I’m surprised that Discourse doesn’t do this already (especially since most Tor users trying to access forums are likely bypassing previous suspensions), but is there a way to block Tor users from being able to register on my forum?
One particular user is using Tor to bypass any IP bans and fingerprinting restrictions over and over again. It’s become a massive headache to deal with them…
Discourse is not a webserver per se. Tor is some kind of issue, but a really minor one compared to the “normal” network. But how is this situation different than if that guy just used another VPN service?
You can recognize known Tor IPs at server level and ban them there, but not easily out-of-the-box. Unknown private ones… no chance.
But on a more general level… IPs are useless. My IP is changed by my mobile ISP at least once a week. Good luck banning me by IP, because it won’t be the same next week. Actually, it can change even today when I’m taking a 10 mile trip.
IPs help only when there are cable-based connections. But then the same guy changes to a VPN and bye-bye goes that ban.
Fingerprinting… where is that still an allowed and legal system to identify users?
Not always. Many cable operators use DHCP to divvy out IP addresses and when the lease on an address expires they can and do assign a new one. The next one will likely be in the same IP range but even that may not happen. My own ISP moves me around and the new POP can geo-locate me anywhere in the country.
I will gladly take any solution that allows me to prevent Tor users from accessing my forum. It is already a major issue in my community, and in my opinion, it has the potential to have a ripple effect in other communities if more people end up learning about it.
This feature in particular is disastrous and essentially renders IP bans as useless.
I’ve banned all known Tors at server level using iptables. Or you can use Nginx itself too, or some other reverse proxy.
Using any of those in front of Discourse is a really trivial task. But Docker is the biggest question mark, because it bypasses the UFW/iptables of the VPS in a way I can’t understand, because I’m just climbing up that learning curve (in my books that is the biggest security concern, and less spoken about).
Here is something about the firewall question:
Of course someone can make a plugin that stops an IP. I don’t know much but I can’t understand why it would be difficult — even WordPress can do it.
But there are two issues as I see them:
an app starts to do tasks that should be done at the server
an app is always late, and even if it stops something, the hammering of the server has already happened
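
The server-level blocking discussed in this thread (a list of known Tor addresses applied through iptables or Nginx, with Docker-published ports not passing through the chain UFW filters) can be sketched as follows. This is an added example, not code from any poster or from Discourse. It assumes a one-address-per-line list, a hypothetical set name `tor_exits`, and constructed sample addresses.

```python
import ipaddress

# Constructed sample in a one-address-per-line exit-list format. The addresses
# are documentation ranges (RFC 5737 / RFC 3849), not real Tor exits.
SAMPLE_LIST = """\
# constructed sample
192.0.2.10
198.51.100.7
192.0.2.10
2001:db8::1
not-an-ip
203.0.113.300
"""

def parse_exit_list(text):
    """Return (sorted unique valid addresses, rejected lines)."""
    seen, rejected = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            seen.add(ipaddress.ip_address(line))
        except ValueError:
            rejected.append(line)  # never copy unvalidated text into a config
    return sorted(seen, key=lambda a: (a.version, int(a))), rejected

def nginx_deny_conf(addrs):
    """Body of an nginx include file: one `deny` directive per address."""
    return "".join(f"deny {a};\n" for a in addrs)

def ipset_restore(addrs, name="tor_exits"):
    """Input for `ipset -exist restore`; hash:ip sets hold one family each."""
    lines = [f"create {name}4 hash:ip family inet",
             f"create {name}6 hash:ip family inet6",
             f"flush {name}4", f"flush {name}6"]
    lines += [f"add {name}{a.version} {a}" for a in addrs]
    return "\n".join(lines) + "\n"

def iptables_rules(name="tor_exits"):
    """IPv4 rules. Published Docker ports are DNATed and forwarded, so they
    skip INPUT (where UFW filters); Docker consults DOCKER-USER for them."""
    match = f"-m set --match-set {name}4 src -j DROP"
    return [f"iptables -I INPUT {match}", f"iptables -I DOCKER-USER {match}"]

if __name__ == "__main__":
    addrs, bad = parse_exit_list(SAMPLE_LIST)
    print(nginx_deny_conf(addrs), ipset_restore(addrs), sep="\n", end="")
    print("\n".join(iptables_rules()))
    print("rejected:", bad)
```

The list has to be regenerated on a schedule, since exit addresses change, and it covers only published exits, not private VPNs or unlisted relays.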