Danbooru

Reworking IP bans

Posted under General

Right now IP bans are implemented through iptables, which necessitates me having to log into every server every time a new ban is needed.

I'm thinking of moving the IP ban into the application itself. There would be a list of banned IPs that would be maintained by the admins. The only time this list would be checked is when a new account is created. Banned IPs cannot create a new account, and therefore would not be able to change any content.

I'm not sure if this is sufficient or whether additional checks are needed.

Updated by Action Kamen

The one potential drawback I can see here is what happens if the IP blockee stockpiles a bunch of sockpuppet accounts before they are banned?

Those accounts would already exist and not be blocked immediately as they would be with a blanket server-based solution. Maybe check on log-in as well?

Does "by the admins" mean I'd have the ability too?

If you would prefer to keep that exclusively under your control, I completely understand, as I'm sure there are multiple good reasons for doing so. Just seeking clarification is all.

Shinjidude said:
The one potential drawback I can see here is what happens if the IP blockee stockpiles a bunch of sockpuppet accounts before they are banned?

Is it feasible to limit to one account per IP, with exceptions made on request, or only allowed at certain user levels? I can't think of many reasons why a higher level user would want to, and zero reasons why a lower level user would want to - indeed they're explicitly forbidden to.

If IP bans are part of the software, you may also want to add support for an actual permanent ban (as opposed to the current solution of >1000 year blocks), which would allow you to auto-ban any IP that tried to log into a perm-banned account.

Shinjidude said:
Heck Wikipedia found out after dishing out an IP ban that basically the entire country of Qatar shares a single IP address.

I laughed hard. Someone needs to call up the UN to airdrop some Cisco certs over there ASAP.

glasnost said:
If IP bans are part of the software, you may also want to add support for an actual permanent ban (as opposed to the current solution of >1000 year blocks), which would allow you to auto-ban any IP that tried to log into a perm-banned account.

This would certainly be more convenient.

Shinjidude said:
The one potential drawback I can see here is what happens if the IP blockee stockpiles a bunch of sockpuppet accounts before they are banned?

It's a moot point, since anybody that determined to cause trouble could just as easily create new accounts using proxies. This system should be good enough to stop casual troublemakers, which is the most you can really hope for.

Fred1515 said:
Not to mention dynamic IP users like me who change their IP ten times a day.

This.

I always get nervous when IP bans are hurled around, because the last thing I want is to get caught in the crossfire.

Soljashy said:
This.
I always get nervous when IP bans are hurled around, because the last thing I want is to get caught in the crossfire.

While it's a potential problem, it's not reason enough to give up on IP banning, which can be the only tool available in some cases.

Autobanning new IPs is dangerous too in the case that regular members share an IP-banned member's ISP and dynamic IPs are implemented. As Soljashy notes, benign members will get "caught in the crossfire". If we do auto IP banning of any sort it should be of a short duration.

evazion said:
It's a moot point, since anybody that determined to cause trouble could just as easily create new accounts using proxies.

I would expect that we would IP ban most known public proxies anyway for this reason. Stockpiling accounts is something I'm pretty sure we've seen in the past, and it doesn't take much effort or forethought if someone is intentionally trying to wreak havoc.

This is another reason we should look into more smarts built into the system. As far as reworking the current system goes, I wouldn't touch it. The iptables-based solution is still the most robust, as far as IP blocks go. I'd rather propose making a function which'd call out to a small script that adds an IP to the iptables, accessible for admins only. That'd give the extra bang without weakening the filters.

Shinjidude said:
I would expect that we would IP ban most known public proxies anyway for this reason.

We probably should, but to be fair I'll point out that there are legitimate reasons to use a proxy: you may need to get around an internet filter, or maybe you're just paranoid and don't want Danbooru logging your IP.

Stockpiling accounts is something I'm pretty sure we've seen in the past, and it doesn't take much effort or forethought if someone is intentionally trying to wreak havoc.

The problem is that your suggestion for preventing this (doing the check on initial login) isn't possible due to the way Danbooru's authentication works. The check would have to be performed on every request instead. I think the reason albert wants to only do the check on account creation is to avoid this per-request overhead.

Ah, I didn't know there was a way to bypass the initial login (without having cookies set, which would ostensibly be wiped after the person was banned the first time). Checking a user's IP on every request against a table of banned IPs would be quite unreasonable.
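The thread sketches an application-level ban list checked at account creation (albert's proposal), a second check at login (Shinjidude), an automatic short-lived IP ban when someone logs into a permanently banned account (glasnost's idea, with the short duration the later reply asks for), and a worry that per-request lookups would be too expensive. The following Ruby is an added example written for this thread; it is not Danbooru's own code and the names IpBanList, AccountGate and Account are invented for illustration. It keeps single-address bans in a hash (constant-time lookup) and only scans a short list for CIDR ranges, so the cost of a check stays small even if it were run more often than at signup. All addresses used are constructed from the documentation ranges (TEST-NET), not real bans.

```ruby
require "ipaddr"
require "time"

# Added example (not Danbooru's code): an in-memory IP ban list that can be
# consulted at signup and at login. Entries are single addresses or CIDR
# ranges and may carry an expiry so that automatic bans stay short-lived.
class IpBanList
  Ban = Struct.new(:range, :reason, :expires_at)

  # `now` is injectable so expiry can be tested with a fake clock.
  def initialize(now: -> { Time.now })
    @now = now
    @exact = {}   # "203.0.113.7" => Ban; O(1) hash lookup for single hosts
    @ranges = []  # CIDR bans; scanned linearly, expected to be a short list
  end

  # duration is in seconds; nil means a permanent ban.
  def add(cidr, reason:, duration: nil)
    addr = IPAddr.new(cidr)
    expires = duration ? @now.call + duration : nil
    ban = Ban.new(addr, reason, expires)
    range = addr.to_range
    if range.begin == range.end
      @exact[addr.to_s] = ban
    else
      @ranges << ban
    end
    ban
  end

  def banned?(ip)
    !lookup(ip).nil?
  end

  # Returns the matching Ban (exact host first, then CIDR ranges) or nil.
  def lookup(ip)
    addr = IPAddr.new(ip)
    purge_expired
    @exact[addr.to_s] || @ranges.find { |b| b.range.include?(addr) }
  end

  def size
    @exact.size + @ranges.size
  end

  private

  # Drop bans whose expiry has passed; permanent bans have no expiry.
  def purge_expired
    t = @now.call
    @exact.delete_if { |_, b| b.expires_at && b.expires_at <= t }
    @ranges.delete_if { |b| b.expires_at && b.expires_at <= t }
  end
end

# Minimal stand-in for a user record (hypothetical, for the example only).
class Account
  attr_reader :name, :permanently_banned

  def initialize(name, permanently_banned: false)
    @name = name
    @permanently_banned = permanently_banned
  end
end

# Glue between the ban list and the two places the thread wants checks.
class AccountGate
  # Auto-bans are deliberately short so shared or dynamic IPs recover quickly.
  AUTO_BAN_DURATION = 24 * 60 * 60 # one day, in seconds

  def initialize(ban_list)
    @bans = ban_list
  end

  # Signup check: a banned IP may not create a new account at all.
  def signup_allowed?(ip)
    !@bans.banned?(ip)
  end

  # Login check. A login attempt on a permanently banned account triggers a
  # short automatic ban of the source IP instead of a permanent one.
  def login(account, ip)
    return :ip_banned if @bans.banned?(ip)

    if account.permanently_banned
      @bans.add(ip, reason: "login to perm-banned account #{account.name}",
                    duration: AUTO_BAN_DURATION)
      return :account_banned
    end
    :ok
  end
end

if $PROGRAM_NAME == __FILE__
  bans = IpBanList.new
  bans.add("203.0.113.0/24", reason: "constructed example range")
  gate = AccountGate.new(bans)
  puts "signup from 203.0.113.9 allowed? #{gate.signup_allowed?('203.0.113.9')}"
end
```

The split between an exact-host hash and a range list is the design choice worth noting: with most bans being single addresses, the hash answers almost every query in constant time, and the range list only has to stay short. A real deployment would persist the entries (the thread mentions a database-backed list maintained by admins) and would want an admin-visible reason and expiry per entry, which is why the Ban struct carries both.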

evazion said:
Albert didn't announce it, but I noticed on Trac that this has been implemented.

::looks:: Ah, interesting, it is indeed an option now. I've also been able to see IPs in post comments (nowhere else though) for a day or two now.
