[Resolved] Banning unwanted users with ip address

LordRogaine

I'm using php with mysql. I have a site where I have been banning unwanted users by using their ip address. I have found that an ip address can be used by more than one member. Is there a more efficient way to single out a particular user other than using an ip address?

Thanks in advance!

thorpe

unfortunately that is a limitation of the way the net works.

LordRogaine

Is there some sort of ip address directory that tells you where certain ip addresses are from? The same way a telephone area code would tell you the city or state? The same way (212) is for NYC. I'm being swamped by Nigerian scammers and I want to protect the members of my site by blocking ip addresses from Nigeria.

thorpe

such a db does exist. you'd have to google for it. thing is though... if these guys are doing this on pupose, chances are they are not from where you think they are. they may just be running through proxies.

LordRogaine

I've been looking on the net but can't find anything that really goes into depth about this. Do you know of a good site that will explain all of this to me? I appreciate the help. Thanks.

justsomeone

I've done a bit of work on this lately and have come upwith a solution that's "good enough for me for now".

A simple bit of php did the trick.

Every page request I get, I append the IP address and timestamp to a "watch" file. That's just one extra line of php to every page.

Periodically (every w minutes) I run a little php script (< 30 lines, if I recall correctly) which removes "old" (older than x minutes) records from this file, and looks for ip's which appear in the list more than y times.

Any it finds are stored in an array. Records in a second "abusers" file are then inserted/updated into this array. "Old" array items (older than z minutes) are delete from the array. This array is then saved as the "abusers" file. The IP's in the array are also written to a "deny from" directive in the .htaccess file.

All of the above means that if there are more than x requests from a given IP address in y minutes, then that IP is banned for z minutes.

If someone is hiding behind a proxy server while they abuse my site, then anyone sharing that proxy will also suffer the ban, but as it's not a perma-ban, I regard this as a reasonable level of collateral damage.

Tweaking of values for w,x,y,z allows me to finetune the operation of this "doorman" depending on the needs of the moment, and makes this something which I am happy to work with, and it has seen off at least one abuser for me.

Of course, the abuser will still use some of my resources, the next step would be to use this to update a firewall rather than just a .htaccess. That's on my to-do list.

LordRogaine

thank you for the suggestion, but this would not work with my site. It is impossible to differentiate the difference between the legit users and the scammers. The only way is through the email messages they send to the other members and I am trying to make it so they cannot register or even come onto my site. I have been banning their ip addresses so they will find it an inconvenience to come back onto my site, but they still find ways around it. Guess I'll have to keep looking for new ways to do this. thanks to everyone for trying to help.

b01

Banning by IP is useless when you think about the fact that most net users IPs are dynamic. A simple DHCP renew, and the computer has a new IP.

The best way to ban would be by MAC address, but I'm not sure if you can get that ifo when a user visits your site.

There are isssues with that of course (cloning/faking a MAC address is easy), but its better than using IP.

Come to think of it, I've seen in forums where peoples sigs list your computers info (IP, OS, and other minute details), so there should be an easy way to get enough info from a user, and create some sort of UID (Unique ID), then ban based on the UID you asign to a user.

bretticus

I wrote the following functions awhile back and never got around to testing them in a live environment. Basically, it queries arin to get the netblock, you can ban a whole netblock with these if you want (most of the time a bad idea.) I was uses them for tighter session security. Warning...whois rfc's might have changed since then!

<?PHP

function getRemoteNetworkRange($ip)
{
	define("SEC_WHOIS_SERVER", "whois.arin.net");
	define("SEC_WHOIS_PORT", 43);
	$range = "";
	if(@$sock=fsockopen(SEC_WHOIS_SERVER, SEC_WHOIS_PORT, $errno, $errstr, 30)) {
		if(@fputs ($sock, "$ip\r\n")) {
			while (!feof($sock)) {
				$out .= fgets ($sock, 2048);
			}
			fclose($sock);
		}
	}
	if (strpos($out, "NetRange:") !== false){
		$ipPattern = "/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+\-\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/";
		preg_match($ipPattern, $out, $matches);
		$range = $matches[0];
	} elseif (strpos($out, "CIDR:") !== false) {
		$ipPattern = "/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/*\d*/";
		preg_match($ipPattern, $out, $matches);
		$range = $matches[0];
		//Assume CIDR (Classless Inter-Domain Routing) notation.
		list($network, $cidr) = explode("/", $range);			
		$broadcast = long2ip(ip2long($network) | (~ip2long(cidr2mask($cidr))));
		$range = "$network-$broadcast";
	} else {
		$range = $ip;
	}
	$range  = preg_replace("/[^\d\.\-\/]/", "",$range);
	return $range;
}		

function cidr2mask($mask_bits)
{		
   if($mask_bits > 31 || $mask_bits < 0) return("0.0.0.0");
   $host_bits  = 32-$mask_bits;
   $num_hosts  = pow(2,$host_bits)-1;
   $netmask    = ip2long("255.255.255.255")-$num_hosts;
   return long2ip($netmask);
}

function inIPRange($ip, $range)
{
	$returned = false;
	if(strpos($range, "-") !== false){
		list($network,$broadcast) = explode("-", $range);			
		$longip			= ip2long($ip);
		$longnetwork	= ip2long($network);
		$longbroadcast	= ip2long($broadcast);
		if ($longip > $longnetwork && $longip < $longbroadcast)
			$returned  = true;
	} else {
		if ($ip == $range)
			$returned  = true;
	}
	return $returned;
}	
?>

By the way, this code is not copy and pasteable. The backslashes that should be in the regular expression patterns are stripped from the forum post automatically.

justsomeone

Originally posted by b01
Banning by IP is useless when you think about the fact that most net users IPs are dynamic. A simple DHCP renew, and the computer has a new IP.

That's true.

The best way to ban would be by MAC address, but I'm not sure if you can get that ifo when a user visits your site.

You can't.

There are isssues with that of course (cloning/faking a MAC address is easy), but its better than using IP.

Come to think of it, I've seen in forums where peoples sigs list your computers info (IP, OS, and other minute details), so there should be an easy way to get enough info from a user, and create some sort of UID (Unique ID), then ban based on the UID you asign to a user.

Everything in the request can be faked. Everything. So, you just have to work out what the best solution for you is.

A common route is to use IP addresses, and if there are repeated abuses from IP addresses within an IP block, then ban the block. It's not perfect, but it's fast and easy.

A solution like you suggest is more complex and and adds little value. If an abuser is taking the trouble to send the request from a different IP address each time, then there's no reason to believe that they won't change the headers that identify their OS, browser config etc etc. Also banning based on a combination of these is going to be more computation intensive, requiring that every request be have a UID generated as per the rules and then that UID looked up to see if it is banned. This requires CPU usage and potential database accesses. So, even a banned user gets to steal resources. An IP-based ban on the other hand can be implemented on the firewall, saving your web/database resources for your real customers.

But I'm not saying you're wrong. It's just a matter of solving the right problem. There are doubtless many aplications where a solution like yours is more appropriate than an IP ban. Just as there will be situations where an IP ban is more appropriate.

Picking the right solution for each problem is part of the job.

b01

Yeah, I'm ALL about the FAST N' EASY now. Wasted a lot of time trying to program minute functions to fit my needs. What a waste of time!:o

LordRogaine

Thank you to everyone for your help and thoughts on this. I guess I'll have to try different things until I find what works best. Thanks again everyone.

jonki

Hi LordRogaine
Did you work anything out in the end? I am in need of something similar.
Thanks a lot