add BAD_HOSTS setting for nasty clients

having one who updates every 5s with an invalid password.
this locks the database (due to it increasing auth fail count and msg)
all the time, so i can't even delete that host from django admin.

also: Response now gets a status parameter, defaulting to 200.
Thomas Waldmann 2019-04-15 18:57:54 +02:00
parent 4581f90f2d
commit 4c49ef5613
2 changed files with 13 additions and 3 deletions


@ -27,14 +27,14 @@ from ..main.dnstools import (FQDN, update, delete, check_ip, put_ip_into_session
from ..main.iptools import normalize_ip
def Response(content):
def Response(content, status=200):
"""
shortcut for text/plain HttpResponse
:param content: plain text content for the response
:return: HttpResonse object
:return: HttpResponse object
"""
return HttpResponse(content, content_type='text/plain')
return HttpResponse(content, status=status, content_type='text/plain')
@log.logger(__name__)
@ -210,6 +210,8 @@ class NicUpdateView(View):
:return: HttpResponse object
"""
hostname = request.GET.get('hostname')
if hostname in settings.BAD_HOSTS:
return Response('abuse', status=403)
auth = request.META.get('HTTP_AUTHORIZATION')
if auth is None:
# logging this at debug level because otherwise it fills our logs...
@ -219,6 +221,8 @@ class NicUpdateView(View):
if '.' not in username: # username MUST be the fqdn
# specifically point to configuration errors on client side
return Response('notfqdn')
if username in settings.BAD_HOSTS:
return Response('abuse', status=403)
host = check_api_auth(username, password)
if host is None:
return basic_challenge("authenticate to update DNS", 'badauth')
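Review bot: Both new BAD_HOSTS checks (`hostname in settings.BAD_HOSTS` and `username in settings.BAD_HOSTS`) are exact, case-sensitive string matches, so a blocked name that arrives in different letter case or with a trailing dot is not caught and still reaches `check_api_auth`, the path the commit message says the block is meant to keep away from the database. Normalising before the lookup would cover that, e.g. `if username.lower().rstrip('.') in settings.BAD_HOSTS:` (and the same for `hostname`, guarded against `None`), with the BAD_HOSTS comment in the settings file stating that entries must be lowercase FQDNs without a trailing dot. Whether `check_api_auth` itself matches names case-insensitively is not visible here, so confirm against it before relying on this. The method body starts before and continues after both hunks.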


@ -51,6 +51,12 @@ BAD_AGENTS = set([]) # list can have str elements
from netaddr import IPSet, IPAddress, IPNetwork
BAD_IPS_HOST = IPSet([]) # inner list can have IPAddress and IPNetwork elements
# when encountering these hostnames (fqdn), block them early/silently from
# api usage. avoid any database access, so if someone tries to update
# every 5s, the database won't be locked all the time and we can at least
# delete the host from django admin.
BAD_HOSTS = set([])
# nameservers used e.g. for MX lookups in the registration email validation.
# google / cloudflare DNS IPs are only given as example / fallback -
# please configure your own nameservers in your local settings file.