Real-time block lists have become a popular technique for maintaining a central, dynamic database of malicious IP addresses. The most prominent examples are spamhaus.org and other services, which provide an updated blacklist of spammer IP addresses.
These block lists are served by a DNS server, which makes checking whether an address is blacklisted as easy as a simple DNS lookup. If an IP address is blacklisted, the DNS server will respond with some resolved name; otherwise it will return a not-found response.
ModSecurity can query real-time block lists through its integrated @rbl operator. This can be used to check whether a client IP is currently blacklisted.
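The lookup described above, as an added example that is not part of the original page or of jwall-rbld. It assumes the usual DNS block-list convention of querying the reversed address labels under the list's zone, extends the idea to IPv6, and uses a hypothetical zone `rbl.example.test` with a constructed stand-in resolver so that it runs offline.

```python
import ipaddress
import socket

# Resolver error codes that mean "no such name", i.e. the address is not listed.
NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}


def rbl_query_name(ip, zone):
    """Build the DNS name to look up for `ip` in the block-list zone `zone`."""
    addr = ipaddress.ip_address(ip)
    # reverse_pointer gives "10.2.0.192.in-addr.arpa" (IPv4) or the reversed
    # nibbles plus ".ip6.arpa" (IPv6); a block list uses the same reversed
    # labels, but under its own zone.
    suffix = ".in-addr.arpa" if addr.version == 4 else ".ip6.arpa"
    reversed_labels = addr.reverse_pointer[: -len(suffix)]
    return f"{reversed_labels}.{zone.strip('.')}"


def rbl_lookup(ip, zone, resolve=socket.gethostbyname):
    """Return the answer the list gives for `ip`, or None if it is not listed.

    Resolver failures other than "not found" are re-raised, so an unreachable
    DNS server is never mistaken for a clean address.
    """
    try:
        return resolve(rbl_query_name(ip, zone))
    except socket.gaierror as err:
        if err.errno in NOT_FOUND:
            return None
        raise


if __name__ == "__main__":
    # Constructed stand-in for a block-list server holding a single entry.
    listed = {"10.2.0.192.rbl.example.test": "127.0.0.2"}

    def fake_resolve(name):
        if name in listed:
            return listed[name]
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")

    for ip in ("192.0.2.10", "192.0.2.11"):
        print(ip, "->", rbl_lookup(ip, "rbl.example.test", fake_resolve))
```

Passing `socket.gethostbyname` (the default) as `resolve` sends the same query to whatever DNS server the host is configured to use.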
I didn't come to use ModSecurity's RBL-feature, since I did not have a dynamic DNS server running around locally. One rainy weekend I had a glance at the DNS protocol specification and thought it shouldn't be hard to write a simple DNS server on my own. The outcome is this jwall-rbld server.
The jwall-rbld package provides a small DNS server, which maintains a dynamic in-memory database of IP addresses. These can be interactively changed, resulting in an easy-to-use and flexible real-time block list.
This document describes the jwall-rbld server and how to set it up to dynamically block client addresses with ModSecurity.