Successfully, permanently ban a user from a website? [closed]
I have a social networking website and I want to ban a user from the website. I've added his IP address to the ban list in the .htaccess file and to the PHP level for banning that user, but he keeps coming back with different IPs.
How can I permanently ban a user, no matter how hard he tries to re-enter the website?
I guess you're coming at this from the wrong angle. Many sites (including this one) slowly let you see more of the abilities as you prove you can be trusted.
I'd suggest making first posts have to be moderated, or some form of voting system and then none of his posts will stay visible for long.
This is a human problem really, not so much a technical one.
Thanks to Tor and innumerable other proxy services, you can't depend on an IP ban to block a user.
You'd need to implement some kind of other barrier - email validation requirements on sign-up, maybe, or require moderation approval for new account creations? Unless your user sign-up process requires blood samples, social security numbers, and mothers' maiden names, you'll have cracks open for illegitimate accounts.
The choice of what kind of barriers you put in place on the scale of usability versus security is an important decision - keep in mind that for everything you put in place to thwart a small segment of trolls, malicious users, or bots, you'll be inconveniencing a much larger set of legitimate users.
When a new user signs up, use a service like Twilio to send a text message to their phone containing a short passcode. They have to correctly enter this code to verify their account. This is similar to how Craigslist (attempts) to keep spammers out and is also frequently used by online banking as a kind of a poor man's two-factor authentication system.
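The passcode step described in this answer, as an added example that is not part of the original answer: it generates a short code, stores only a salted hash of it, and checks submissions with a constant-time compare, a time limit and an attempt limit. The phone numbers and the in-memory `PENDING` store are constructed for the demo; the call to the SMS provider (Twilio or any other) is left to the caller, who receives the plaintext code from `issue_code`.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store: phone number -> pending verification record.
# A real deployment would persist this and hand the code to the SMS provider.
PENDING = {}
CODE_TTL_SECONDS = 300   # code is valid for five minutes
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is discarded


def _digest(code, salt):
    # Salted hash so a leaked store does not reveal live codes.
    return hashlib.sha256(salt + code.encode()).hexdigest()


def issue_code(phone, now=None, rng=secrets):
    """Generate a 6-digit passcode for `phone`, store only its salted hash,
    and return the plaintext code so the caller can send it by SMS."""
    now = time.time() if now is None else now
    code = f"{rng.randbelow(10**6):06d}"      # CSPRNG, zero-padded
    salt = secrets.token_bytes(16)
    PENDING[phone] = {
        "salt": salt,
        "digest": _digest(code, salt),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(phone, submitted, now=None):
    """True only if `submitted` matches a live, unexpired code for `phone`.
    Expired or over-tried records are dropped; a correct code is single-use."""
    now = time.time() if now is None else now
    rec = PENDING.get(phone)
    if rec is None:
        return False
    if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        del PENDING[phone]
        return False
    rec["attempts"] += 1
    ok = hmac.compare_digest(rec["digest"], _digest(submitted, rec["salt"]))
    if ok:
        del PENDING[phone]   # single use: a replayed code must not verify again
    return ok


if __name__ == "__main__":
    code = issue_code("+15550100")          # constructed number
    print("would send by SMS:", code)
    print("verified:", verify_code("+15550100", code))
```

The attempt limit is what makes a six-digit code adequate: without it, a million guesses is a small job for a script, and the verification step stops being a barrier at all.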
I can't promise you "successfully, permanently" but there are certainly plenty of things you can do to make his life more difficult. Enough of these and he will give up.
You have already tried using his IP address for identification but it's easy to find free proxy servers. It's somewhat harder to find free and anonymous proxy servers. Most proxy servers send the user's IP address along in an X-Forwarded-For: header. You can use mod_security to block these.
SecRule REQUEST_HEADERS:X-Forwarded-For "@contains 192.168.0.1" "id:100001,phase:1,t:none,deny,status:403"
Obviously, you should replace 192.168.0.1 with his actual IP address. You can block a larger set of proxied IPs by removing the last octet.
This will limit him now to using anonymous proxies and Tor. You can identify when he's using Tor because every request will come from a different IP address and these will probably all be on a Tor exit node list. Here are two examples of lists. There are proxy lists available too.
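The two checks described above (matching the X-Forwarded-For chain against a banned network, and matching the connecting address against an exit node list), as an added example in Python that is not part of the original answer. The banned network, the exit node addresses and the request values are constructed for the demo; the "remove the last octet" advice becomes a /24 network. X-Forwarded-For is client-supplied text, so the parser drops anything that is not a valid address rather than trusting it.

```python
import ipaddress

# Constructed sample data (documentation ranges, not real addresses).
# "Remove the last octet" from 203.0.113.55 -> block the whole /24.
BANNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# A few entries standing in for a downloaded Tor exit node list.
TOR_EXIT_NODES = {ipaddress.ip_address(a) for a in ("198.51.100.7", "198.51.100.9")}


def client_chain(remote_addr, xff_header):
    """Return every address visible for a request: the connecting peer first,
    then any hops a proxy disclosed in X-Forwarded-For.  Entries that are not
    valid addresses are skipped; the header is untrusted input."""
    addrs = [ipaddress.ip_address(remote_addr)]
    for part in (xff_header or "").split(","):
        part = part.strip()
        if not part:
            continue
        try:
            addrs.append(ipaddress.ip_address(part))
        except ValueError:
            continue   # e.g. "unknown" or garbage: ignore, do not fail the request
    return addrs


def classify(remote_addr, xff_header=""):
    """'banned' if any address in the chain falls in a banned network,
    'tor' if the connecting peer is a listed exit node, otherwise 'ok'."""
    chain = client_chain(remote_addr, xff_header)
    if any(addr in net for addr in chain for net in BANNED_NETWORKS):
        return "banned"
    if chain[0] in TOR_EXIT_NODES:
        return "tor"
    return "ok"


if __name__ == "__main__":
    # Constructed requests: a proxy at 192.0.2.10 forwarding the banned user,
    # a direct hit from an exit node, and an ordinary visitor.
    print(classify("192.0.2.10", "203.0.113.55"))
    print(classify("198.51.100.7"))
    print(classify("192.0.2.20", "unknown, 192.0.2.21"))
```

Keep the two outcomes distinct in whatever sits behind `classify`: a match on the banned network is a ban, while a Tor exit node is only a signal (plenty of legitimate readers use Tor), so the sensible response to "tor" is extra scrutiny of the account, not an automatic block.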
You can force him to bypass the proxy for just one subrequest by using either Flash or JavaScript or even just an image link. This depends on how the proxy is set up in his computer (you can put it into the browser or the OS or have it as a transparent proxy on the network) but whatever type it is, it probably only proxies for port 80 and 443. Have your website cause him to connect on port 8080 or port 25 or something else and encode a unique identifier in the request. This would do the trick in PHP:
<?php
echo("<img src=\"http://example.com:25/".session_id().".jpg\" />"); // image URL on a non-standard port, tagged with the session id
The next step I would take is using Evercookie. Depending on how good he is at removing all the various storage methods, that alone might be enough to reliably identify him. He can avoid this by running a browser in a VM and reverting it to a known state every time he gets banned again or by not running JavaScript but you will have successfully made his life that bit more difficult. You could potentially use the fact that he's not running JavaScript to identify him.
It's also worth noting that Google Analytics assigns a unique identifier in the second "field" (separated by dots) of their __utma cookie. If you have Google Analytics and he doesn't delete this cookie, you may already have enough to track him.
To log cookies (and all HTTP headers) you can use a forensic log.
Following that, browser fingerprinting is a bit more difficult and prone to both false positives (if you make it a little fuzzy) and false negatives (if you go for exact matches only) but it can be done. It would actually be more effective if he keeps reverting his VM to a known state because that will mean his fingerprint never changes. He would have to change his VM's screen resolution and time zone and the installed plugins each time he got banned.
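The fuzzy-versus-exact trade-off this paragraph describes, as an added example that is not part of the original answer. The fingerprint attributes, their weights and the stored "banned" fingerprint are constructed for the demo; a real collector would gather such attributes client-side. `threshold=1.0` is exact matching (no false positives from this matcher, but any single change evades it); lower thresholds tolerate a few changed attributes at the cost of catching look-alike visitors.

```python
# Constructed fingerprint of a banned account; values are illustrative only.
KNOWN_BANNED = [
    {"ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0", "screen": "1280x800",
     "tz": "-5", "plugins": "Flash,Java", "lang": "en-US", "fonts": 42},
]

# Constructed weights: attributes that are rarer or harder to change count more.
WEIGHTS = {"ua": 2.0, "screen": 1.0, "tz": 1.0, "plugins": 1.5, "lang": 0.5, "fonts": 1.0}


def similarity(fp_a, fp_b):
    """Weighted fraction of attributes on which two fingerprints agree.
    1.0 is an exact match; a changed screen resolution and time zone
    (weights 1.0 + 1.0 out of 7.0) drops the score to 5/7."""
    total = sum(WEIGHTS.values())
    agree = sum(w for k, w in WEIGHTS.items() if fp_a.get(k) == fp_b.get(k))
    return agree / total


def matches_banned(fp, threshold=0.8):
    """Return (banned_fingerprint, score) for the closest stored fingerprint
    if its score reaches `threshold`, else (None, score).  Raising the
    threshold trades false positives for false negatives."""
    best_score, best_known = 0.0, None
    for known in KNOWN_BANNED:
        score = similarity(fp, known)
        if score > best_score:
            best_score, best_known = score, known
    if best_score >= threshold:
        return best_known, best_score
    return None, best_score


if __name__ == "__main__":
    # The same VM snapshot, then the same snapshot with resolution and time zone changed.
    same = dict(KNOWN_BANNED[0])
    changed = dict(same, screen="1920x1080", tz="+1")
    print(matches_banned(same))
    print(matches_banned(changed), matches_banned(changed, threshold=0.7))
```

Whatever threshold you settle on, log the score alongside the decision so that a complaint from a wrongly blocked visitor can be checked against what the matcher actually saw.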
One more method: Identify the content he posts. Just treat him like a normal spammer. Feed his data through a Bayesian learning engine and teach it to recognise him... and once it's good enough at recognising what he posts, ban anyone who posts that sort of content. This one has the nice advantage that false positives are probably people you would want to ban anyway, even if they're not the same guy.
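The content-based approach from the last paragraph, as an added example that is not part of the original answer: a small multinomial naive Bayes classifier with Laplace smoothing, trained on posts labelled "troll" (the banned user's) and "ok" (everyone else's), that reports the probability a new post is his. The training posts are constructed for the demo and the vocabulary is deliberately distinctive; a real corpus needs far more data and a threshold chosen by looking at the false positives.

```python
import math
import re
from collections import Counter


def tokenize(text):
    return re.findall(r"[a-z0-9']+", text.lower())


class TrollClassifier:
    """Two-class multinomial naive Bayes: 'troll' vs 'ok', Laplace-smoothed."""

    def __init__(self):
        self.word_counts = {"troll": Counter(), "ok": Counter()}
        self.doc_counts = {"troll": 0, "ok": 0}

    def train(self, text, label):
        self.word_counts[label].update(tokenize(text))
        self.doc_counts[label] += 1

    def _log_prob(self, tokens, label):
        # log P(label) + sum log P(token | label), add-one smoothing over the vocabulary
        vocab_size = len(set(self.word_counts["troll"]) | set(self.word_counts["ok"]))
        counts = self.word_counts[label]
        total = sum(counts.values())
        lp = math.log(self.doc_counts[label] / sum(self.doc_counts.values()))
        for tok in tokens:
            lp += math.log((counts[tok] + 1) / (total + vocab_size))
        return lp

    def score(self, text):
        """P(troll | text), computed from the two log scores without underflow."""
        tokens = tokenize(text)
        lt, lo = self._log_prob(tokens, "troll"), self._log_prob(tokens, "ok")
        m = max(lt, lo)
        return math.exp(lt - m) / (math.exp(lt - m) + math.exp(lo - m))

    def is_troll(self, text, threshold=0.9):
        # High threshold: a wrong ban costs more than a missed post.
        return self.score(text) >= threshold


def build_demo_classifier():
    """Classifier trained on constructed sample posts (not real user content)."""
    clf = TrollClassifier()
    for post in ("buy cheap pills now cheap pills",
                 "cheap pills discount click now",
                 "click now discount pills"):
        clf.train(post, "troll")
    for post in ("thanks for the help with my garden",
                 "has anyone tried the new recipe",
                 "great photo of your garden"):
        clf.train(post, "ok")
    return clf


if __name__ == "__main__":
    clf = build_demo_classifier()
    for post in ("cheap pills click now", "thanks for the garden photo"):
        print(f"{clf.score(post):.3f}  {post}")
```

Retrain as the banned user adapts: each post he makes that gets caught is one more labelled "troll" sample, which is what makes the filter improve rather than stay where it was when he first changed his vocabulary.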