Home > Archive > PERL CGI Beginners > November 2005 > Tracking/Blocking IPs.
Tracking/Blocking IPs.
| I have been running a public forum (no registration required) with over 50,000 visits per day. Lots of trolls and bad / advertising posts etc. from other sites and individuals.
-> It was small initially and I used to track the IPs and ban them manually by putting them in a database, and the posting script checked the IP ban list before anyone could post.
-> In time, it grew and I started monitoring {HTTP:Forwarded-For} and {HTTP:X-Forwarded-For} as well to filter out trolls.
-> Later I also tried mod_rewrite,
# Ban anonymous proxy requests
RewriteCond %{HTTP:Via} !^$ [OR]
RewriteCond %{HTTP_FORWARDED} !^$ [OR]
RewriteCond %{HTTP:X-Forwarded} !^$
RewriteCond %{HTTP:Client-IP} ^$
RewriteCond %{HTTP:Forwarded-For} ^$
RewriteCond %{HTTP:X-Forwarded-For} ^$
RewriteRule .* /cgi-local/not_allowed.pl [L]
Now the problem is that trolls are STILL coming through. I tracked those IPs and matched a couple of them as "Elite Proxies" (http://www.samair.ru/proxy/). Elite Proxy -> HTTP Servers of this type do not send HTTP_X_FORWARDED_FOR, HTTP_VIA and HTTP_PROXY_CONNECTION variables. Host doesn't even know you are using proxy server and of course it doesn't know your IP address.
Now the question is how to get these Elite Proxies filtered out? Another thing that I want to ask is that when I used these Elite Proxies myself to access Yahoo or Google, they immediately tracked it and gave the error "405 - Resource Not Allowed". It means that there is some way to detect it or it's because of https? If SSL can deal with this issue I am ready to go for it but just need to confirm or alternative solution to it before I make my move.
Thanks for any help.
Sara.
| |
| Randal L. Schwartz 2005-11-03, 3:55 am |
| >>>>> "Sara" == Sara <sara.samsara@gmail.com> writes:
Sara> I have been running a public forum (no registration required)
Sara> with over 50,000 visits per day.
There's your mistake. Looks like you'll have to implement a
round-trip registration. Of course, if your site is highly visible,
expect *that* to be automated and worked around.
There is no "ultimate" solution. Only a series of solutions depending
on your willingness to spend money to keep the bad guys out.
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
| |
| Ing. Branislav Gerzo 2005-11-03, 7:55 am |
| Sara [S], on Wednesday, November 2, 2005 at 10:09 (+0500) typed the
following:
S> Now the question is how to get these Elite Proxies filtered
S> out? Another thing that I want to ask is that when I used these
You must have a list of elite proxies to filter them out. For example
in a DB, look for it, and if it is in the DB, access denied.
I can provide such a list (with all proxies, not only high-anonymity),
far far ago I coded www.proxy-web.com
I use perl proxy checker (my own script, not best, it checks proxies
in only 1 thread :), and have around 100.000 known proxies IP...
--
How do you protect mail on web? I use http://www.2pu.net
["I stopped that slapshot,", Tom said puckishly.]
| |
| Lukas Fragodt 2005-11-03, 6:55 pm |
| Sara wrote:
>I have been running a public forum (no registration required) with over 50,000 visits per day. Lot of Trolls and bad / advertising posts etc from other sites and individuals.
>
>
If you must allow "anonymous" posting, consider adding a feature
allowing you to selectively disable anonymous posting based on IP address.
>Now the problem is that Trolls are STILL coming through, I track those IPs and matched a couple of those as "Elite Proxies" (http://www.samair.ru/proxy/). Elite Proxy -> HTTP Servers of this type do not send HTTP_X_FORWARDED_FOR, HTTP_VIA and HTTP_PROXY_CONNECTION variables. Host doesn't even know you are using proxy server and of course it doesn't know your IP address.
>
>
Slashdot seems to check for proxies by requesting, through the proxy, a
file on their own server. That may work for you.
We use tracking cookies to identify unique computers behind proxies. We
can link anonymous posts and multiple registered accounts to the same
computer or set of computers regardless of what IP address is being used.
We can ban based on the unique identifier in the cookie.
Obviously, more tech savvy trolls can easily get around this by deleting
the cookies between posts, but a lot of trolls give up after multiple
attempts to use proxies fail.
HTH
Lukas
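
The tracking-cookie ban described in the reply above, as an added Perl example that is not code from any poster in this thread. The cookie name, the secret, the in-memory ban list and the use of /dev/urandom are assumptions; signing the identifier with an HMAC is a design choice of this example so that a client cannot submit an identifier the server never issued.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumed placeholders; a real forum loads these from config and its ban database.
my $SECRET      = 'replace-with-a-long-random-secret';
my $COOKIE_NAME = 'forum_tid';
my %banned_tid  = ('3f9c2a7e5b1d4e60' => 1);    # constructed sample id

# 64-bit random identifier as hex (assumes a Unix host with /dev/urandom).
sub new_tid {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, 8) == 8 or die "short read from urandom";
    return unpack 'H*', $bytes;
}

# Cookie value is "id.hmac", so a client cannot invent or alter an id.
sub sign_tid {
    my ($tid) = @_;
    return $tid . '.' . hmac_sha256_hex($tid, $SECRET);
}

# Return the verified id from a Cookie header, or undef if absent or forged.
sub verified_tid {
    my ($header) = @_;
    for my $pair (split /;\s*/, $header // '') {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $value && $name eq $COOKIE_NAME;
        my ($tid, $mac) = $value =~ /\A([0-9a-f]{16})\.([0-9a-f]{64})\z/ or return;
        return $mac eq hmac_sha256_hex($tid, $SECRET) ? $tid : undef;
    }
    return;
}

# Verdict for a posting request, plus a new cookie value when one is needed.
sub check_post {
    my (%env) = @_;
    my $tid = verified_tid($env{HTTP_COOKIE});
    return ('deny', undef) if defined $tid && $banned_tid{$tid};
    return ('allow', defined $tid ? undef : sign_tid(new_tid()));
}

# Constructed requests: banned client on a new IP, forged cookie, new client.
my $banned = "$COOKIE_NAME=" . sign_tid('3f9c2a7e5b1d4e60');
my $forged = "$COOKIE_NAME=3f9c2a7e5b1d4e60." . ('0' x 64);
for my $c ($banned, $forged, undef) {
    my ($verdict, $set) = check_post(HTTP_COOKIE => $c);
    print $verdict, ($set ? ", Set-Cookie: $COOKIE_NAME=$set" : ''), "\n";
}
```

The decision never looks at REMOTE_ADDR, which is why a banned identifier is still denied when it arrives from a new proxy address; a client that deletes the cookie is simply issued a fresh identifier, the limitation the reply already points out.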