IP address banning?

megananne7

I am a moderator for a forum which just installed Vanilla, so we are all learning our way around. We understand how to ban usernames, but the Admins seem to not be able to find a way to ban someone using the IP address. It is very important we find a way to do this because we are a website designed for teenage girls and often have a pedophile or two find the site. We would be greatful if someone could point out if (and how) to ban using IP addresses, so these offenders cannot simply sign up for another account. Thanks!

Bergamot

I think you can do it with htaccess editing, but yeah I agree it would be nice to have this built into vanilla as an extension.

ithcy

in my experience, ip banning never works out very well. it blocks legitimate users who happen to be on the same proxy (on larger ISPs this can be hundreds of thousands or even millions of users), and doesn't block people who have dynamic IPs or are smart enough to use anonymous proxies.

maybe a feature like this would be useful: when a user applies for membership, along with the application form, the admin would receive notification if this application is coming from an IP that has been used by a banned account in the past.

also on a site such as yours a "report this comment to a moderator" function might help.

megananne7

in my experience, ip banning never works out very well. it blocks legitimate users who happen to be on the same proxy (on larger ISPs this can be hundreds of thousands or even millions of users), and doesn't block people who have dynamic IPs or are smart enough to use anonymous proxies.

We understand that and have that happened before. However, we have one particular person coming back over and over again and it's getting quite irritating. They are not using a popular/well known ISP, so if it ends up blocking a couple people, we would rather have that happen, then have a possible pedophile roaming on the message board.

ithcy

oh. well in that case, do what bergamot said. edit the file .htaccess in the root web folder for your site, and add this:

Order allow,deny Deny from 111.222.333.444 <-- replace this with whatever Allow from all

if you don't have a .htaccess file there, just create a plain text file, paste that in, and upload it. sooner or later someone will make a vanilla extension.

Bergamot

Rather than banning an IP outright, though, it might be nice to be able to get notification if someone creates a new account that shares an IP with someone in the "Banned" role.

ithcy

i thought i said that already

WallPhone

I don't remember where this idea came from, but one board 'banned' users by hiding all posts until a moderator approved them--to everyone but the person banned. Think of it as an automatic whisper to self. If appropriate, the moderator makes the post visible to the other members, otherwise the person banned thinks he is just being ignored. This would only work in an closed forum--otherwise he could log out and see that something is amiss.

lech

Placing an ip block at the htaccess level, while it is a bit nasty, works. Until there's a sure-fire work around for this I can't see any other way to do it unless you can ban via IP from within vanilla itself, which then would require some overhead upon each load as it runs through it's list of banned addresses. For now, enabling the recording of IP addresses to the forum seems to be your best option to see if the idiots venturing into your forum are on a static or dynamic IP. Then again this would only be extremely useful if that person was on a static IP and you could nail them each and every time. But like mentioned above, if that person is on a dynamic address, you're likely to block out legitimate users who just happen to be on their netblock. If it is such a problem, and it's a teen girl site, and there are actual pedo's venturing in, it's a perfect honeypot for law enforcement if you want to go that route. Providing your users are forced to sign up and click through the terms and agreement alerting them of the possible fact, it's a perfect tool to jail some of these bastards :D

giginger

@WallPhone: That's a pretty good idea. Moderator work intensive on a large site but I really like that idea.

DigitaLink

Wouldn't there be a way to do it with a cookie? Granted, if they're smart enough to block or delete cookies regularly, it isn't foolproof, but it's another option. Set it to something like 'banner' instead of 'banned' so even if they look, it looks like an advertising thing. Sadly tech can't keep all the bad guys away all the time just yet. Other question I'd have is have you discussed this matter with the police? If there's a pedophile KNOWN to frequent this site for targets, the police would most likely be thrilled to try to catch him. Wouldn't be the first or last time police set up traps in a chatroom to nab a ped. And if you have server logs where his IP can be tracked back to him through his ISP, that would come in handy too. You as a webmaster can't get info from his ISP, but the police can if it comes down to that.

Wanderer

Quote: ithcy
Order allow,deny
Deny from 111.222.333.444 <-- replace this with whatever
Allow from all <img src="http://www.debono.com.au/forum/pics/quote2.gif" alt="pic" border="0"/>

I have a particularly stubborn spambot that comes from ip address: 60.230.139.189
I put this into my .htaccess file as mentioned above but they still get in.
Is there a secret?

I really want to allow guests to post but this bot is really persistent and the links posted are very unsavoury.

Posted: Wednesday, 14 March 2007 at 1:53PM (AEDT)

Mark

Well, this type of extension should be really really easy to program.

1. Create a new admin screen to manage banned IPs.
2. Also add a link on each of the comments to "ban this IP".
3. Have your extension check the banned list and then attach to the delegates when adding a comment or starting a discussion to throw the error.

You could also have your error message explain that the IP has been banned and have them contact an administrator to unban their account despite the IP blockage. Then add a link to the account page that says something like "Allow Access Despite IP Banning" - and make your IP check also check the UserID to let those users pass through.

Wanderer

"Really easy to program" Yeah right but not for this little black duck!

The problem is that the Guest Posting extension uses a guest account which needs to be set up.

The password is hidden from the visiting poster, in fact the whole thing is transparent to the visitor.

So I can't ban the guest account as that would ban all visitors from posting.

I thought the .htaccess method would work, I'll investigate further.

Posted: Wednesday, 14 March 2007 at 2:11PM (AEDT)

Mark

It could also be that your .htaccess files are disallowed on your server (so the ip ban isn't taking effect).
But if you are using one for friendly urls, then that is not the case.

Wanderer

Silly me didn't realise my host offers an interface for banning by ip.
I used it and this got written to the .htaccess file...

<Limit GET> order deny,allow </Limit> Allow From all Deny From 60.230.139.189

Posted: Wednesday, 14 March 2007 at 2:25PM (AEDT)

Dinoboff

That doesn't look right.

Why the order line is alone inside the limit element and why just limit it to the get request, or why just change the order for the get request?
And as it is, you first deny the guy them allow everybody (so you allow the guy again). The order should be the opposite: you allow everybody then deny some ip.

Dinoboff

(and where is bergamot?)

Wanderer

Actually, the tool overwrote the above with simply...

Deny From 60.230.139.189

Posted: Wednesday, 14 March 2007 at 3:13PM (AEDT)

Wanderer

Bastard still got in.

Now trying...
<Limit GET> order allow,deny allow from all deny from 60.230.139.189 </Limit>

Posted: Wednesday, 14 March 2007 at 5:47PM (AEDT)

Mark

I haven't tried it, but isn't there a captcha extension available?
That might be the answer you are looking for.