Posted

Not just connection issues but my xfinity Wi-Fi in Denver CO started actively blocking this website a few weeks ago. I use mobile data to access it on my phone, but I'm going to dig around my firewall settings and try to find out why it's blocked. 

  • 3 weeks later...
  • Administrators
Posted

Just so you guys know… I'm continuing to tweak the algorithm that's banning some of your IP addresses. Things that are typical of problem users put you on a really short leash. Things that are typical of good users increase what I let you do on the site before your activity looks too suspicious and I ban you.

One of the most important things is to not block reCAPTCHA. I can't stress that enough. I use Google's reCAPTCHA v3 – it operates behind the scenes and tells me how likely it is that you're a bot. Bots know not to load reCAPTCHA (thinking no score is better than a bad score), so if you don't load it, then you look like a bot and you'll trip the algorithm very quickly and get banned. If your privacy controls block reCAPTCHA, then whitelist it. Otherwise you'll probably eventually get banned.

If you do get banned, try again in 3-4 days. Most of the time the ban period is pretty short.

  • Like 1
  • Administrators
Posted

I just did a change that will make it much less likely for legit users to get banned. Here's what is needed to qualify for the new criteria…

  1. Have logged into chat in the past 6 months (starting with logins ~now) and not have deleted your cookies since that time
  2. Not look like a bot to reCAPTCHA v3 or be blocking reCAPTCHA

It's highly unlikely you'll be blocked if you pass those two tests.

 

If you are currently blocked and want your IP address unblocked, do the following (this offer is not available to New Members)…

  1. Click on this link. Then change to the network where you're having problems and reload that page. Make note what it says for "IPv4" – that's the IP address with the problem.
  2. Switch back to the network that lets you view this page and send that IP address to me in a DM.

I don't promise I'll unblock your IP, but it will give me a better idea of what's triggering blocks and if you seem legit, I'll undo the block. Senior members will most likely be unblocked.

Posted (edited)

Tried to connect to chat for the first time today, got this message: "Browser ID could not be determined. Your login cannot be verified." Tried again and it said email not verified, so did that. Hope that works.

 

Edited by tighthole64
  • Administrators
Posted
2 hours ago, tighthole64 said:

Tried to connect to chat for the first time today, got this message: "Browser ID could not be determined. Your login cannot be verified." Tried again and it said email not verified, so did that. Hope that works.

The first part is pretty normal. There's a whole thread about it. The second part means you need to change or validate your email in the system powering chat (which is different but semi-connected to the forums). There's no error there. I started working on syncing the two systems, but got distracted by other things. I'll get back to it in the near future.

  • Like 1
  • 4 weeks later...
Posted

@rawTOP Used to be able to connect, now we tunnel through SSH to an offshore server. NBD, but there ARE some improvements you could make to the site that would make it less attractive to bots and such.

x-powered-by: PHP/7.2.30

The latest PHP is 7.4, and you should be running it behind php-fpm. At no point should the version string be present in the site's headers. This gives spammers a known target.

server: Apache

Scrub this. Connecting clients don't need to know this is an Apache server, and it also makes an attractive target for bots.

You should be running fail2ban to automate most of the heavy lifting for bot and hacker bans. fail2ban can even do scripted callouts to your hosting provider's firewall.

Your strict transport security is also misconfigured, appearing twice...

strict-transport-security: max-age=63072000
content-length: 177928
last-modified: Thu, 18 Jun 2020 16:18:51 GMT
strict-transport-security: max-age=15768000

The site's cryptography also does not specify a cipher order...
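The header problems listed in this post (version-revealing `x-powered-by` and `server` values, and a duplicated `strict-transport-security` header) can be checked mechanically against a captured response. The script below is an added example, not code from the post or from the site; the header block it parses is a constructed sample modeled on the lines quoted above, and the names `parse_headers` and `audit_headers` are chosen here, not taken from any tool.

```python
"""Audit a raw HTTP response header block for information leaks and HSTS misconfiguration."""
import re

# Constructed sample, modeled on the header lines quoted in the post above.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
server: Apache
x-powered-by: PHP/7.2.30
strict-transport-security: max-age=63072000
content-length: 177928
last-modified: Thu, 18 Jun 2020 16:18:51 GMT
strict-transport-security: max-age=15768000
content-type: text/html; charset=UTF-8
"""

# A dotted number anywhere in a Server value (e.g. "Apache/2.4.41") is a version disclosure.
VERSION_RE = re.compile(r"\d+\.\d+")


def parse_headers(raw):
    """Return (name, value) pairs in wire order, names lower-cased, duplicates preserved.

    Duplicates are kept on purpose: a dict would silently hide the second HSTS line.
    """
    pairs = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_headers(raw):
    """Return a list of finding strings for the header block in `raw`."""
    pairs = parse_headers(raw)
    findings = []

    # RFC 6797 tells user agents to honor only the first HSTS field if several are sent,
    # so a duplicate is harmless in the browser but points at two places setting policy.
    hsts = [v for n, v in pairs if n == "strict-transport-security"]
    if len(hsts) > 1:
        findings.append(
            f"duplicate strict-transport-security ({len(hsts)} values: {', '.join(hsts)})"
        )
    elif not hsts:
        findings.append("missing strict-transport-security")

    for name, value in pairs:
        # X-Powered-By exists only to advertise the backend; it has no function for clients.
        if name == "x-powered-by":
            findings.append(f"x-powered-by present ({value})")
        # A bare product name is the usual compromise; a version number is the leak.
        if name == "server" and VERSION_RE.search(value):
            findings.append(f"server header reveals version ({value})")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```

Run against the sample it reports the duplicate HSTS header and the PHP version string, and stays quiet about `server: Apache` because no version is exposed. On the server side the corresponding fixes are `expose_php = Off` in php.ini (removes `X-Powered-By`), `ServerTokens Prod` in the Apache config (reduces `Server` to the product name), and keeping the `Strict-Transport-Security` directive in exactly one place, either the vhost or `.htaccess`.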

  • Administrators
Posted
3 hours ago, mass1ve said:

@rawTOP Used to be able to connect, now we tunnel through SSH to an offshore server. NBD, but there ARE some improvements you could make to the site that would make it less attractive to bots and such.


x-powered-by: PHP/7.2.30

The latest PHP is 7.4, and you should be running it behind php-fpm. At no point should the version string be present in the site's headers. This gives spammers a known target.


server: Apache

Scrub this. Connecting clients don't need to know this is an Apache server, and it also makes an attractive target for bots.

You should be running fail2ban to automate most of the heavy lifting for bot and hacker bans. fail2ban can even do scripted callouts to your hosting provider's firewall.

Your strict transport security is also misconfigured, appearing twice...


strict-transport-security: max-age=63072000
content-length: 177928
last-modified: Thu, 18 Jun 2020 16:18:51 GMT
strict-transport-security: max-age=15768000

The site's cryptography also does not specify a cipher order...

Thanks for your feedback. It's always good to get a perspective from someone who knows something about server admin.

I'm on PHP v7.2 rather than 7.4 because it's the version that's part of the stable build of my OS. And it is using php-fpm – that's the only way to get HTTP/2 to work properly.

I'll ask my host to turn off the x-powered-by header – doing so is not a bad idea. That said, it's probably clear the site is running IP.Board and IP.Board is php-based, so turning off x-powered-by only really hides the version number.

Apache doesn't like/support turning off the server header. Just showing Apache with no version number is the compromise. That said, I'll ask my host to turn it off. Maybe they can.

I'll look further at fail2ban, but it may conflict with what I've already written. fail2ban will never be able to detect who's spammed the site, etc. though it will do a better job with other types of attacks.

When I tested I only saw the strict-transport-security header once in the response header. But when I ran the site through an SSL test (see below) it complained about duplicate headers. I did find the htaccess rule that was setting it a second time. But now I'm a bit confused what's setting it the first time. But it's working, so I'm not going to complain.

As far as specifying a cipher order, if I understand the issue correctly, I don't really see the point. I've disabled all the insecure ciphers. Doing so is necessary to get an A+ rating on the "SSL" test…

https://www.ssllabs.com/ssltest/analyze.html?d=breeding.zone

So if there are no possible insecure ciphers, it doesn't matter which the browser uses.

  • 4 weeks later...
Posted

@rawTOP

TLS issues today with the site cert? Things were down for a few hours today. Was there an issue with the rollout or update? certbot has a module for Apache that handles autorenewal as well as the reload.

 

  • Administrators
Posted
On 7/14/2020 at 4:58 AM, mass1ve said:

@rawTOP

TLS issues today with the site cert? Things were down for a few hours today. Was there an issue with the rollout or update? certbot has a module for Apache that handles autorenewal as well as the reload.

I was busy and didn't ask my host exactly what went wrong, but it was NOT a cert renewal problem – they renew automatically.

Guest takingdeepanal
Posted
On 7/14/2020 at 6:58 PM, mass1ve said:

@rawTOP

TLS issues today with the site cert? Things were down for a few hours today. Was there an issue with the rollout or update? certbot has a module for Apache that handles autorenewal as well as the reload.

 

 

10 hours ago, rawTOP said:

I was busy and didn't ask my host exactly what went wrong, but it was NOT a cert renewal problem – they renew automatically.

I had troubles as well - but figured that it was a maintenance issue. Main thing is that the site is running! 🙂

 

Posted

Having the same issues connecting from my home wifi network, no issue from my cellphone data plan. I'll try unplugging the router overnight and see if it helps.

  • 2 weeks later...
Guest xsodomyx
Posted

I also can't access the site without a VPN - Mind you, I just joined, I've done nothing wrong 😭

  • 2 weeks later...
  • Administrators
Posted

So, everyone say thank you to @thejadoman… He got in touch with me and gave me information that let me figure out the problem. Turns out a database table I thought only had spammer IPs in it, also had good IPs. I now know how to tell the difference.
