HTML Logo by World Wide Web Consortium (www.w3.org). Click to learn more about our commitment to accessibility and standards.

Moving forward with Composr

ocPortal has been relaunched as Composr CMS, which is now in beta. ocPortal 9 will be superseded by Composr 10.

Head over to compo.sr for our new site, and to our migration roadmap. Existing ocPortal member accounts have been mirrored.


IP address getting through IP ban

Login / Search

 [ Join | More ]
 Add topic 
Posted
Rating:
#85029 (In Topic #17506)
Avatar

Community saint

I've come across a guest entry in the "Users online" list that has been busy scrapping my site for many hours. I've banned the IP but it never stopped it. I've installed the spam mod, but realized it won't touch a guest (or am I wrong?).

Now here is a very strange thing. Since I couldn't stop it at the software level, I've banned the IP at the server level, but that is not working either. I've also put in a request with my host to see if they can stop it.

The IP has hit the spammer db pretty hard lately at Stop Forum Spam - IP Check - 192.162.19.183 with 3614 entries.


Steve
Back to the top
 
Posted
Rating:
#85030
Avatar

Community saint

I've had to put my site in closed mode to keep this "thing" from stealing all my content.

Steve
Back to the top
 
Posted
Rating:
#85031
Avatar

Community saint

I was hoping for something at their hardware level.  ;)

My host's response…
Hello Steve,

I have placed a Block on that Ip inside you .htaccess file. This should block this Ip from accessing your content.

If the IP is still coming through, please let us know.

Thanks!
This was useless! As soon as I opened my site it was right back at it. This thing is just not giving up.  :@

Anyone with suggestions?

Steve
Back to the top
 
Posted
Rating:
#85032
Avatar

Community saint

Is it possible to spoof an IP like that so it can't be banned?

Steve
Back to the top
 
Posted
Rating:
#85033
Avatar

Community saint

You might want to consider using CloudFlare. You could block the IP at CloudFlare which should prevent the IP from ever hitting your server.

I've noticed oddities from some addresses banned in .htaccess – it appears that they are allowed to load a second URL before they are stopped. Maybe it is just my misreading of the situation; I'd need to go through my logs more thoroughly to determine anything more.

Bob
Back to the top
 
Posted
Rating:
#85040
Avatar

It'll probably be a behind-proxy IP probably. We're moving away from recognising them given they present real confusion and that the world is moving to proxyless ip6. If you want to remove the support from ocPortal a quick fudge is to edit sources/support.php, add this line:

Code

$_SERVER['HTTP_X_FORWARDED_FOR']='';
under:

Code

function init__support()
{

After that you should see the "true" IPs (although the trade off is then you'll be seeing the IPs of proxy servers).

The raw Apache logs probably also have the true IP.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
Back to the top
 
Posted
Item has a rating of 5 (Liked by Fletch)  
Rating:
#85055
Avatar

Community saint

Thanks, Chris. I've made that change but unfortunately it didn't help - the same IP is showing. I'll leave the change in place for now.

My host has escalated this problem to the next level to see what they can do. Hopefully they can figure out a way to stop it since it has the potential to affect all sites on their servers.

My site's been closed now for 9 hours, but this thing is still knocking on my door, but at least it's not able to scrape content. I've set all my usergroups to allow access while the site is closed so my members can get in, and it appears potential members can still join. :thumbs:

I keep thinking I'll wake up and find this has all been just a bad dream.  :dry:

Thanks again, Chris. You've done more than I was honestly expecting since this wasn't a bug.

I'll report any updates as I get them so anyone else who runs into this situation can have a good starting point.

Steve
Back to the top
 
Posted
Rating:
#85057
Avatar

I'd just reiterate the advice of looking in the Apache access log for the IP, to double check it is the same IP. Even if it's not an ocPortal bug, I wouldn't necessarily put 100% trust in the data at the PHP level when making config at the Apache level.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
Back to the top
 
1 guests and 0 members have just viewed this: None
Control functions:

Quick reply   Contract

Your name:
Your message: