[aur-dev] [PATCH] Add an IP ban list

Lukas Fleischer archlinux at cryptocrack.de
Wed Mar 20 19:11:08 EDT 2013


On Wed, Mar 20, 2013 at 09:54:58PM +0000, Xyne wrote:
> On 2013-03-19 22:42 +0100
> Lukas Fleischer wrote:
> 
> >On Tue, Mar 19, 2013 at 05:12:23PM -0400, canyonknight wrote:
> >> On Tue, Mar 19, 2013 at 9:23 AM, Lukas Fleischer
> >> <archlinux at cryptocrack.de> wrote:
> >> > This allows for specifying a list of IP addresses that will no longer be
> >> > able to register new accounts and log in. The list of banned IP addresses
> >> > can be configured in "web/lib/config.inc.php".
> >> >
> >> > Signed-off-by: Lukas Fleischer <archlinux at cryptocrack.de>
> >> > ---
> >> 
> >> What are your thoughts on taking this a step further and adding a
> >> "bans" table to the DB schema? It could eventually be extended to
> >> allow for TUs and Developers to ban IP addresses directly from the web
> >> interface without ever having to muck around with the config file.
> >
> >Exactly what I was planning to do.
> >
> >We should also display each user's last login IP address in his profile
> >(only visible to developers and TUs) and add a "Ban this IP address"
> >button next to it. The "Save last login IP address" patch I submitted
> >already adds the IP address to the Users table.
> 
> Do the IPs need to be visible? In the case of a single IP a simple ban button
> will suffice. A proxied IP will be completely different every time so
> subsequent addresses are unrelated. That only leaves netmasked dynamic IPs. It
> would be enough to have an interface button connected to a query that returns
> all users with an IP in the netmasked range (/24?). You could even
> automatically flag user accounts that share a range with banned IPs, again
> without divulging the IP address.

This is not the whole truth. To stop the latest spam attack, we had a
look at the web server logs, noticed that the spammer was using Tor,
generated a list of Tor exit nodes and added that to the IP ban list.
How would you do that without seeing any IP addresses? How would you
figure out if a spammer is just controlling 4-5 small subnets or using
proxies at all?

If you feel strongly about not showing IP addresses, we could hide IP
addresses for TUs and only show them to the AUR administrator(s) who can
skim through the logs anyway.

> 
> >Oh, and we might want to exclude TUs and developers from IP bans.
> 
> I haven't tried it, but can't TUs disable each other's TU status? The exclusion
> would be trivial if so.

Yes, they can. I did not mean to allege anything here -- I just wanted
to make sure that banning a range of IP addresses doesn't
(unintentionally) block any Trusted Users or developers.
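
Added example, not part of the original message or the AUR code base: a Python sketch of the checks discussed in this thread, covering a ban list with single addresses and CIDR ranges, the exemption for Trusted Users and developers, and a query for accounts that share a range with a banned IP that returns usernames only. The account type labels, user records, function names and the /64 prefix for IPv6 are assumptions; all addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample data using documentation address ranges, not real hosts.
BAN_LIST = ["192.0.2.17", "198.51.100.0/24", "2001:db8:bad::/48"]
USERS = {  # username -> (account type, last login IP); all hypothetical
    "alice": ("User", "192.0.2.200"),
    "bob": ("User", "203.0.113.5"),
    "carol": ("Trusted User", "198.51.100.9"),
}
EXEMPT_TYPES = {"Trusted User", "Developer"}  # assumed account type labels
RANGE_PREFIX = {4: 24, 6: 64}  # /24 from the thread; /64 for IPv6 is an assumption


def parse_ban_list(entries):
    """Accept single addresses and CIDR ranges alike."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def normalize(remote_addr):
    """Parse an address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(remote_addr)
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped or addr


def is_banned(remote_addr, networks, account_type="User"):
    """True if the address is in a banned range and the account is not exempt."""
    if account_type in EXEMPT_TYPES:
        return False
    addr = normalize(remote_addr)
    return any(n.version == addr.version and addr in n for n in networks)


def accounts_sharing_range(users, networks):
    """Names of non-exempt accounts whose last login shares a range with a ban.

    Only usernames are returned, so reviewers never see the addresses."""
    flagged = []
    for name, (account_type, ip) in users.items():
        addr = normalize(ip)
        around = ipaddress.ip_network(f"{addr}/{RANGE_PREFIX[addr.version]}", strict=False)
        if account_type not in EXEMPT_TYPES and any(
            n.version == around.version and n.overlaps(around) for n in networks
        ):
            flagged.append(name)
    return sorted(flagged)
```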

