One Yukkuri Place

Read the rules before proceeding!

Topic: How is the security of our site?

Posted under General

Cute Aggression

As you can see, recently we have seen major bot attacks. They keep coming back despite the mods' best effort to delete them.

  • ID: 12633
  • Permalink
  • EasyDeibu

    There's basically zero protection on signup form.

    Even a simple captcha can help, but given complexities described in working with website engine, this may not be an easy task.

  • ID: 12639
  • Permalink
  • EasyV

    This kind of spam happens once every six months anyway.
    I mean, it could be much worse don't you think?

  • ID: 12651
  • Permalink
  • EasyDeibu

    Without adding something on software level, maybe we can use cloudflare? It has some bot protection, although it is more focused against DDoS.

    Or there are various methods of jumping through hoops with injecting non-application pages in-between process. But it depends on how much engine will allow.

  • ID: 12654
  • Permalink
  • BaronMind

    In the meantime, I think we need another mod/janitor...

  • ID: 12708
  • Permalink
  • Ruukasu

    I would like to add that OYP needs to be HTTPS. The DuckDuckGo Privacy Essentials addon gives OYP a C+ for lack of encryption and "unknown privacy practices".

  • ID: 12710
  • Permalink
  • EasyDeibu

    I don't think that HTTPS will help against bots.

    We either need to install captcha (can be difficult due to engine state), add sandbox where first forum posts need to be approved by mod before being seen (can be impossible due to engine), or install some general bot protection on server which has a list of blacklisted ips (can be not very effective)

  • ID: 12744
  • Permalink
  • Ruukasu

    EasyDeibu said:

    I don't think that HTTPS will help against bots.

    We either need to install captcha (can be difficult due to engine state), add sandbox where first forum posts need to be approved by mod before being seen (can be impossible due to engine), or install some general bot protection on server which has a list of blacklisted ips (can be not very effective)

    I agree that HTTPS won't stop bots, but it is a step toward better privacy.

    Regarding CAPTCHA, even Danbooru doesn't have the CAPTCHA feature either. If it is to be implemented in a future version, I personally don't recommend Google due to their bad privacy practices.

    Updated by Ruukasu

  • ID: 12759
  • Permalink
  • boom

    I wouldn't mind taking on the role of janitor, if only to get rid of the spam that seems to pop up every so often.

  • ID: 12770
  • Permalink
  • Ruukasu

    From what I gathered, the botnet started "mass joining" OYP for lack of better words around mid December.

    Dosu, can users' IP addresses be checked here?

  • ID: 12788
  • Permalink
  • Ruukasu

    boom said:

    I wouldn't mind taking on the role of janitor, if only to get rid of the spam that seems to pop up every so often.

    Perhaps two janitors will suffice in case one is absent for an extended period of time...? That could also speed up the spam cleanup process if necessary.

  • ID: 12790
  • Permalink
  • BaronMind

    Hitosura said:

    Oh! I nominate Cirno! Strongest!

    Give that I literally just this minute finished flaming my second site admin in as many months, that may not be the smartest idea.

  • ID: 12812
  • Permalink
  • poweryoga

    1) no protection whatsoever. Toawa and I had floated a captcha idea a long time ago but it's literally never been looked at beyond discussions.
    2) We can track IP addresses and block them but it's useless against bots since the ip addresses are almost always spoofed and comes from a huge block. IP banning traditionally is almost always useless in any scenario against dedicated attackers. (but very effective against morons)
    3) HTTPS won't help, and while it's a good security practice the implementation side is beyond my casual knowledge.
    4) Cloudflare is unnecessary, since our problem is not DDOS but with spam bots making accounts. It's also not free. We don't get enough traffic to warrant this sort of protection.

    I can make someone a janitor but last I checked they can't even delete posts, just approve posts still in the queue. So it's kind of pointless.

    Full admin access I'm leery of giving out for obvious reasons.

  • ID: 12814
  • Permalink
  • EasyDeibu

    poweryoga said:

    1) no protection whatsoever. Toawa and I had floated a captcha idea a long time ago but it's literally never been looked at beyond discussions.
    2) We can track IP addresses and block them but it's useless against bots since the ip addresses are almost always spoofed and comes from a huge block. IP banning traditionally is almost always useless in any scenario against dedicated attackers. (but very effective against morons)
    3) HTTPS won't help, and while it's a good security practice the implementation side is beyond my casual knowledge.
    4) Cloudflare is unnecessary, since our problem is not DDOS but with spam bots making accounts. It's also not free. We don't get enough traffic to warrant this sort of protection.

    I can make someone a janitor but last I checked they can't even delete posts, just approve posts still in the queue. So it's kind of pointless.

    Full admin access I'm leery of giving out for obvious reasons.

    I can probably help with HTTPS, implemented it a few times in my practice. But that again would require giving me server keys, which is even more than admin access. Or maybe we can have a chat and I can try to consult you through the process.

    Instead of blocking their IPs manually, there are already created lists of IPs that bot use that are updated regularly. Many of them also allow to download and cache list locally, for processing speed

    For example https://www.projecthoneypot.org/services_overview.php or http://iplists.firehol.org/

    Updated by EasyDeibu

  • ID: 12827
  • Permalink
  • EasyDeibu

    By the way, I just realised that all those spam post refer a single website. Can we just reject all forum posts that have a specific string (that damned website domain) in it's body?

    Or maybe deleted ones were referring different websites.

  • ID: 12834
  • Permalink
  • poweryoga

    filtering forum posts is impossible with my level of js and ruby knowledge. Not to mention I have doubts on whether plugins will even work with danbooru running in test mode. (don't even know how to plug that into text filters for this inputbox for that matter, but I haven't looked at d2 code in ages).

    As for IP filtering, we can probably do some filtering with apache but I'm not familar enough with that sort of stuff to really maintain it.

    As for HTTPS, appreciate the offer but that's just not the issue for this site. It's the basic lack of security features and the ability for us to really update it. It's fragile enough as is and every day this site stays up and doesn't break permanently is really a win.

    and as I mentioned before: we really would need to update danbooru 2 to the latest build, write a migration script and then start developing plugins or integrating captcha things to keep this site running smoothly. I don't have the motivation nor expertise to do this, and neither does Toawa after so many years into this project.

  • ID: 12843
  • Permalink
  • EasyDeibu

    poweryoga said:

    As for IP filtering, we can probably do some filtering with apache but I'm not familar enough with that sort of stuff to really maintain it.

    It can be maintained with a crontab after initial implementation. We choose 3rd party service with a list, find how to update local list to get their newest and add this to crontab.

    poweryoga said:

    I don't have the motivation nor expertise to do this, and neither does Toawa after so many years into this project.

    I am willing to try (not migration to version 2, but https and ip filtering), if you feel good enough about giving me access.

  • ID: 12844
  • Permalink
  • JusticeItEasy

    Sometimes it feels like they do it on purpose, like check this thread and go "oh they are talking about us! HERE HAVE SOME BOTS!"

  • ID: 12948
  • Permalink