Are Tor/VPN/etc. a threat, aka is there any point to ban IPs

Continuing the discussion from Blocking Tor Users by Default:

The linked story doesn’t have any role in how we should secure Discourse. It is meant for those who are living in countries like China and Russia.

As I see it, banning an IP address helps only for a short time and is a similar action to banning a user agent. It works only against badly behaving ones who aren’t trying to harm you. But evil ones… a total waste of time.

Changing IP or user agent is such a trivial trick that it just doesn’t help against an attacker — I’m not talking about black hats, but a-holes who are trying to break a forum or make one’s life miserable.

An app should not do tasks that should be done somewhere else, like a firewall or packet filtering generally. But it is already doing so by blocking user agents and using something other than crontab. Is this a similar situation?

I’m not asking anything specific, but I would like to hear opinions (and why not tricks too):

  • what kind of security measures a self-hosting admin should take
  • is Discourse vulnerable against angry and skillful people (I know you have a bounty program, but that is another ball game)
  • and more or less on a meta level: are IP and user agent bans just a gimmick to give a false feeling of security because we have already lost this war :wink:

Ideas?

1 Like

You can try akismet. You can try approving all users (which is very inconvenient). But if an actual human is trying to be a pest there isn’t much you can do.

I think there may still be a shadow ban plugin. Looking for somebody to create a shadow ban plugin (I don’t know if they created it or if it’s available). Or you could just keep the user in a group that everyone has muted.

Edit: it does exist: Discourse Shadowban might be a way to get the one bad actor to not realize that what he’s doing to be malicious isn’t having any effect.

4 Likes

The problem is that a majority of its users are using it for malicious purposes, not to mention that it’s especially popular for browsing the dark web.

2 Likes

That majority came from you. It is not a fact. It is a factoid :wink:

Most malicious purposes are served from the light web. Right now I have two users online, but there are 20-ish knockers trying to find holes. Actually, banning countries helps more than banning onions.

But there still isn’t too much to do. You can ban every known Tor entry point by hand, but if a server doesn’t inform it… There is no difference between a VPN and Tor, and we don’t call VPNs part of the dark web.

But of course they are using tools that will hide identity. What can you and we do then? The USA, France, Germany, the UK, China and Russia have tried to close freedom of the net, without any luck, because there is no big enough political and financial leverage. I don’t see how Discourse could do more.

Or they can. They can build up an AI that can identify malicious behaviour. But let’s be realistic here — almost anything beyond watched words is sci-fi at this point.

But my weak point is that banning IPs is just a pure waste of time. It gives just an illusion of security, nothing more. There must be some other tools, but those options are bad and worse, because then we should start limiting all users somehow.

Discourse’s trust level is one solution and actually not bad at all. But there should be other metrics than likes (I just don’t get why to bother counting likes, because then TL is a marketing tool, nothing else) or reads. What metrics? I don’t know.

If just one guy is after an admin/forum, that situation is difficult — mostly because there is nothing else than IP bans. All other knockers are easier, because the majority of bots are stupid and badly coded. That’s why right now one Vietnamese IP is trying to exploit an ancient XMLRPC hole of WordPress on Discourse :man_facepalming:

But most apps and services guide you to hide the version. Not Discourse. Is that because version sniffing is actually an old story, or are there some other reasons?

1 Like

Sorry, but what do you mean by that?

The problem is that Tor is much more accessible than any VPN out there. Tor users can just change their IP address with the click of a button.

By the way, how would a VPN allow you to access a .onion website?

If the location of a user is constantly changing (e.g., from France to South Korea) over and over again, is that not suspicious behavior? I can’t imagine that Tor relays are impossible to detect.

Okay, but settling for nothing is not enough. Complacency with lax security is disastrous and just makes things worse.

1 Like

There are tens or hundreds of Discourse sites running. It is not clear that there is any evidence of “lax security”. If you want to have more robust IP-level control then you’ll need to do it with a reverse proxy.

1 Like

Of course.

And yet Tor is marginal and practically all malicious traffic comes via VPN.

Now I have to ask: have you ever used a VPN? Where is the difference? Are you now saying most VPS users are using one plain OpenVPN server?

Giving a URL. I don’t understand your question.

Sometimes it is, sometimes not. But again: and do you think a VPN allows it?

Of course it can. Not easily, though. You can try to detect all users coming from VPS servers; that is not that easy either.

And it is a task that must be done at the server before entering an app.

1 Like

Yes, but what if people were to stop banning IP addresses altogether? I was just responding to what @Jagster said since he believes that it’s a waste of time.

How do you know that?

I have used VPNs before, yes. What do virtual private servers have to do with this discussion though?

You said that there aren’t any differences between VPNs and Tor.

Unless somebody has invented teleportation, you can’t immediately get from France to South Korea.

As a result, there’s only one explanation… :wink:

At least it’s possible. Maybe somebody could develop a #plugin for just that purpose… :thinking:

1 Like

Because self-hosted OpenVPN is the only situation where one can’t change IP with one click.

1 Like

Exit relays are actually trivial to detect by design. Here they are.

There is some information about that here:

Though that hasn’t been updated to incorporate this:

And there’s some information about why they do this here:

1 Like

This discussion doesn’t make sense, because

Not true, the majority of Tor users are simply using it because it is easy to get started and they are curious. :person_shrugging:

This is exactly what Nextcloud has done with the Suspicious Logins app, which I believe will soon be offered by default

Completely false. I read this as having no understanding of either, so just clarifying that these are two different things in every sense.

Also not true, because VPNs are easier than ever to use now that we have WireGuard built into the Linux kernel and ready to deploy. If you are referring to the Tor browser bundle, remember Mozilla now offers their own VPN service within Firefox, meaning you would not even need to install the Tor bundle.

Conversations like this are confusing. My understanding is the concern is over threats from VPNs and Tor users to a vulnerable public forum, but what I’m wondering is why you are not using these technologies in order to make your service only accessible to trusted users to begin with (assuming this is an issue of critical importance to you).

Always.

If the threat you face is a state level actor, then yes. In that case you would be in danger because unlimited resources and expertise reach far beyond what we can anticipate. If you are in danger I suggest never exposing yourself (or your services) on the public internet, but I hope that isn’t the case. :heart:

1 Like

The original topic had the purpose of discussing Tor blocking in relation to unwanted but not security-related activity. My impression is that this one was forked to discuss Tor/VPN blocking in relation to security but the purposes got crossed through the replies.

There are legitimate reasons for blocking Tor and VPNs, however doing so for security is not one of them. Bad actors may use Tor, they may use VPNs, they may also use previously compromised systems which could be on any type of connection, (data centre / home / office / whatever) anywhere in the world.

Equally, assuming your service is publicly available with no specific reason to block Tor/VPNs, legitimate users may also be on any of those connection types.

If malicious activity is observed, whether that’s manually or with an automatic mechanism, temporary IP blocking for that specific activity may make manual attacks more awkward and automated attacks require a larger and more complex bot network, potentially making your service less appealing as a target to actors with limited resources.

3 Likes
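The reply above describes temporary, activity-specific IP blocking rather than permanent bans. The following is an added example (not Discourse code, and not from anyone in this thread) that implements that idea over a constructed nginx-style access log: only a specific bad event (repeated failed logins against a hypothetical `/session` endpoint) counts, the count is kept in a sliding window per IP, and the resulting block expires on its own. The log lines, the endpoint path and the thresholds are all assumptions for the example.

```python
"""Temporary, activity-keyed IP blocking over web-server access logs.

Added example (not Discourse code). Only one kind of observed activity
(failed logins) counts, and a triggered block lapses after a fixed time,
so the list of blocked addresses never grows without bound.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one IP hammering the login endpoint, one normal user.
SAMPLE_LOG = """\
198.51.100.7 [10/Mar/2024:10:00:01 +0000] "POST /session HTTP/1.1" 403
198.51.100.7 [10/Mar/2024:10:00:03 +0000] "POST /session HTTP/1.1" 403
203.0.113.5 [10/Mar/2024:10:00:04 +0000] "GET /latest HTTP/1.1" 200
198.51.100.7 [10/Mar/2024:10:00:05 +0000] "POST /session HTTP/1.1" 403
198.51.100.7 [10/Mar/2024:10:00:06 +0000] "POST /session HTTP/1.1" 403
198.51.100.7 [10/Mar/2024:10:00:08 +0000] "POST /session HTTP/1.1" 403
203.0.113.5 [10/Mar/2024:10:00:09 +0000] "POST /session HTTP/1.1" 200
198.51.100.7 [10/Mar/2024:10:20:00 +0000] "GET /latest HTTP/1.1" 200
"""

# Assumed log layout: client IP, bracketed timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_ts(text):
    """Parse a timestamp in the log's format into an aware datetime."""
    return datetime.strptime(text, TS_FORMAT)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), parse_ts(m.group("ts")), m.group("method"), m.group("path"), int(m.group("status"))


class TempBlocker:
    """Sliding-window counter of one bad event per IP, with expiring blocks."""

    def __init__(self, threshold=5, window=timedelta(minutes=1), block_for=timedelta(minutes=15)):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self.events = defaultdict(deque)   # ip -> timestamps of recent bad events
        self.blocked_until = {}            # ip -> datetime when the block lapses

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def observe(self, ip, ts, method, path, status):
        """Feed one request; return True if this request triggered a new block."""
        # Only failed login attempts count; everything else is ignored.
        if not (method == "POST" and path == "/session" and status in (401, 403)):
            return False
        q = self.events[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:      # drop events outside the window
            q.popleft()
        if len(q) >= self.threshold and not self.is_blocked(ip, ts):
            self.blocked_until[ip] = ts + self.block_for
            q.clear()
            return True
        return False


def replay(log_text, blocker=None):
    """Replay a log through a blocker; return (newly blocked IPs, blocker)."""
    blocker = blocker or TempBlocker()
    newly_blocked = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        if blocker.observe(*parsed):
            newly_blocked.append(parsed[0])
    return newly_blocked, blocker


if __name__ == "__main__":
    blocked, b = replay(SAMPLE_LOG)
    print("blocked:", blocked)
    print("still blocked at 10:10?", b.is_blocked("198.51.100.7", parse_ts("10/Mar/2024:10:10:00 +0000")))
    print("still blocked at 10:20?", b.is_blocked("198.51.100.7", parse_ts("10/Mar/2024:10:20:00 +0000")))
```

Because the counter is keyed by IP, an attacker who rotates addresses every few requests never reaches the threshold, which is exactly the limitation the thread keeps returning to; the value of the mechanism is that it raises the cost for the unsophisticated majority while the expiry keeps legitimate users behind shared or rotating addresses from being locked out for good.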

I was mostly just wondering if it was impossible. Thank you for the information though! :+1:

How would you know that though?

Oh, that’s great! I’ll have to check it out!

  1. Yes, I’m referring to the web browser. Being able to just download it and have it up and running like any other web browser is extremely convenient for anybody looking to hide what they’re doing. Most free VPNs are quite shady (and in all likelihood, they’re selling your data to other companies), and if you want to use a reputable VPN, you’ll have to fork over a couple of dollars every month. Tor is free and reputable. You just can’t compete with free. :person_shrugging:

  2. This is a similar point to the one above, but Mozilla’s VPN costs money.

Why would any forum want to make itself exclusively accessible through Tor? It’s considerably slower than “normal” web browsers, and just imagine the nightmare trying to get users to switch… :dizzy_face:

In what context? Just curious… :slight_smile:

It’s a matter of weighing the pros versus the cons. What’s the percentage of “good” users using Tor compared to the percentage of “bad” users using Tor?

I’m not sure how effective that would be. Considering just how large Tor’s network is, it’d be like playing a game of cat and mouse trying to block all of the IP addresses.

In every sense? No, it is not. Those are different only when we are talking about the technical solution behind them.

For an admin who’s reading logs those are totally the same. There is no difference. There is a user making requests from a changing IP that leads to a VPS/something that looks like a VPS…

That is one point of view. Most attack attempts come from VPN/Tor — Tor is a small minority, though. The skill level when those attackers are using ancient password lists or trying to exploit old WordPress holes is another story. But such a starting point, where we don’t stop something at the source just because a script kiddie can barely copy and paste, is really weak.

But in topics like this one should always remember that out there are two, almost opposite, worlds:

  • global vs. local
  • business vs. (almost) everything

The first ones can’t assume someone is not a legit person just based on how he/she/it entered the net. The second ones can, when they get only trash via VPS and Tor.

So, then this

is not always true. It depends.

That’s true if we are talking about real attackers. But when out there is just another pissed-off person that doesn’t use Linux. And even if there would be something else in use than a headless server, there is a high chance he/she/it just doesn’t know how to use it. A VPS is much easier.

So — we are quite often now talking about two different worlds. Or cases.

I don’t have any bigger issues with Tor. VPN is another story, but that is just because scrapers and knockers are using it so often.

For me the situation is quite easy. There is no point whatsoever in banning an IP, because it will change after 2-5 tries. I’m in such an easy situation that I’m running purely local services without any bigger financial importance and I can use GeoIP.

Right now it is not in use, though. And I have more or less 200 concurrent visitors trying to access SSH, WordPress, Drupal… you name it, but only SEO scrapers are interested in Discourse :rofl:

1 Like

Do you have any data to back that up though?

For all we know, that could actually be the complete opposite. :person_shrugging:

Why not? If somebody’s IP address is in Canada during one login period, then in Denmark during the next login period, then in Zimbabwe during the next login period, does that seem legitimate?

1 Like
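The Canada/Denmark/Zimbabwe question above is what detection engineers call an impossible-travel check. The following is an added example (not Discourse code, and not from anyone in this thread) that turns it into a concrete heuristic: consecutive logins of the same account are paired, the great-circle distance between their countries is divided by the elapsed time, and any pair implying a speed beyond what an airliner reaches is returned for review. The country centroids, the speed threshold and the login records are constructed assumptions; a real deployment would take coordinates from its GeoIP database.

```python
"""Impossible-travel check over login records.

Added example, not Discourse code. Flags login pairs whose implied ground
speed no aircraft reaches, for manual review rather than automatic blocking,
since a legitimate VPN user produces exactly the same pattern.
"""
import math
from datetime import datetime

# Constructed approximate centroids (lat, lon) for the countries named in the thread.
COUNTRY_COORDS = {
    "FR": (46.2, 2.2),
    "KR": (36.5, 127.9),
    "CA": (56.1, -106.3),
    "DK": (56.3, 9.5),
    "ZW": (-19.0, 29.2),
}

# Assumed threshold: faster than a commercial airliner, rounded up.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    r = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, prev_country, country, implied_kmh) for every flagged login pair.

    `logins` is an iterable of (user, timestamp, country_code) in any order.
    Consecutive logins from the same country never flag; a pair with no
    elapsed time but different countries is treated as infinite speed.
    """
    by_user = {}
    for user, ts, cc in sorted(logins, key=lambda x: x[1]):
        by_user.setdefault(user, []).append((ts, cc))

    flagged = []
    for user, events in by_user.items():
        for (t0, c0), (t1, c1) in zip(events, events[1:]):
            if c0 == c1:
                continue
            km = haversine_km(COUNTRY_COORDS[c0], COUNTRY_COORDS[c1])
            hours = (t1 - t0).total_seconds() / 3600.0
            kmh = math.inf if hours <= 0 else km / hours
            if kmh > max_kmh:
                flagged.append((user, c0, c1, round(kmh, 1)))
    return flagged


# Constructed login records: one traveller with plausible timing, one account
# hopping between continents within minutes.
SAMPLE_LOGINS = [
    ("alice", datetime(2024, 3, 10, 8, 0), "FR"),
    ("alice", datetime(2024, 3, 11, 9, 0), "KR"),     # 25 h later: a real flight
    ("mallory", datetime(2024, 3, 10, 8, 0), "CA"),
    ("mallory", datetime(2024, 3, 10, 8, 5), "DK"),   # 5 min later, other continent
    ("mallory", datetime(2024, 3, 10, 8, 9), "ZW"),
]

if __name__ == "__main__":
    for hit in impossible_travel(SAMPLE_LOGINS):
        print("review:", hit)
```

The output is a review queue, not a ban list: the same signal comes from a VPN user who switches exit locations, from mobile carriers whose addresses geolocate oddly, and from an account whose credentials have been taken over, and only a human (or a second factor) can tell those apart.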

It seems like a bot is using a VPN.

1 Like

Yes, and that most certainly isn’t legitimate. Maybe I’m not understanding the point you’re trying to get across?

1 Like

I’m not sure what my opinion is about fingerprinting, but that could be an option (maybe for a plugin)

AmIUnique says I have a unique fingerprint among “887481 fingerprints in our entire dataset” (if they are to be trusted, I just found it now)

Edit: they show the information they use, and it’s a lot, even details from my video card because of WebGL. It’s totally doable; one could change between different devices and keep messing with the browser configuration to try to bypass it, so it won’t be a perfect or easy way to solve the problem.

1 Like

It already is a #plugin.

Most major web browsers now attempt to block fingerprinting (and circling back to the original subject of this topic, Tor is probably the most immune to fingerprinting for obvious reasons).

So yeah, maybe it could’ve been a good option a few years back, but it’s becoming harder and harder to fingerprint users as large companies crack down on advertisers for privacy reasons.

1 Like

It could be a heuristic and flag the user for manual verification instead of outright blocking, so it could be aggressive in its identification.

Tor might make it hard to identify a specific user, but it would be fair enough to put all Tor users on manual verification; most forums won’t have many of them.

(sorry if the plugin already does that, I’m on mobile, didn’t check it out yet)

1 Like
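Two points in this thread fit together: the earlier reply that exit relays are trivial to detect because Tor publishes their addresses, and the suggestion just above to put Tor users on manual verification rather than block them. The following is an added example (not Discourse code and not the plugin mentioned above) that does exactly that: it loads an exit list in the one-address-per-line format Tor's bulk exit list uses, checks a signup's address against it, and returns a triage decision. The sample list uses documentation-range addresses and is constructed for the example; a deployment would fetch the real list and refresh it regularly, since exit addresses change, and the freshness check here exists so a stale list is not silently trusted.

```python
"""Tor exit-address lookup that routes matches to manual verification.

Added example; not Discourse code or a Discourse plugin. Matches are held for
review instead of being blocked, because being a Tor user is not by itself
evidence of abuse. Nothing here detects VPN exits, which publish no such list.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample exit list (documentation-range addresses, not real relays).
SAMPLE_EXIT_LIST = """\
# constructed sample, one exit address per line
192.0.2.10
192.0.2.11
198.51.100.200
2001:db8::1
"""


class ExitList:
    """Set of known Tor exit addresses plus a freshness check."""

    def __init__(self, text, fetched_at, max_age=timedelta(hours=1)):
        self.addresses = set()
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            try:
                self.addresses.add(ipaddress.ip_address(line))
            except ValueError:
                continue   # skip anything that is not an address
        self.fetched_at = fetched_at
        self.max_age = max_age

    def is_stale(self, now):
        return now - self.fetched_at > self.max_age

    def contains(self, ip):
        try:
            return ipaddress.ip_address(ip) in self.addresses
        except ValueError:
            return False       # malformed client address: not a known exit


def triage_signup(ip, exit_list, now):
    """Decide how to handle a new account coming from `ip`.

    Returns one of:
      "verify" - address is a known Tor exit; hold for manual verification
      "allow"  - not on the list
      "stale"  - list is too old to trust; refresh before deciding
    """
    if exit_list.is_stale(now):
        return "stale"
    return "verify" if exit_list.contains(ip) else "allow"


# Module-level sample instance so the decision can be exercised directly.
SAMPLE_FETCHED_AT = datetime(2024, 3, 10, 12, 0)
SAMPLE_EXIT = ExitList(SAMPLE_EXIT_LIST, fetched_at=SAMPLE_FETCHED_AT)


def triage_at(ip, minutes_after_fetch):
    """Triage `ip` against the sample list as of N minutes after it was fetched."""
    return triage_signup(ip, SAMPLE_EXIT, SAMPLE_FETCHED_AT + timedelta(minutes=minutes_after_fetch))


if __name__ == "__main__":
    for ip in ["192.0.2.10", "203.0.113.9", "2001:db8::1", "not-an-ip"]:
        print(ip, "->", triage_at(ip, 5))
    print("192.0.2.10 two hours later ->", triage_at("192.0.2.10", 120))
```

The "stale" outcome is the part worth keeping: a list that is hours old will both miss new exits and keep flagging addresses that have since left the network, so an unrefreshed list quietly degrades into the false sense of security the thread warns about.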