I host a forum where the target audience is ONLY U.S., Australia, and Oceania. I would like to know how I could ban all other countries from access to my forum except the three above. I've been having a problem with bots signing up and they are all coming from IPs from other countries, so I think this would fix the problem and would not bother my target audience.
Is there an easy way to do this? Advice would be appreciated.
Bots use proxy servers all around the world. People running bots know how to get around IP blocking.
Using GeoIP to prevent bots from signing up on your system will not really solve the core problem.
Captcha can help to some extent, however it's actually been broken (in the sense that well programmed bots can solve Captcha challenges) for several years.
The StackOverflow model is actually very good... don't let a new user do very much until they get a little bit of reputation (e.g. post something that gets upvoted by other users, or require the first few posts to receive moderator approval).
MaxMind's GeoLite City free database can be easily downloaded, updated, and processed to localize IP addresses.
With this PHP code you may allow selected countries to view your site.
All other users will be show blank page with message that they cant access site.
You may set any number of countries by adding && $country != "XY"
where XY is code of country which you allow view your site.
It below example Korea and US may view the site while others not.
With a little modification, you may also block or allow selected IP's if you want
$userIP = get_ipxx(false);
$country = file_get_contents('http://api.hostip.info/country.php?ip=' . $userIP);
if ($country != "KR" && $country != "US") {
die ('ERROR : SITE IS UNAVAILABLE');
}
function get_ipxx($ip2long = true) {
if($_SERVER['HTTP_CLIENT_IP']) {
$ip = $_SERVER['HTTP_CLIENT_IP'];
}else if($_SERVER['HTTP_X_FORWARDED_FOR']) {
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}else{
$ip = $_SERVER['REMOTE_ADDR'];
}
if($ip2long) {
$ip = ip2long($ip);
}
return $ip;
}
The easiest, but rather brute force way would be to get a list of IPs per country (they are normally allocated roughly by country, http://www.countryipblocks.net/). This has the possibility of accidentally blocking people who are legitimate customers, and still allowing people who are not legitimate in to the site, but it should handle 95-99% of the cases. You'll then just set up the firewall or webserver or whatever tech you choose to block any of those IPs.
Related
when i ran fority scanner it reported often misused authentication issue on the below line
hostName=java.net.InetAddress.getLocalHost().getHostName();
I had written a function which will validate this host name against the white list of host names as below.
private String validateHost(String hostName)
{
String[] PossibleHosts = {"host1","host2","host2","host4","host5",};
Integer myhostIndex = Arrays.asList(PossibleHosts).indexOf((hostName).toLowerCase());
if(myhostIndex>=0){
hostName = PossibleHosts[myhostIndex];
} else {
hostName = "";
}
return hostName;
}
which will be called by below line
hostName=validateHost(java.net.InetAddress.getLocalHost().getHostName());
But when i run the fority scan for the next time , it still shows issue on the same line even after i have done the validaiton. what can be done to remove the fortify error.
To answer you, let me explain how Fortify detects this issue, why it's included, then what to do about it.
How Fortify detects this issue: It's basically a super grep. It just finds anywhere you're using java.net.InetAddress.getLocalHost().getHostName() and complains. It is unaffected by data validation.
Why do this? Because this function is sometimes used for security purposes, and it should not be. For example, imagine a dev wanted to trust all messages from their own domain, they might use this to determine where a message came from. But then the security of their system relies on DNS, which is not secure. (See the Details tab for more info.)
What to do: First, make sure that what you're trying to do with java.net.InetAddress.getLocalHost().getHostName() is safe. Basically, that you're not trying to secure your system with this code. Then ignore the finding. At most companies I help, you would write a short explanation of why this code is OK, put it in the comment field of the Issue Summary tab, and mark the Analysis as "Not an Issue." At some places, you could also suppress it. If you're getting a ton of these, you can create a Filter that will knock out the whole category, but realize that you might also knock out some real issues that way.
Source of information: Consultant at Fortify Software 2008-2010, independent application security consultant since then.
