.0.0:53                  0.0.0.0:*                               7237/rbldnsd        
[root@rbldns ~]#

Jika sudah listen, sampai dengan langkah ini RBL DNS sudah siap untuk digunakan.

Setting DNS untuk rbldns.abc.co.id

Agar RBL DNS dapat digunakan di mail server, khususnya Zimbra, kita perlu menambahkan DNS NS record rbldns.abc.co.id (misalnya) ke DNS manager dari abc.co.id.

setting NS record

nsrbl

Lalu setting A record untuk a.rbldns.abc.co.id:

arecordsrbl

Pastikan firewall Mikrotik sudah di-setup port forwarding 53/udp dari IP 202.169.239.180 ke IP internal 192.168.1.50.

Testing:

Untuk menguji apakah RBL DNS sudah berjalan sebelum diterapkan di mail server, bisa dengan cara berikut: insert IP dengan perintah:

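mysql> -- test entry; b_or_w='b' puts it in spammerlist on the next rebuild (stray trailing quote removed)
mysql> INSERT INTO ips SET  ipaddress='207.126.164.135',  reportedby='manual',  attacknotes='spammers',  b_or_w='b',  dateadded=now(),  updated=now();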
Jika sudah, lalu build dan restart service rbldnsd:
[root@rbldns tmp]# /usr/local/bin/rebuild_rbldns.pl;/etc/init.d/rbldnsd restart
Shutting down rbldnsd service:                             [  OK  ]
Starting rbldnsd service: rbldnsd: listening on 0.0.0.0/53
rbldnsd: ip4set:spammerlist,whitelist: 20150518 022140: e32/24/16/8=189204/0/0/0
rbldnsd: generic:forward: 20140617 122159: e=0
rbldnsd: zones reloaded, time 0.2e/0.2u sec, mem arena=280 free=129 mmap=2960 Kb
rbldnsd: rbldnsd version 0.997a (23 Jul 2013) started (1 socket(s), 1 zone(s))
                                                           [  OK  ]
[root@rbldns tmp]#

Cek file spammerlist:

[root@rbldns ~]# cat /var/lib/rbldns/dsbl/spammerlist | grep 207.126.164.135
207.126.164.135
[root@rbldns ~]#

IP yang diblok sudah masuk ke dalam list.

Cek terakhir via lookup dengan dig:

dian@it-infra ~ $ dig 135.164.126.207.rbldns.abc.co.id @202.169.239.180
; <<>> DiG 9.9.5-3-Ubuntu <<>> 135.164.126.207.rbldns.abc.co.id @202.169.239.180
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64533
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;135.164.126.207.rbldns.abc.co.id. IN   A
;; ANSWER SECTION:
135.164.126.207.rbldns.abc.co.id. 2100 IN A 127.0.0.2
;; AUTHORITY SECTION:
rbldns.abc.co.id.   1800    IN  NS  a.rbldns.abc.co.id.
;; ADDITIONAL SECTION:
a.rbldns.abc.co.id. 1800    IN  A   202.169.239.180
;; Query time: 302 msec
;; SERVER: 202.169.239.180#53(202.169.239.180)
;; WHEN: Mon May 18 10:21:36 WIB 2015
;; MSG SIZE  rcvd: 109

Jika ada answer dengan result 127.0.0.2, maka IP sudah masuk ke RBL DNS dan RBL DNS sudah bekerja dengan baik. Jika tidak ada result, maka IP tidak diblok.

dian@it-infra ~ $ dig 35.64.102.117.rbldns.abc.co.id @202.169.239.180
; <<>> DiG 9.9.5-3-Ubuntu <<>> 35.64.102.117.rbldns.abc.co.id @202.169.239.180
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50561
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;35.64.102.117.rbldns.abc.co.id.    IN  A
;; Query time: 134 msec
;; SERVER: 202.169.239.180#53(202.169.239.180)
;; WHEN: Mon May 18 10:23:38 WIB 2015
;; MSG SIZE  rcvd: 59
dian@it-infra ~ $

Langkah terakhir, memasang RBL DNS di Zimbra mudah sekali: cukup seperti di gambar bawah ini, lalu save dan restart services.

zimbrarbldns

Restart services amavis dan milter:

# Reload amavisd and the MTA so the new RBL setting from the admin console takes effect.
zmamavisdctl reload
zmmtactl reload

Results:

blockeddns

ref: http://www.blue-quartz.com/rbl/