Default maximum of only 3 new users allowed from the same IP address


(Bas van Leeuwen) #1


This setting is way too low by default if you are using Discourse in a large organisation.

One of our clients hit the limit within days of launch, 3 users is way too low.

I completely missed this setting (we have a closed forum, users are moderated after signup, so I completely skipped the “Spam” part of the settings) when setting up. I only found out by chance, when someone reported via our support-desk.

I suggest to up this to something higher (e.g. 25) by default, if spam turns out to be a problem, users will find this setting and can consciously set it lower.


(Felix Freiberger) #2

I don’t see how this can catch many users.

  • If Discourse is hosted on the internet, and you have a diverse user base, you’re fine.
  • If Discourse is hosted internally, and your users are on your intranet, you’re also fine, as Discourse will still see all users coming from their own IP addresses.
  • If Discourse is hosted externally, and a large portion of your users are behind NAT and therefore share an IP address, you could run into this – but only if no user from that IP address is a staff member or has earned trust level 2, which seems very unlikely if your whole user base is basically coming from a single IP address.

How did you run into this, exactly?


(Matt Palmer) #3

This is an incorrect characterisation of the situation. It would be more accurate to say, “if you are using Discourse, hosted on the Internet, in a large organisation which is all stuck behind a NAT gateway that only has a single IP address, which hasn’t been whitelisted, and isn’t using a proxy capable of setting X-Forwarded-For and being trusted, and doesn’t have IPv6, and somehow hasn’t managed to trip any of the auto-whitelisting functionality designed to avoid this particular scenario”. But that’s less catchy.

Conversely, if your NAT turns out to be a problem, users will find this setting and can consciously set it higher. Or deploy IPv6.


(Bas van Leeuwen) #4

By inviting 4 people from a single company to join my community. They all joined within a few hours, the fourth was denied.

Note: we only started a few weeks ago, currently have some 100 members in total


(Bas van Leeuwen) #5

Or in my case “if you are using Discourse, hosted on the internet, and invite a couple of people at a client to join your new community” <- not a very strange use case, is it?


(Matt Palmer) #6

Sure, which is why it’s a site setting, and not a hard-coded value buried deep in the code. It’s also quite different from the scenario you described originally.


(Bas van Leeuwen) #7

Fine, don’t change it, it’s indeed no longer a problem for me now that I know about it, just thought I’d help with a (in my opinion) useful tweak of the default setting :slight_smile:


(Sam Saffron) #8

It comes at a cost though, cause now you have a single IP able to spam lots of registrations.

It’s a :balance_scale: between convenience and security.


(Jeff Atwood) #9

Did you pay attention to the help text here? I think you are missing something rather critical. I’ve highlighted the relevant part.


(Bas van Leeuwen) #10

I saw that and I think the intent behind this was quite elegant.

That said, I reported to you that there is a blind spot in the reasoning: if more than three people from a new company (same location, same IP-address, not seen before) sign up in a short time, then the default value prevents them from doing so. This is a bad first impression to your new members.

I understand this, I am (trying to) arguing that the tradeoff-point needs tweaking :slight_smile:


(Ivan Rapekas) #11

As an admin of my forum, I’ve never received any notifications about exceeding any limits on default settings for versions 1.8.x-1.9.x. And I’ve never seen any mentions in the admin panel. May it indicate that all 1500 users were registered smoothly and nobody was banned?

I have some reasonable questions on it:

  1. Do users receive a notification in case of exceeding the limit for their IP address?
  2. Do admins receive a notification in case of exceeding the limit by some users’ attempts to register?
  3. Are blocked IPs logged anywhere when the limit is exceeded?
  4. In case of an incorrectly configured external proxy, Discourse may always get 127.0.0.1 as the IP for all users. My forum had been working with a badly configured nginx for months until I fixed it.
  5. In some cases of SSO, there is no registration IP address passed by the SSO host to Discourse. Is this possibly a hole for spammers?
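The two mechanisms the thread keeps circling, in post #3 (the limit only bites when the proxy in front of Discourse does not set a trusted X-Forwarded-For, and it is lifted once a staff or trust-level-2 user exists on that IP) and in question 4 above (a misconfigured proxy makes every user look like 127.0.0.1), can be modelled in a few lines. The Ruby below is an added illustration, not Discourse’s own implementation: the trusted-proxy list, the rule that a “new” account is one still at trust level 0, the sample addresses (TEST-NET ranges) and the account data are all constructed for the example.

```ruby
require "ipaddr"

# Assumed trusted reverse proxies; only their X-Forwarded-For is believed.
TRUSTED_PROXIES = ["127.0.0.1", "10.0.0.0/8"].map { |n| IPAddr.new(n) }
# The default value this thread is about.
MAX_NEW_ACCOUNTS_PER_IP = 3

def parse_ip(str)
  IPAddr.new(str)
rescue IPAddr::InvalidAddressError, ArgumentError
  nil
end

def trusted_proxy?(addr, proxies)
  !addr.nil? && proxies.any? { |net| net.include?(addr) }
end

# Resolve the client address. remote_addr is the TCP peer; xff is the raw
# X-Forwarded-For header (may be nil). The header is only honoured when the
# peer is a trusted proxy; otherwise a client could spoof its own header and
# walk around any per-IP limit.
def client_ip(remote_addr, xff, proxies: TRUSTED_PROXIES)
  peer = parse_ip(remote_addr)
  return remote_addr unless trusted_proxy?(peer, proxies)
  hops = xff.to_s.split(",").map { |h| parse_ip(h.strip) }.compact
  # Walk right to left: the rightmost hop was appended by our own proxy; the
  # first hop that is not a trusted proxy is the real client.
  hops.reverse_each { |hop| return hop.to_s unless trusted_proxy?(hop, proxies) }
  # No usable header: the app sees its proxy for every user (the
  # misconfiguration described in question 4).
  remote_addr
end

# accounts: existing users as { ip:, trust_level:, staff: }.
# A "new" account is assumed to be one still at trust level 0.
def registration_allowed?(ip, accounts, max: MAX_NEW_ACCOUNTS_PER_IP)
  same_ip = accounts.select { |a| a[:ip] == ip }
  # Auto-exemption: any staff or TL2+ account from this IP lifts the cap.
  return true if same_ip.any? { |a| a[:staff] || a[:trust_level] >= 2 }
  same_ip.count { |a| a[:trust_level].zero? } < max
end

# Constructed sample: one office behind a single NAT address, and a second
# office where a moderator happened to register earlier.
SAMPLE_ACCOUNTS = [
  { ip: "203.0.113.10", trust_level: 0, staff: false },
  { ip: "203.0.113.10", trust_level: 0, staff: false },
  { ip: "203.0.113.10", trust_level: 0, staff: false },
  { ip: "198.51.100.7", trust_level: 0, staff: false },
  { ip: "198.51.100.7", trust_level: 0, staff: false },
  { ip: "198.51.100.7", trust_level: 0, staff: false },
  { ip: "198.51.100.7", trust_level: 1, staff: true },
].freeze

# Each scenario returns its outcome so the behaviour can be checked.
def scenarios
  {
    # fourth signup from a NAT address with no trusted user yet: refused
    fourth_from_nat: registration_allowed?("203.0.113.10", SAMPLE_ACCOUNTS),
    # same count, but a staff member is already on that IP: allowed
    with_staff_on_ip: registration_allowed?("198.51.100.7", SAMPLE_ACCOUNTS),
    # trusted proxy sets the header: the real client is resolved
    behind_proxy: client_ip("127.0.0.1", "203.0.113.10, 10.0.0.5"),
    # untrusted peer sends its own header: ignored, peer address used
    spoofed_header: client_ip("192.0.2.44", "203.0.113.10"),
    # proxy sends no header: everyone collapses onto 127.0.0.1, so the cap
    # applies to the whole site at once
    misconfigured_proxy: client_ip("127.0.0.1", nil),
  }
end

if __FILE__ == $PROGRAM_NAME
  scenarios.each { |name, result| puts "#{name}: #{result}" }
end
```

Running it prints the five outcomes; the last one is the silent failure mode worth checking for on any proxied install: if the registration IP recorded for every account is the proxy’s address, the per-IP cap and the staff exemption are both being evaluated against one shared address rather than against real users.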


(Bas van Leeuwen) #12

  1. Yes
  2. No :frowning:


(Jeff Atwood) #13

In SSO 100% of the responsibility for vetting users is with the SSO parent, not us. That’s how SSO works.

Many, many things will be broken if this is the case…


(Joshua Rosenfeld) #14

This topic was automatically closed after 34 hours. New replies are no longer allowed.