Am 30.05.2014 22:48, schrieb Wietse Venema:
> [email protected]:
>>> You also need to drop "secondary groups". On UNIX, that's
>>> done with setgroups() or initgroups(), before dropping
>>> root privileges
>>
>> thanks for the hint, looks not that it's supported
>> http://www.php.net/manual/en/book.posix.php
>
> It took me a few seconds to find that PHP has initgroups.
>
> site:php.net initgroups
indeed - no excuse except blindness :-(
implemented - thanks!
In the meantime I installed and configured the MySQL server -
scary, my first from-scratch MySQL setup in 11 years.
I have most likely already written the insert/update code (currently
untested) and planned a 'dnsbl_auto' flag: the honeypot service sets it
to 1 on the records it creates, and the expiry job that removes old
entries skips records where it is 0, so that a web interface can later
add blocked IPs manually without them being expired.
At least those parts are straightforward.
Finally, I need to decide which DNS server offers the easiest zone
handling (BIND, unbound, dnsmasq, ...) and relearn how to start a PHP
service on non-systemd setups.
_____________________________________________________________________
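#!/usr/bin/php
<?php
/**
 * SMTP honeypot feeding a DNSBL table.
 *
 * Accepts TCP connections on $port, records the peer address in the dnsbl
 * table (or refreshes its timestamp when it is already there) and closes the
 * connection without reading anything. Nothing is ever sent to the peer.
 *
 * Usage: honeypot.php [port]
 *   port  TCP port to listen on, default 25. Binding a port below 1024 needs
 *         root; root is dropped to $unpriv_user right after the listening
 *         socket exists, before the first accept().
 *
 * Operational notes:
 *  - Every peer that completes a TCP handshake is listed. Put your own
 *    monitoring hosts into $whitelist and do not bind this to the address
 *    of a real MX, or legitimate senders end up on the list.
 *  - This file holds the database password. PHP parses the whole file before
 *    the privilege drop, so it can (and should) be readable by root only.
 *  - Exit status is 1 and the reason goes to stderr when setup fails, so an
 *    init script can notice.
 */

/** listen on all interfaces (IPv4 only, see AF_INET below) */
$address = '0.0.0.0';

/** tcp port to listen on: argv[1], falling back to 25 when absent or 0 */
$port = 25;
if(isset($_SERVER['argv'][1]) && intval($_SERVER['argv'][1]) !== 0)
{
    $port = intval($_SERVER['argv'][1]);
    if($port < 1 || $port > 65535)
    {
        honeypot_fail('invalid port: ' . $_SERVER['argv'][1]);
    }
}

/** configuration */
$whitelist = array();      /* peer addresses that are never recorded, exact string match */
$simulation = true;        /* true: print peers on stdout, false: write them to the database */
$ttl = 3600 * 24 * 7;      /* intended record lifetime; not used by this script itself */
$unpriv_user = 'nobody';   /* account to run as once the socket is bound */

/** database account */
$db_host = 'localhost';
$db_user = 'dnsbl';
$db_db = 'dnsbl';
$db_table = 'dnsbl';
$db_port = 3307;
$db_pwd = '***********************';

/** disable output buffering so simulation output shows up immediately */
ob_implicit_flush();

/**
 * Report a fatal setup error on stderr and terminate with exit status 1.
 *
 * @param string $msg  reason, printed verbatim followed by a newline
 */
function honeypot_fail($msg)
{
    fwrite(STDERR, $msg . "\n");
    exit(1);
}

/**
 * Record one peer address in the dnsbl table.
 *
 * Uses a single INSERT ... ON DUPLICATE KEY UPDATE, relying on the UNIQUE KEY
 * on dnsbl_ip: a new address is inserted with dnsbl_auto=1 and the current
 * time, a known address only gets its timestamp refreshed and keeps whatever
 * dnsbl_auto it had (manually added rows stay at 0). Both values are bound as
 * prepared-statement parameters. A fresh connection is opened per call, as in
 * the original design, so a database restart does not need a service restart.
 *
 * Failures are logged on stderr and otherwise ignored: the honeypot keeps
 * accepting connections whatever the database does.
 *
 * NOTE(review): the posted "show create table" spells the timestamp column
 * `dnsbl_timestmap`; the schema and this query must agree, and the intended
 * name is used here.
 *
 * @param string $host   database host
 * @param string $user   database user
 * @param string $pwd    database password
 * @param string $db     database name
 * @param int    $port   database port
 * @param string $table  table name (configuration value, not peer input)
 * @param string $ip     peer address as returned by socket_getpeername()
 * @return bool          true when the row was written
 */
function honeypot_record($host, $user, $pwd, $db, $port, $table, $ip)
{
    $conn = mysqli_init();
    if(!mysqli_real_connect($conn, $host, $user, $pwd, $db, $port))
    {
        fwrite(STDERR, 'db connect failed: ' . mysqli_connect_error() . "\n");
        return false;
    }

    /* identifiers cannot be bound, so the table name is backtick-quoted */
    $sql = 'insert into `' . str_replace('`', '``', $table) . '` '
         . '(dnsbl_ip, dnsbl_timestamp, dnsbl_auto) values (?, ?, 1) '
         . 'on duplicate key update dnsbl_timestamp = ?';

    $ok = false;
    $stmt = mysqli_prepare($conn, $sql);
    if($stmt === false)
    {
        fwrite(STDERR, 'db prepare failed: ' . mysqli_error($conn) . "\n");
    }
    else
    {
        $now = time();
        $ok = mysqli_stmt_bind_param($stmt, 'sii', $ip, $now, $now)
            && mysqli_stmt_execute($stmt);
        if(!$ok)
        {
            fwrite(STDERR, 'db write failed: ' . mysqli_stmt_error($stmt) . "\n");
        }
        mysqli_stmt_close($stmt);
    }
    mysqli_close($conn);
    return $ok;
}

/** create the listening socket */
if(($sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) === false)
{
    honeypot_fail('socket_create() failed: reason: ' .
        socket_strerror(socket_last_error()));
}
/* allow an immediate restart while connections from the previous run are
   still in TIME_WAIT; without this bind() fails for up to a few minutes */
socket_set_option($sock, SOL_SOCKET, SO_REUSEADDR, 1);
if(socket_bind($sock, $address, $port) === false)
{
    honeypot_fail('socket_bind() failed: reason: ' .
        socket_strerror(socket_last_error($sock)));
}
if(socket_listen($sock, 5) === false)
{
    honeypot_fail('socket_listen() failed: reason: ' .
        socket_strerror(socket_last_error($sock)));
}

/**
 * drop privileges
 *
 * The uid/gid are resolved from the account name instead of being hard-coded
 * (the uid of 'nobody' differs between distributions). Order matters:
 * supplementary groups and the primary gid must go first, because once the
 * uid is no longer 0 they can no longer be changed. Afterwards the real and
 * effective ids are checked, since a silently incomplete drop is worse than
 * a refusal to start.
 */
$pw = posix_getpwnam($unpriv_user);
if($pw === false)
{
    honeypot_fail('Drop privileges failed: unknown user ' . $unpriv_user);
}
if(!posix_initgroups($pw['name'], $pw['gid']) ||
   !posix_setgid($pw['gid']) ||
   !posix_setuid($pw['uid']) ||
   posix_getuid() !== $pw['uid'] || posix_geteuid() !== $pw['uid'] ||
   posix_getgid() !== $pw['gid'] || posix_getegid() !== $pw['gid'])
{
    honeypot_fail('Drop privileges failed');
}

/** service loop: one connection at a time, never returns */
while(true)
{
    $msgsock = socket_accept($sock);
    if($msgsock === false)
    {
        /* accept() fails transiently (EINTR, EMFILE, ...); never pass the
           false handle on, and pause briefly so a persistent error does not
           turn into a busy loop */
        usleep(100000);
        continue;
    }

    /* only the source address is of interest, nothing is read or written */
    $remote_ip = '';
    $have_peer = socket_getpeername($msgsock, $remote_ip);
    socket_close($msgsock);
    if(!$have_peer || $remote_ip === '')
    {
        continue;
    }

    if(in_array($remote_ip, $whitelist, true))
    {
        continue;
    }

    if($simulation)
    {
        /* debug: echo the connecting peer on stdout */
        echo $remote_ip . "\n";
    }
    else
    {
        honeypot_record($db_host, $db_user, $db_pwd, $db_db, $db_port,
            $db_table, $remote_ip);
    }
}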
_____________________________________________________________________
mysql> show create table dnsbl;
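CREATE TABLE `dnsbl` (
  `dnsbl_key` int(10) unsigned NOT NULL AUTO_INCREMENT,
  -- peer address as text; the honeypot only produces IPv4 strings today,
  -- 255 chars leaves room for anything added through a web interface
  `dnsbl_ip` varchar(255) COLLATE latin1_german1_ci NOT NULL DEFAULT '',
  -- unix time of the last connection from this address; the original
  -- listing had this misspelled as `dnsbl_timestmap`, which no query in
  -- the honeypot script matches
  `dnsbl_timestamp` int(10) unsigned NOT NULL DEFAULT '0',
  -- 1 = created by the honeypot and subject to expiry,
  -- 0 = added manually, the expiry job leaves it alone
  `dnsbl_auto` tinyint(1) unsigned NOT NULL DEFAULT '0',
  PRIMARY KEY (`dnsbl_key`),
  -- one row per address; the honeypot's INSERT ... ON DUPLICATE KEY UPDATE
  -- depends on this constraint
  UNIQUE KEY `dnsbl_ip` (`dnsbl_ip`),
  -- the expiry job selects old rows by timestamp
  KEY `dnsbl_timestamp` (`dnsbl_timestamp`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_german1_ci;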