The linked story doesn’t have any role in how we should secure Discourse. It is meant for those who are living in countries like China and Russia.
As I see that issue, banning an IP address helps only for a short time and it is a similar action to banning a user agent. It works only against badly behaving ones who aren’t trying to harm you. But against evil ones… a total waste of time.
Changing IP or user agent is such a trivial trick that it just doesn’t help against an attacker — I’m not talking about black hats, but a-holes who are trying to break a forum or make one’s life miserable.
An app should not do tasks that should be done somewhere else, like firewalling or packet filtering generally. But it is already doing that by blocking user agents and using something other than crontab. Is this a similar situation?
I don’t ask anything, but I would like to hear opinions (and why not tricks too):
what kind of security measures a self-hosting admin should take
is Discourse vulnerable against angry and skillful people (I know you have a bounty program, but that is another ball game)
and more or less on a meta level: are IP and user agent bans just a gimmick to give a false feeling of security because we have already lost this war
That majority came from you. It is not a fact. It is a factoid.
Most malicious purposes are made from the light web. Right now I have two users online, but there are 20-ish knockers trying to find holes. Actually banning countries helps more than banning onions.
But there still isn’t too much to do. You can ban every known Tor entry point by hand, but if a server doesn’t inform it… There is no difference between VPN and Tor, and we don’t call VPNs part of the dark web.
But of course they are using tools that will hide identity. What can you and we do then? USA, France, Germany, UK, China and Russia have tried to close the freedom of the net, without any luck because there is no big enough political and financial leverage. I don’t see how Discourse could do more.
Or they can. They can build up an AI that can identify malicious behaviour. But let’s be realistic here — almost anything beyond watched words is sci-fi at this point.
But my weak point is that banning IPs is just a pure waste of time. It gives just an illusion of security, nothing more. There must be some other tools, but those options are bad and worse, because then we should start limiting all users somehow.
The trust level of Discourse is one solution and actually not bad at all. But there should be other metrics than likes (I just don’t get why bother counting likes, because then TL is a marketing tool, nothing else) or reads. What metrics? I don’t know.
If just one guy is after an admin/forum, that situation is difficult — mostly because there is nothing other than IP bans. All other knockers are easier, because the majority of bots are stupid and badly coded. That’s why right now one Vietnamese IP tries to exploit one ancient XMLRPC hole of WordPress at Discourse.
But most apps and services are guiding to hide the version. Not Discourse. Is it so because version sniffing is actually an old story or is there some other reason?
There are tens or hundreds of Discourse sites running. It is not clear that there is any evidence of “lax security”. If you want to have more robust IP-level control then you’ll need to do it with a reverse proxy.
Not true, the majority of Tor users are simply using it because it is easy to get started and they are curious.
This is exactly what Nextcloud has done with the Suspicious Logins app, which I believe will soon be offered by default.
Completely false. I read this as having no understanding of either, so just clarifying that these are two different things in every sense.
Also not true, because VPNs are easier than ever to use now that we have WireGuard built into the Linux kernel and ready to deploy. If you are referring to the Tor browser bundle, remember Mozilla now offers their own VPN service within Firefox, meaning you would not even need to install the Tor bundle.
Conversations like this are confusing. My understanding is the concern is over threats from VPN and Tor users to a vulnerable public forum, but what I’m wondering is why you are not using these technologies in order to make your service only accessible to trusted users to begin with (assuming this is an issue of critical importance to you).
If the threat you face is a state level actor, then yes. In that case you would be in danger because unlimited resources and expertise reach far beyond what we can anticipate. If you are in danger I suggest never exposing yourself (or your services) on the public internet, but I hope that isn’t the case.
The original topic had the purpose of discussing Tor blocking in relation to unwanted but not security-related activity. My impression is that this one was forked to discuss Tor/VPN blocking in relation to security but the purposes got crossed through the replies.
There are legitimate reasons for blocking Tor and VPNs; however, doing so for security is not one of them. Bad actors may use Tor, they may use VPNs, they may also use previously compromised systems which could be on any type of connection (data centre / home / office / whatever), anywhere in the world.
Equally, assuming your service is publicly available with no specific reason to block Tor/VPNs, legitimate users may also be on any of those connection types.
If malicious activity is observed, whether that’s manually or with an automatic mechanism, temporary IP blocking for that specific activity may make manual attacks more awkward and automated attacks require a larger and more complex bot network, potentially making your service less appealing as a target to actors with limited resources.
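One way to implement the temporary, activity-scoped blocking described above, as an added example that is not part of the thread: it parses constructed nginx combined-format log lines, counts hits per IP on paths a Discourse host never serves (the WordPress/XML-RPC probes mentioned earlier in the thread), and blocks an IP only for a fixed window so a recycled address is released again. The probe paths, threshold, block duration, log lines and IPs are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Paths a Discourse host never serves: hits here are probes (the WordPress/XML-RPC
# knocking mentioned in the thread), not users. Constructed list, not from the page.
PROBE_PATHS = {"/xmlrpc.php", "/wp-login.php", "/wp-admin/", "/administrator/"}
THRESHOLD = 3                       # probe hits from one IP before it is blocked
BLOCK_FOR = timedelta(minutes=30)   # temporary, so a recycled IP is freed again

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

def parse_line(line):
    """Return (ip, timestamp, path) or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path").split("?", 1)[0]

def temporary_blocks(lines, threshold=THRESHOLD, block_for=BLOCK_FOR):
    """Map IP -> block expiry for IPs whose probe-path hits reach the threshold."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue            # skip lines the regex does not understand
        ip, ts, path = parsed
        if path in PROBE_PATHS:
            hits[ip].append(ts)
    blocks = {}
    for ip, stamps in hits.items():
        if len(stamps) >= threshold:
            blocks[ip] = max(stamps) + block_for   # expiry counted from last probe
    return blocks

def is_blocked(blocks, ip, now):
    """True only while the temporary block for this IP has not yet expired."""
    return ip in blocks and now < blocks[ip]

# Constructed sample log: one scanner (203.0.113.7) and one legitimate user (198.51.100.2).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Mar/2024:12:00:02 +0000] "GET /latest.json HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]
```

Feeding the resulting block list to the reverse proxy or packet filter, rather than to the application, keeps the enforcement where the earlier posts say it belongs.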
I was mostly just wondering if it was impossible. Thank you for the information though!
How would you know that though?
Oh, that’s great! I’ll have to check it out!
Yes, I’m referring to the web browser. Being able to just download it and have it up and running like any other web browser is extremely convenient for anybody looking to hide what they’re doing. Most free VPNs are quite shady (and in all likelihood, they’re selling your data to other companies), and if you want to use a reputable VPN, you’ll have to fork over a couple of dollars every month. Tor is free and reputable. You just can’t compete with free.
This is a similar point to the one above, but Mozilla’s VPN costs money.
Why would any forum want to make itself exclusively accessible through Tor? It’s considerably slower than “normal” web browsers, and just imagine the nightmare trying to get users to switch…
In what context? Just curious…
It’s a matter of weighing the pros versus the cons. What’s the percentage of “good” users using Tor compared to the percentage of “bad” users using Tor?
I’m not sure how effective that would be. Considering just how large Tor’s network is, it’d be like playing a game of cat and mouse trying to block all of the IP addresses.
In every sense? No it is not. Those are different only when we are talking about the technical solution behind them.
For an admin who’s reading logs those are totally the same. There is no difference. There is a user making requests from a changing IP that leads to a VPS/something that looks like a VPS…
That is one point of view. Most attack attempts come from VPN/Tor — Tor is a small minority, though. The skill level when those attackers are using ancient password lists or trying to exploit old WordPress holes is another story. But such a starting point, where we don’t stop something from the source just because a script kiddie can barely copy&paste, is really weak.
But in topics like this one should always remember that out there are two, almost opposite, worlds:
global vs. local
business vs. (almost) everything
The first ones can’t assume someone is not a legit person just based on how he/she/it entered the net. The second ones can, when they get only trash via VPS and Tor.
So, then this
is not always true. It depends.
That’s true if we are talking about real attackers. But when out there is just another pissed off person that doesn’t use Linux. And even if there were something else in use than a headless server, there is a high chance he/she/it just doesn’t know how to use it. VPS is much easier.
So — we are quite often now talking about two different worlds. Or cases.
I don’t have any bigger issues with Tor. VPN is another story, but that is just because scrapers and knockers are using it so often.
For me the situation is quite easy. There is no point whatsoever in banning an IP because it will change after 2-5 tries. I’m in such an easy situation that I’m driving pure local services without any bigger financial importance and I can use geoip.
Right now it is not in use, though. And I have more or less 200 concurrent visitors trying to access SSH, WordPress, Drupal… you name it, but only SEO scrapers are interested in Discourse.
I’m not sure what my opinion is about fingerprinting, but that could be an option (maybe for a plugin).
AmIUnique says I have a unique fingerprint among “887481 fingerprints in our entire dataset” (if they are to be trusted; I just found it now).
edit: they show the information they use, and it’s a lot, even details from my video card because of WebGL. It’s totally doable; one could change between different devices and keep messing with the browser configuration to try bypassing it, so it won’t be perfect or easy to solve the problem.