IP Bans?

a_5mith

@SomethingAcacia

Do this at a server level, not software, having the software do it uses unnecessary resources from the server before removing them! doing it at a server level will ensure they don't even get proxied into nodebb before being 403'd.

In nginx, add the following to your nginx block

deny <IP address>

In apache

order allow,deny
deny from <IP address>
allow from all

Replacing `<IP address> with the IP address you wish to block. However do bear in mind that IP addresses are exceptionally easy to change. Usually just by turning the router off for a few minutes or using a free VPN etc. so it's not 100% effective.

julian

This seems pretty interesting too, @a_5mith: https://github.com/perusio/nginx-spamhaus-drop

While I'm definitely in favour of having the proxy layer handle this, some of our users run NodeBB naked, so might benefit from having this option in ACP anyhow.

... with plenty of warning to use a proxy layer, of course

a_5mith

@julian Including the port number? Interesting. That does look quite interesting, I'd never heard of Spamhaus Drop.

Sounded very close to Jailhouse Rock

Tanner

Perhaps banning ip's should be added to the guides at docs.nodebb.org, since it doesn't appear that there are any guidelines elsewhere except for this thread.

scottalanmiller

Even running NodeBB naked, you could just handle this at the OS firewall layer.

julian

@scottalanmiller said:

Even running NodeBB naked, you could just handle this at the OS firewall layer.

From an admin empowerment point of view, I can see the appeal of having it built into core (or via plugin), however.

a_5mith

@julian I wouldn't want to give people a false sense of hope that banning the IP will solve the Admins problem. It won't. It would be more beneficial to be able to completely hide a user so their posts can't be read. So only Admins and Mods can see their posts, and delete if necessary. Banning an IP is a poor solution that doesn't work. I can change my IP within about 18 seconds. So that wouldn't stop anyone who was determined to be "a troll" for lack of a better term. If they think they're being ignored. They go away. Win Win.

Perhaps if they're on some form of hellban list, forbid them from making new accounts with some false error of "you already have an account here". But if the IP changed, none of that would work either way. The worst thing you can do is tell someone they're banned, for some reason it makes them want to join more.

julian

Heh heh, I wonder how much work needs to go in to make a hellbanning plugin... and who my first victim would be :rage2:

a_5mith

@julian We should pick a random active user like @tanner and see how long it takes for him to notice.

Also, holy ****, I went to tag tanner and look what came up... @Community-Representatives

Oh, it didn't work though.

Tanner

Someone said my name? The sloth abides.

Edit: oh, don't ban me please :3

a_5mith

@Tanner Well that's blown the whole thing. Note to self, mentions are the worlds largest snitch.

julian

mentions + pushbullet = you're everywhere, all the time.

scottalanmiller

@julian said:

@scottalanmiller said:

Even running NodeBB naked, you could just handle this at the OS firewall layer.

From an admin empowerment point of view, I can see the appeal of having it built into core (or via plugin), however.

Yes, would be handy. Just thinking that there is a solution today as well. Overall I agree, a plugin would be best.