-6

I want to ban someone from my website.

So far, here's what I tried:

  • If someone with an IP that contained for example "188.91.1.x" entered my website, I would die() the site.

  • Cookies

The user I am trying to ban went around the above steps I've taken.

There are public chatrooms on my website and I want to keep him out of it.

How would you guys keep this person banned?

Any way to get any other unique ID specific to the user's machine, or even browser?

Ps:

  • I can't ban by login name (tried it, he keeps creating a new account)

  • I can't white list, kind of for the same reason as the above.

Edit:

I found this code and it works when testing with HideMyAss.com

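<?php
// Try to open a TCP connection back to the visitor's address on port 80.
// The visitor is blocked whenever that connection succeeds within 1 second.
// Arguments: host, port, error code, error message, timeout in seconds.
if( @fsockopen( $_SERVER['REMOTE_ADDR'], 80, $errno, $errstr, 1 ) )
{
    die("I'm not letting you in");
}
else
{
?>
Hello normal user, thanks for not trying to use a proxy
<?php
}
?>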

Anything that could go wrong with it (even if just to try it out in production)?

Well, the fsockopen way seems to be only for web-based proxies (which is perfect as I believe he's using it). I will first count how many visitors I get which trigger the fsockopen code I've pasted in my post and see if appropriate for me to use as a next step towards success of banning that person.

Dan P.
  • Whitelist, not blacklist. – Mark Oct 01 '13 at 09:59
  • 2
    http://stackoverflow.com/questions/19082152/unique-id-for-a-device-with-php/19082219 – Adam Zielinski Oct 01 '13 at 09:59
  • don't use IP based security. It isn't secure. That's it – hek2mgl Oct 01 '13 at 10:00
  • 1
    Ban by login name, not IP – Alma Do Oct 01 '13 at 10:00
  • People can change username, and use new emails to sign up with. @Adam - that's a question targeted to mobile devices. – Dan P. Oct 01 '13 at 10:00
  • I hate these kind of people. I would look into examining the request headers for signs that the user is connecting through a proxy. Maybe ServerFault would be a good place to post this as well – CurlyPaul Oct 01 '13 at 10:01
  • You block any IP containing "188.91"? That's a couple 10k potential visitors. – user247702 Oct 01 '13 at 10:01
  • Actually I added a number like "188.91.1", because the ending numbers were changing every now and then. With the above however it would always get him. – Dan P. Oct 01 '13 at 10:03
  • 3
    @DanyP it is not they don't have the issue, it is the fact your question is very vague and you need to give an example of what you have tried so far, I know you have in your edit but you didn't on your original post. – AaronHatton Oct 01 '13 at 10:43
  • DanyP, you don't know why people downvote. Surmising they do it because they've never had the same issues as you are is not correct. I agree with what @AaronHatton said and also, in the original form (with no code) the question looked more to belong on Webmasters or SuperUsers than on SO. –  Oct 01 '13 at 11:09
  • I know there's no 1 way of completely banning someone, but the addition of several different ways becomes quite efficient. I was more interested in those ways which together make a difference at the end. Since there's not 1 definite answer, I left my question more 'open' to suggestions. Thanks everybody. – Dan P. Oct 02 '13 at 03:17

5 Answers

1

If he is using proxies it will be impossible to keep him out by using the IP.

You could try to set a cookie and then block access depending on that, but even that is easily circumvented.

Patrick
1

It would be impossible to stop him completely, but you can make it much harder for him.

Cookies: You can attempt to store a cookie on the banned user's computer. As long as the user doesn't delete his cookies or change browser, you can ban his new IPs.

Registration: You can require new users to register and activate their account via email. This will slow any banned users down a lot as for every account they make, they'll need a new email.

Automatic ban: You could add a ban button for yourself, to make it easy to ban people. You could add a vote ban feature so other members could ban people temporarily.

Teaqu
  • Hi, do you have an opinion about the code I added in my edit? Thanks for your answer btw, I will use cookies for sure, and we also have a 'mute' function implemented. – Dan P. Oct 01 '13 at 10:41
  • Good idea with the 'mute' function. fsockopen may slow down your site and could also block anyone who had a web server on their network. If that's not a problem, it should be fine. I've never used it myself though. – Teaqu Oct 01 '13 at 14:33
  • Turns out too many people would have been blocked if I used fsockopen (counter was over 5000 after 12 hours). In that case I guess I'll just go with an IP ban so he at least has to use a proxy, and make the mute function more efficient for me and the moderators. Thanks. – Dan P. Oct 02 '13 at 03:15
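
The layered check this answer describes (an IP ban plus a cookie that carries the ban to a new address), as an added PHP example that is not code from the thread: it matches IPv4 ranges by CIDR instead of the substring test from the question, and signs the cookie so a marker cannot be forged. `BAN_KEY`, the `ban-42` identifier, the function names and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. BAN_KEY, the function names and
// the sample values at the bottom are constructed for illustration.
const BAN_KEY = 'replace-with-a-long-random-server-side-secret';

// True if IPv4 address $ip lies inside $cidr, e.g. "188.91.1.0/24".
// A substring test for "188.91.1" would also match 188.91.100.7.
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipL = ip2long($ip);
    $netL = ip2long($net);
    if ($ipL === false || $netL === false || !ctype_digit($bits) || $bits > 32) {
        return false;
    }
    $mask = -1 << (32 - (int)$bits);   // top $bits bits set
    return ($ipL & $mask) === ($netL & $mask);
}

// Ban marker cookie "<banId>.<hmac>" (banId must not contain a dot). The
// signature stops forging or editing; it does nothing against deletion.
function makeBanCookie(string $banId): string
{
    return $banId . '.' . hash_hmac('sha256', $banId, BAN_KEY);
}

function readBanCookie(?string $cookie): ?string
{
    [$banId, $mac] = array_pad(explode('.', (string)$cookie, 2), 2, '');
    $ok = hash_equals(hash_hmac('sha256', $banId, BAN_KEY), $mac);
    return $ok ? $banId : null;
}

// Returns [banned?, address to add to the ban list or null].
function checkVisitor(string $ip, ?string $cookie, array $bannedCidrs): array
{
    foreach ($bannedCidrs as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return [true, null];
        }
    }
    // Unlisted address with a valid marker: a banned browser on a new IP.
    return readBanCookie($cookie) !== null ? [true, "$ip/32"] : [false, null];
}

$banned = ['188.91.1.0/24'];                                  // sample list
var_dump(checkVisitor('188.91.1.77', null, $banned));         // listed range
var_dump(checkVisitor('188.91.100.7', null, $banned));        // outside the /24
var_dump(checkVisitor('203.0.113.9', makeBanCookie('ban-42'), $banned));
```

An address returned for the ban list may be a shared proxy, so other visitors behind it would be banned as well; the comments about schools and businesses on this page apply to it too.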
0

You can't. The only thing you can do is add the IP addresses he uses to your "banlist". There is no way to ban the user when he's changing his IP address (actually he's using proxies).

Joran Den Houting
0

There is no way to completely block someone, I have had this same issue in the past.

The best way I used to do it is using htaccess files and blocking subnets like this below:

<Limit GET POST>
 order allow,deny
 allow from all
 deny from 1.2.3.4
 deny from 2.0.
</Limit>

Source: Using the .htaccess File to Block IP Access

Another way is to create a whitelist, also using htaccess, much like the example below:

AuthName "CIRC Under Maintenance" 
AuthType Basic 
<Limit GET POST> 
order deny,allow 
deny from all 
allow from 216.249.119. 
allow from 216.249.123.120 
</Limit>

Source: .htaccess allow/deny rules for subnet

More about .htaccess files: .htaccess - Wikipedia

Another solution would be to check out unique IDs per device, found here: Unique ID for a device with PHP, as mentioned by Adam in the comments.

Community
AaronHatton
  • Hi, do you have an opinion about the code I added in my edit? – Dan P. Oct 01 '13 at 10:43
  • @DanyP doesn't appear to be any issues however note that some businesses, schools and even home users use proxies to filter content which can cause you issues with approaching less visitors – AaronHatton Oct 01 '13 at 10:44
  • I see. I need to allow schools and businesses, a lot of students and co-workers need my website to collaborate. Dammit. – Dan P. Oct 01 '13 at 10:48
  • @DanyP look at this: http://stackoverflow.com/questions/19082152/unique-id-for-a-device-with-php/19082219 as Adam mentioned, this may be a good alternative – AaronHatton Oct 01 '13 at 11:01
0

Sometimes the only way to get around these things is manual approval of users. Like RainFromHeaven says, whitelist not blacklist.

Lyle