
SID-01399: TWiki-5.1.0 How to Disable Registration

Status: Answered | TWiki version: 5.1.0 | Perl version: 5.10.1
Category: CategoryRegistration | Server OS: Debian 6.0.4 | Last update: 12 years ago

I've recently had the unfortunate experience that some hacker(s) are connecting to my TWiki site and maliciously registering bogus users, so I want to turn off registration completely.

I have set the configure option to turn this off but it does not disable registration or access to the link, it only shows that registration has been temporarily disabled.

Any tips would be appreciated and apologies if a resolution has already been posted to this forum. Thanks.

-- SergeiHaramundanis - 2012-02-09

Discussion and Answer

Remove the registration link in WebLeftBarLogin in every web and move the TWiki.TWikiRegistration topic to the trash (make a backup before). You can also set ALLOWTOPICCHANGE in Main.WebPreferences to NobodyGroup, but that might be too drastic.

-- EnriqueCadalso - 2012-02-10

If you move the TWiki.TWikiRegistration topic I recommend moving it to an access-controlled web and recreating the topic with a note, such as "Registration has been disabled. Please contact ... if you'd like to have an account on this site."

In addition you could rename the register script in twiki/bin and tweak the form action in the registration script.

If you are on a public site I recommend using the BlackListPlugin.

-- PeterThoeny - 2012-02-10

Thanks very much for the tips. As follow-up, here's what I decided to do:

From Linux command line logged in as user twiki:

  1. mv ./twiki/bin/register ./twiki/bin/register.save
  2. chmod 0444 ./twiki/data/Main/TWikiRegistrationAgent.txt*
  3. chmod 0444 ./twiki/data/Main/TWikiUsers.txt*
  4. chmod 0000 ./twiki/data/TWiki/BulkRegistration.txt*
  5. chmod 0000 ./twiki/data/TWiki/TWikiRegistration.txt*

From TWiki UI:

  1. restrict edits on all custom topics via topic preferences settings
  2. set configure option to disable registration

That's it for now, let's see if this works. If not, I'll post another follow-up.

-- SergeiHaramundanis - 2012-02-25
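
The shell steps in the post above can be re-checked at any later time with a small audit. This is an added example, not part of the original post: `mode_of`, `audit_twiki_lockdown` and `make_demo_tree` are hypothetical helpers, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, paths and modes are from the post.

# mode_of FILE -> first 10 characters of ls output, e.g. "-r--r--r--"
mode_of() { ls -ld "$1" | cut -c1-10; }

# audit_twiki_lockdown TWIKI_ROOT
# Prints one FAIL line per deviation; returns 0 only when there are none.
audit_twiki_lockdown() {
    root=$1; rc=0
    # Step 1: the script must be gone under its original name.
    if [ -e "$root/bin/register" ]; then
        echo "FAIL bin/register is present"; rc=1
    fi
    # Shell steps 2-3 expect 0444, steps 4-5 expect 0000.
    for spec in \
        "data/Main/TWikiRegistrationAgent.txt:-r--r--r--" \
        "data/Main/TWikiUsers.txt:-r--r--r--" \
        "data/TWiki/BulkRegistration.txt:----------" \
        "data/TWiki/TWikiRegistration.txt:----------"
    do
        base=${spec%%:*}; want=${spec#*:}
        for f in "$root/$base"*; do   # same glob as the chmod (also hits .txt,v)
            [ -e "$f" ] || continue
            got=$(mode_of "$f")
            [ "$got" = "$want" ] || { echo "FAIL ${f#"$root"/} is $got, want $want"; rc=1; }
        done
    done
    return $rc
}

# Constructed demo tree: every step applied except the last chmod.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/data/Main" "$d/data/TWiki"
    : > "$d/bin/register.save"
    for f in Main/TWikiRegistrationAgent.txt Main/TWikiUsers.txt \
             Main/TWikiUsers.txt,v TWiki/BulkRegistration.txt \
             TWiki/TWikiRegistration.txt; do
        : > "$d/data/$f"
    done
    chmod 0444 "$d"/data/Main/TWiki*
    chmod 0000 "$d"/data/TWiki/BulkRegistration.txt*
    chmod 0644 "$d"/data/TWiki/TWikiRegistration.txt
    echo "$d"
}

t=$(make_demo_tree); audit_twiki_lockdown "$t" || echo "lock-down incomplete"; rm -rf "$t"
```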

I have had the same problem. Until today I simply logged into a shell, removed the bogus user passwords from twiki/data/.httpd, removed their user pages from the data/Main directory, and then logged in and edited the TWikiUsers page to remove their names from the list of users. But the hackers have become so persistent that I was having to remove several bogus registrations per day. Whether they hoped to simply place advertising or malicious content on an unprotected web (there were none), or whether logging in as a registered user is a stepping stone in trying to gain root access, I cannot say. But this underscores the need for an enhanced two-step registration which requires approval by an administrator as well as a confirmation by the user to an e-mail.

-- ScottPedigo - 2012-03-26

In addition to doing the steps listed by Sergei, above, I also renamed the configure script just to be extra safe (access to it was already separately prohibited by the Apache configuration), changed the access for the renamed configure and register scripts to 400, and set ALLOWTOPICVIEW = some user groups for both TWikiUsers and TWikiGroups to make it a bit harder for any hackers to find valid user names to which they could try to guess the passwords or to even know what groups there are. It is a sad state of affairs to have to take such measures to protect a web I put up to provide useful information to the public, but cybercrime is a multi-million dollar business, and the hackers will use any toehold they can get on any system.

-- ScottPedigo - 2012-03-26

We get on average about one spam registration per day on twiki.org. They are mostly link spam, e.g. just an annoyance to clean up. I recommend installing the BlackListPlugin; I frequently add new spam sites to the shared list.

A registration requiring approval by an administrator would be a nice optional feature for public TWiki sites. TWiki is open source software. I invite you to get involved, fix/enhance part of TWiki, and contribute it back to the community.

-- PeterThoeny - 2012-03-26

I am having the same problems. Initially it was just one or two per week. Now it appears to be 3-5 per day! I only want new registrants to be people known to me - registration approval would be an excellent feature. I would help here except that I am not a programmer so have no idea how or where to start.

I am going to make the registration page available only to me and I'll register everyone manually.

-- Steve DiBartolomeo - 2013-04-08

Making the registration available only to TWikiAdminGroup works for real users, but I'm seeing bots still hitting the bin/register script and getting in. Shouldn't one be able to restrict access to this script in the Apache config file so that, for example, only a localhost IP can access the script? Any tips on how best to accomplish this?

-- Michael Sprague - 2013-11-26

You can restrict the register script and any other using Apache directives. Example directive you can add to the <Directory "/var/www/twiki/bin"> section:

<FilesMatch "^register.*">
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1 192.168.1.10
</FilesMatch>

-- Peter Thoeny - 2013-11-27
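
One way to confirm that the FilesMatch restriction above is taking effect is to look in the access log for register requests from other addresses that Apache did not answer with 403. This is an added example, not from the original thread: it assumes the common/combined access log format, `unrefused_register_hits` and `sample_log` are hypothetical helpers, and the log lines are constructed.

```shell
#!/bin/sh
# Added example: list requests to bin/register* that were not refused,
# from clients outside the allow-list used in the FilesMatch block.
# Assumes common/combined log format: $1 client IP, $7 path, $9 status.

# Constructed sample lines (documentation-range addresses), not real traffic.
sample_log() {
cat <<'EOF'
127.0.0.1 - - [27/Nov/2013:10:00:01 +0000] "GET /twiki/bin/register/TWiki/TWikiRegistration HTTP/1.1" 200 5120
192.168.1.10 - - [27/Nov/2013:10:02:10 +0000] "POST /twiki/bin/register HTTP/1.1" 302 310
203.0.113.7 - - [27/Nov/2013:10:05:42 +0000] "POST /twiki/bin/register HTTP/1.1" 403 289
198.51.100.23 - - [27/Nov/2013:10:06:03 +0000] "POST /twiki/bin/register/Main/WebHome HTTP/1.1" 200 4801
198.51.100.23 - - [27/Nov/2013:10:06:09 +0000] "GET /twiki/bin/view/Main/WebHome HTTP/1.1" 200 9932
203.0.113.7 - - [27/Nov/2013:10:07:00 +0000] "POST /twiki/bin/register.save HTTP/1.1" 200 7000
EOF
}

# usage: unrefused_register_hits "ip1 ip2 ..." < access_log
# Prints "ip status path" for every hit that should have been a 403.
unrefused_register_hits() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            path = $7
            sub(/\?.*/, "", path)                       # drop the query string
            # Mirror FilesMatch "^register.*": any script name starting with
            # "register" directly under bin/, with or without extra path info.
            if (path !~ "/bin/register[^/]*(/|$)") next
            if ($1 in ok) next                          # allow-listed client
            if ($9 == 403) next                         # correctly refused
            print $1, $9, path
        }'
}

sample_log | unrefused_register_hits "127.0.0.1 192.168.1.10"
```

A status other than 403 only shows that the request reached the script, not that a registration succeeded. On Apache 2.4 the same rule is written as `Require ip 127.0.0.1 192.168.1.10`, because `Order`/`Deny`/`Allow` are only available there through mod_access_compat.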

SupportForm
Status: Answered
Title: TWiki-5.1.0 How to Disable Registration
SupportCategory: CategoryRegistration
TWiki version: 5.1.0
Server OS: Debian 6.0.4
Web server: Apache httpd-2.2.21
Perl version: 5.10.1
Browser & version:

Topic revision: r9 - 2013-11-27 - PeterThoeny