
Question

I was wondering what the best way to track and block people based on IPs is? I would like to allow people to use the guest account freely, but at the same time I would also like to be able to know what IP is making what changes so people who deface the wiki can be blocked.

Also, what is the best way to ban/block certain registered users, as well as to revert pages to a previous revision?

Thanks.

  • TWiki version: r1.8
  • Perl version: 5.006001
  • Web server & version: Apache 1.3.27
  • Server OS: Linux / Cpanel
  • Web browser & version: Mozilla 1.3
  • Client OS: WinXP

-- TWikiGuest - 20 May 2003

Answer

It sounds like you're concerned about defacements in a wiki system. While in theory it's a very possible threat to any wiki system, in reality it doesn't happen. Okay, once in a looong time it does happen, but the actual impact is still minimal when TWiki is concerned because it has revision control, so no data is ever lost. You just have to "undo" the latest revision to the page(s) affected.

How to undo the latest revision is documented on twiki.org; I hope that other wikizens will fill in a reference to this, but you could also search the Codev and Support webs for instructions about this. Naturally, this procedure is not something that every normal user should know how to do and so it is hidden away a little, but it is there.

You can permanently block registered users by munging their password entries in the .htaccess file, but they could still access your site with the guest account, or open a new account (depending on whether your setup allows this). There may also be other (more correct?) ways of blocking users; I'm again hoping that others will supplement this answer.

My immediate advice is this, though: Unless you have valid actual proof or experiences with hostile users, you should rely on the good nature of the majority of users (and TWiki's revision control system!). There are lots of wiki sites, and hordes of wiki users, but rarely ever anything to get worried about. Of course I can't rule out that your users could happen to be bad, but on a statistical basis, I'm assuming against it.

-- TorbenGB - 20 May 2003

Access to the server can be blocked by:

  • Rules at the firewall if they are crossing a firewall protected boundary.
    This is a well documented technique and applies to internal as well as external access since many companies use internal firewalls to protect - for example - accounting from R&D.
  • Rules at the server host IP interface.
    If you are running Linux or equivalent, every host could be a firewall. It can run IPTables to filter connections.
  • Rules in the web server.
    Apache has rewrite rules that can be used to redirect access from specific IP addresses or reverse name lookups that match hosts or domains. See the extensive documentation for details.

-- AntonAylward - 20 May 2003

I'm well experienced with how to block people based on IPs, but I'm not sure how to get the IP of a user from TWiki. Where does it store IP data for changes made? On recent changes and such it says the user was "TWikiGuest," but how do I see the IP for that change? I've already had one instance of abuse, which wasn't that big of a deal, but I would like to be prepared for when this happens in the future.

And if someone could fill in with a link to the documentation on rolling back to a previous version, that'd be greatly appreciated.

Thanks.

-- TWikiGuest - 20 May 2003

IP address: Check the TWiki logs, e.g. grep 'TWikiGuest . save' twiki/data/log200305.txt

Rollback: Read the comment at the end of TWiki.cfg.

-- PeterThoeny - 21 May 2003
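As an added example (not part of any of the posts above), a small Python script that does what Peter's grep does but aggregates the guest account's save actions by source IP, so you can see which addresses edited a defaced topic. It assumes the classic TWiki log layout `| date | WikiName | action | Web.Topic | extra | remote IP |` and works on constructed sample lines embedded inline.

```python
import re
from collections import defaultdict

# Constructed sample lines in the assumed TWiki log layout:
# | date | WikiName | action | Web.Topic | extra | remote IP |
SAMPLE_LOG = """\
| 20 May 2003 - 09:12 | Main.TWikiGuest | view | Main.WebHome |  | 192.0.2.10 |
| 20 May 2003 - 09:15 | Main.TWikiGuest | save | Main.WebHome |  | 192.0.2.10 |
| 20 May 2003 - 09:16 | Main.TWikiGuest | save | Main.WebHome |  | 192.0.2.10 |
| 20 May 2003 - 10:02 | Main.PeterThoeny | save | Support.SomeTopic |  | 198.51.100.7 |
| 20 May 2003 - 11:40 | Main.TWikiGuest | save | Support.SomeTopic |  | 203.0.113.5 |
| garbage line that does not match the layout |
"""

# One regex for the six pipe-separated fields; extra may be empty.
LINE_RE = re.compile(
    r"^\|\s*(?P<date>[^|]+?)\s*\|\s*(?P<user>[^|]+?)\s*\|\s*(?P<action>[^|]+?)\s*"
    r"\|\s*(?P<topic>[^|]+?)\s*\|\s*(?P<extra>[^|]*?)\s*\|\s*(?P<ip>[^|]+?)\s*\|$"
)


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def guest_saves_by_ip(text, user="TWikiGuest", actions=("save",)):
    """Map remote IP -> sorted (date, topic) list of the given user's edits.

    The WikiName is matched with or without its 'Main.' web prefix.
    """
    result = defaultdict(list)
    for e in parse_log(text):
        if e["action"] in actions and e["user"].split(".")[-1] == user:
            result[e["ip"]].append((e["date"], e["topic"]))
    return {ip: sorted(v) for ip, v in result.items()}


def ips_for_topic(text, topic, user="TWikiGuest"):
    """IPs from which the guest account saved a given topic (e.g. a defaced one)."""
    hits = guest_saves_by_ip(text, user)
    return sorted(ip for ip, edits in hits.items() if any(t == topic for _, t in edits))


if __name__ == "__main__":
    for ip, edits in guest_saves_by_ip(SAMPLE_LOG).items():
        print(ip, len(edits), "guest save(s)")
    print("Support.SomeTopic edited from:", ips_for_topic(SAMPLE_LOG, "Support.SomeTopic"))
```

Run it against the real file with `guest_saves_by_ip(open("twiki/data/log200305.txt").read())`; as Anton notes below, the IP is only the starting point, since DHCP users change addresses between sessions.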

The trouble with IP based filtering is that it isn't effective a lot of the time. A user's IP address can change between sessions.

Most dial-up ISPs, many corporate intranets use DHCP. Even my cable/DSL uses DHCP, though the address hasn't changed in over 6 months - but it has changed.

Late model DHCP works with late model DNS to keep them in sync. You need to go through the machine level logs to find the mapping of which user used that IP address at the time the abuse happened. This is SOP for ISPs investigating abuse - I've done that so I'm claiming first hand knowledge :-/

It's also why I recommend filtering at the web server, since that can deal with the symbolic name rather than just the IP address. (I'm assuming here that you don't want to turn off the main login for this user.)

There are also other methods of doing identification and authentication than just the "Authtype basic".

See:

  • Apache's mod_auth and mod_access documentation
  • http://www.apacheweek.com/features/userauth
  • http://httpd.apache.org/docs-2.0/mod/mod_auth_anon.html
    "This module does access control in a manner similar to anonymous-ftp sites; i.e. have a 'magic' user id 'anonymous' and the email address as a password. These email addresses can be logged.
    Combined with other (database) access control methods, this allows for effective user tracking and customization according to a user profile while still keeping the site open for 'unregistered' users. One advantage of using Auth-based user tracking is that, unlike magic-cookies and funny URL pre/postfixes, it is completely browser independent"
    Note also:
    • It insists that the user enters a userId. (Anonymous_NoUserId)
    • It insists that the user enters a password. (Anonymous_MustGiveEmail)
    • The password entered must be a valid email address, ie. contain at least one '@' and a '.'. (Anonymous_VerifyEmail)
    • The userID must be one of anonymous guest www test welcome and comparison is not case sensitive.
    • And the Email addresses entered in the passwd field are logged to the error log file (Anonymous_LogEmail)
  • Apache::AuthenIMAP - Perform Basic User Authentication against an IMAP server
    Allows users to give their username and e-mail password for authentication against a IMAP server for access to restricted web pages.
  • HTTPD::UserManage. Written by Lincoln Stein and Doug MacEachern, allows you to manage multiple types of authentication mechanisms, on multiple server-types (Apache, Netscape, etc) via one interface.
  • You should also look at session management. It's not infallible, but it helps.

PLEASE NOTE: Identification and Authorization are two different things. You are authorizing someone who is failing to give detailed identification. By merely banning the guest account from updating topics you would be limiting authorization without addressing identification. Many security systems confuse the two concepts in implementation, not least of all because like UNIX, Apache and TWiki, they don't centrally manage them. (Actually many texts on security confuse identification and authentication as well!)

-- AntonAylward - 21 May 2003
