Kareha Board IP Banning

Posted by mauser 
Kareha Board IP Banning
October 03, 2018 03:11AM
Hello,
I am getting close to finishing up this project and deploying it; however, I still have a few little functions to address.
If I am going to administer an imageboard, I need to be able to ban spamming/abusive users via their IP address.
Looking into /board/config.pl, I found that bans are written to a .htaccess file. However, .htaccess is only used by the Apache web server, not lighttpd.
So then I looked into denying IPs via the lighttpd config file. I experimented with it to the best of my ability, but have not been able to effectively ban my test IP.
I have checked the Kareha support threads, lighttpd forums, and Google to no avail. I have tried several different solutions, but nothing seems to work. I reboot the PirateBox after each config edit.

I thank anyone who is able to give some input to solve this problem or put me in a direction to do so.

Here is my lighttpd.conf as it stands right now. I appended the "ban" section to the end of the file.

## Configuration for Piratebox

server.modules = (
        "mod_access",
        "mod_alias",
#       "mod_compress",  Disabled, fixing reload Problem??
        "mod_redirect",
        "mod_rewrite",
        "mod_setenv",
        "mod_fastcgi"
)

server.document-root        = "/opt/piratebox/www"

## Locate the tmp storage into tmp. It is in most cases the ram
## Limit the uploads to 5MB to save - especially on small devices
## the device from dieing because OUT-OF-RAM exceptions
##     in KB  => 5MB 
server.upload-dirs          = ( "/tmp" )
server.max-request-size = 5120

server.errorlog             = "/opt/piratebox/tmp/error.log"
server.breakagelog 	    = "/opt/piratebox/tmp/break.log"
server.pid-file             = "/opt/piratebox/tmp/lighttpd.pid"

 server.username             = "nobody"
 server.groupname            = "nogroup"



index-file.names            = ( "index.php", "index.html",
                                "index.htm", "default.htm",
                               " index.lighttpd.html" )

url.access-deny             = ( "~", ".inc" )

# added .cgi .py
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" , ".cgi" , ".py" )


# Enable lighttpd on ipv6
$SERVER["socket"] == "[::]:80" {  }

dir-listing.encoding         	= "utf-8"
server.dir-listing           	= "enable"

# Grabs main css
dir-listing.external-css     	= "/content/css/page_style.css"

# Header
# Enables header section
dir-listing.show-header      	= "enable"
dir-listing.encode-header	= "disable"
# Hides HEADER.txt from listing
dir-listing.hide-header-file	= "enable"

# Footer
# Enables footer section
dir-listing.show-readme		= "enable"
dir-listing.encode-readme	= "disable"
# Hides README.txt from listing
dir-listing.hide-readme-file	= "enable"
# Diables default footer text
dir-listing.set-footer		= " "

# Disabled, maybe fixes reload problem on imageboard
#compress.cache-dir          = "/var/cache/lighttpd/compress/"
#compress.filetype           = ( "application/x-javascript", "text/css", "text/html", "text/plain" )

#n.a. on router    include_shell "/usr/share/lighttpd/create-mime.assign.pl"
include "/opt/piratebox/conf/lighttpd/mime.types" 

#----------- ShoutBox-Env --------------
include "/opt/piratebox/conf/lighttpd/env"

#----------- cgi.conf --------------
server.modules += ( "mod_cgi" )

$HTTP["url"] =~ "^/cgi-bin/" {
#	cgi.assign = ( "" => "" ) 
  	cgi.assign = ( ".py" => "/usr/bin/python" )
}

## Warning this represents a security risk, as it allow to execute any file
## with a .pl/.py even outside of /usr/lib/cgi-bin.
#
#cgi.assign      = (
#	".pl"  => "/usr/bin/perl",
#	".py"  => "/usr/bin/python",
#)

$HTTP["url"] =~ "^/board/" {
    cgi.assign = ( ".pl" => "/usr/bin/perl" , )
}
#-------------------------------------


setenv.add-response-header += ( "Cache-Control" => "max-age=60, must-revalidate, no-store, no-cache, public" ) 

# 404 Error Page with redirect
#
server.error-handler-404 = "/index.html"

## for better debugging
#server.modules += ( "mod_accesslog" )
#accesslog.filename = "/opt/piratebox/tmp/access.log"


# Fix for iOS7
#   It ask especially different domains without a specific URL.
#   It want to get a "success" message, to allow full system/internet access
$HTTP["useragent"] =~ "CaptiveNetworkSupport" {
        server.document-root =  "/opt/piratebox/www/library/test/"
        index-file.names        = ( "success.html" )
        dir-listing.activate    = "disable"
        server.error-handler-404 = "/success.html"
}


include "/opt/piratebox/conf/lighttpd/fastcgi-php-generate203.conf"

## Uncommenting the following line enables PHP for the 
## complete PirateBox
#include "/opt/piratebox/conf/lighttpd/fastcgi-php.conf"

# Ban section:

$HTTP["remoteip"] == "192.168.77.75|192.168.77.187|192.168.77.38" {
    url.access-deny = ( "" )
}
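A corrected ban section, added here as an example and not part of the original post, using the same three addresses as the posted config. In lighttpd's config syntax, `==` on `$HTTP["remoteip"]` compares against a single address or CIDR block, so a pipe-separated string never matches anything; `=~` is a regular-expression match, and with `mod_access` (already loaded in `server.modules` above) an empty suffix in `url.access-deny` denies every URL.

```lighttpd
# Ban section (added example): deny the whole site to a list of client addresses.
# "==" only matches one address or one CIDR block, so the pipe-separated
# string in the original block never matches. "=~" matches a regular
# expression against the peer address, which is what a list needs.
# Dots are escaped and the pattern is anchored, so an entry for
# 192.168.77.7 would not also catch 192.168.77.75.
$HTTP["remoteip"] =~ "^(192\.168\.77\.75|192\.168\.77\.187|192\.168\.77\.38)$" {
    # mod_access: the empty suffix matches every URL, so these clients
    # get 403 for everything, not just /board/
    url.access-deny = ( "" )
}

# A single address or a whole subnet can use the exact-match form instead:
# $HTTP["remoteip"] == "192.168.77.75" { url.access-deny = ( "" ) }
```

Reload lighttpd after editing; the ban applies to the TCP peer address, which on a DHCP network may be reassigned to another device later.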
Re: Kareha Board IP Banning
October 22, 2018 04:50AM
Speaking strictly from a usage case scenario such as PirateBox, or WhateverBox you want to call it when you're done customizing and branding it to your liking, the Kareha Image Board as implemented in this kind of off-grid setup would NOT benefit from IP-based banning. The device assigning IP addresses is working from a small range of addresses, and it WILL reassign them over time. This means that, should you have an abusive user posting or uploading inappropriate content, you would need a different method of restricting their ability to do so, though that is outside the scope of the project as a whole, as PirateBox is meant not to track users in any way, as the project itself states.

Though if you are actively thinking about trying to implement something like this, I would suggest using hardware IDs: banning individual devices, not IP addresses. Essentially a MAC address filter. While it is not a perfect solution, as I'm not sure how you would implement it in this particular case, it is a method that would not get in the way of the isolated network's normal activity.

Though if you do find a way to implement this, savvy users usually know how to spoof their MAC, so as I said, not perfect. But you could always add common spoof addresses to the ban list preemptively, such as DEAD-BEEF-DEAD, DEAD-DEAD-BEEF, and so on (also any single repeated digit MAC like 0000-0000-0000). A lot of people I know are rather lazy when spoofing, and will do one or the other.

Anyway, tl;dr: don't use IP banning on this kind of device; it will disrupt the normal usage, including your own usage potentially.
Re: Kareha Board IP Banning
October 23, 2018 03:04AM
As an update to this problem, I have gotten so far as to enable IP-based banning using scripts that append to the lighttpd.conf file. But I realize this is a hackish solution to the problem.
RandomRedMage: you bring up a very good argument as to the use of MAC filtering vs. IP filtering in this kind of implementation. Reading up on the subject of MAC filtering through the use of iptables has convinced me that your way is the correct way to approach this problem. I do not believe my target audience will be savvy enough to know to spoof a MAC address, so I believe this approach would be more than adequate. I will be working through this problem in the next week or so, whenever I have time to do so, but I will post a general walkthrough of it once I get it figured out, for future reference of Kareha/PirateBox users.
RandomRedMage: Thank you for giving me a heading to implement this feature.