
CIDR notation or wildcards in Banning control panel for IPs?

LeeH
edited September 2012 in Vanilla 2.0 - 2.8

In order to ban multiple IP addresses in the same netblock, is it appropriate to use CIDR notation, or to try to fudge it with wildcards? I've got several /22s that I want to stop from registering accounts due to repeated abuse, and while it looks like I can easily approximate banning a /24 by using x.x.x.* as the IP address, I'm having trouble making Vanilla accept x.x.y.z/22, which is what I really want to do.

Is this possible or planned, or do we need to make do with standard wildcards? Alternately, do ranged inputs (like x.x.x-y.*) work?

Comments

  • peregrine MVP
    edited September 2012

    Does it even work with wildcards? I didn't think it did.

    Why don't you just throw a CIDR block in your .htaccess?

    Maybe you could roll your own if it isn't there.

    http://php.net/manual/en/function.ip2long.php

    http://stackoverflow.com/questions/594112/matching-an-ip-to-a-cidr-mask-in-php5

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • It does appear to work, at least with 2.1—entering a spammy IP address range with wildcards does show >1 banned account matches (screenshot), so Vanilla is at least smart enough to understand it.

    Blocking access at the web server level is less than optimal because then I'm the only person who can manage IP-based blocks—my moderators don't have shell access to the web server.

    Plus, I use nginx, which ignores .htaccess files in the first place :) Still, even with Apache, I'm not a fan of using .htaccess files for anything. They are less efficient than central configuration management because their presence sets off a flurry of extra file system IO for every read the web server has to perform (for more on the topic, see this). As with many other config details, it's the kind of thing that doesn't make much of a difference for a small site, but can spiral into significant overheads as loads increase.

    The most efficient way to implement IP based blocking outside of the forum software would be to toss it in at the firewall layer—that way, you're not bothering the web server at all. I can certainly do this if there's no way to match CIDR in Vanilla, but coming back to the original point, it would be better if the functionality were available within Vanilla so that the mod squad can handle it :)

  • You have a good idea - hope it gets implemented.

    Good to know at least wildcards work in 2.1.

    But if CIDR was implemented it would be a better solution.

    Does netmasking work?

    224.168.10.0/255.255.255.0

    224.168.10.0/0.255.255.255

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
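
The matching the thread asks about, as an added example that is not part of any post above and is not Vanilla's own ban code: one PHP matcher for trailing wildcards, CIDR prefixes and dotted netmasks, built on `ip2long`. The function names `parseBanRule` and `ipMatchesRule` are hypothetical, and the code assumes IPv4 addresses and 64-bit PHP 7.1 or later.

```php
<?php
// Added example: hypothetical helpers, not Vanilla's ban code. IPv4 only; assumes 64-bit PHP 7.1+.

/** Parse "a.b.c.d", "a.b.c.*", "a.b.c.d/22" or "a.b.c.d/255.255.252.0" into [network, mask]. */
function parseBanRule(string $rule): ?array
{
    $rule = trim($rule);
    $mask = null;
    if (strpos($rule, '/') !== false) {
        [$base, $suffix] = explode('/', $rule, 2);
        if (preg_match('/^\d{1,2}$/', $suffix)) {
            $bits = (int) $suffix;                      // CIDR prefix length
        } else {
            $mask = ip2long($suffix);                   // dotted netmask
            if ($mask === false) return null;
            $inv = ~$mask & 0xFFFFFFFF;
            if (($inv & ($inv + 1)) !== 0) return null; // reject non-contiguous masks
        }
    } else {
        $octets = explode('.', $rule);
        if (count($octets) !== 4) return null;
        $bits = 32;
        for ($i = 3; $i >= 0 && $octets[$i] === '*'; $i--) {
            $octets[$i] = '0';                          // each trailing * drops 8 prefix bits
            $bits -= 8;
        }
        $base = implode('.', $octets);
    }
    if ($mask === null) {
        if ($bits > 32) return null;
        $mask = (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    }
    $net = ip2long($base);
    return $net === false ? null : [$net & $mask, $mask];
}

function ipMatchesRule(string $ip, string $rule): bool
{
    $addr = ip2long($ip);
    $parsed = parseBanRule($rule);
    if ($addr === false || $parsed === null) return false; // unparseable input never matches
    return ($addr & $parsed[1]) === $parsed[0];
}

// Constructed sample checks: documentation ranges, plus the two masks quoted in the thread.
foreach ([['198.51.101.7', '198.51.100.0/22'], ['198.51.101.7', '198.51.100.*'],
          ['198.51.104.1', '198.51.100.0/22'], ['224.168.10.99', '224.168.10.0/255.255.255.0'],
          ['224.168.10.99', '224.168.10.0/0.255.255.255']] as [$ip, $rule]) {
    printf("%-14s %-27s %s\n", $ip, $rule, ipMatchesRule($ip, $rule) ? 'match' : 'no match');
}
```

A rule that fails to parse never matches, so a mistyped mask cannot silently ban a wider range than the moderator intended.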
