1 (edited by adsh 2004-02-20 21:55)

Topic: About detecting user IP

I found a bug with user IP detection.

When a user goes to the forum through a proxy server, his IP address is detected as the user's local address, not the proxy server's address. I think that the address is detected from the X-Forwarded-For header, not the real IP...

I use the forum on a server in a big corporate network (the server has a real IP). And I can see many local addresses (10.xxx.xxx.xxx, 192.168.xxx.xxx) in the forum user details which are not present in my network...

Re: About detecting user IP

It's not a bug, it's a feature. PunBB attempts to detect the IP address behind the proxy, because banning the proxy usually isn't what you want. If someone is causing problems and is banned, he/she shouldn't just be able to switch to a different proxy and continue causing problems. In reality, it's not that easy, but that's the general idea.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

3 (edited by adsh 2004-02-20 22:31)

Re: About detecting user IP

H-mm. And how can I tell the difference between my local clients (10.0.0.0/8) and clients in other corporate networks :) ?

I have been confused by this many times - where are my local clients and where are the other clients :) ...

There is an idea to ban users by their personal cookie data, or to use together the user's local address and the proxy address (X-Forwarded-For + VIA)...

4

Re: About detecting user IP

adsh wrote:

H-mm. And how can I tell the difference between my local clients (10.0.0.0/8) and clients in other corporate networks :) ?

by ip

adsh wrote:

There is an idea to ban users by their personal cookie data...

user registers a new account....

I think like Rickard: it's not a bug, it's a feature.

5 (edited by adsh 2004-02-20 22:28)

Re: About detecting user IP

azh wrote:

by ip

My local clients have the same IPs as other local clients.

If I ban any local address - I ban this address in _all_ local networks...

6 (edited by azh 2004-02-20 22:29)

Re: About detecting user IP

hm?

adsh wrote:

My local clients have the same IPs as other local clients.

joke:
1. ban all by ip
2. don't use ban, use legs and hand (for bad users)
3. new ip for all
4. close forum
$-)

Re: About detecting user IP

adsh: Well, the alternative is to only use REMOTE_ADDR, but then you will end up with many users having the same IP address instead. We've had the problem at a site where I moderate (sweclockers.com). We banned the IP address of a user that was causing a lot of problems and then it turned out it was the proxy of a large Swedish ISP, so lots and lots of users ended up getting banned. This was of course unacceptable and we were forced to unban that IP. We've had the same problem many, many times.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

8

Re: About detecting user IP

Maybe banning on some personal cookie data makes more sense?

Re: About detecting user IP

PunBB does ban based on cookie data. However, cookies can very easily be deleted.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

10

Re: About detecting user IP

You cannot log in to the forum without a cookie. There is a ban based on user name, not IP. And we may also ban a user based on "proxy ip + local user ip". As an alternative...

Re: About detecting user IP

adsh wrote:

You cannot log in to the forum without a cookie. There is a ban based on user name, not IP.

True, however it is very easy to delete the cookie and then register again under a new username.

adsh wrote:

And we may also ban a user based on "proxy ip + local user ip". As an alternative...

I'm not sure what you mean. If you don't want to ban an IP address, you don't have to. You can just ban the username.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: About detecting user IP

The IP address detection has been improved in PunBB 1.2. It will ignore obviously local IPs such as 127.0.0.1, 192.168.*, 10.* etc.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: About detecting user IP

I'm running punBB 1.2.12 and I still have this problem/feature. It's running in an internal reverse proxy server and it says that a couple of users' IP is 192.168.x.x
Any idea how to avoid this without compromising punBB's banning feature?

14

Re: About detecting user IP

You can have a lot of users with the same IP, there is nothing wrong with this. They could be behind a proxy, or just using NAT on their firewall. Banning IPs is a bad practice. In my country 99.99% of users don't have static IPs.

http://www.info-mob.com/forum/ - Croatian forum only, don't bother if you don't speak Croatian :)

Re: About detecting user IP

But is it normal that a guy from Argentina, one from Russia and one from Germany have the exact same IP? I mean, they have the same IP only in this forum; their IPs anywhere else are different.

16

Re: About detecting user IP

OK, that is not normal :)

http://www.info-mob.com/forum/ - Croatian forum only, don't bother if you don't speak Croatian :)

Re: About detecting user IP

"running in an internal reverse proxy server"

Well, there's your problem! :) No, honestly. I have no idea what actually goes on in your setup. This topic is over two years old, and some of the things I said above don't apply anymore. In version 1.2.12, PunBB relies completely on REMOTE_ADDR (which is the address the proxy is providing). We used to try to sniff out the IP address behind the proxy, but we had to drop that because of some security concerns (was very easy to spoof).

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: About detecting user IP

Oh, okay then. Didn't notice that the topic was old. I just thought that something wrong could be happening to this forum I mention, but if it's standard then there's nothing to see here, please keep moving... ;)

19 (edited by futurama234 2006-07-08 14:06)

Re: About detecting user IP

The problem is that all proxies do not send REMOTE_ADDR in request.
Basically, you can't ban a person without letting him a way to register again, with punbb or whatever forum/portal script.

Re: About detecting user IP

The problem is that all proxies do not send REMOTE_ADDR in request.

Unless I'm missing something very basic, every computer sends out REMOTE_ADDR. It's X_FORWARDED_FOR that not every proxy sends out and that can be manipulated (which is why PunBB doesn't use it anymore).
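For the reverse-proxy setup asked about earlier in the thread, and the spoofing concern that made PunBB drop X-Forwarded-For, one common way to reconcile the two is to honour the header only when REMOTE_ADDR is a proxy you operate yourself. The sketch below is an added example in Python over a CGI-style environment, not PunBB's code; `TRUSTED_PROXIES`, `client_ip` and all addresses are constructed for illustration.

```python
import ipaddress

# Assumption: the reverse proxies we run ourselves live in this range
# (constructed value; replace with the real proxy addresses).
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.0.0/24")]


def _is_trusted(addr):
    """True if addr belongs to one of our own proxies."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(environ):
    """Return the address to record for logging and bans.

    REMOTE_ADDR is the TCP peer and cannot be set by a request header.
    X-Forwarded-For is only consulted when that peer is our own proxy,
    and is read right to left, because each proxy appends the peer it
    saw while anything further left may have been typed by the client.
    """
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    if not _is_trusted(peer):
        # Direct connection or someone else's proxy: ignore the header.
        return str(peer)

    raw = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop, keep the last verified hop
        if not _is_trusted(addr):
            return str(addr)  # first hop that is not one of our proxies
        peer = addr  # another of our proxies, keep walking left
    return str(peer)
```

With this rule a client that connects directly and sends its own `X-Forwarded-For: 10.0.0.5` is still recorded under its real peer address, while users arriving through the internal reverse proxy are no longer all recorded as 192.168.x.x.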