I'm creating an app and currently working on the login/sign-up. I found this tutorial (http://www.appcoda.com/login-signup-parse-swift/) but I was wondering if there were a way to accept only certain email addresses? Some pseudocode would be
//Confirm email address if it includes "#collge.KSU.edu"
//saves user info
Well you kind of just answered your question but I guess something like:
Get username from user (or email or whatever)
if(username is valid) {
move to different screen or show notification
}
else {
display pop-up instructing the user their input is not valid
}
The main part is just parsing the String and making sure it is valid which I believe switch is already equip with. So for the case of a specific email, you could try value.contains("#collge.KSU.edu"), of course you'll have to be a bit more careful with using that to make sure they put it in the right spot.
So I've been getting a bothersome someone who keeps using my nickname. What I want to be able to do is perform the following command every time someone with exactly my nickname (let's say UserName) joins the channel I currently reside in:
/msg NickServ ghost UserName n0ideaHwatPassIs?
n0ideaHwatPassIs? is a sample password for our sample registered user of UserName
This sort of script would have to be able to check (in more or less real-time) if a separate user changed his/her nick to said UserName as well. If someone would be so kind as to help me with my dilemma by either pointing me to the proper documentation or working out such a script (no idea if this is as cut-and-dry as I imagined it would be at first) for me?
you can use a on notify event
but first, you have to put that nickname on notify list
type
/notify nickname
then use this script, press alt+r click on file, then new and put this script in there
on *:notify:{
if ($nick != $me) && ($nick == Nickyouwanthere) {
msg NickServ ghost UserName n0ideaHwatPassIs
}
every time someone with exactly my nickname (let's say UserName) joins the channel I currently reside in
This can't happen on IRC. (Except in exceptional circumstances like netsplits, but is immediately resolved then (by dropping one or both parties))
Twitter users can login and post comments on my site, as well as new posts.
Now, i am storing the user ID on my comments table on the database.
I was wondering what is the best practice to get users avatar and show it anywhere.
I guess that using the API is not the best option as it has a rate limit of 150/hour or 350/hour if OAuth is used.
Then i thought about getting it with this little code:
<?php
$username = "twitter"; // <-- You did not use quotes here?! Typo?
$xml = simplexml_load_file("http://twitter.com/users/".$username.".xml");
echo $xml->profile_image_url; // <-- No $xml->user here!
?>
But if i have to show, let's say, 20 avatars on one same page, maybe there will be a little delay getting all of them.
I also thought about storing them on the database on a users table with the nick and so on. But then... what if the user updates his profile picture? I would still having the old one...
So, what is the best practice for it?
There are many pages and systems with have to deal with same problems such as pinterest.com, or liveFyre comment system, disqus...
Thanks
I would say that you need to store the avatar URL generated by twitter and use that without calling the API everytime. Or use this service http://tweetimag.es/
On Stack Overflow, the profile page lists a "last seen" property. This doesn't seem to be updated on every page view (for performance reasons, obviously). How would you implement it in a heavy-traffic web app? Would you update it only on certain pages? Or cache the last time you logged the user's last visit and wait a specific amount of time before updating the database? Or something completely different?
On a heavy-traffic site like Stack Overflow, I would only update the "last seen" variable when a user actually does something. Lurking around and reading questions and answers shouldn't count as a user being "seen" by the system. Asking and answering questions, or voting on them should be actions that update when a user is last seen.
I won't talk about the implementation details because that's already covered by other answers (and I would probably get it wrong).
You'll probably find "What strategy would you use for tracking user recent activity?" to be helpful. The issues are similar.
I would use a SESSION. And only set it the first visit of the session. Also resetting it every hour or so for if people leave the browser open. In php something like this:
if(!isset(!_SESSION['lastSeen'])){
$_SESSION['lastSeen'] = time();
updateLastSeenInDatabaseOrSomething();
}
else{
if($_SESSION['lastSeen'] < time() + 2 * 60 * 60){ //2 hours
$_SESSION['lastSeen'] = time();
updateLastSeenInDatabaseOrSomething();
}
}
Something like that but then with OO and not doing the same thing twice.
Consider using the "Command" design pattern for this. It will help you two ways - answer the question at hand and also implement an "undo/redo" feature. You should maintain a list of command objects designed per that pattern.