From 4c49ef5613c2f4bc8cdae1320efe4ca6fe47b4c5 Mon Sep 17 00:00:00 2001
From: Thomas Waldmann
Date: Mon, 15 Apr 2019 18:57:54 +0200
Subject: [PATCH] add BAD_HOSTS setting for nasty clients having one who updates every 5s with a invalid password. this locks the database (due to it increasing auth fail count and msg) all the time, so i can't even delete that host from django admin. also: Response now get a status parameter, defaulting to 200.
---
 src/nsupdate/api/views.py | 10 +++++++---
 src/nsupdate/settings/base.py | 6 ++++++
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/nsupdate/api/views.py b/src/nsupdate/api/views.py
index 9715fe7..bd7cd6e 100644
--- a/src/nsupdate/api/views.py
+++ b/src/nsupdate/api/views.py
@@ -27,14 +27,14 @@ from ..main.dnstools import (FQDN, update, delete, check_ip, put_ip_into_session
 from ..main.iptools import normalize_ip
-def Response(content):
+def Response(content, status=200):
 """
 shortcut for text/plain HttpResponse
 :param content: plain text content for the response
- :return: HttpResonse object
+ :return: HttpResponse object
 """
- return HttpResponse(content, content_type='text/plain')
+ return HttpResponse(content, status=status, content_type='text/plain')
 @log.logger(__name__)
@@ -210,6 +210,8 @@ class NicUpdateView(View):
 :return: HttpResponse object
 """
 hostname = request.GET.get('hostname')
+ if hostname in settings.BAD_HOSTS:
+ return Response('abuse', status=403)
 auth = request.META.get('HTTP_AUTHORIZATION')
 if auth is None:
 # logging this at debug level because otherwise it fills our logs...
@@ -219,6 +221,8 @@ class NicUpdateView(View):
 if '.' not in username: # username MUST be the fqdn
 # specifically point to configuration errors on client side
 return Response('notfqdn')
+ if username in settings.BAD_HOSTS:
+ return Response('abuse', status=403)
 host = check_api_auth(username, password)
 if host is None:
 return basic_challenge("authenticate to update DNS", 'badauth')
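Review bot: The docstring of `Response` in the first views.py hunk does not describe the new `status` parameter introduced by `def Response(content, status=200)`. I would add `:param status: HTTP status code of the response (default: 200)` below the existing `:param content:` line, so that callers returning an error code, such as the 403 used further down, can see that the argument exists.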
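Review bot: The blocklist test in `NicUpdateView` (`if hostname in settings.BAD_HOSTS:` in the second views.py hunk, and `if username in settings.BAD_HOSTS:` in the third) is an exact, case-sensitive string match, while DNS names are case-insensitive and may carry a trailing dot. A client that sends the same fqdn in a different spelling would not be stopped here and would go on to `check_api_auth`; whether that lookup still matches the host, and so still touches the database, is not visible in this patch and should be confirmed. Normalising before the comparison closes the gap, e.g. `if hostname and hostname.rstrip('.').lower() in settings.BAD_HOSTS:` (and the same for `username`), with the entries stored lower-case. The method body starts and ends outside both hunks.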
diff --git a/src/nsupdate/settings/base.py b/src/nsupdate/settings/base.py
index 767a6e9..84ee44c 100644
--- a/src/nsupdate/settings/base.py
+++ b/src/nsupdate/settings/base.py
@@ -51,6 +51,12 @@ BAD_AGENTS = set([]) # list can have str elements
 from netaddr import IPSet, IPAddress, IPNetwork
 BAD_IPS_HOST = IPSet([]) # inner list can have IPAddress and IPNetwork elements
+# when encountering these hostnames (fqdn), block them early/silently from
+# api usage. avoid any database access, so if someone tries to update
+# every 5s, the database won't be locked all the time and we can at least
+# delete the host from django admin.
+BAD_HOSTS = set([])
+
 # nameservers used e.g. for MX lookups in the registration email validation.
 # google / cloudflare DNS IPs are only given as example / fallback -
 # please configure your own nameservers in your local settings file.
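Review bot: The comment above `BAD_HOSTS` does not say what form the entries must take, and the views.py checks in this patch compare the raw request value against the set with a plain `in` test. An entry that does not match therefore fails silently and the host is not blocked. I would extend the comment with something like `# set can have str elements: the fqdn exactly as the client sends it in the hostname parameter / basic-auth username`, mirroring the `# list can have str elements` remark on `BAD_AGENTS`.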